Analysis
-
max time kernel
98s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/08/2024, 05:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe
-
Size
55KB
-
MD5
cbbe82917231b69c3baa4930aa1ec98b
-
SHA1
74b332cdde2f0bb59dec1e342a2f5160c9ff6e62
-
SHA256
fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b
-
SHA512
11d3993e8cd36b89248b36528de31c09eaedbd12d2d5cfa4f926942b2d9051e51068c820080b9ceaa80ecd8e174534f01ed09f1eb9eb7fb172b72e31f272be9a
-
SSDEEP
1536:1FSyV36s7zvYqzA82HPPuoihxu+NXVZHHQjG3vll:1kAKKzh2H+oihxu+NXVZnDvll
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diffglam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efeihb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiehpahb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlbkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngcje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doaneiop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opadhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdajb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebjdgmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjnhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmgfedl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpqil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gahjgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkcogno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajeadd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkgnfhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ollnhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmqnobn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghklce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eipinkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijogmdqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnbbqpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmaamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgbld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclkgccf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keakgpko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midfokpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjomap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoofle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhahaiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfheo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neoieenp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbdopck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlfpdh32.exe -
Executes dropped EXE 64 IoCs
pid Process 3280 Ehfjah32.exe 448 Ekefmc32.exe 4988 Eejjjl32.exe 1956 Eglgbdep.exe 2580 Eobocb32.exe 3416 Eemgplno.exe 684 Ehkclgmb.exe 4844 Ekiohclf.exe 5096 Emhldnkj.exe 4784 Feocelll.exe 808 Fdbdah32.exe 4736 Fgppmd32.exe 3156 Fnjhjn32.exe 1584 Feapkk32.exe 2412 Fgbmccpg.exe 1296 Fahaplon.exe 3840 Fdfmlhna.exe 3540 Fgeihcme.exe 4872 Folaiqng.exe 3508 Fefjfked.exe 3324 Fggfnc32.exe 5068 Fonnop32.exe 3368 Famjkl32.exe 2772 Fgjccb32.exe 616 Fnckpmql.exe 1692 Ghipne32.exe 2964 Gaadfkgc.exe 2712 Ghklce32.exe 4016 Goedpofl.exe 232 Ghniielm.exe 432 Gohaeo32.exe 744 Ggcfja32.exe 1208 Gojnko32.exe 3084 Gahjgj32.exe 1032 Gfdfgiid.exe 4084 Ggeboaob.exe 1076 Goljqnpd.exe 1036 Hnoklk32.exe 216 Hdicienl.exe 4244 Hghoeqmp.exe 5028 Hkckeo32.exe 1040 Hnagak32.exe 3260 Hfipbh32.exe 1428 Hdlpneli.exe 3068 Hkehkocf.exe 3868 Hfklhhcl.exe 5000 Hhihdcbp.exe 1588 Hkhdqoac.exe 3624 Hbbmmi32.exe 1760 Hgoeep32.exe 4864 Hofmfmhj.exe 4876 Hfpecg32.exe 3528 Hgabkoee.exe 1984 Ibffhhek.exe 4508 Idebdcdo.exe 3276 Igcoqocb.exe 4764 Inmgmijo.exe 1496 Iickkbje.exe 4236 Iomcgl32.exe 3492 Ifgldfio.exe 4348 Iiehpahb.exe 1672 Inbqhhfj.exe 2976 Ifihif32.exe 2496 Igjeanmj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Podmkm32.exe Phjenbhp.exe File created C:\Windows\SysWOW64\Eghoda32.dll Kilpmh32.exe File created C:\Windows\SysWOW64\Fmkgkapm.exe Fdccbl32.exe File created C:\Windows\SysWOW64\Gfheof32.exe Gdjibj32.exe File opened for modification C:\Windows\SysWOW64\Dbpjaeoc.exe Doaneiop.exe File opened for modification C:\Windows\SysWOW64\Hhihdcbp.exe Hfklhhcl.exe File opened for modification C:\Windows\SysWOW64\Hglaej32.exe Haoimcgg.exe File created C:\Windows\SysWOW64\Qdphngfl.exe Qaalblgi.exe File created C:\Windows\SysWOW64\Gghpel32.dll Qhlkilba.exe File created C:\Windows\SysWOW64\Gfokoelp.exe Gdaociml.exe File created C:\Windows\SysWOW64\Gafian32.dll Pjehmfch.exe File created C:\Windows\SysWOW64\Ooiolbic.dll Qljjjqlc.exe File opened for modification C:\Windows\SysWOW64\Kecabifp.exe Kniieo32.exe File created C:\Windows\SysWOW64\Liqihglg.exe Lbgalmej.exe File opened for modification C:\Windows\SysWOW64\Mngegmbc.exe Llhikacp.exe File created C:\Windows\SysWOW64\Oaompd32.exe Ooqqdi32.exe File opened for modification C:\Windows\SysWOW64\Aodogdmn.exe Aleckinj.exe File created C:\Windows\SysWOW64\Klcekpdo.exe Knqepc32.exe File created C:\Windows\SysWOW64\Flafeh32.dll Jdmgfedl.exe File created C:\Windows\SysWOW64\Ohcpka32.dll Alkijdci.exe File created C:\Windows\SysWOW64\Egbcih32.dll Ifmqfm32.exe File created C:\Windows\SysWOW64\Jleijb32.exe Jiglnf32.exe File created C:\Windows\SysWOW64\Iophkojl.dll Kmaopfjm.exe File opened for modification C:\Windows\SysWOW64\Knnhjcog.exe Kjblje32.exe File created C:\Windows\SysWOW64\Dolqpa32.dll Ljeafb32.exe File created C:\Windows\SysWOW64\Hlnchmib.dll Fdfmlhna.exe File created C:\Windows\SysWOW64\Lhkgoiqe.exe Lemkcnaa.exe File opened for modification C:\Windows\SysWOW64\Ckmehb32.exe Cioilg32.exe File created C:\Windows\SysWOW64\Hcmbee32.exe Hpofii32.exe File opened for modification C:\Windows\SysWOW64\Ompfej32.exe Ojajin32.exe File created C:\Windows\SysWOW64\Fcppfn32.dll Neppokal.exe File created C:\Windows\SysWOW64\Dckhejil.dll Iddljmpc.exe File opened for modification C:\Windows\SysWOW64\Lnbklm32.exe Lldopb32.exe File created C:\Windows\SysWOW64\Jfniqp32.dll Oodcdb32.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Mgnlkfal.exe File created C:\Windows\SysWOW64\Aknifq32.exe Alkijdci.exe File created C:\Windows\SysWOW64\Aablof32.dll Kgiiiidd.exe File created C:\Windows\SysWOW64\Jjdjoane.exe Jgenbfoa.exe File created C:\Windows\SysWOW64\Klobfk32.dll Allpejfe.exe File created C:\Windows\SysWOW64\Achegd32.exe Akamff32.exe File opened for modification C:\Windows\SysWOW64\Glcaambb.exe Fideeaco.exe File created C:\Windows\SysWOW64\Iinqbn32.exe Icdheded.exe File created C:\Windows\SysWOW64\Hfcnpn32.exe Hlnjbedi.exe File opened for modification C:\Windows\SysWOW64\Iipfmggc.exe Ibfnqmpf.exe File created C:\Windows\SysWOW64\Lfodbqfa.exe Loglacfo.exe File created C:\Windows\SysWOW64\Nibbqicm.exe Ngdfdmdi.exe File created C:\Windows\SysWOW64\Mkellk32.dll Aleckinj.exe File created C:\Windows\SysWOW64\Bgeemcfc.dll Nnbnhedj.exe File opened for modification C:\Windows\SysWOW64\Oacoqnci.exe Oodcdb32.exe File opened for modification C:\Windows\SysWOW64\Nefped32.exe Nkqkhk32.exe File opened for modification C:\Windows\SysWOW64\Gbofcghl.exe Gpqjglii.exe File created C:\Windows\SysWOW64\Ohcegi32.exe Nmnqjp32.exe File created C:\Windows\SysWOW64\Eofgpikj.exe Eiloco32.exe File opened for modification C:\Windows\SysWOW64\Qaqegecm.exe Qobhkjdi.exe File created C:\Windows\SysWOW64\Gqhejb32.dll Gikdkj32.exe File created C:\Windows\SysWOW64\Ckkpjkai.dll Ncchae32.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Qhjmdp32.exe File created C:\Windows\SysWOW64\Ejbbmnnb.exe Edhjqc32.exe File created C:\Windows\SysWOW64\Egdeookg.dll Mehcdfch.exe File opened for modification C:\Windows\SysWOW64\Icfekc32.exe Ilmmni32.exe File created C:\Windows\SysWOW64\Ehqkihfg.dll Ncabfkqo.exe File created C:\Windows\SysWOW64\Lhnjoi32.dll Flkdfh32.exe File opened for modification C:\Windows\SysWOW64\Ghipne32.exe Fnckpmql.exe File created C:\Windows\SysWOW64\Cdjnam32.dll Ackigjmh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7060 6920 WerFault.exe 1105 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhpimhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmaamn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monjjgkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iickkbje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdjehhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnemi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqdegaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meamcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahaplon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfmlhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpolgoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biadeoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aleckinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmojenc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehfjah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkcogno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklbmllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpahpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheplb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnqfcbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnikdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjillkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqdoem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgemcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedbahod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijnep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoadlfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eglgbdep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibffhhek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqihglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnlkfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkehkocf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlleaeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgeee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdheded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phonha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhijijbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkidohn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diicml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlklkgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjhfpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njoddaaj.dll" Cfcjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ompfej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioqgiibk.dll" Hcblpdgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipeeobbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlimed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkehkocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbidda32.dll" Bjlgdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnnkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfbaonae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdqlliil.dll" Cioilg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcjcf32.dll" Mlpeff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikndgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poomegpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejljgqdp.dll" Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmphblgf.dll" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhkgoiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nheble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgdfa32.dll" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiobodkp.dll" Acnemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkhgb32.dll" Qcbfakec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlgdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkcfid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hckeoeno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiehpahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcjifm32.dll" Jkodhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmgghbe.dll" Hjlkge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnplfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmcpd32.dll" Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbdadm32.dll" Onkidm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gohaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciepangh.dll" Llbidimc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mngegmbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kldmckic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgabcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgkhpld.dll" Lfodbqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinqbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll" Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaadfkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeekll32.dll" Ehailbaa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3220 wrote to memory of 3280 3220 fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe 81 PID 3220 wrote to memory of 3280 3220 fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe 81 PID 3220 wrote to memory of 3280 3220 fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe 81 PID 3280 wrote to memory of 448 3280 Ehfjah32.exe 82 PID 3280 wrote to memory of 448 3280 Ehfjah32.exe 82 PID 3280 wrote to memory of 448 3280 Ehfjah32.exe 82 PID 448 wrote to memory of 4988 448 Ekefmc32.exe 84 PID 448 wrote to memory of 4988 448 Ekefmc32.exe 84 PID 448 wrote to memory of 4988 448 Ekefmc32.exe 84 PID 4988 wrote to memory of 1956 4988 Eejjjl32.exe 85 PID 4988 wrote to memory of 1956 4988 Eejjjl32.exe 85 PID 4988 wrote to memory of 1956 4988 Eejjjl32.exe 85 PID 1956 wrote to memory of 2580 1956 Eglgbdep.exe 87 PID 1956 wrote to memory of 2580 1956 Eglgbdep.exe 87 PID 1956 wrote to memory of 2580 1956 Eglgbdep.exe 87 PID 2580 wrote to memory of 3416 2580 Eobocb32.exe 88 PID 2580 wrote to memory of 3416 2580 Eobocb32.exe 88 PID 2580 wrote to memory of 3416 2580 Eobocb32.exe 88 PID 3416 wrote to memory of 684 3416 Eemgplno.exe 89 PID 3416 wrote to memory of 684 3416 Eemgplno.exe 89 PID 3416 wrote to memory of 684 3416 Eemgplno.exe 89 PID 684 wrote to memory of 4844 684 Ehkclgmb.exe 90 PID 684 wrote to memory of 4844 684 Ehkclgmb.exe 90 PID 684 wrote to memory of 4844 684 Ehkclgmb.exe 90 PID 4844 wrote to memory of 5096 4844 Ekiohclf.exe 91 PID 4844 wrote to memory of 5096 4844 Ekiohclf.exe 91 PID 4844 wrote to memory of 5096 4844 Ekiohclf.exe 91 PID 5096 wrote to memory of 4784 5096 Emhldnkj.exe 92 PID 5096 wrote to memory of 4784 5096 Emhldnkj.exe 92 PID 5096 wrote to memory of 4784 5096 Emhldnkj.exe 92 PID 4784 wrote to memory of 808 4784 Feocelll.exe 93 PID 4784 wrote to memory of 808 4784 Feocelll.exe 93 PID 4784 wrote to memory of 808 4784 Feocelll.exe 93 PID 808 wrote to memory of 4736 808 Fdbdah32.exe 94 PID 808 wrote to memory of 4736 808 Fdbdah32.exe 94 PID 808 wrote to memory of 4736 808 Fdbdah32.exe 94 PID 4736 wrote to memory of 3156 4736 Fgppmd32.exe 96 PID 4736 wrote to memory of 3156 4736 Fgppmd32.exe 96 PID 4736 wrote to memory of 3156 4736 Fgppmd32.exe 96 PID 3156 wrote to memory of 1584 3156 Fnjhjn32.exe 97 PID 3156 wrote to memory of 1584 3156 Fnjhjn32.exe 97 PID 3156 wrote to memory of 1584 3156 Fnjhjn32.exe 97 PID 1584 wrote to memory of 2412 1584 Feapkk32.exe 98 PID 1584 wrote to memory of 2412 1584 Feapkk32.exe 98 PID 1584 wrote to memory of 2412 1584 Feapkk32.exe 98 PID 2412 wrote to memory of 1296 2412 Fgbmccpg.exe 99 PID 2412 wrote to memory of 1296 2412 Fgbmccpg.exe 99 PID 2412 wrote to memory of 1296 2412 Fgbmccpg.exe 99 PID 1296 wrote to memory of 3840 1296 Fahaplon.exe 100 PID 1296 wrote to memory of 3840 1296 Fahaplon.exe 100 PID 1296 wrote to memory of 3840 1296 Fahaplon.exe 100 PID 3840 wrote to memory of 3540 3840 Fdfmlhna.exe 101 PID 3840 wrote to memory of 3540 3840 Fdfmlhna.exe 101 PID 3840 wrote to memory of 3540 3840 Fdfmlhna.exe 101 PID 3540 wrote to memory of 4872 3540 Fgeihcme.exe 102 PID 3540 wrote to memory of 4872 3540 Fgeihcme.exe 102 PID 3540 wrote to memory of 4872 3540 Fgeihcme.exe 102 PID 4872 wrote to memory of 3508 4872 Folaiqng.exe 103 PID 4872 wrote to memory of 3508 4872 Folaiqng.exe 103 PID 4872 wrote to memory of 3508 4872 Folaiqng.exe 103 PID 3508 wrote to memory of 3324 3508 Fefjfked.exe 104 PID 3508 wrote to memory of 3324 3508 Fefjfked.exe 104 PID 3508 wrote to memory of 3324 3508 Fefjfked.exe 104 PID 3324 wrote to memory of 5068 3324 Fggfnc32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe"C:\Users\Admin\AppData\Local\Temp\fb092c337768111840f460c70420d6344c145d0ee0af835baf3e30733d504f5b.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe23⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe24⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe27⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe30⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe31⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe33⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe34⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe36⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe37⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe38⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe39⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe40⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe41⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe42⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe43⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe44⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe45⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3868 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe48⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe49⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe50⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe51⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe52⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe53⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe54⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe56⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe57⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe58⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe60⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe61⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe63⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe64⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe65⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe66⤵PID:4156
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe67⤵PID:4192
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe68⤵PID:4556
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe69⤵PID:760
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe70⤵PID:2024
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe71⤵PID:3928
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe72⤵PID:3792
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe73⤵PID:3908
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe75⤵PID:772
-
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe76⤵
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe77⤵PID:3172
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe78⤵PID:364
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe79⤵PID:1404
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe80⤵PID:4488
-
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe81⤵
- Modifies registry class
PID:4160 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe82⤵PID:4796
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe83⤵PID:4720
-
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe84⤵PID:408
-
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe85⤵PID:4132
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe86⤵PID:4136
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3176 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe89⤵PID:2128
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe90⤵PID:1504
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe91⤵PID:1396
-
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe92⤵PID:3040
-
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe93⤵PID:1412
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe94⤵
- System Location Discovery: System Language Discovery
PID:392 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe95⤵
- System Location Discovery: System Language Discovery
PID:436 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe96⤵
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe97⤵PID:3968
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe98⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe99⤵PID:3212
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe100⤵PID:3136
-
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe101⤵
- Drops file in System32 directory
PID:4564 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe102⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe103⤵PID:4792
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe104⤵PID:1364
-
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe105⤵
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe106⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe107⤵
- Modifies registry class
PID:3272 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe108⤵PID:1952
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe109⤵PID:4560
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe110⤵PID:4856
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe111⤵
- System Location Discovery: System Language Discovery
PID:3552 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe112⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe113⤵PID:4340
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe115⤵PID:916
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe116⤵PID:4944
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe117⤵PID:1972
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe118⤵PID:5144
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe119⤵PID:5184
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe120⤵PID:5228
-
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe121⤵PID:5264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-