Analysis
max time kernel: 148s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 08/12/2024, 04:08
Static task: static1
Behavioral task: behavioral1
Sample: e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe
Resource: win10v2004-20241007-en
General
Target: e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe
Size: 894KB
MD5: ed558ff8ab2fa4627349c629571dd27d
SHA1: 35ecc3be1029fb2c2b3c216e53e055cc75198c96
SHA256: e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849
SHA512: 608f6ab8b21fafb26dd6a177036d1500758dc0fa9dfcb23564b05dc20ca6feaa96e29aeab7747cbf77e49500e5af686c963dbcd5a2feaa7752bb4386ff155e4a
SSDEEP: 12288:Gfr/Ng1/Nblt01PBExKN4P6IfKTLR+6CwUkEoIq:/lks/6HnEpq
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2196 wrote to memory of 2660 2196 e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe 30
PID 2196 wrote to memory of 2660 2196 e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe 30
PID 2196 wrote to memory of 2660 2196 e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe 30
PID 2196 wrote to memory of 2660 2196 e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe 30
PID 2660 wrote to memory of 2884 2660 Dpfkeb32.exe 31
PID 2660 wrote to memory of 2884 2660 Dpfkeb32.exe 31
PID 2660 wrote to memory of 2884 2660 Dpfkeb32.exe 31
PID 2660 wrote to memory of 2884 2660 Dpfkeb32.exe 31
PID 2884 wrote to memory of 2632 2884 Enneln32.exe 32
PID 2884 wrote to memory of 2632 2884 Enneln32.exe 32
PID 2884 wrote to memory of 2632 2884 Enneln32.exe 32
PID 2884 wrote to memory of 2632 2884 Enneln32.exe 32
PID 2632 wrote to memory of 2644 2632 Efmckpko.exe 33
PID 2632 wrote to memory of 2644 2632 Efmckpko.exe 33
PID 2632 wrote to memory of 2644 2632 Efmckpko.exe 33
PID 2632 wrote to memory of 2644 2632 Efmckpko.exe 33
PID 2644 wrote to memory of 236 2644 Epfhde32.exe 34
PID 2644 wrote to memory of 236 2644 Epfhde32.exe 34
PID 2644 wrote to memory of 236 2644 Epfhde32.exe 34
PID 2644 wrote to memory of 236 2644 Epfhde32.exe 34
PID 236 wrote to memory of 1488 236 Fpokjd32.exe 35
PID 236 wrote to memory of 1488 236 Fpokjd32.exe 35
PID 236 wrote to memory of 1488 236 Fpokjd32.exe 35
PID 236 wrote to memory of 1488 236 Fpokjd32.exe 35
PID 1488 wrote to memory of 2512 1488 Fkilka32.exe 36
PID 1488 wrote to memory of 2512 1488 Fkilka32.exe 36
PID 1488 wrote to memory of 2512 1488 Fkilka32.exe 36
PID 1488 wrote to memory of 2512 1488 Fkilka32.exe 36
PID 2512 wrote to memory of 2628 2512 Gajjhkgh.exe 37
PID 2512 wrote to memory of 2628 2512 Gajjhkgh.exe 37
PID 2512 wrote to memory of 2628 2512 Gajjhkgh.exe 37
PID 2512 wrote to memory of 2628 2512 Gajjhkgh.exe 37
PID 2628 wrote to memory of 860 2628 Gcmcebkc.exe 38
PID 2628 wrote to memory of 860 2628 Gcmcebkc.exe 38
PID 2628 wrote to memory of 860 2628 Gcmcebkc.exe 38
PID 2628 wrote to memory of 860 2628 Gcmcebkc.exe 38
PID 860 wrote to memory of 1704 860 Hecebm32.exe 39
PID 860 wrote to memory of 1704 860 Hecebm32.exe 39
PID 860 wrote to memory of 1704 860 Hecebm32.exe 39
PID 860 wrote to memory of 1704 860 Hecebm32.exe 39
PID 1704 wrote to memory of 2356 1704 Hdjoii32.exe 40
PID 1704 wrote to memory of 2356 1704 Hdjoii32.exe 40
PID 1704 wrote to memory of 2356 1704 Hdjoii32.exe 40
PID 1704 wrote to memory of 2356 1704 Hdjoii32.exe 40
PID 2356 wrote to memory of 776 2356 Imhqbkbm.exe 41
PID 2356 wrote to memory of 776 2356 Imhqbkbm.exe 41
PID 2356 wrote to memory of 776 2356 Imhqbkbm.exe 41
PID 2356 wrote to memory of 776 2356 Imhqbkbm.exe 41
PID 776 wrote to memory of 1268 776 Immjnj32.exe 42
PID 776 wrote to memory of 1268 776 Immjnj32.exe 42
PID 776 wrote to memory of 1268 776 Immjnj32.exe 42
PID 776 wrote to memory of 1268 776 Immjnj32.exe 42
PID 1268 wrote to memory of 2876 1268 Imacijjb.exe 43
PID 1268 wrote to memory of 2876 1268 Imacijjb.exe 43
PID 1268 wrote to memory of 2876 1268 Imacijjb.exe 43
PID 1268 wrote to memory of 2876 1268 Imacijjb.exe 43
PID 2876 wrote to memory of 2316 2876 Jbnlaqhi.exe 44
PID 2876 wrote to memory of 2316 2876 Jbnlaqhi.exe 44
PID 2876 wrote to memory of 2316 2876 Jbnlaqhi.exe 44
PID 2876 wrote to memory of 2316 2876 Jbnlaqhi.exe 44
PID 2316 wrote to memory of 496 2316 Jajocl32.exe 45
PID 2316 wrote to memory of 496 2316 Jajocl32.exe 45
PID 2316 wrote to memory of 496 2316 Jajocl32.exe 45
PID 2316 wrote to memory of 496 2316 Jajocl32.exe 45
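The two tables above are what an analyst actually mines from a report like this: the `Set value (str)` records show which dropped DLLs are registered as the in-process server for CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and the `PID X wrote to memory of Y` records give the order in which the renamed copies hand off to each other. The script below is an added example, not part of the tria.ge report and not tria.ge tooling; the record grammar is inferred from the text of the two tables, the embedded sample records are a subset copied from them (marked as constructed input), and the output shape (`chain`, `dll_names`, and so on) is this example's own choice. It de-duplicates the four-fold repeated memory-write rows, walks the writer-to-target links from the one process nobody wrote to, and collects the DLL paths, treating `Process not Found` rows as still-valid IoCs (the writer had exited before the sandbox could attribute the event).

```python
"""Added triage helper for the two tria.ge record formats shown above.

Not tria.ge tooling: the record grammar is inferred from the report text and
the sample records are a constructed subset copied from its two tables.
"""
import json
import re

# Registry key the dropped executables keep re-registering (from the report).
KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32"

# Constructed sample input: eight records copied from the 'Modifies registry class' table.
REGISTRY_RECORDS = "\n".join([
    rf'Set value (str) {KEY}\ThreadingModel = "Apartment" Process not Found',
    rf"Key created {KEY} Jdbfjm32.exe",
    rf'Set value (str) {KEY}\ = "C:\\Windows\\SysWow64\\Abgbihnk.dll" Process not Found',
    rf'Set value (str) {KEY}\ = "C:\\Windows\\SysWow64\\Eoeadjbl.dll" Nfglfdeb.exe',
    rf'Set value (str) {KEY}\ThreadingModel = "Apartment" Pmfmej32.exe',
    rf'Set value (str) {KEY}\ = "C:\\Windows\\SysWow64\\Cadbgifg.dll" Jneoojeb.exe',
    rf'Set value (str) {KEY}\ = "C:\\Windows\\SysWow64\\Fodbcjid.dll" Pjqdjn32.exe',
    rf"Key created {KEY} Ckfeic32.exe",
])

# Constructed sample input: the first links of the WriteProcessMemory chain. The
# report repeats every row four times; the first two links are repeated here so
# the de-duplication is exercised.
WPM_RECORDS = "\n".join(
    ["PID 2196 wrote to memory of 2660 2196 e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe 30"] * 4
    + ["PID 2660 wrote to memory of 2884 2660 Dpfkeb32.exe 31"] * 4
    + [
        "PID 2884 wrote to memory of 2632 2884 Enneln32.exe 32",
        "PID 2632 wrote to memory of 2644 2632 Efmckpko.exe 33",
        "PID 2644 wrote to memory of 236 2644 Epfhde32.exe 34",
        "PID 236 wrote to memory of 1488 236 Fpokjd32.exe 35",
        "PID 1488 wrote to memory of 2512 1488 Fkilka32.exe 36",
    ]
)

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SET_RE = re.compile(r'^Set value \(str\) (?P<key>\\\S+) = "(?P<data>[^"]*)" (?P<proc>.+)$')
CREATE_RE = re.compile(r"^Key created (?P<key>\\\S+) (?P<proc>.+)$")
# The report's 'pid' column repeats the writer pid, hence the (?P=pid) backreference.
WPM_RE = re.compile(r"^PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) (?P<proc>\S+) \d+$")


def parse_registry(text):
    """One dict per record; the value name is split off the key path."""
    events = []
    for line in text.splitlines():
        if m := SET_RE.match(line):
            key, _, value = m["key"].rpartition("\\")   # trailing '\' means the default value
            events.append({"action": "set", "key": key, "value": value or "(Default)",
                           "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]})
        elif m := CREATE_RE.match(line):
            events.append({"action": "create", "key": m["key"], "value": None,
                           "data": None, "proc": m["proc"]})
    return events


def inproc_servers(events):
    """CLSID -> set of DLL paths written to InProcServer32's default value."""
    servers = {}
    for e in events:
        if (e["action"] == "set" and e["value"] == "(Default)"
                and e["key"].upper().endswith("\\INPROCSERVER32")):
            if clsid := CLSID_RE.search(e["key"]):
                servers.setdefault(clsid.group(0), set()).add(e["data"])
    return servers


def parse_wpm(text):
    """writer pid -> ordered unique target pids, plus writer pid -> image name."""
    edges, names = {}, {}
    for line in text.splitlines():
        if m := WPM_RE.match(line):
            pid, target = int(m["pid"]), int(m["target"])
            names[pid] = m["proc"]
            targets = edges.setdefault(pid, [])
            if target not in targets:          # collapse the repeated rows
                targets.append(target)
    return edges, names


def process_chain(edges, names):
    """Follow writer -> target links starting at the one pid nobody wrote to."""
    written_to = {t for ts in edges.values() for t in ts}
    roots = [p for p in edges if p not in written_to]
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, names.get(pid)))    # None: pid never appears as a writer
        pid = edges[pid][0] if edges.get(pid) else None
    return chain


def hunt_list(reg_text=REGISTRY_RECORDS, wpm_text=WPM_RECORDS):
    """Everything worth searching other hosts for, from the two record sets."""
    events = parse_registry(reg_text)
    edges, names = parse_wpm(wpm_text)
    chain = process_chain(edges, names)
    servers = inproc_servers(events)
    return {
        "chain": chain,
        "exe_names": [n for _, n in chain if n],
        "clsid_servers": {c: sorted(p) for c, p in servers.items()},
        "dll_names": sorted({p.rsplit("\\", 1)[-1] for ps in servers.values() for p in ps}),
        # 'Process not Found': the writer had exited before the sandbox attributed
        # the event. The registry data is still a usable IoC, so it is kept above.
        "unattributed_events": sum(e["proc"] == "Process not Found" for e in events),
    }


if __name__ == "__main__":
    print(json.dumps(hunt_list(), indent=2))
```

Run it as-is to see the hunt list for the embedded subset; to use it on the full report, paste the complete registry table and the complete memory-write table into the two string constants (or read them from files). The chain's final entry carries no image name because the last target pid never appears as a writer in the excerpt; the process tree below is where that name (Klfmijae.exe for pid 496 in the full report) comes from.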
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e7b4abab986c9dcebcf57c1b761affcba8933133cc086034499a7245a01b8849.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
-
depth 2: C:\Windows\SysWOW64\Dpfkeb32.exe (command line: C:\Windows\system32\Dpfkeb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660
-
depth 3: C:\Windows\SysWOW64\Enneln32.exe (command line: C:\Windows\system32\Enneln32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
-
depth 4: C:\Windows\SysWOW64\Efmckpko.exe (command line: C:\Windows\system32\Efmckpko.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632
-
depth 5: C:\Windows\SysWOW64\Epfhde32.exe (command line: C:\Windows\system32\Epfhde32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644
-
depth 6: C:\Windows\SysWOW64\Fpokjd32.exe (command line: C:\Windows\system32\Fpokjd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:236
-
depth 7: C:\Windows\SysWOW64\Fkilka32.exe (command line: C:\Windows\system32\Fkilka32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488
-
depth 8: C:\Windows\SysWOW64\Gajjhkgh.exe (command line: C:\Windows\system32\Gajjhkgh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
-
depth 9: C:\Windows\SysWOW64\Gcmcebkc.exe (command line: C:\Windows\system32\Gcmcebkc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628
-
depth 10: C:\Windows\SysWOW64\Hecebm32.exe (command line: C:\Windows\system32\Hecebm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860
-
depth 11: C:\Windows\SysWOW64\Hdjoii32.exe (command line: C:\Windows\system32\Hdjoii32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
-
depth 12: C:\Windows\SysWOW64\Imhqbkbm.exe (command line: C:\Windows\system32\Imhqbkbm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
-
depth 13: C:\Windows\SysWOW64\Immjnj32.exe (command line: C:\Windows\system32\Immjnj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:776
-
depth 14: C:\Windows\SysWOW64\Imacijjb.exe (command line: C:\Windows\system32\Imacijjb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268
-
depth 15: C:\Windows\SysWOW64\Jbnlaqhi.exe (command line: C:\Windows\system32\Jbnlaqhi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876
-
depth 16: C:\Windows\SysWOW64\Jajocl32.exe (command line: C:\Windows\system32\Jajocl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316
-
depth 17: C:\Windows\SysWOW64\Klfmijae.exe (command line: C:\Windows\system32\Klfmijae.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:496
-
depth 18: C:\Windows\SysWOW64\Kijmbnpo.exe (command line: C:\Windows\system32\Kijmbnpo.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760
-
depth 19: C:\Windows\SysWOW64\Klhioioc.exe (command line: C:\Windows\system32\Klhioioc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1356
-
depth 20: C:\Windows\SysWOW64\Lhdcojaa.exe (command line: C:\Windows\system32\Lhdcojaa.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2024
-
depth 21: C:\Windows\SysWOW64\Ldkdckff.exe (command line: C:\Windows\system32\Ldkdckff.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2036
-
depth 22: C:\Windows\SysWOW64\Lmcilp32.exe (command line: C:\Windows\system32\Lmcilp32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1932
-
depth 23: C:\Windows\SysWOW64\Laaabo32.exe (command line: C:\Windows\system32\Laaabo32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2056
-
depth 24: C:\Windows\SysWOW64\Lkifkdjm.exe (command line: C:\Windows\system32\Lkifkdjm.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1916
-
depth 25: C:\Windows\SysWOW64\Miocmq32.exe (command line: C:\Windows\system32\Miocmq32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2816
-
depth 26: C:\Windows\SysWOW64\Meecaa32.exe (command line: C:\Windows\system32\Meecaa32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2104
-
depth 27: C:\Windows\SysWOW64\Mehpga32.exe (command line: C:\Windows\system32\Mehpga32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2808
-
depth 28: C:\Windows\SysWOW64\Mejmmqpd.exe (command line: C:\Windows\system32\Mejmmqpd.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2648
-
depth 29: C:\Windows\SysWOW64\Mdojnm32.exe (command line: C:\Windows\system32\Mdojnm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2744
-
depth 30: C:\Windows\SysWOW64\Ndafcmci.exe (command line: C:\Windows\system32\Ndafcmci.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2756
-
depth 31: C:\Windows\SysWOW64\Njnokdaq.exe (command line: C:\Windows\system32\Njnokdaq.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2956
-
depth 32: C:\Windows\SysWOW64\Nfglfdeb.exe (command line: C:\Windows\system32\Nfglfdeb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2576
-
depth 33: C:\Windows\SysWOW64\Nfjildbp.exe (command line: C:\Windows\system32\Nfjildbp.exe)
- Executes dropped EXE
PID:2548
-
depth 34: C:\Windows\SysWOW64\Njhbabif.exe (command line: C:\Windows\system32\Njhbabif.exe)
- Executes dropped EXE
PID:2244
-
depth 35: C:\Windows\SysWOW64\Nhkbmo32.exe (command line: C:\Windows\system32\Nhkbmo32.exe)
- Executes dropped EXE
PID:2428
-
depth 36: C:\Windows\SysWOW64\Omhkcnfg.exe (command line: C:\Windows\system32\Omhkcnfg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:804
-
depth 37: C:\Windows\SysWOW64\Ogbldk32.exe (command line: C:\Windows\system32\Ogbldk32.exe)
- Executes dropped EXE
PID:2108
-
depth 38: C:\Windows\SysWOW64\Obhpad32.exe (command line: C:\Windows\system32\Obhpad32.exe)
- Executes dropped EXE
PID:1696
-
depth 39: C:\Windows\SysWOW64\Oiahnnji.exe (command line: C:\Windows\system32\Oiahnnji.exe)
- Executes dropped EXE
PID:1080
-
depth 40: C:\Windows\SysWOW64\Ojceef32.exe (command line: C:\Windows\system32\Ojceef32.exe)
- Executes dropped EXE
PID:1724
-
depth 41: C:\Windows\SysWOW64\Ockinl32.exe (command line: C:\Windows\system32\Ockinl32.exe)
- Executes dropped EXE
PID:2976
-
depth 42: C:\Windows\SysWOW64\Oqojhp32.exe (command line: C:\Windows\system32\Oqojhp32.exe)
- Executes dropped EXE
PID:752
-
depth 43: C:\Windows\SysWOW64\Pcnfdl32.exe (command line: C:\Windows\system32\Pcnfdl32.exe)
- Executes dropped EXE
PID:1028
-
depth 44: C:\Windows\SysWOW64\Ppdfimji.exe (command line: C:\Windows\system32\Ppdfimji.exe)
- Executes dropped EXE
PID:1804
-
depth 45: C:\Windows\SysWOW64\Pimkbbpi.exe (command line: C:\Windows\system32\Pimkbbpi.exe)
- Executes dropped EXE
PID:1680
-
depth 46: C:\Windows\SysWOW64\Pbepkh32.exe (command line: C:\Windows\system32\Pbepkh32.exe)
- Executes dropped EXE
PID:1412
-
depth 47: C:\Windows\SysWOW64\Pmkdhq32.exe (command line: C:\Windows\system32\Pmkdhq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2988
-
depth 48: C:\Windows\SysWOW64\Pbglpg32.exe (command line: C:\Windows\system32\Pbglpg32.exe)
- Executes dropped EXE
PID:1764
-
depth 49: C:\Windows\SysWOW64\Ppkmjlca.exe (command line: C:\Windows\system32\Ppkmjlca.exe)
- Executes dropped EXE
- Modifies registry class
PID:2640
-
depth 50: C:\Windows\SysWOW64\Pfeeff32.exe (command line: C:\Windows\system32\Pfeeff32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2804
-
depth 51: C:\Windows\SysWOW64\Plbmom32.exe (command line: C:\Windows\system32\Plbmom32.exe)
- Executes dropped EXE
PID:2540
-
depth 52: C:\Windows\SysWOW64\Qekbgbpf.exe (command line: C:\Windows\system32\Qekbgbpf.exe)
- Executes dropped EXE
PID:2704
-
depth 53: C:\Windows\SysWOW64\Qldjdlgb.exe (command line: C:\Windows\system32\Qldjdlgb.exe)
- Executes dropped EXE
PID:3020
-
depth 54: C:\Windows\SysWOW64\Qemomb32.exe (command line: C:\Windows\system32\Qemomb32.exe)
- Executes dropped EXE
PID:1140
-
depth 55: C:\Windows\SysWOW64\Qhkkim32.exe (command line: C:\Windows\system32\Qhkkim32.exe)
- Executes dropped EXE
PID:2444
-
depth 56: C:\Windows\SysWOW64\Adblnnbk.exe (command line: C:\Windows\system32\Adblnnbk.exe)
- Executes dropped EXE
PID:3036
-
depth 57: C:\Windows\SysWOW64\Afqhjj32.exe (command line: C:\Windows\system32\Afqhjj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2028
-
depth 58: C:\Windows\SysWOW64\Ahpddmia.exe (command line: C:\Windows\system32\Ahpddmia.exe)
- Executes dropped EXE
PID:2352
-
depth 59: C:\Windows\SysWOW64\Ajnqphhe.exe (command line: C:\Windows\system32\Ajnqphhe.exe)
- Executes dropped EXE
PID:2068
-
depth 60: C:\Windows\SysWOW64\Adgein32.exe (command line: C:\Windows\system32\Adgein32.exe)
- Executes dropped EXE
PID:2460
-
depth 61: C:\Windows\SysWOW64\Ajamfh32.exe (command line: C:\Windows\system32\Ajamfh32.exe)
- Executes dropped EXE
PID:3004
-
depth 62: C:\Windows\SysWOW64\Amoibc32.exe (command line: C:\Windows\system32\Amoibc32.exe)
- Executes dropped EXE
PID:1604
-
depth 63: C:\Windows\SysWOW64\Afgnkilf.exe (command line: C:\Windows\system32\Afgnkilf.exe)
- Executes dropped EXE
PID:900
-
depth 64: C:\Windows\SysWOW64\Amafgc32.exe (command line: C:\Windows\system32\Amafgc32.exe)
- Executes dropped EXE
PID:1364
-
depth 65: C:\Windows\SysWOW64\Abnopj32.exe (command line: C:\Windows\system32\Abnopj32.exe)
- Executes dropped EXE
PID:1996
-
depth 66: C:\Windows\SysWOW64\Boeoek32.exe (command line: C:\Windows\system32\Boeoek32.exe)
PID:1640
-
depth 67: C:\Windows\SysWOW64\Baclaf32.exe (command line: C:\Windows\system32\Baclaf32.exe)
PID:1304
-
depth 68: C:\Windows\SysWOW64\Bbchkime.exe (command line: C:\Windows\system32\Bbchkime.exe)
PID:2144
-
depth 69: C:\Windows\SysWOW64\Bimphc32.exe (command line: C:\Windows\system32\Bimphc32.exe)
PID:2872
-
depth 70: C:\Windows\SysWOW64\Bhbmip32.exe (command line: C:\Windows\system32\Bhbmip32.exe)
PID:2788
-
depth 71: C:\Windows\SysWOW64\Bnofaf32.exe (command line: C:\Windows\system32\Bnofaf32.exe)
- Drops file in System32 directory
PID:2812
-
depth 72: C:\Windows\SysWOW64\Bkcfjk32.exe (command line: C:\Windows\system32\Bkcfjk32.exe)
PID:2176
-
depth 73: C:\Windows\SysWOW64\Cnabffeo.exe (command line: C:\Windows\system32\Cnabffeo.exe)
PID:2528
-
depth 74: C:\Windows\SysWOW64\Ckecpjdh.exe (command line: C:\Windows\system32\Ckecpjdh.exe)
PID:820
-
depth 75: C:\Windows\SysWOW64\Cncolfcl.exe (command line: C:\Windows\system32\Cncolfcl.exe)
PID:1456
-
depth 76: C:\Windows\SysWOW64\Cjjpag32.exe (command line: C:\Windows\system32\Cjjpag32.exe)
PID:2904
-
depth 77: C:\Windows\SysWOW64\Cpdhna32.exe (command line: C:\Windows\system32\Cpdhna32.exe)
PID:2340
-
depth 78: C:\Windows\SysWOW64\Cgnpjkhj.exe (command line: C:\Windows\system32\Cgnpjkhj.exe)
PID:1388
-
depth 79: C:\Windows\SysWOW64\Cpgecq32.exe (command line: C:\Windows\system32\Cpgecq32.exe)
PID:1816
-
depth 80: C:\Windows\SysWOW64\Cgqmpkfg.exe (command line: C:\Windows\system32\Cgqmpkfg.exe)
- Drops file in System32 directory
PID:1744
-
depth 81: C:\Windows\SysWOW64\Coladm32.exe (command line: C:\Windows\system32\Coladm32.exe)
PID:1988
-
depth 82: C:\Windows\SysWOW64\Cffjagko.exe (command line: C:\Windows\system32\Cffjagko.exe)
PID:1924
-
depth 83: C:\Windows\SysWOW64\Dcjjkkji.exe (command line: C:\Windows\system32\Dcjjkkji.exe)
PID:2852
-
depth 84: C:\Windows\SysWOW64\Doqkpl32.exe (command line: C:\Windows\system32\Doqkpl32.exe)
PID:528
-
depth 85: C:\Windows\SysWOW64\Dhiphb32.exe (command line: C:\Windows\system32\Dhiphb32.exe)
PID:2148
-
depth 86: C:\Windows\SysWOW64\Dhklna32.exe (command line: C:\Windows\system32\Dhklna32.exe)
- Drops file in System32 directory
PID:2724
-
depth 87: C:\Windows\SysWOW64\Djmiejji.exe (command line: C:\Windows\system32\Djmiejji.exe)
- Drops file in System32 directory
PID:1712
-
depth 88: C:\Windows\SysWOW64\Dqfabdaf.exe (command line: C:\Windows\system32\Dqfabdaf.exe)
PID:2580
-
depth 89: C:\Windows\SysWOW64\Djoeki32.exe (command line: C:\Windows\system32\Djoeki32.exe)
PID:2968
-
depth 90: C:\Windows\SysWOW64\Egcfdn32.exe (command line: C:\Windows\system32\Egcfdn32.exe)
PID:2100
-
depth 91: C:\Windows\SysWOW64\Empomd32.exe (command line: C:\Windows\system32\Empomd32.exe)
PID:840
-
depth 92: C:\Windows\SysWOW64\Egebjmdn.exe (command line: C:\Windows\system32\Egebjmdn.exe)
PID:2440
-
depth 93: C:\Windows\SysWOW64\Eqngcc32.exe (command line: C:\Windows\system32\Eqngcc32.exe)
PID:2360
-
depth 94: C:\Windows\SysWOW64\Efjpkj32.exe (command line: C:\Windows\system32\Efjpkj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168
-
depth 95: C:\Windows\SysWOW64\Ekghcq32.exe (command line: C:\Windows\system32\Ekghcq32.exe)
PID:2152
-
depth 96: C:\Windows\SysWOW64\Ebappk32.exe (command line: C:\Windows\system32\Ebappk32.exe)
PID:1960
-
depth 97: C:\Windows\SysWOW64\Elieipej.exe (command line: C:\Windows\system32\Elieipej.exe)
PID:1580
-
depth 98: C:\Windows\SysWOW64\Egpena32.exe (command line: C:\Windows\system32\Egpena32.exe)
PID:1728
-
depth 99: C:\Windows\SysWOW64\Fedfgejh.exe (command line: C:\Windows\system32\Fedfgejh.exe)
- Modifies registry class
PID:2052
-
depth 100: C:\Windows\SysWOW64\Fbhfajia.exe (command line: C:\Windows\system32\Fbhfajia.exe)
PID:1688
-
depth 101: C:\Windows\SysWOW64\Fheoiqgi.exe (command line: C:\Windows\system32\Fheoiqgi.exe)
PID:2776
-
depth 102: C:\Windows\SysWOW64\Famcbf32.exe (command line: C:\Windows\system32\Famcbf32.exe)
PID:3032
-
depth 103: C:\Windows\SysWOW64\Fdlpnamm.exe (command line: C:\Windows\system32\Fdlpnamm.exe)
PID:1568
-
depth 104: C:\Windows\SysWOW64\Fappgflg.exe (command line: C:\Windows\system32\Fappgflg.exe)
PID:1576
-
depth 105: C:\Windows\SysWOW64\Fjhdpk32.exe (command line: C:\Windows\system32\Fjhdpk32.exe)
PID:1300
-
depth 106: C:\Windows\SysWOW64\Gimaah32.exe (command line: C:\Windows\system32\Gimaah32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1808
-
depth 107: C:\Windows\SysWOW64\Gllnnc32.exe (command line: C:\Windows\system32\Gllnnc32.exe)
PID:1200
-
depth 108: C:\Windows\SysWOW64\Gdcfoq32.exe (command line: C:\Windows\system32\Gdcfoq32.exe)
PID:2156
-
depth 109: C:\Windows\SysWOW64\Gipngg32.exe (command line: C:\Windows\system32\Gipngg32.exe)
PID:2160
-
depth 110: C:\Windows\SysWOW64\Gefolhja.exe (command line: C:\Windows\system32\Gefolhja.exe)
PID:2384
-
depth 111: C:\Windows\SysWOW64\Ghekhd32.exe (command line: C:\Windows\system32\Ghekhd32.exe)
PID:1780
-
depth 112: C:\Windows\SysWOW64\Gplcia32.exe (command line: C:\Windows\system32\Gplcia32.exe)
PID:2500
-
depth 113: C:\Windows\SysWOW64\Gidhbgag.exe (command line: C:\Windows\system32\Gidhbgag.exe)
PID:2764
-
depth 114: C:\Windows\SysWOW64\Gaplfinb.exe (command line: C:\Windows\system32\Gaplfinb.exe)
PID:400
-
depth 115: C:\Windows\SysWOW64\Ghidcceo.exe (command line: C:\Windows\system32\Ghidcceo.exe)
PID:2264
-
depth 116: C:\Windows\SysWOW64\Hdpehd32.exe (command line: C:\Windows\system32\Hdpehd32.exe)
PID:300
-
depth 117: C:\Windows\SysWOW64\Hofjem32.exe (command line: C:\Windows\system32\Hofjem32.exe)
PID:1332
-
depth 118: C:\Windows\SysWOW64\Hganjo32.exe (command line: C:\Windows\system32\Hganjo32.exe)
PID:1280
-
depth 119: C:\Windows\SysWOW64\Hnkffi32.exe (command line: C:\Windows\system32\Hnkffi32.exe)
PID:1628
-
depth 120: C:\Windows\SysWOW64\Hdeoccgn.exe (command line: C:\Windows\system32\Hdeoccgn.exe)
PID:1784
-
depth 121: C:\Windows\SysWOW64\Hnmcli32.exe (command line: C:\Windows\system32\Hnmcli32.exe)
PID:1544
-
depth 122: C:\Windows\SysWOW64\Hjddaj32.exe (command line: C:\Windows\system32\Hjddaj32.exe)
PID:2040