Analysis
-
max time kernel
97s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2024, 05:58
Behavioral task
behavioral1
Sample
aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2N.exe
-
Size
182KB
-
MD5
db286af4509a94553de10e96ca4a9060
-
SHA1
91049f9e95a5caf1fa38836f12f592e0e11da6b8
-
SHA256
aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2
-
SHA512
7b7525a28ce568612caf5085409f81d135cceb0abacb2be7cc96b5294b51b8b4bd62ec8bc6897bf3b34994604811f27912e6725b904a308d0d49a8508df6df20
-
SSDEEP
3072:Jf2eT39RCV24ho1mtye3lFDrFDHZtOga24ho1mtye3l:Jf2cKasFj5tT3sF
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bklomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfpkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfkdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejlbhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgepom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhbcfbjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cioilg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjmnjqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijeec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidabppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhimica.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aogbfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahaceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohpkmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coiaiakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeaanjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mldhfpib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokehc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlgpod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoofle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqfngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldcjeia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kflide32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npbceggm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnoopdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhkbfme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgplado.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklhcfle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qebhhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbdjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pecellgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpjlb32.exe -
Executes dropped EXE 64 IoCs
pid Process 4620 Meamcg32.exe 2292 Mhoipb32.exe 772 Mlkepaam.exe 1960 Mniallpq.exe 4300 Mhafeb32.exe 4392 Mnlnbl32.exe 3984 Meefofek.exe 832 Mlpokp32.exe 2056 Mnnkgl32.exe 1776 Micoed32.exe 1084 Mjellmbp.exe 5012 Maodigil.exe 4800 Mldhfpib.exe 2336 Nbnpcj32.exe 916 Nihipdhl.exe 4500 Nlfelogp.exe 220 Nbqmiinl.exe 4872 Nijeec32.exe 3668 Nliaao32.exe 460 Nafjjf32.exe 2068 Nimbkc32.exe 444 Nknobkje.exe 1556 Nbefdijg.exe 4320 Nhbolp32.exe 624 Nolgijpk.exe 4104 Najceeoo.exe 3288 Oondnini.exe 1004 Oampjeml.exe 3976 Okedcjcm.exe 1816 Oldamm32.exe 3648 Oboijgbl.exe 972 Olgncmim.exe 552 Oadfkdgd.exe 3520 Ohnohn32.exe 2228 Oeaoab32.exe 4064 Ohpkmn32.exe 628 Pcepkfld.exe 4984 Piphgq32.exe 3644 Plndcl32.exe 4524 Pefhlaie.exe 3988 Pkcadhgm.exe 4756 Pidabppl.exe 3428 Poajkgnc.exe 3632 Pekbga32.exe 636 Pocfpf32.exe 3628 Qcaofebg.exe 2500 Qikgco32.exe 5008 Qljcoj32.exe 2660 Qohpkf32.exe 4196 Qebhhp32.exe 1268 Allpejfe.exe 212 Aojlaeei.exe 808 Ajpqnneo.exe 4560 Akamff32.exe 4488 Achegd32.exe 4836 Ajbmdn32.exe 428 Akcjkfij.exe 1368 Aoofle32.exe 548 Afinioip.exe 3740 Akffafgg.exe 4868 Acmobchj.exe 1096 Ajggomog.exe 4840 Akhcfe32.exe 1444 Acokhc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kemilf32.dll Acokhc32.exe File created C:\Windows\SysWOW64\Nglhld32.exe Ncqlkemc.exe File opened for modification C:\Windows\SysWOW64\Fpgpgfmh.exe Flkdfh32.exe File created C:\Windows\SysWOW64\Ghjnkpdc.dll Gpbpbecj.exe File created C:\Windows\SysWOW64\Ndikch32.dll Bmjkic32.exe File created C:\Windows\SysWOW64\Ajbmdn32.exe Achegd32.exe File created C:\Windows\SysWOW64\Mfplpfib.dll Dkdliame.exe File opened for modification C:\Windows\SysWOW64\Olanmgig.exe Odjeljhd.exe File opened for modification C:\Windows\SysWOW64\Ckjbhmad.exe Cdpjlb32.exe File created C:\Windows\SysWOW64\Cdbfab32.exe Cbdjeg32.exe File created C:\Windows\SysWOW64\Biafno32.dll Cdbpgl32.exe File created C:\Windows\SysWOW64\Jklinohd.exe Jcdala32.exe File created C:\Windows\SysWOW64\Glbjggof.exe Gidnkkpc.exe File created C:\Windows\SysWOW64\Jleiba32.dll Jllokajf.exe File opened for modification C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File created C:\Windows\SysWOW64\Bohibc32.exe Bhoqeibl.exe File opened for modification C:\Windows\SysWOW64\Cioilg32.exe Cfqmpl32.exe File created C:\Windows\SysWOW64\Dmeoam32.dll Kgninn32.exe File opened for modification C:\Windows\SysWOW64\Dpkmal32.exe Dojqjdbl.exe File created C:\Windows\SysWOW64\Lefioe32.dll Qikgco32.exe File created C:\Windows\SysWOW64\Dlghoa32.exe Dfjpfj32.exe File created C:\Windows\SysWOW64\Lddgmbpb.exe Lnjnqh32.exe File opened for modification C:\Windows\SysWOW64\Pmoiqneg.exe Plmmif32.exe File created C:\Windows\SysWOW64\Jihiic32.dll Nclbpf32.exe File created C:\Windows\SysWOW64\Jponoqjl.dll Pjmjdm32.exe File opened for modification C:\Windows\SysWOW64\Acmobchj.exe Akffafgg.exe File created C:\Windows\SysWOW64\Kebncn32.dll Dfgcakon.exe File created C:\Windows\SysWOW64\Ddplkbaa.dll Jcphab32.exe File created C:\Windows\SysWOW64\Gaakdpkj.dll Olanmgig.exe File created C:\Windows\SysWOW64\Lciibdmj.dll Hlglidlo.exe File created C:\Windows\SysWOW64\Palbgl32.exe Ponfka32.exe File created C:\Windows\SysWOW64\Ogjdmbil.exe Ocohmc32.exe File created C:\Windows\SysWOW64\Ncndec32.dll Poajkgnc.exe File created C:\Windows\SysWOW64\Hclnnc32.dll Fpbmfn32.exe File created C:\Windows\SysWOW64\Dafipibl.dll Jklinohd.exe File created C:\Windows\SysWOW64\Kcejco32.exe Kqfngd32.exe File created C:\Windows\SysWOW64\Pmoiqneg.exe Plmmif32.exe File created C:\Windows\SysWOW64\Mminhceb.exe Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Pjkmomfn.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Dhbebj32.exe Dpkmal32.exe File created C:\Windows\SysWOW64\Allpejfe.exe Qebhhp32.exe File created C:\Windows\SysWOW64\Dpgnjo32.exe Dmhand32.exe File opened for modification C:\Windows\SysWOW64\Nfohgqlg.exe Nglhld32.exe File created C:\Windows\SysWOW64\Hbceobam.dll Neqopnhb.exe File created C:\Windows\SysWOW64\Olfghg32.exe Oelolmnd.exe File created C:\Windows\SysWOW64\Emmdom32.exe Eeelnp32.exe File created C:\Windows\SysWOW64\Jhafck32.dll Kcbfcigf.exe File opened for modification C:\Windows\SysWOW64\Gkmdecbg.exe Gbfldf32.exe File created C:\Windows\SysWOW64\Mcjmel32.exe Mnmdme32.exe File created C:\Windows\SysWOW64\Nlnhqepf.dll Enpmld32.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Fbjena32.exe File opened for modification C:\Windows\SysWOW64\Bgkiaj32.exe Bdmmeo32.exe File opened for modification C:\Windows\SysWOW64\Fneggdhg.exe Fpbflg32.exe File opened for modification C:\Windows\SysWOW64\Mokmdh32.exe Mmmqhl32.exe File opened for modification C:\Windows\SysWOW64\Nbqmiinl.exe Nlfelogp.exe File created C:\Windows\SysWOW64\Ljclki32.exe Lgepom32.exe File created C:\Windows\SysWOW64\Mbnnhndk.dll Pefabkej.exe File created C:\Windows\SysWOW64\Moipoh32.exe Mqfpckhm.exe File created C:\Windows\SysWOW64\Pjllddpj.dll Bmhocd32.exe File created C:\Windows\SysWOW64\Pognhd32.dll Mhoipb32.exe File created C:\Windows\SysWOW64\Gpcfmkff.exe Giinpa32.exe File opened for modification C:\Windows\SysWOW64\Hibafp32.exe Hbhijepa.exe File opened for modification C:\Windows\SysWOW64\Idcepgmg.exe Injmcmej.exe File created C:\Windows\SysWOW64\Migmpjdh.dll Jcmdaljn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13508 14324 WerFault.exe 739 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcepgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjnfkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meamcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjmnjqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbhoeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcjkfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfekc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgind32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhafeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqfll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dheibpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepjhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdppiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcepkfld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcjop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgplado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmdnadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higjaoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingpmmgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpfqcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdcfidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikmbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknobkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmcgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiioonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlnbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkgje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomkcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoheakj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpkadnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdemd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmkkjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelolmnd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbobmnod.dll" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadmq32.dll" Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenghpla.dll" Enbjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcfggkac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djhimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkeldnpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgpqgeo.dll" Mminhceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplgeokq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akpoaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmepam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adkgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmbmkpie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folnlh32.dll" Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efeihb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcaaddl.dll" Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdjiqhc.dll" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gengje32.dll" Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejjepo.dll" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll" Agimkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knooej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkajlm32.dll" Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdliee32.dll" Ohpkmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jebfng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coegoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpcgbim.dll" Kcndbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaldccip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaplji32.dll" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olgncmim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilccoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jljbeali.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcpem32.dll" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll" Hffken32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iomoenej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imnocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohlqcagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgbdc32.dll" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locfbi32.dll" Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoheakj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3536 wrote to memory of 4620 3536 aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2N.exe 82 PID 3536 wrote to memory of 4620 3536 aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2N.exe 82 PID 3536 wrote to memory of 4620 3536 aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2N.exe 82 PID 4620 wrote to memory of 2292 4620 Meamcg32.exe 83 PID 4620 wrote to memory of 2292 4620 Meamcg32.exe 83 PID 4620 wrote to memory of 2292 4620 Meamcg32.exe 83 PID 2292 wrote to memory of 772 2292 Mhoipb32.exe 84 PID 2292 wrote to memory of 772 2292 Mhoipb32.exe 84 PID 2292 wrote to memory of 772 2292 Mhoipb32.exe 84 PID 772 wrote to memory of 1960 772 Mlkepaam.exe 85 PID 772 wrote to memory of 1960 772 Mlkepaam.exe 85 PID 772 wrote to memory of 1960 772 Mlkepaam.exe 85 PID 1960 wrote to memory of 4300 1960 Mniallpq.exe 86 PID 1960 wrote to memory of 4300 1960 Mniallpq.exe 86 PID 1960 wrote to memory of 4300 1960 Mniallpq.exe 86 PID 4300 wrote to memory of 4392 4300 Mhafeb32.exe 87 PID 4300 wrote to memory of 4392 4300 Mhafeb32.exe 87 PID 4300 wrote to memory of 4392 4300 Mhafeb32.exe 87 PID 4392 wrote to memory of 3984 4392 Mnlnbl32.exe 88 PID 4392 wrote to memory of 3984 4392 Mnlnbl32.exe 88 PID 4392 wrote to memory of 3984 4392 Mnlnbl32.exe 88 PID 3984 wrote to memory of 832 3984 Meefofek.exe 89 PID 3984 wrote to memory of 832 3984 Meefofek.exe 89 PID 3984 wrote to memory of 832 3984 Meefofek.exe 89 PID 832 wrote to memory of 2056 832 Mlpokp32.exe 90 PID 832 wrote to memory of 2056 832 Mlpokp32.exe 90 PID 832 wrote to memory of 2056 832 Mlpokp32.exe 90 PID 2056 wrote to memory of 1776 2056 Mnnkgl32.exe 91 PID 2056 wrote to memory of 1776 2056 Mnnkgl32.exe 91 PID 2056 wrote to memory of 1776 2056 Mnnkgl32.exe 91 PID 1776 wrote to memory of 1084 1776 Micoed32.exe 92 PID 1776 wrote to memory of 1084 1776 Micoed32.exe 92 PID 1776 wrote to memory of 1084 1776 Micoed32.exe 92 PID 1084 wrote to memory of 5012 1084 Mjellmbp.exe 93 PID 1084 wrote to memory of 5012 1084 Mjellmbp.exe 93 PID 1084 wrote to memory of 5012 1084 Mjellmbp.exe 93 PID 5012 wrote to memory of 4800 5012 Maodigil.exe 94 PID 5012 wrote to memory of 4800 5012 Maodigil.exe 94 PID 5012 wrote to memory of 4800 5012 Maodigil.exe 94 PID 4800 wrote to memory of 2336 4800 Mldhfpib.exe 95 PID 4800 wrote to memory of 2336 4800 Mldhfpib.exe 95 PID 4800 wrote to memory of 2336 4800 Mldhfpib.exe 95 PID 2336 wrote to memory of 916 2336 Nbnpcj32.exe 96 PID 2336 wrote to memory of 916 2336 Nbnpcj32.exe 96 PID 2336 wrote to memory of 916 2336 Nbnpcj32.exe 96 PID 916 wrote to memory of 4500 916 Nihipdhl.exe 97 PID 916 wrote to memory of 4500 916 Nihipdhl.exe 97 PID 916 wrote to memory of 4500 916 Nihipdhl.exe 97 PID 4500 wrote to memory of 220 4500 Nlfelogp.exe 98 PID 4500 wrote to memory of 220 4500 Nlfelogp.exe 98 PID 4500 wrote to memory of 220 4500 Nlfelogp.exe 98 PID 220 wrote to memory of 4872 220 Nbqmiinl.exe 99 PID 220 wrote to memory of 4872 220 Nbqmiinl.exe 99 PID 220 wrote to memory of 4872 220 Nbqmiinl.exe 99 PID 4872 wrote to memory of 3668 4872 Nijeec32.exe 100 PID 4872 wrote to memory of 3668 4872 Nijeec32.exe 100 PID 4872 wrote to memory of 3668 4872 Nijeec32.exe 100 PID 3668 wrote to memory of 460 3668 Nliaao32.exe 101 PID 3668 wrote to memory of 460 3668 Nliaao32.exe 101 PID 3668 wrote to memory of 460 3668 Nliaao32.exe 101 PID 460 wrote to memory of 2068 460 Nafjjf32.exe 102 PID 460 wrote to memory of 2068 460 Nafjjf32.exe 102 PID 460 wrote to memory of 2068 460 Nafjjf32.exe 102 PID 2068 wrote to memory of 444 2068 Nimbkc32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2N.exe"C:\Users\Admin\AppData\Local\Temp\aa8bfcb38378495c86304597b7b9d32b56c698398b2960ac3b0b5209730df8f2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe24⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe25⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe26⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe27⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe28⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe29⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe30⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe31⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe32⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:972 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe34⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe35⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe36⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe39⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe40⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe42⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe45⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe47⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe49⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe50⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4196 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe52⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe53⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe54⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe55⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4488 -
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe57⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:428 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3740 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe62⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe63⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe64⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe66⤵PID:4256
-
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe67⤵PID:4132
-
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe68⤵PID:1116
-
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe69⤵PID:2072
-
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe70⤵
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe71⤵PID:1832
-
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe72⤵PID:4216
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe73⤵PID:3936
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe75⤵PID:4856
-
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe76⤵PID:228
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe77⤵PID:616
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe78⤵PID:3176
-
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe79⤵PID:1876
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe80⤵PID:1296
-
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe81⤵PID:3400
-
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe82⤵PID:1564
-
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe83⤵PID:2212
-
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe84⤵PID:4496
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe85⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe87⤵PID:1908
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe88⤵PID:4224
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe89⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4052 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe92⤵PID:4176
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe93⤵PID:1624
-
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe94⤵PID:4200
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe95⤵
- System Location Discovery: System Language Discovery
PID:3920 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe96⤵PID:1936
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe97⤵PID:4892
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe98⤵PID:2008
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe99⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe100⤵PID:3896
-
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe101⤵
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe102⤵PID:3692
-
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe103⤵
- Drops file in System32 directory
PID:4536 -
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe104⤵PID:4924
-
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe105⤵
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe107⤵PID:3128
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe108⤵PID:2684
-
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe109⤵PID:4268
-
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe110⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe111⤵PID:2496
-
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:332 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4060 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe115⤵
- System Location Discovery: System Language Discovery
PID:704 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe116⤵PID:3892
-
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe117⤵PID:2640
-
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe118⤵PID:4080
-
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe119⤵
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe120⤵PID:1240
-
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe121⤵PID:2060
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-