Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
05/03/2025, 11:00
Behavioral task
behavioral1
Sample
dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe
Resource
win7-20250207-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe
-
Size
395KB
-
MD5
8fb6d684eaf22946186c8607be233cfc
-
SHA1
fc1714a3ed2e5a80535a7100a24963e9640ff95f
-
SHA256
dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76
-
SHA512
9d8ae828efb3edaa2131f3a758417b44f5f6820f68cea433e4525e3eacefac08cd95eb47531a247cd95791cc04fb7570453e22b0eaa6524f514d15e19a5faf61
-
SSDEEP
6144:PF5G+0mBs4y70u4HXs4yr0u490u4Ds4yvW8lM:214O0dHc4i0d90dA4X
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncanhaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agnkck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjpgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpmpkoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpomem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfkamk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpmpkoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liifnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgeadjai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfndlphp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmnbjcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbklli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqeihbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhobjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Googaaej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggfobofl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkimn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlaoioh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhlepkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knpmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bichcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebagdddp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihpdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfieagka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnoefagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjnnpcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anijjkbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beaohcmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gedfblql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hokgmpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfjee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iadljc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ailabddb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hladlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjamhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bilcol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhcfleff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpcdjho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgnjebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdhgaid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moglpedd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Didjqoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiheheka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dimcppgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogqmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdbpjmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciogobcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeglbeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlkplk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iodjcnca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmpido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcqgahoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgeadjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dehgejep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diopep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcfcmnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imhjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkghi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfcdaehf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkcibdl.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1208 Hgnlmdcp.exe 1656 Hjoeoo32.exe 676 Hjabdo32.exe 4412 Hmpnqj32.exe 4164 Hcifmdeo.exe 4280 Idkpmgjo.exe 4152 Icqmncof.exe 924 Ifaepolg.exe 656 Igqbiacj.exe 1528 Icgbob32.exe 3300 Jcjodbgl.exe 3940 Jfhlpnfp.exe 2812 Jghhjq32.exe 1996 Jjfdfl32.exe 3200 Japmcfcc.exe 4064 Jcoioabf.exe 3976 Jfmekm32.exe 3652 Jndmlj32.exe 5052 Jabiie32.exe 2100 Jmijnfgd.exe 4512 Jaefne32.exe 3620 Jepbodhg.exe 4792 Khonkogj.exe 1092 Knifging.exe 3192 Kmlgcf32.exe 4604 Kebodc32.exe 416 Khakqo32.exe 3724 Kjpgmj32.exe 1132 Knkcmild.exe 3744 Kaioidkh.exe 1084 Kdhlepkl.exe 2104 Khcgfo32.exe 2620 Kjbdbjbi.exe 2668 Kmppneal.exe 4996 Keghocao.exe 4856 Khfdlnab.exe 1692 Kjdqhjpf.exe 2260 Knpmhh32.exe 3880 Kanidd32.exe 1836 Kdmeqo32.exe 4800 Kfkamk32.exe 4600 Kjfmminc.exe 224 Kmeiie32.exe 1820 Lelajb32.exe 3540 Ldoafodd.exe 2476 Lfmnbjcg.exe 2832 Lndfchdj.exe 1668 Lacbpccn.exe 4648 Lennpb32.exe 2796 Lhmjlm32.exe 2376 Ljkghi32.exe 4420 Lmjcdd32.exe 3756 Leqkeajd.exe 4204 Ldckan32.exe 3212 Lfbgmj32.exe 2316 Loiong32.exe 3524 Laglkb32.exe 1196 Ldfhgn32.exe 5128 Lfddci32.exe 5160 Lokldg32.exe 5200 Lajhpbme.exe 5240 Ldhdlnli.exe 5280 Lfgahikm.exe 5320 Lkbmih32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Phbolflm.exe Pfdbpjmi.exe File created C:\Windows\SysWOW64\Ciogobcm.exe Bbeobhlp.exe File created C:\Windows\SysWOW64\Fclddi32.dll Ijgjpaao.exe File opened for modification C:\Windows\SysWOW64\Dlnlak32.exe Diopep32.exe File opened for modification C:\Windows\SysWOW64\Fhllni32.exe Fgjpfqpi.exe File created C:\Windows\SysWOW64\Hfniikha.exe Hgkimn32.exe File created C:\Windows\SysWOW64\Cmefomdo.dll Qjcdih32.exe File created C:\Windows\SysWOW64\Einenbgg.dll Ldckan32.exe File created C:\Windows\SysWOW64\Bkgokhco.dll Ohpiphlb.exe File opened for modification C:\Windows\SysWOW64\Bgmnooom.exe Beobcdoi.exe File created C:\Windows\SysWOW64\Ekakgcih.dll Ioafchai.exe File created C:\Windows\SysWOW64\Khonkogj.exe Jepbodhg.exe File opened for modification C:\Windows\SysWOW64\Lelajb32.exe Kmeiie32.exe File created C:\Windows\SysWOW64\Fbmqcp32.dll Ljkghi32.exe File opened for modification C:\Windows\SysWOW64\Qoocnpag.exe Qghlmbae.exe File created C:\Windows\SysWOW64\Akjnnpcf.exe Ailabddb.exe File created C:\Windows\SysWOW64\Bkhjpn32.exe Bgmnooom.exe File created C:\Windows\SysWOW64\Npliag32.dll Foonjd32.exe File created C:\Windows\SysWOW64\Peqkdjmm.dll Ggafgo32.exe File created C:\Windows\SysWOW64\Ecjchlqh.dll Kjdqhjpf.exe File opened for modification C:\Windows\SysWOW64\Nglcjfie.exe Ndmgnkja.exe File created C:\Windows\SysWOW64\Cpdmho32.dll Oggbfdog.exe File opened for modification C:\Windows\SysWOW64\Gikbneio.exe Fiheheka.exe File created C:\Windows\SysWOW64\Kigmon32.dll Llpofd32.exe File created C:\Windows\SysWOW64\Bomppneg.exe Bkadoo32.exe File created C:\Windows\SysWOW64\Bjbboi32.dll Fhllni32.exe File opened for modification C:\Windows\SysWOW64\Bndblcdq.exe Bkefphem.exe File opened for modification C:\Windows\SysWOW64\Eblgon32.exe Ejdonq32.exe File opened for modification C:\Windows\SysWOW64\Anijjkbj.exe Akjnnpcf.exe File created C:\Windows\SysWOW64\Oakaofpm.dll Aeglbeea.exe File opened for modification C:\Windows\SysWOW64\Epehnhbj.exe Ehnpmkbg.exe File created C:\Windows\SysWOW64\Jncemmid.dll Fidbgm32.exe File created C:\Windows\SysWOW64\Kjlcmdbb.exe Kcbkpj32.exe File created C:\Windows\SysWOW64\Qjcdih32.exe Qgehml32.exe File created C:\Windows\SysWOW64\Okiboajh.dll Elfhmc32.exe File created C:\Windows\SysWOW64\Kmlgcf32.exe Knifging.exe File created C:\Windows\SysWOW64\Dcplke32.dll Kmppneal.exe File created C:\Windows\SysWOW64\Oejcki32.dll Oddmoj32.exe File opened for modification C:\Windows\SysWOW64\Deokja32.exe Cbqonf32.exe File opened for modification C:\Windows\SysWOW64\Gpgnjebd.exe Ghqeihbb.exe File created C:\Windows\SysWOW64\Cfenfhnj.dll Ljhchc32.exe File created C:\Windows\SysWOW64\Iooodacm.dll Mhjpceko.exe File created C:\Windows\SysWOW64\Jnjjekeo.dll Kjnihnmd.exe File opened for modification C:\Windows\SysWOW64\Pbfjjlgc.exe Pohnnqgo.exe File created C:\Windows\SysWOW64\Ancoda32.dll Cpklql32.exe File created C:\Windows\SysWOW64\Kinhljen.dll Cbqonf32.exe File created C:\Windows\SysWOW64\Hnlnbkcc.dll Poagma32.exe File created C:\Windows\SysWOW64\Epehnhbj.exe Ehnpmkbg.exe File created C:\Windows\SysWOW64\Ehpmbj32.exe Eimlgnij.exe File opened for modification C:\Windows\SysWOW64\Flpbnh32.exe Fibfbm32.exe File created C:\Windows\SysWOW64\Kfcdaehf.exe Kpilekqj.exe File created C:\Windows\SysWOW64\Hchqnhej.dll Odaiodbp.exe File created C:\Windows\SysWOW64\Pnjgog32.exe Pacfjfej.exe File created C:\Windows\SysWOW64\Jcoioabf.exe Japmcfcc.exe File created C:\Windows\SysWOW64\Aapkgh32.dll Jabiie32.exe File created C:\Windows\SysWOW64\Lgefmhck.dll Odkcpi32.exe File opened for modification C:\Windows\SysWOW64\Pbdmdlie.exe Poeahaib.exe File created C:\Windows\SysWOW64\Egeflakp.dll Elnehifk.exe File created C:\Windows\SysWOW64\Moglpedd.exe Mgpcohcb.exe File created C:\Windows\SysWOW64\Dlkplk32.exe Dimcppgm.exe File created C:\Windows\SysWOW64\Hcaibo32.exe Hpcmfchg.exe File created C:\Windows\SysWOW64\Hgmebnpd.exe Hcaibo32.exe File created C:\Windows\SysWOW64\Phmknd32.dll Kjamhd32.exe File opened for modification C:\Windows\SysWOW64\Hmpnqj32.exe Hjabdo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11608 11468 WerFault.exe 583 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdmdlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnnofhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjcdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehafq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioafchai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfndlphp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjfmminc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppamjcpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjicl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icqmncof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khfdlnab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eedmlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjcjmclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklciimh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajhpbme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejnlpai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poeahaib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jopiom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbijinfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfhmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjbdbjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbiphhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciogobcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlnlak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpnkdfko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnlmdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oamgcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clmckmcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehifak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Googaaej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbkpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libido32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbldhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhjhlqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcjea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeopnmoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnbapjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldfhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfieagka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didjqoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foonjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhobjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbkgmao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmlgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gheodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmnbjcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhkgnkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeodqocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjieii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkjpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfdfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmeiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noqofdlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmahojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eekjep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmqiec32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goamlkpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofaon32.dll" Glchjedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpcmfchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcifmdeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjmiege.dll" Mgpcohcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhbmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oennph32.dll" Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbckcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhaope32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgpcohcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akogio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odaiodbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjaiac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbijinfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoindndf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gikbneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fidbgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggafgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lennpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpbbak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinndkag.dll" Dlnlak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihheqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqilaplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbmbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glchjedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgoigcip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkonbamc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjpgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npoehn32.dll" Lennpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkjlqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeackh32.dll" Adnilfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkcackeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggafgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbapom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancoda32.dll" Cpklql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnolif32.dll" Efjgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imfmgcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difici32.dll" Qgehml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhflhcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcogflc.dll" Onhhmpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgllad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmbniiil.dll" Mpedgghj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adbkmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqdlmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilhllpbm.dll" Fiheheka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioafchai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodqlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lennpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahadh32.dll" Qdipag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbiej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khcgfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nehjmnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlicflic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfgefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaogacia.dll" Lipmoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nibbklke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbmbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjmkoamp.dll" Ndmgnkja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akjnnpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plogne32.dll" Bfieagka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dimcppgm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4436 wrote to memory of 1208 4436 dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe 84 PID 4436 wrote to memory of 1208 4436 dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe 84 PID 4436 wrote to memory of 1208 4436 dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe 84 PID 1208 wrote to memory of 1656 1208 Hgnlmdcp.exe 86 PID 1208 wrote to memory of 1656 1208 Hgnlmdcp.exe 86 PID 1208 wrote to memory of 1656 1208 Hgnlmdcp.exe 86 PID 1656 wrote to memory of 676 1656 Hjoeoo32.exe 87 PID 1656 wrote to memory of 676 1656 Hjoeoo32.exe 87 PID 1656 wrote to memory of 676 1656 Hjoeoo32.exe 87 PID 676 wrote to memory of 4412 676 Hjabdo32.exe 88 PID 676 wrote to memory of 4412 676 Hjabdo32.exe 88 PID 676 wrote to memory of 4412 676 Hjabdo32.exe 88 PID 4412 wrote to memory of 4164 4412 Hmpnqj32.exe 89 PID 4412 wrote to memory of 4164 4412 Hmpnqj32.exe 89 PID 4412 wrote to memory of 4164 4412 Hmpnqj32.exe 89 PID 4164 wrote to memory of 4280 4164 Hcifmdeo.exe 91 PID 4164 wrote to memory of 4280 4164 Hcifmdeo.exe 91 PID 4164 wrote to memory of 4280 4164 Hcifmdeo.exe 91 PID 4280 wrote to memory of 4152 4280 Idkpmgjo.exe 93 PID 4280 wrote to memory of 4152 4280 Idkpmgjo.exe 93 PID 4280 wrote to memory of 4152 4280 Idkpmgjo.exe 93 PID 4152 wrote to memory of 924 4152 Icqmncof.exe 94 PID 4152 wrote to memory of 924 4152 Icqmncof.exe 94 PID 4152 wrote to memory of 924 4152 Icqmncof.exe 94 PID 924 wrote to memory of 656 924 Ifaepolg.exe 96 PID 924 wrote to memory of 656 924 Ifaepolg.exe 96 PID 924 wrote to memory of 656 924 Ifaepolg.exe 96 PID 656 wrote to memory of 1528 656 Igqbiacj.exe 97 PID 656 wrote to memory of 1528 656 Igqbiacj.exe 97 PID 656 wrote to memory of 1528 656 Igqbiacj.exe 97 PID 1528 wrote to memory of 3300 1528 Icgbob32.exe 98 PID 1528 wrote to memory of 3300 1528 Icgbob32.exe 98 PID 1528 wrote to memory of 3300 1528 Icgbob32.exe 98 PID 3300 wrote to memory of 3940 3300 Jcjodbgl.exe 99 PID 3300 wrote to memory of 3940 3300 Jcjodbgl.exe 99 PID 3300 wrote to memory of 3940 3300 Jcjodbgl.exe 99 PID 3940 wrote to memory of 2812 3940 Jfhlpnfp.exe 101 PID 3940 wrote to memory of 2812 3940 Jfhlpnfp.exe 101 PID 3940 wrote to memory of 2812 3940 Jfhlpnfp.exe 101 PID 2812 wrote to memory of 1996 2812 Jghhjq32.exe 102 PID 2812 wrote to memory of 1996 2812 Jghhjq32.exe 102 PID 2812 wrote to memory of 1996 2812 Jghhjq32.exe 102 PID 1996 wrote to memory of 3200 1996 Jjfdfl32.exe 103 PID 1996 wrote to memory of 3200 1996 Jjfdfl32.exe 103 PID 1996 wrote to memory of 3200 1996 Jjfdfl32.exe 103 PID 3200 wrote to memory of 4064 3200 Japmcfcc.exe 104 PID 3200 wrote to memory of 4064 3200 Japmcfcc.exe 104 PID 3200 wrote to memory of 4064 3200 Japmcfcc.exe 104 PID 4064 wrote to memory of 3976 4064 Jcoioabf.exe 105 PID 4064 wrote to memory of 3976 4064 Jcoioabf.exe 105 PID 4064 wrote to memory of 3976 4064 Jcoioabf.exe 105 PID 3976 wrote to memory of 3652 3976 Jfmekm32.exe 106 PID 3976 wrote to memory of 3652 3976 Jfmekm32.exe 106 PID 3976 wrote to memory of 3652 3976 Jfmekm32.exe 106 PID 3652 wrote to memory of 5052 3652 Jndmlj32.exe 107 PID 3652 wrote to memory of 5052 3652 Jndmlj32.exe 107 PID 3652 wrote to memory of 5052 3652 Jndmlj32.exe 107 PID 5052 wrote to memory of 2100 5052 Jabiie32.exe 108 PID 5052 wrote to memory of 2100 5052 Jabiie32.exe 108 PID 5052 wrote to memory of 2100 5052 Jabiie32.exe 108 PID 2100 wrote to memory of 4512 2100 Jmijnfgd.exe 109 PID 2100 wrote to memory of 4512 2100 Jmijnfgd.exe 109 PID 2100 wrote to memory of 4512 2100 Jmijnfgd.exe 109 PID 4512 wrote to memory of 3620 4512 Jaefne32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe"C:\Users\Admin\AppData\Local\Temp\dbc849898d2e7134264dbeb68cefe254f0e18865506b0ccce998b8b855063b76.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Hcifmdeo.exeC:\Windows\system32\Hcifmdeo.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Idkpmgjo.exeC:\Windows\system32\Idkpmgjo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Icqmncof.exeC:\Windows\system32\Icqmncof.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Igqbiacj.exeC:\Windows\system32\Igqbiacj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Jfhlpnfp.exeC:\Windows\system32\Jfhlpnfp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Jjfdfl32.exeC:\Windows\system32\Jjfdfl32.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Japmcfcc.exeC:\Windows\system32\Japmcfcc.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Jfmekm32.exeC:\Windows\system32\Jfmekm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Jabiie32.exeC:\Windows\system32\Jabiie32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Jmijnfgd.exeC:\Windows\system32\Jmijnfgd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Jaefne32.exeC:\Windows\system32\Jaefne32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Jepbodhg.exeC:\Windows\system32\Jepbodhg.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe24⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Knifging.exeC:\Windows\system32\Knifging.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3192 -
C:\Windows\SysWOW64\Kebodc32.exeC:\Windows\system32\Kebodc32.exe27⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Khakqo32.exeC:\Windows\system32\Khakqo32.exe28⤵
- Executes dropped EXE
PID:416 -
C:\Windows\SysWOW64\Kjpgmj32.exeC:\Windows\system32\Kjpgmj32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\Knkcmild.exeC:\Windows\system32\Knkcmild.exe30⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Kaioidkh.exeC:\Windows\system32\Kaioidkh.exe31⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Kdhlepkl.exeC:\Windows\system32\Kdhlepkl.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Kjbdbjbi.exeC:\Windows\system32\Kjbdbjbi.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Kmppneal.exeC:\Windows\system32\Kmppneal.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Keghocao.exeC:\Windows\system32\Keghocao.exe36⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Khfdlnab.exeC:\Windows\system32\Khfdlnab.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Windows\SysWOW64\Kjdqhjpf.exeC:\Windows\system32\Kjdqhjpf.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe40⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Kdmeqo32.exeC:\Windows\system32\Kdmeqo32.exe41⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4600 -
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:224 -
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe45⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe46⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe48⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe49⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4648 -
C:\Windows\SysWOW64\Lhmjlm32.exeC:\Windows\system32\Lhmjlm32.exe51⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ljkghi32.exeC:\Windows\system32\Ljkghi32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe54⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Ldckan32.exeC:\Windows\system32\Ldckan32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Lfbgmj32.exeC:\Windows\system32\Lfbgmj32.exe56⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Loiong32.exeC:\Windows\system32\Loiong32.exe57⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe58⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe60⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe61⤵
- Executes dropped EXE
PID:5160 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe63⤵
- Executes dropped EXE
PID:5240 -
C:\Windows\SysWOW64\Lfgahikm.exeC:\Windows\system32\Lfgahikm.exe64⤵
- Executes dropped EXE
PID:5280 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe65⤵
- Executes dropped EXE
PID:5320 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe66⤵
- System Location Discovery: System Language Discovery
PID:5360 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe67⤵
- System Location Discovery: System Language Discovery
PID:5400 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5440 -
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe69⤵PID:5480
-
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe70⤵PID:5524
-
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe71⤵
- System Location Discovery: System Language Discovery
PID:5560 -
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe72⤵
- System Location Discovery: System Language Discovery
PID:5600 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe73⤵PID:5640
-
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe74⤵PID:5680
-
C:\Windows\SysWOW64\Mdokmm32.exeC:\Windows\system32\Mdokmm32.exe75⤵PID:5720
-
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe76⤵
- System Location Discovery: System Language Discovery
PID:5760 -
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe77⤵PID:5800
-
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe78⤵PID:5836
-
C:\Windows\SysWOW64\Mackfa32.exeC:\Windows\system32\Mackfa32.exe79⤵PID:5876
-
C:\Windows\SysWOW64\Mdagbl32.exeC:\Windows\system32\Mdagbl32.exe80⤵PID:5912
-
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5988 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe83⤵PID:6032
-
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe84⤵PID:6068
-
C:\Windows\SysWOW64\Mhppik32.exeC:\Windows\system32\Mhppik32.exe85⤵PID:6112
-
C:\Windows\SysWOW64\Mknlef32.exeC:\Windows\system32\Mknlef32.exe86⤵PID:1620
-
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe87⤵PID:5092
-
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe88⤵PID:1408
-
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe90⤵PID:1020
-
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3636 -
C:\Windows\SysWOW64\Nefmgogl.exeC:\Windows\system32\Nefmgogl.exe92⤵PID:3296
-
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe93⤵PID:5176
-
C:\Windows\SysWOW64\Nonbqd32.exeC:\Windows\system32\Nonbqd32.exe94⤵PID:5232
-
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe95⤵PID:5312
-
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe96⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Nhffijdm.exeC:\Windows\system32\Nhffijdm.exe97⤵PID:5472
-
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe98⤵
- System Location Discovery: System Language Discovery
PID:5536 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe99⤵PID:5596
-
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Nglcjfie.exeC:\Windows\system32\Nglcjfie.exe101⤵PID:5744
-
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe102⤵PID:5812
-
C:\Windows\SysWOW64\Naaghoik.exeC:\Windows\system32\Naaghoik.exe103⤵PID:5868
-
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5940 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1056 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe106⤵
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe107⤵
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe108⤵
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe109⤵PID:4932
-
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3600 -
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe111⤵PID:468
-
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe112⤵PID:5196
-
C:\Windows\SysWOW64\Oddmoj32.exeC:\Windows\system32\Oddmoj32.exe113⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe114⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe115⤵PID:5584
-
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe116⤵
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe117⤵PID:5824
-
C:\Windows\SysWOW64\Odgjdibf.exeC:\Windows\system32\Odgjdibf.exe118⤵PID:6180
-
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe119⤵PID:6220
-
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe120⤵PID:6268
-
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe121⤵PID:6300
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-