Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 10:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe
-
Size
45KB
-
MD5
90f3fd135841e935f12541d12b8a7d70
-
SHA1
35c88c2eb5a0ea9065146e4d6a555469354b5f97
-
SHA256
14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99e
-
SHA512
23b53e3bf60c33692c931feb659f365232d4374706cf5f4e634eba67065f1072ee4d406230e9c4063a7f7eb77ba1c175f62f3f036d9937ff653ccd0e97b087da
-
SSDEEP
768:blod6YG8Lv7/WQEjGkiYGUks7Mk4qGD20t/80zH5DUk1tntJTQ/1H5wC:blo28Lv7/WQOiYGUks7l432Q/8D+tWd
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqkondfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokehc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggkipii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecdbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haafcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mglfplgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omnjojpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigaka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoioli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnenlka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdime32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnlgleef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkofdbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbefdijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdcag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnljkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egegjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeocna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqpbglno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahqddk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbldphde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpqggh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokmdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgihop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdmqmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkbkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjnnbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpedeiff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nccokk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooejohhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddklbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odalmibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfaigclq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgejpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmehb32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2796 Bjlgdc32.exe 2364 Boipmj32.exe 3924 Bfchidda.exe 1084 Biadeoce.exe 1712 Bqilgmdg.exe 3284 Bgbdcgld.exe 640 Bidqko32.exe 1128 Cqpbglno.exe 5108 Cflkpblf.exe 2712 Cmfclm32.exe 1076 Cglgjeci.exe 1920 Cimcan32.exe 3156 Cmipblaq.exe 2972 Cgndoeag.exe 1468 Cmklglpn.exe 3392 Cpihcgoa.exe 4232 Cfcqpa32.exe 3248 Caienjfd.exe 3604 Cpleig32.exe 2944 Cjaifp32.exe 4212 Dmpfbk32.exe 5024 Dakacjdb.exe 4496 Dcjnoece.exe 3276 Dgejpd32.exe 4300 Dfhjkabi.exe 4672 Djdflp32.exe 1136 Dhhfedil.exe 1720 Dmdonkgc.exe 2936 Dcogje32.exe 4128 Djhpgofm.exe 4908 Djklmo32.exe 2984 Djmibn32.exe 2580 Eibfck32.exe 4944 Ejbbmnnb.exe 4264 Edjgfcec.exe 1564 Eangpgcl.exe 4256 Efkphnbd.exe 4844 Edopabqn.exe 4400 Filiii32.exe 3084 Facqkg32.exe 2816 Fdamgb32.exe 4340 Ffpicn32.exe 3152 Fdcjlb32.exe 1292 Fmlneg32.exe 2428 Fdffbake.exe 1440 Fhabbp32.exe 4800 Fmqgpgoc.exe 3500 Fdkpma32.exe 2844 Gigheh32.exe 444 Gdmmbq32.exe 3892 Gpcmga32.exe 1624 Gilapgqb.exe 4988 Gpfjma32.exe 3296 Gaefgd32.exe 564 Gnlgleef.exe 3104 Hgelek32.exe 4744 Hajpbckl.exe 2392 Hdilnojp.exe 1356 Hkbdki32.exe 2088 Hnaqgd32.exe 1752 Hpomcp32.exe 4984 Hgiepjga.exe 4132 Hjhalefe.exe 2432 Hpbiip32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nimbkc32.exe Neafjdkn.exe File opened for modification C:\Windows\SysWOW64\Lqpamb32.exe Lggldm32.exe File created C:\Windows\SysWOW64\Kkhpdcab.exe Kgmcce32.exe File created C:\Windows\SysWOW64\Nliaao32.exe Nhmeapmd.exe File opened for modification C:\Windows\SysWOW64\Nmhijd32.exe Nimmifgo.exe File opened for modification C:\Windows\SysWOW64\Gkcigjel.exe Gdiakp32.exe File opened for modification C:\Windows\SysWOW64\Eidlnd32.exe Eiaoid32.exe File opened for modification C:\Windows\SysWOW64\Coadnlnb.exe Clchbqoo.exe File opened for modification C:\Windows\SysWOW64\Eqdpgk32.exe Ebaplnie.exe File opened for modification C:\Windows\SysWOW64\Nqmojd32.exe Njbgmjgl.exe File opened for modification C:\Windows\SysWOW64\Cildom32.exe Ccblbb32.exe File created C:\Windows\SysWOW64\Gajlgpic.dll Fdmaoahm.exe File created C:\Windows\SysWOW64\Pabblb32.exe Pkhjph32.exe File created C:\Windows\SysWOW64\Mqkiok32.exe Mjaabq32.exe File created C:\Windows\SysWOW64\Ciipkkdj.dll Bhblllfo.exe File created C:\Windows\SysWOW64\Aaiimadl.exe Acfhad32.exe File opened for modification C:\Windows\SysWOW64\Bfngdn32.exe Acokhc32.exe File opened for modification C:\Windows\SysWOW64\Lgpoihnl.exe Lljklo32.exe File opened for modification C:\Windows\SysWOW64\Mlljnf32.exe Mjnnbk32.exe File created C:\Windows\SysWOW64\Lieccf32.exe Lankbigo.exe File opened for modification C:\Windows\SysWOW64\Hlnjbedi.exe Hipmfjee.exe File opened for modification C:\Windows\SysWOW64\Iiopca32.exe Iojkeh32.exe File created C:\Windows\SysWOW64\Abocgb32.dll Dpjfgf32.exe File created C:\Windows\SysWOW64\Qjfpkhpm.dll Ggccllai.exe File created C:\Windows\SysWOW64\Ojmjcf32.dll Glbjggof.exe File opened for modification C:\Windows\SysWOW64\Lfbped32.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Jongga32.dll Gfeaopqo.exe File created C:\Windows\SysWOW64\Fpbdco32.dll Hhfpbpdo.exe File created C:\Windows\SysWOW64\Ppgomnai.exe Pimfpc32.exe File created C:\Windows\SysWOW64\Kpbodmjl.dll Aaiimadl.exe File opened for modification C:\Windows\SysWOW64\Nabfjpak.exe Njinmf32.exe File opened for modification C:\Windows\SysWOW64\Oghghb32.exe Ombcji32.exe File created C:\Windows\SysWOW64\Jhnhbn32.dll Efafgifc.exe File opened for modification C:\Windows\SysWOW64\Lcgpni32.exe Lqhdbm32.exe File opened for modification C:\Windows\SysWOW64\Jiglnf32.exe Jcmdaljn.exe File created C:\Windows\SysWOW64\Bpqjjjjl.exe Bmbnnn32.exe File opened for modification C:\Windows\SysWOW64\Cbgnemjj.exe Ckmehb32.exe File created C:\Windows\SysWOW64\Ckgofgjn.dll Aefjii32.exe File created C:\Windows\SysWOW64\Blghiiea.dll Eqmlccdi.exe File opened for modification C:\Windows\SysWOW64\Bjlpjm32.exe Bbdhiojo.exe File created C:\Windows\SysWOW64\Cbeapmll.exe Cofecami.exe File created C:\Windows\SysWOW64\Kqbdldnq.exe Kkeldnpi.exe File opened for modification C:\Windows\SysWOW64\Njkkbehl.exe Nabfjpak.exe File created C:\Windows\SysWOW64\Npdopj32.dll Ilqoobdd.exe File created C:\Windows\SysWOW64\Iipejo32.dll Cmfclm32.exe File opened for modification C:\Windows\SysWOW64\Naaqofgj.exe Nobdbkhf.exe File created C:\Windows\SysWOW64\Jpmcbhlp.dll Qoelkp32.exe File opened for modification C:\Windows\SysWOW64\Ebaplnie.exe Ddnobj32.exe File created C:\Windows\SysWOW64\Djmibn32.exe Djklmo32.exe File created C:\Windows\SysWOW64\Qlejfm32.dll Dcnqpo32.exe File created C:\Windows\SysWOW64\Geohklaa.exe Gbalopbn.exe File opened for modification C:\Windows\SysWOW64\Eghkjdoa.exe Eqncnj32.exe File opened for modification C:\Windows\SysWOW64\Ggfglb32.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Kjmmepfj.exe Kgopidgf.exe File opened for modification C:\Windows\SysWOW64\Domdjj32.exe Dmohno32.exe File created C:\Windows\SysWOW64\Ickglm32.exe Ilqoobdd.exe File created C:\Windows\SysWOW64\Nmbjcljl.exe Mfhbga32.exe File created C:\Windows\SysWOW64\Iojkeh32.exe Ilkoim32.exe File created C:\Windows\SysWOW64\Obgohklm.exe Ocdnln32.exe File created C:\Windows\SysWOW64\Bcahmb32.exe Bkkple32.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bnmoijje.exe File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe Ckdkhq32.exe File created C:\Windows\SysWOW64\Ncbigo32.dll Dpalgenf.exe File created C:\Windows\SysWOW64\Jbnnbmfj.dll Ooqqdi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7320 5012 WerFault.exe 942 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnohnffc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmladbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqhhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbefdijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfandnla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmoafdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbliicp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeeobbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Binhnomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qebhhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphkkpbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fechomko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdamgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpaeehj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domdjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmcolgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpphljo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeoblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pekbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojajin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqpoakco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmdme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbldphde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njljch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdbgncl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apggckbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdffbake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodogdmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkoch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klggli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mglfplgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcnjijoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpomcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmmbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfelogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahokfag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djegekil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgqhicg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjnnbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgelek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihqiqn32.dll" Kaehljpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnpcnol.dll" Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnggge32.dll" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bogkmgba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nobdbkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmgob32.dll" Enkdaepb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll" Fdmaoahm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iafkld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nocckb32.dll" Edjgfcec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbgbpn32.dll" Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnafno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebaplnie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeocna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lacdmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdigjdia.dll" Kgopidgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdgglfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijdjfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll" Gkcigjel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qoelkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkhbi32.dll" Iogopi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" Cdhffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcmodajm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpcodihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpmoppk.dll" Pkbjjbda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akepfpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll" Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeofeib.dll" Oalipoiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nogiifoh.dll" Lbgalmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maeachag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbdhiojo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciafbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgaeolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdbdcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmmfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll" Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll" Hmbphg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2892 wrote to memory of 2796 2892 14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe 82 PID 2892 wrote to memory of 2796 2892 14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe 82 PID 2892 wrote to memory of 2796 2892 14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe 82 PID 2796 wrote to memory of 2364 2796 Bjlgdc32.exe 83 PID 2796 wrote to memory of 2364 2796 Bjlgdc32.exe 83 PID 2796 wrote to memory of 2364 2796 Bjlgdc32.exe 83 PID 2364 wrote to memory of 3924 2364 Boipmj32.exe 84 PID 2364 wrote to memory of 3924 2364 Boipmj32.exe 84 PID 2364 wrote to memory of 3924 2364 Boipmj32.exe 84 PID 3924 wrote to memory of 1084 3924 Bfchidda.exe 85 PID 3924 wrote to memory of 1084 3924 Bfchidda.exe 85 PID 3924 wrote to memory of 1084 3924 Bfchidda.exe 85 PID 1084 wrote to memory of 1712 1084 Biadeoce.exe 86 PID 1084 wrote to memory of 1712 1084 Biadeoce.exe 86 PID 1084 wrote to memory of 1712 1084 Biadeoce.exe 86 PID 1712 wrote to memory of 3284 1712 Bqilgmdg.exe 87 PID 1712 wrote to memory of 3284 1712 Bqilgmdg.exe 87 PID 1712 wrote to memory of 3284 1712 Bqilgmdg.exe 87 PID 3284 wrote to memory of 640 3284 Bgbdcgld.exe 88 PID 3284 wrote to memory of 640 3284 Bgbdcgld.exe 88 PID 3284 wrote to memory of 640 3284 Bgbdcgld.exe 88 PID 640 wrote to memory of 1128 640 Bidqko32.exe 89 PID 640 wrote to memory of 1128 640 Bidqko32.exe 89 PID 640 wrote to memory of 1128 640 Bidqko32.exe 89 PID 1128 wrote to memory of 5108 1128 Cqpbglno.exe 90 PID 1128 wrote to memory of 5108 1128 Cqpbglno.exe 90 PID 1128 wrote to memory of 5108 1128 Cqpbglno.exe 90 PID 5108 wrote to memory of 2712 5108 Cflkpblf.exe 91 PID 5108 wrote to memory of 2712 5108 Cflkpblf.exe 91 PID 5108 wrote to memory of 2712 5108 Cflkpblf.exe 91 PID 2712 wrote to memory of 1076 2712 Cmfclm32.exe 92 PID 2712 wrote to memory of 1076 2712 Cmfclm32.exe 92 PID 2712 wrote to memory of 1076 2712 Cmfclm32.exe 92 PID 1076 wrote to memory of 1920 1076 Cglgjeci.exe 93 PID 1076 wrote to memory of 1920 1076 Cglgjeci.exe 93 PID 1076 wrote to memory of 1920 1076 Cglgjeci.exe 93 PID 1920 wrote to memory of 3156 1920 Cimcan32.exe 94 PID 1920 wrote to memory of 3156 1920 Cimcan32.exe 94 PID 1920 wrote to memory of 3156 1920 Cimcan32.exe 94 PID 3156 wrote to memory of 2972 3156 Cmipblaq.exe 95 PID 3156 wrote to memory of 2972 3156 Cmipblaq.exe 95 PID 3156 wrote to memory of 2972 3156 Cmipblaq.exe 95 PID 2972 wrote to memory of 1468 2972 Cgndoeag.exe 96 PID 2972 wrote to memory of 1468 2972 Cgndoeag.exe 96 PID 2972 wrote to memory of 1468 2972 Cgndoeag.exe 96 PID 1468 wrote to memory of 3392 1468 Cmklglpn.exe 97 PID 1468 wrote to memory of 3392 1468 Cmklglpn.exe 97 PID 1468 wrote to memory of 3392 1468 Cmklglpn.exe 97 PID 3392 wrote to memory of 4232 3392 Cpihcgoa.exe 98 PID 3392 wrote to memory of 4232 3392 Cpihcgoa.exe 98 PID 3392 wrote to memory of 4232 3392 Cpihcgoa.exe 98 PID 4232 wrote to memory of 3248 4232 Cfcqpa32.exe 99 PID 4232 wrote to memory of 3248 4232 Cfcqpa32.exe 99 PID 4232 wrote to memory of 3248 4232 Cfcqpa32.exe 99 PID 3248 wrote to memory of 3604 3248 Caienjfd.exe 100 PID 3248 wrote to memory of 3604 3248 Caienjfd.exe 100 PID 3248 wrote to memory of 3604 3248 Caienjfd.exe 100 PID 3604 wrote to memory of 2944 3604 Cpleig32.exe 101 PID 3604 wrote to memory of 2944 3604 Cpleig32.exe 101 PID 3604 wrote to memory of 2944 3604 Cpleig32.exe 101 PID 2944 wrote to memory of 4212 2944 Cjaifp32.exe 102 PID 2944 wrote to memory of 4212 2944 Cjaifp32.exe 102 PID 2944 wrote to memory of 4212 2944 Cjaifp32.exe 102 PID 4212 wrote to memory of 5024 4212 Dmpfbk32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe"C:\Users\Admin\AppData\Local\Temp\14bf677046c47e64585f76729627c53419d7d4db31804d278c7203753fa4e99eN.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe23⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe24⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe26⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe27⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe28⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe29⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe30⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe31⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4908 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe33⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe35⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe37⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe38⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe39⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe40⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe41⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe43⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe44⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe45⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe47⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe48⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe50⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe52⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe53⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe54⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe55⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3104 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe58⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe59⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe60⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe61⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe63⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe64⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe66⤵PID:3040
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe67⤵PID:3976
-
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe68⤵PID:3804
-
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4940 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe70⤵PID:2904
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe71⤵PID:1460
-
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe72⤵PID:2728
-
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe73⤵PID:1772
-
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe74⤵PID:64
-
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe75⤵PID:4992
-
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe76⤵PID:2960
-
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe77⤵PID:3464
-
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe78⤵PID:208
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe79⤵PID:4444
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe80⤵PID:1876
-
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe81⤵PID:4392
-
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe82⤵PID:324
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe83⤵PID:2992
-
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe84⤵PID:3148
-
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe85⤵PID:3716
-
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe86⤵
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe87⤵PID:2800
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe88⤵
- System Location Discovery: System Language Discovery
PID:4516 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe89⤵PID:5052
-
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe90⤵PID:5036
-
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe91⤵
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe92⤵PID:3184
-
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe95⤵PID:2620
-
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe96⤵PID:3532
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe97⤵PID:3908
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe98⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe99⤵PID:1068
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe101⤵PID:5176
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe102⤵PID:5216
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe103⤵PID:5256
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe104⤵
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe105⤵PID:5344
-
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe106⤵PID:5384
-
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5424 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe108⤵PID:5468
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe109⤵PID:5512
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe110⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe111⤵PID:5600
-
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe112⤵
- Modifies registry class
PID:5644 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe113⤵PID:5688
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe114⤵PID:5732
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe115⤵PID:5776
-
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe116⤵PID:5828
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe117⤵PID:5884
-
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe118⤵PID:5940
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5988 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe120⤵
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe121⤵PID:6080
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-