Analysis
-
max time kernel
145s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2024 02:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011.exe
-
Size
95KB
-
MD5
c58fb75df3f2327f1e5841ec041320ee
-
SHA1
f19d85aabc053c8b782fe415a5faba65e7113180
-
SHA256
cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011
-
SHA512
4fb1fedace7ead31be519db916d466a3dddfc15020ffcd240dd122d8ea42047fd6fd20b750c3915da7f31c13880bf477d876ae0b445aea19d0321af85dab34b1
-
SSDEEP
1536:ls+ph3icL5ubxlZbcpNUYlUeleHxy4SaSPA0KRcvG/6666666vLERQrJRVRoRcha:xvS66uPKSYD6666666vLEetTWM1dQrTH
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijcahd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahdpjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilphdlqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oejbfmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pajeam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoepebho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mljmhflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcniglmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndflak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoaojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onmfimga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdbhkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naaqofgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olijhmgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommceclc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clgbmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihbponja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajgkfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qlgpod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enkmfolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eomffaag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjpjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gilapgqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcblpdgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkmjjaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljbnfleo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqkiok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghghb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdpelnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggaah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efeihb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebejfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjibj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akglloai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfohgqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfenglqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmgiaig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppqqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpdnjple.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnjdpaki.exe -
Executes dropped EXE 64 IoCs
pid Process 4848 Fdamgb32.exe 4932 Fineoi32.exe 1872 Fphnlcdo.exe 1296 Fagjfflb.exe 2940 Fdffbake.exe 4768 Fajgkfio.exe 2836 Fdhcgaic.exe 3200 Falcae32.exe 4408 Gkdhjknm.exe 636 Gaopfe32.exe 1416 Gdmmbq32.exe 4064 Gaamlecg.exe 1608 Gilapgqb.exe 4832 Ghmbno32.exe 1588 Gklnjj32.exe 3232 Gphgbafl.exe 1104 Ggbook32.exe 3812 Gahcmd32.exe 1020 Gpkchqdj.exe 1644 Hpmpnp32.exe 460 Hgghjjid.exe 2008 Hdkidohn.exe 1132 Hncmmd32.exe 1516 Hhiajmod.exe 1128 Hpdfnolo.exe 772 Hjlkge32.exe 400 Igqkqiai.exe 4304 Ijogmdqm.exe 2160 Iqipio32.exe 2592 Idghpmnp.exe 3592 Ijcahd32.exe 3124 Inomhbeq.exe 1772 Iqmidndd.exe 4868 Iggaah32.exe 2568 Ijfnmc32.exe 1544 Ibmeoq32.exe 1360 Indfca32.exe 5008 Jkhgmf32.exe 1924 Jqdoem32.exe 1204 Jkjcbe32.exe 4428 Jdbhkk32.exe 4844 Jbfheo32.exe 988 Jkomneim.exe 1708 Jbiejoaj.exe 1764 Jibmgi32.exe 2960 Jnpfop32.exe 2600 Kghjhemo.exe 4888 Kbmoen32.exe 4264 Kkfcndce.exe 1944 Kndojobi.exe 4884 Kkhpdcab.exe 4472 Kbbhqn32.exe 2316 Kgopidgf.exe 4876 Kecabifp.exe 5004 Lbgalmej.exe 4044 Lbinam32.exe 4792 Legjmh32.exe 3832 Lgffic32.exe 4556 Lkabjbih.exe 2280 Lnpofnhk.exe 3180 Lankbigo.exe 3176 Lldopb32.exe 228 Lbngllob.exe 1672 Lelchgne.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eephln32.dll Ikdcmpnl.exe File created C:\Windows\SysWOW64\Qgngnj32.dll Jlobkg32.exe File created C:\Windows\SysWOW64\Poimpapp.exe Plkpcfal.exe File created C:\Windows\SysWOW64\Aefjii32.exe Anobgl32.exe File created C:\Windows\SysWOW64\Nqdmimbf.dll Gbchdp32.exe File created C:\Windows\SysWOW64\Dkhgod32.exe Dqbcbkab.exe File opened for modification C:\Windows\SysWOW64\Gilapgqb.exe Gaamlecg.exe File opened for modification C:\Windows\SysWOW64\Pkenjh32.exe Pamiaboj.exe File opened for modification C:\Windows\SysWOW64\Ebkbbmqj.exe Eomffaag.exe File created C:\Windows\SysWOW64\Fgeaiknl.dll Klfaapbl.exe File created C:\Windows\SysWOW64\Dkekjdck.exe Dgjoif32.exe File created C:\Windows\SysWOW64\Ljpaqmgb.exe Laiipofp.exe File created C:\Windows\SysWOW64\Ememkjeq.dll Knooej32.exe File created C:\Windows\SysWOW64\Fklenm32.dll Plpjoe32.exe File created C:\Windows\SysWOW64\Mnhdgpii.exe Mfqlfb32.exe File opened for modification C:\Windows\SysWOW64\Aphnnafb.exe Aogbfi32.exe File created C:\Windows\SysWOW64\Lielhgaa.dll Aaldccip.exe File created C:\Windows\SysWOW64\Iqmidndd.exe Inomhbeq.exe File created C:\Windows\SysWOW64\Gnepna32.exe Gmdcfidg.exe File created C:\Windows\SysWOW64\Omgmeigd.exe Ofmdio32.exe File created C:\Windows\SysWOW64\Gbnhoj32.exe Gpolbo32.exe File opened for modification C:\Windows\SysWOW64\Hhimhobl.exe Hejqldci.exe File created C:\Windows\SysWOW64\Mfenglqf.exe Mokfja32.exe File opened for modification C:\Windows\SysWOW64\Indfca32.exe Ibmeoq32.exe File opened for modification C:\Windows\SysWOW64\Neqopnhb.exe Nmigoagp.exe File created C:\Windows\SysWOW64\Nhmofj32.exe Nenbjo32.exe File created C:\Windows\SysWOW64\Cagdge32.dll Egened32.exe File created C:\Windows\SysWOW64\Ecipcemb.dll Fgcjfbed.exe File created C:\Windows\SysWOW64\Dgcaaddl.dll Nhpbfpka.exe File opened for modification C:\Windows\SysWOW64\Aoofle32.exe Alqjpi32.exe File opened for modification C:\Windows\SysWOW64\Kghjhemo.exe Jnpfop32.exe File created C:\Windows\SysWOW64\Kjmejc32.dll Dkekjdck.exe File opened for modification C:\Windows\SysWOW64\Ihbponja.exe Ieccbbkn.exe File opened for modification C:\Windows\SysWOW64\Pcbkml32.exe Padnaq32.exe File created C:\Windows\SysWOW64\Pbhgoh32.exe Ppikbm32.exe File created C:\Windows\SysWOW64\Pjcikejg.exe Pfhmjf32.exe File created C:\Windows\SysWOW64\Jkomneim.exe Jbfheo32.exe File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe Jbiejoaj.exe File created C:\Windows\SysWOW64\Baadiiif.exe Bnfihkqm.exe File created C:\Windows\SysWOW64\Lelgfl32.dll Cnaaib32.exe File created C:\Windows\SysWOW64\Fmamhbhe.dll Ckjknfnh.exe File opened for modification C:\Windows\SysWOW64\Pfepdg32.exe Pplhhm32.exe File created C:\Windows\SysWOW64\Egjogddi.dll Pcepkfld.exe File created C:\Windows\SysWOW64\Doogdl32.dll Ncofplba.exe File created C:\Windows\SysWOW64\Enkjji32.dll Mecjif32.exe File created C:\Windows\SysWOW64\Nliaao32.exe Nijeec32.exe File created C:\Windows\SysWOW64\Emhkdmlg.exe Deqcbpld.exe File opened for modification C:\Windows\SysWOW64\Kcbfcigf.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Aqjpajgi.dll Cglbhhga.exe File created C:\Windows\SysWOW64\Chnlgjlb.exe Cacckp32.exe File opened for modification C:\Windows\SysWOW64\Falcae32.exe Fdhcgaic.exe File created C:\Windows\SysWOW64\Ggbook32.exe Gphgbafl.exe File created C:\Windows\SysWOW64\Opnaqk32.dll Gbnhoj32.exe File created C:\Windows\SysWOW64\Enfqikef.dll Pmblagmf.exe File created C:\Windows\SysWOW64\Fgcjfbed.exe Feenjgfq.exe File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Ganldgib.exe File created C:\Windows\SysWOW64\Pajeam32.exe Poliea32.exe File created C:\Windows\SysWOW64\Ndnljbeg.dll Lfgipd32.exe File created C:\Windows\SysWOW64\Hbobifpp.dll Chfegk32.exe File created C:\Windows\SysWOW64\Nblolm32.exe Mqjbddpl.exe File created C:\Windows\SysWOW64\Oifppdpd.exe Ofgdcipq.exe File created C:\Windows\SysWOW64\Omalpc32.exe Oifppdpd.exe File created C:\Windows\SysWOW64\Pcpnhl32.exe Pqbala32.exe File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe Pfccogfc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17600 17520 WerFault.exe 1051 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaompd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljgbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkifmjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakebqbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgpod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiphjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fngcmcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najmjokc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmqhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edgbii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjneln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgloefco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcifkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbbajjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkbfeab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmeoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbighjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfokoelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehdfdek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljmhflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agimkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqklkbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjlkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqgaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqfbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfepdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekonpckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcjnilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgohf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckboblp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdecgbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmnbfhal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jldbpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll" Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblamanm.dll" Ppikbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamojc32.dll" Ijcahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqbff32.dll" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmmaqlm.dll" Hildmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmeddp32.dll" Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Ocihgnam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdpjlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Johnamkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eomffaag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll" Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkkgm32.dll" Ijfnmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfoankj.dll" Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdcojj.dll" Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpgoecp.dll" Hgdejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfnhfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oqoefand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncepolj.dll" Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll" Hlblcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll" Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll" Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll" Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebfign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keaebdpc.dll" Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" Aopemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dqbcbkab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eciqfjec.dll" Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joicekop.dll" Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkkple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfajq32.dll" Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll" Omdppiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll" Paihlpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll" Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejlkojm.dll" Bjicdmmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpped32.dll" Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfkmkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Nqbpojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdmmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nodiqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpdaepai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bohbhmfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll" Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll" Pjpfjl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4912 wrote to memory of 4848 4912 cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011.exe 86 PID 4912 wrote to memory of 4848 4912 cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011.exe 86 PID 4912 wrote to memory of 4848 4912 cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011.exe 86 PID 4848 wrote to memory of 4932 4848 Fdamgb32.exe 87 PID 4848 wrote to memory of 4932 4848 Fdamgb32.exe 87 PID 4848 wrote to memory of 4932 4848 Fdamgb32.exe 87 PID 4932 wrote to memory of 1872 4932 Fineoi32.exe 89 PID 4932 wrote to memory of 1872 4932 Fineoi32.exe 89 PID 4932 wrote to memory of 1872 4932 Fineoi32.exe 89 PID 1872 wrote to memory of 1296 1872 Fphnlcdo.exe 90 PID 1872 wrote to memory of 1296 1872 Fphnlcdo.exe 90 PID 1872 wrote to memory of 1296 1872 Fphnlcdo.exe 90 PID 1296 wrote to memory of 2940 1296 Fagjfflb.exe 91 PID 1296 wrote to memory of 2940 1296 Fagjfflb.exe 91 PID 1296 wrote to memory of 2940 1296 Fagjfflb.exe 91 PID 2940 wrote to memory of 4768 2940 Fdffbake.exe 92 PID 2940 wrote to memory of 4768 2940 Fdffbake.exe 92 PID 2940 wrote to memory of 4768 2940 Fdffbake.exe 92 PID 4768 wrote to memory of 2836 4768 Fajgkfio.exe 93 PID 4768 wrote to memory of 2836 4768 Fajgkfio.exe 93 PID 4768 wrote to memory of 2836 4768 Fajgkfio.exe 93 PID 2836 wrote to memory of 3200 2836 Fdhcgaic.exe 94 PID 2836 wrote to memory of 3200 2836 Fdhcgaic.exe 94 PID 2836 wrote to memory of 3200 2836 Fdhcgaic.exe 94 PID 3200 wrote to memory of 4408 3200 Falcae32.exe 95 PID 3200 wrote to memory of 4408 3200 Falcae32.exe 95 PID 3200 wrote to memory of 4408 3200 Falcae32.exe 95 PID 4408 wrote to memory of 636 4408 Gkdhjknm.exe 96 PID 4408 wrote to memory of 636 4408 Gkdhjknm.exe 96 PID 4408 wrote to memory of 636 4408 Gkdhjknm.exe 96 PID 636 wrote to memory of 1416 636 Gaopfe32.exe 97 PID 636 wrote to memory of 1416 636 Gaopfe32.exe 97 PID 636 wrote to memory of 1416 636 Gaopfe32.exe 97 PID 1416 wrote to memory of 4064 1416 Gdmmbq32.exe 98 PID 1416 wrote to memory of 4064 1416 Gdmmbq32.exe 98 PID 1416 wrote to memory of 4064 1416 Gdmmbq32.exe 98 PID 4064 wrote to memory of 1608 4064 Gaamlecg.exe 99 PID 4064 wrote to memory of 1608 4064 Gaamlecg.exe 99 PID 4064 wrote to memory of 1608 4064 Gaamlecg.exe 99 PID 1608 wrote to memory of 4832 1608 Gilapgqb.exe 100 PID 1608 wrote to memory of 4832 1608 Gilapgqb.exe 100 PID 1608 wrote to memory of 4832 1608 Gilapgqb.exe 100 PID 4832 wrote to memory of 1588 4832 Ghmbno32.exe 101 PID 4832 wrote to memory of 1588 4832 Ghmbno32.exe 101 PID 4832 wrote to memory of 1588 4832 Ghmbno32.exe 101 PID 1588 wrote to memory of 3232 1588 Gklnjj32.exe 102 PID 1588 wrote to memory of 3232 1588 Gklnjj32.exe 102 PID 1588 wrote to memory of 3232 1588 Gklnjj32.exe 102 PID 3232 wrote to memory of 1104 3232 Gphgbafl.exe 103 PID 3232 wrote to memory of 1104 3232 Gphgbafl.exe 103 PID 3232 wrote to memory of 1104 3232 Gphgbafl.exe 103 PID 1104 wrote to memory of 3812 1104 Ggbook32.exe 104 PID 1104 wrote to memory of 3812 1104 Ggbook32.exe 104 PID 1104 wrote to memory of 3812 1104 Ggbook32.exe 104 PID 3812 wrote to memory of 1020 3812 Gahcmd32.exe 105 PID 3812 wrote to memory of 1020 3812 Gahcmd32.exe 105 PID 3812 wrote to memory of 1020 3812 Gahcmd32.exe 105 PID 1020 wrote to memory of 1644 1020 Gpkchqdj.exe 106 PID 1020 wrote to memory of 1644 1020 Gpkchqdj.exe 106 PID 1020 wrote to memory of 1644 1020 Gpkchqdj.exe 106 PID 1644 wrote to memory of 460 1644 Hpmpnp32.exe 107 PID 1644 wrote to memory of 460 1644 Hpmpnp32.exe 107 PID 1644 wrote to memory of 460 1644 Hpmpnp32.exe 107 PID 460 wrote to memory of 2008 460 Hgghjjid.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011.exe"C:\Users\Admin\AppData\Local\Temp\cc1d33cfc52f578a389002a6a80dd039c38afa1346562c89338a6aa52e6ff011.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe23⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe24⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe25⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe26⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe27⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe28⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe29⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe30⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe31⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3124 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe34⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe38⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe39⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe41⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe46⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe48⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe49⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe50⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe51⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe52⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe53⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe54⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe55⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe56⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe57⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe58⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe59⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe60⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe61⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe62⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe63⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:228 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe65⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe66⤵PID:2528
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe67⤵PID:3276
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe68⤵PID:4772
-
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe69⤵PID:1880
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe70⤵PID:628
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe72⤵
- Drops file in System32 directory
PID:5080 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe73⤵PID:4324
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe74⤵
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe75⤵PID:5012
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe76⤵PID:544
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe77⤵
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe78⤵PID:588
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe79⤵PID:4860
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe80⤵PID:1916
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe81⤵PID:1508
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe83⤵PID:3408
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe84⤵PID:3444
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe85⤵PID:3580
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe86⤵PID:5072
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe87⤵
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe88⤵PID:5156
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe89⤵PID:5232
-
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe90⤵
- System Location Discovery: System Language Discovery
PID:5316 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe91⤵PID:5364
-
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe92⤵PID:5404
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe93⤵
- Drops file in System32 directory
PID:5460 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe94⤵PID:5508
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe95⤵PID:5552
-
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe96⤵PID:5600
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe97⤵PID:5656
-
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe98⤵PID:5704
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe99⤵PID:5748
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe100⤵PID:5792
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe101⤵PID:5836
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe102⤵PID:5876
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe103⤵
- System Location Discovery: System Language Discovery
PID:5920 -
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe104⤵PID:5964
-
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe105⤵PID:6008
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe106⤵PID:6052
-
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe107⤵PID:6096
-
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe108⤵PID:6140
-
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe109⤵PID:5216
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe111⤵PID:5392
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe112⤵PID:5476
-
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe113⤵
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe114⤵PID:5652
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe115⤵PID:5712
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe116⤵PID:5784
-
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe117⤵
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe118⤵PID:2304
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe119⤵PID:5832
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe120⤵PID:5912
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe121⤵PID:5980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-