Analysis
-
max time kernel
110s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/10/2024, 22:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9N.exe
Resource
win7-20241010-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9N.exe
-
Size
276KB
-
MD5
f110949f513ce36acfcf815590b14aa0
-
SHA1
0744b0f8b635734067ccd15c549118111aa90e32
-
SHA256
7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9
-
SHA512
c0966c803582702403ef79454aaeb99d2ed7271d320244b02fbfb89cb05ffbeb11f3f510a76b2f42bb73148e1200da9d2be61e177b865aedcd2fc6ccfd8f8642
-
SSDEEP
6144:mV+KgE8ffaORLSdn7MUZst5qXsunbLwMddjPXmF6EC1LlzxAKN+xTU5AX/KXWZCC:cER+pMUQunbpd/mF6ECJlzxAKN2X/WW7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiehpahb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpcjgnhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkipkani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boklbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llflea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbenmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekmnajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfhfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahpfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpglnhad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklbdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efblbbqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojiiafp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpiafnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnlme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opadhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagjfflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdciiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igjeanmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poaqemao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offnhpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplbickp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkafmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkpgafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebngial.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfandnla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgajfeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcjep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flpmagqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbdjchgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekpkigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pplobcpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlpneli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dannij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmalne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkmjjaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlklkgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpmbc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2544 Fdijbg32.exe 4168 Fggfnc32.exe 1548 Fonnop32.exe 3972 Famjkl32.exe 3188 Fehfljca.exe 4876 Fhgbhfbe.exe 2316 Foqkdp32.exe 3124 Gaogak32.exe 5040 Gnfhfl32.exe 3472 Gempgj32.exe 3208 Ghklce32.exe 3432 Gepmlimi.exe 1244 Gohaeo32.exe 3168 Gfbibikg.exe 2172 Ghpendjj.exe 5104 Gkobjpin.exe 3816 Gfdfgiid.exe 4720 Goljqnpd.exe 4268 Hdicienl.exe 4920 Hoogfnnb.exe 3108 Hdlpneli.exe 3024 Hkehkocf.exe 3176 Hbpphi32.exe 4596 Hdnldd32.exe 3928 Hocqam32.exe 3164 Hbbmmi32.exe 5064 Hgoeep32.exe 660 Hbdjchgn.exe 3636 Hhnbpb32.exe 1196 Hkmnln32.exe 4336 Ifbbig32.exe 5052 Ihqoeb32.exe 4888 Igcoqocb.exe 1592 Inmgmijo.exe 3104 Iickkbje.exe 3100 Ikaggmii.exe 1852 Iiehpahb.exe 1896 Ibnligoc.exe 3948 Igjeanmj.exe 3216 Indmnh32.exe 2820 Jngjch32.exe 4912 Jeqbpb32.exe 2120 Jkkjmlan.exe 2740 Jbdbjf32.exe 1540 Jgakbm32.exe 2824 Jnkcogno.exe 2916 Jiaglp32.exe 228 Jbileede.exe 1476 Jblijebc.exe 5056 Jghabl32.exe 2808 Kbnepe32.exe 1460 Kgknhl32.exe 2904 Kpbfii32.exe 4552 Kflnfcgg.exe 4392 Kijjbofj.exe 4160 Kpdboimg.exe 4916 Kfnkkb32.exe 1640 Khpgckkb.exe 4944 Knippe32.exe 5032 Kiodmn32.exe 4936 Klmpiiai.exe 4348 Kbghfc32.exe 780 Lhdqnj32.exe 4956 Lbjelc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pdggmekl.dll Hbbmmi32.exe File created C:\Windows\SysWOW64\Cikglnkj.exe Cflkpblf.exe File created C:\Windows\SysWOW64\Pjglocmi.dll Lhmmjbkf.exe File created C:\Windows\SysWOW64\Bjjhhfnd.dll Bkaobnio.exe File created C:\Windows\SysWOW64\Ngqagcag.exe Nmkmjjaa.exe File opened for modification C:\Windows\SysWOW64\Cklhcfle.exe Process not Found File created C:\Windows\SysWOW64\Oekpkigo.exe Ocmconhk.exe File created C:\Windows\SysWOW64\Lfklem32.dll Adkgje32.exe File opened for modification C:\Windows\SysWOW64\Dmlkhofd.exe Cdecgbfa.exe File created C:\Windows\SysWOW64\Nggnadib.exe Nopfpgip.exe File created C:\Windows\SysWOW64\Gohaeo32.exe Gepmlimi.exe File opened for modification C:\Windows\SysWOW64\Kdpmbc32.exe Kmieae32.exe File opened for modification C:\Windows\SysWOW64\Njfagf32.exe Nghekkmn.exe File created C:\Windows\SysWOW64\Edqnimdf.dll Kgiiiidd.exe File created C:\Windows\SysWOW64\Ahfmpnql.exe Adkqoohc.exe File created C:\Windows\SysWOW64\Mmihfl32.dll Conanfli.exe File created C:\Windows\SysWOW64\Dmpfbk32.exe Cjaifp32.exe File created C:\Windows\SysWOW64\Iahqoq32.dll Acmobchj.exe File created C:\Windows\SysWOW64\Qdbpmock.dll Cbeapmll.exe File created C:\Windows\SysWOW64\Gmdjapgb.exe Gfkbde32.exe File opened for modification C:\Windows\SysWOW64\Dodjjimm.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Qgjamboa.dll Imiehfao.exe File created C:\Windows\SysWOW64\Lcccepbd.dll Afbgkl32.exe File opened for modification C:\Windows\SysWOW64\Hpbiip32.exe Hjhalefe.exe File opened for modification C:\Windows\SysWOW64\Eiobceef.exe Ebejfk32.exe File opened for modification C:\Windows\SysWOW64\Idahjg32.exe Iljpij32.exe File opened for modification C:\Windows\SysWOW64\Hlepcdoa.exe Hekgfj32.exe File created C:\Windows\SysWOW64\Jjpode32.exe Jcfggkac.exe File created C:\Windows\SysWOW64\Geqnma32.dll Aagkhd32.exe File created C:\Windows\SysWOW64\Hkpnbd32.dll Aahbbkaq.exe File opened for modification C:\Windows\SysWOW64\Locbfd32.exe Lldfjh32.exe File created C:\Windows\SysWOW64\Mbmcqa32.dll Dfamapjo.exe File created C:\Windows\SysWOW64\Haedpe32.dll Hgnoki32.exe File created C:\Windows\SysWOW64\Ooejohhq.exe Ohkbbn32.exe File created C:\Windows\SysWOW64\Nlfndjhh.dll Gkkgpc32.exe File opened for modification C:\Windows\SysWOW64\Idcepgmg.exe Ilmmni32.exe File created C:\Windows\SysWOW64\Jcphab32.exe Jpaleglc.exe File created C:\Windows\SysWOW64\Cedckdaj.dll Pmiikh32.exe File created C:\Windows\SysWOW64\Panhbfep.exe Pnplfj32.exe File created C:\Windows\SysWOW64\Dbfpagon.dll Aogbfi32.exe File created C:\Windows\SysWOW64\Lemkcnaa.exe Locbfd32.exe File opened for modification C:\Windows\SysWOW64\Hdpbon32.exe Haafcb32.exe File opened for modification C:\Windows\SysWOW64\Nhahaiec.exe Neclenfo.exe File created C:\Windows\SysWOW64\Gbalopbn.exe Gpbpbecj.exe File opened for modification C:\Windows\SysWOW64\Lcdciiec.exe Lljklo32.exe File created C:\Windows\SysWOW64\Bpfkpp32.exe Bmhocd32.exe File created C:\Windows\SysWOW64\Mhgfkg32.exe Mffjcopi.exe File created C:\Windows\SysWOW64\Mefiblfk.dll Cgndoeag.exe File opened for modification C:\Windows\SysWOW64\Dannij32.exe Diffglam.exe File opened for modification C:\Windows\SysWOW64\Jgogbgei.exe Jdpkflfe.exe File created C:\Windows\SysWOW64\Jejechjg.dll Flinkojm.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Gehbjm32.exe File created C:\Windows\SysWOW64\Dfjehbcf.dll Iepaaico.exe File opened for modification C:\Windows\SysWOW64\Pkadoiip.exe Phbhcmjl.exe File created C:\Windows\SysWOW64\Bidmbiaj.dll Kiodmn32.exe File created C:\Windows\SysWOW64\Pokhnl32.dll Lifjnm32.exe File opened for modification C:\Windows\SysWOW64\Pfnegggi.exe Ppamophb.exe File opened for modification C:\Windows\SysWOW64\Plhnda32.exe Pfnegggi.exe File created C:\Windows\SysWOW64\Qhonib32.exe Qgnbaj32.exe File opened for modification C:\Windows\SysWOW64\Ejpfhnpe.exe Ehailbaa.exe File created C:\Windows\SysWOW64\Kdinljnk.exe Jjdjoane.exe File opened for modification C:\Windows\SysWOW64\Bafndi32.exe Bklfgo32.exe File created C:\Windows\SysWOW64\Kpoalo32.exe Kgflcifg.exe File opened for modification C:\Windows\SysWOW64\Bgkiaj32.exe Bhhiemoj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6252 18424 Process not Found 1138 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnbicff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcinna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebngial.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmohno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eangpgcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paeelgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqcjepfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamlecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfaapbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehailbaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpcbhji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepmlimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdlpneli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codhnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiccajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccahbmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phonha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhncdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poaqemao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgnkkbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkcfid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbfklei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loeolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqdmihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcadhgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocaebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkcogno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgejpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illfdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkobjpin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epcdqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqpbglno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neclenfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiahnnph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panhbfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Molelb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpokp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll" Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oklmii32.dll" Khpgckkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejpiq32.dll" Aflaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bihjfnmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcobaedj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idefqiag.dll" Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgbl32.dll" Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memfnodb.dll" Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll" Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehcfaboo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohkbbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dooaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecqieiii.dll" Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll" Cncnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkibb32.dll" Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmcnn32.dll" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modgdicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaifpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cippgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnmog32.dll" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpbjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kednfemc.dll" Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjnjq32.dll" Codhnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adkqoohc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omqmop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qachgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpcoefj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjmbk32.dll" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomkkpc.dll" Ckpbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgipcogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcbd32.dll" Ocgbld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gblbca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhqgik32.dll" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkmjjaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll" Qhjmdp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3248 wrote to memory of 2544 3248 7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9N.exe 84 PID 3248 wrote to memory of 2544 3248 7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9N.exe 84 PID 3248 wrote to memory of 2544 3248 7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9N.exe 84 PID 2544 wrote to memory of 4168 2544 Fdijbg32.exe 85 PID 2544 wrote to memory of 4168 2544 Fdijbg32.exe 85 PID 2544 wrote to memory of 4168 2544 Fdijbg32.exe 85 PID 4168 wrote to memory of 1548 4168 Fggfnc32.exe 86 PID 4168 wrote to memory of 1548 4168 Fggfnc32.exe 86 PID 4168 wrote to memory of 1548 4168 Fggfnc32.exe 86 PID 1548 wrote to memory of 3972 1548 Fonnop32.exe 87 PID 1548 wrote to memory of 3972 1548 Fonnop32.exe 87 PID 1548 wrote to memory of 3972 1548 Fonnop32.exe 87 PID 3972 wrote to memory of 3188 3972 Famjkl32.exe 88 PID 3972 wrote to memory of 3188 3972 Famjkl32.exe 88 PID 3972 wrote to memory of 3188 3972 Famjkl32.exe 88 PID 3188 wrote to memory of 4876 3188 Fehfljca.exe 89 PID 3188 wrote to memory of 4876 3188 Fehfljca.exe 89 PID 3188 wrote to memory of 4876 3188 Fehfljca.exe 89 PID 4876 wrote to memory of 2316 4876 Fhgbhfbe.exe 90 PID 4876 wrote to memory of 2316 4876 Fhgbhfbe.exe 90 PID 4876 wrote to memory of 2316 4876 Fhgbhfbe.exe 90 PID 2316 wrote to memory of 3124 2316 Foqkdp32.exe 91 PID 2316 wrote to memory of 3124 2316 Foqkdp32.exe 91 PID 2316 wrote to memory of 3124 2316 Foqkdp32.exe 91 PID 3124 wrote to memory of 5040 3124 Gaogak32.exe 92 PID 3124 wrote to memory of 5040 3124 Gaogak32.exe 92 PID 3124 wrote to memory of 5040 3124 Gaogak32.exe 92 PID 5040 wrote to memory of 3472 5040 Gnfhfl32.exe 93 PID 5040 wrote to memory of 3472 5040 Gnfhfl32.exe 93 PID 5040 wrote to memory of 3472 5040 Gnfhfl32.exe 93 PID 3472 wrote to memory of 3208 3472 Gempgj32.exe 94 PID 3472 wrote to memory of 3208 3472 Gempgj32.exe 94 PID 3472 wrote to memory of 3208 3472 Gempgj32.exe 94 PID 3208 wrote to memory of 3432 3208 Ghklce32.exe 96 PID 3208 wrote to memory of 3432 3208 Ghklce32.exe 96 PID 3208 wrote to memory of 3432 3208 Ghklce32.exe 96 PID 3432 wrote to memory of 1244 3432 Gepmlimi.exe 97 PID 3432 wrote to memory of 1244 3432 Gepmlimi.exe 97 PID 3432 wrote to memory of 1244 3432 Gepmlimi.exe 97 PID 1244 wrote to memory of 3168 1244 Gohaeo32.exe 99 PID 1244 wrote to memory of 3168 1244 Gohaeo32.exe 99 PID 1244 wrote to memory of 3168 1244 Gohaeo32.exe 99 PID 3168 wrote to memory of 2172 3168 Gfbibikg.exe 100 PID 3168 wrote to memory of 2172 3168 Gfbibikg.exe 100 PID 3168 wrote to memory of 2172 3168 Gfbibikg.exe 100 PID 2172 wrote to memory of 5104 2172 Ghpendjj.exe 101 PID 2172 wrote to memory of 5104 2172 Ghpendjj.exe 101 PID 2172 wrote to memory of 5104 2172 Ghpendjj.exe 101 PID 5104 wrote to memory of 3816 5104 Gkobjpin.exe 102 PID 5104 wrote to memory of 3816 5104 Gkobjpin.exe 102 PID 5104 wrote to memory of 3816 5104 Gkobjpin.exe 102 PID 3816 wrote to memory of 4720 3816 Gfdfgiid.exe 103 PID 3816 wrote to memory of 4720 3816 Gfdfgiid.exe 103 PID 3816 wrote to memory of 4720 3816 Gfdfgiid.exe 103 PID 4720 wrote to memory of 4268 4720 Goljqnpd.exe 105 PID 4720 wrote to memory of 4268 4720 Goljqnpd.exe 105 PID 4720 wrote to memory of 4268 4720 Goljqnpd.exe 105 PID 4268 wrote to memory of 4920 4268 Hdicienl.exe 106 PID 4268 wrote to memory of 4920 4268 Hdicienl.exe 106 PID 4268 wrote to memory of 4920 4268 Hdicienl.exe 106 PID 4920 wrote to memory of 3108 4920 Hoogfnnb.exe 107 PID 4920 wrote to memory of 3108 4920 Hoogfnnb.exe 107 PID 4920 wrote to memory of 3108 4920 Hoogfnnb.exe 107 PID 3108 wrote to memory of 3024 3108 Hdlpneli.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9N.exe"C:\Users\Admin\AppData\Local\Temp\7c9a540a312ba05dc82ad004963f414eb2eeb61363a5f4cafb185e845bb9a6f9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe23⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe24⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe25⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe26⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe28⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe30⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe31⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe32⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe33⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe34⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe35⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe36⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe37⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe39⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe41⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe42⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe43⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe44⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe45⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe46⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe48⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe49⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe50⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe51⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe52⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe53⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe54⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe55⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe56⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe57⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe58⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe60⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5032 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe62⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe63⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe64⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe65⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe66⤵PID:4556
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe67⤵PID:3892
-
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe68⤵PID:2028
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe69⤵
- Drops file in System32 directory
PID:4156 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe70⤵
- Drops file in System32 directory
PID:4000 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe71⤵
- Drops file in System32 directory
PID:212 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe72⤵PID:3856
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe73⤵PID:2360
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe74⤵
- System Location Discovery: System Language Discovery
PID:3944 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe75⤵PID:2928
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe76⤵
- System Location Discovery: System Language Discovery
PID:3464 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe77⤵PID:4528
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5028 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe79⤵
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe80⤵PID:4116
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe81⤵
- System Location Discovery: System Language Discovery
PID:4652 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe82⤵PID:1660
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe83⤵PID:5072
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe84⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe85⤵PID:68
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe86⤵PID:2108
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe87⤵PID:4396
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe88⤵PID:2668
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe89⤵PID:2616
-
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe90⤵PID:1436
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe91⤵PID:4284
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe92⤵PID:1620
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe93⤵PID:4780
-
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe94⤵PID:2236
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe95⤵PID:1100
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe96⤵PID:5140
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe97⤵PID:5216
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe99⤵PID:5348
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe100⤵PID:5396
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe101⤵PID:5452
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe102⤵PID:5504
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe103⤵PID:5552
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5592 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe105⤵PID:5656
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe106⤵PID:5700
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe107⤵PID:5744
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe108⤵PID:5788
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe109⤵
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5916 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe112⤵PID:5960
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe113⤵PID:6004
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe114⤵PID:6044
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe115⤵PID:6088
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe116⤵PID:6132
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe117⤵PID:5168
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe118⤵PID:5296
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe119⤵PID:5364
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe120⤵PID:5444
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe121⤵PID:5532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-