Analysis
-
max time kernel
115s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28-09-2024 05:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600N.exe
-
Size
88KB
-
MD5
53e96ca6e2e217c48a603beec8b7a810
-
SHA1
a1b63bc1d62cf4f031a38e818d28826620d12229
-
SHA256
937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600
-
SHA512
d7f6018cb639be19809106fbe25e18c50036db0eac3f6f5c161dff3ed0dad09d1feea2ed262f227e8a42c1b84486c7676e5b6db09538b10144a8179603c0c7e0
-
SSDEEP
1536:irbXl/Sumc0kVAeXCxHf43OojQe9E4nC9TnIVSZJg8hnouy8L:i/l/klkWi44oGSId8BoutL
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejbhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmimdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobhqdec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aidomjaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndfchdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmjcdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Homcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afeban32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpgjpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqpika32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnqap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Japmcfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foonjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiehhjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnbapjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hllcfnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjnqap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqfqfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhkgnkoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgedjjki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljoiibbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akjgdjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khihld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nefdbekh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpkhjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpfcelml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhennm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpqgjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fajgfiag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icogcjde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabglnco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlgjhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofhbgmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgjll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnehifk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flghognq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlnqln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Celgjlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkeakl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedhoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcmpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcncodki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhjnfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cldjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqpika32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iohlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkiiee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eippgckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdjhkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kanidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kidmcqeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dicbfhni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eahjqicj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgqag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdgljil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poagma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcjbfag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmepbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ileflmpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblpcndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oolnabal.exe -
Executes dropped EXE 64 IoCs
pid Process 3932 Hgapmj32.exe 676 Hjolie32.exe 4412 Hnkhjdle.exe 1712 Hkohchko.exe 1776 Hbiapb32.exe 3632 Hegmlnbp.exe 972 Hjdedepg.exe 3736 Hejjanpm.exe 2504 Hghfnioq.exe 2144 Hnbnjc32.exe 3332 Icogcjde.exe 2152 Ijiopd32.exe 1692 Iabglnco.exe 3076 Ilhkigcd.exe 1764 Ibbcfa32.exe 4504 Iccpniqp.exe 4524 Ijmhkchl.exe 3168 Iagqgn32.exe 3512 Ihaidhgf.exe 4064 Inkaqb32.exe 4600 Iajmmm32.exe 4892 Idhiii32.exe 1040 Jbijgp32.exe 224 Jehfcl32.exe 692 Jnpjlajn.exe 3396 Jejbhk32.exe 3244 Jjgkab32.exe 3080 Jjihfbno.exe 3416 Jbbmmo32.exe 2196 Keceoj32.exe 2300 Kefbdjgm.exe 1680 Klpjad32.exe 836 Khfkfedn.exe 1616 Kblpcndd.exe 4076 Khihld32.exe 2212 Kaaldjil.exe 4896 Loemnnhe.exe 4676 Lhmafcnf.exe 4888 Lddble32.exe 2288 Lahbei32.exe 4152 Llngbabj.exe 5088 Lbhool32.exe 4960 Lhdggb32.exe 2340 Loopdmpk.exe 4436 Ldkhlcnb.exe 2668 Mclhjkfa.exe 2924 Mhiabbdi.exe 4108 Mociol32.exe 3848 Mdpagc32.exe 2612 Mlgjhp32.exe 2276 Madbagif.exe 768 Mlifnphl.exe 4512 Mafofggd.exe 5016 Mhpgca32.exe 1436 Mojopk32.exe 4928 Mdghhb32.exe 2472 Nomlek32.exe 1772 Nefdbekh.exe 2776 Nkcmjlio.exe 3360 Namegfql.exe 2976 Nkeipk32.exe 4824 Napameoi.exe 4332 Nlefjnno.exe 4972 Nocbfjmc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Japmcfcc.exe Jjfdfl32.exe File created C:\Windows\SysWOW64\Oogdfc32.exe Odbpij32.exe File created C:\Windows\SysWOW64\Bijfpm32.dll Ogmiepcf.exe File opened for modification C:\Windows\SysWOW64\Glinjqhb.exe Gikbneio.exe File created C:\Windows\SysWOW64\Hqfqfj32.exe Hnhdjn32.exe File created C:\Windows\SysWOW64\Hnkhdmeh.dll Phkaqqoi.exe File created C:\Windows\SysWOW64\Icooig32.exe Ileflmpb.exe File created C:\Windows\SysWOW64\Joobdfei.exe Jkcfch32.exe File created C:\Windows\SysWOW64\Fnchgmkg.dll Kbedaand.exe File opened for modification C:\Windows\SysWOW64\Gmdoel32.exe Gjebiq32.exe File opened for modification C:\Windows\SysWOW64\Dbbdip32.exe Djklgb32.exe File created C:\Windows\SysWOW64\Lamgof32.dll Khfkfedn.exe File created C:\Windows\SysWOW64\Piceflpi.exe Pfeijqqe.exe File created C:\Windows\SysWOW64\Ifckkhfi.exe Iqfcbahb.exe File created C:\Windows\SysWOW64\Emabga32.dll Khcgfo32.exe File created C:\Windows\SysWOW64\Khihld32.exe Kblpcndd.exe File opened for modification C:\Windows\SysWOW64\Obfhmd32.exe Ohncdobq.exe File created C:\Windows\SysWOW64\Mimial32.dll Mhhjhlqm.exe File created C:\Windows\SysWOW64\Qdflaa32.exe Pnlcdg32.exe File created C:\Windows\SysWOW64\Pfjhdhal.dll Ellpmolj.exe File created C:\Windows\SysWOW64\Cpbbak32.exe Clffalkf.exe File created C:\Windows\SysWOW64\Gpodkdll.exe Gjdknjep.exe File opened for modification C:\Windows\SysWOW64\Ioppho32.exe Hhehkepj.exe File created C:\Windows\SysWOW64\Hhcajd32.dll Lpghfi32.exe File created C:\Windows\SysWOW64\Ieknpb32.exe Ioafchai.exe File created C:\Windows\SysWOW64\Kbbhka32.exe Jkhpogij.exe File opened for modification C:\Windows\SysWOW64\Loemnnhe.exe Kaaldjil.exe File created C:\Windows\SysWOW64\Cefked32.dll Qbkcek32.exe File opened for modification C:\Windows\SysWOW64\Lglcag32.exe Lpelqj32.exe File created C:\Windows\SysWOW64\Liofdigo.exe Lfqjhmhk.exe File created C:\Windows\SysWOW64\Eiebmbnn.dll Nocbfjmc.exe File created C:\Windows\SysWOW64\Jhbkgiif.dll Glnnofhi.exe File created C:\Windows\SysWOW64\Alnifp32.dll Qkqdnkge.exe File created C:\Windows\SysWOW64\Cpmbkm32.dll Fblpflfg.exe File created C:\Windows\SysWOW64\Ckmacl32.dll Hkjjfkcm.exe File created C:\Windows\SysWOW64\Dgmfnkfn.dll Hegmlnbp.exe File opened for modification C:\Windows\SysWOW64\Jbijgp32.exe Idhiii32.exe File created C:\Windows\SysWOW64\Efhbch32.dll Jejbhk32.exe File opened for modification C:\Windows\SysWOW64\Pfmlok32.exe Pkhhbbck.exe File created C:\Windows\SysWOW64\Bojllo32.dll Kfejmobh.exe File opened for modification C:\Windows\SysWOW64\Kbedaand.exe Kkkldg32.exe File opened for modification C:\Windows\SysWOW64\Lddble32.exe Lhmafcnf.exe File opened for modification C:\Windows\SysWOW64\Ffpcbchm.exe Fdogjk32.exe File opened for modification C:\Windows\SysWOW64\Dilmeida.exe Dbbdip32.exe File created C:\Windows\SysWOW64\Hligqnjp.exe Hikkdc32.exe File created C:\Windows\SysWOW64\Jjihfbno.exe Jjgkab32.exe File created C:\Windows\SysWOW64\Fblpflfg.exe Foqdem32.exe File created C:\Windows\SysWOW64\Edjgidik.dll Bpgjpb32.exe File created C:\Windows\SysWOW64\Lfcjfjoi.dll Fneoma32.exe File created C:\Windows\SysWOW64\Oimlepla.dll Nomlek32.exe File created C:\Windows\SysWOW64\Eipilmgh.exe Ebeapc32.exe File opened for modification C:\Windows\SysWOW64\Kmkpipaf.exe Kqdodo32.exe File created C:\Windows\SysWOW64\Jkajnh32.exe Jjpmfpid.exe File created C:\Windows\SysWOW64\Plmiie32.dll Aeffgkkp.exe File created C:\Windows\SysWOW64\Gglpgd32.exe Gqagkjne.exe File created C:\Windows\SysWOW64\Jgekdq32.exe Jmpgghoo.exe File created C:\Windows\SysWOW64\Cejjdlap.exe Cbknhqbl.exe File created C:\Windows\SysWOW64\Dgmpkg32.exe Dabhomea.exe File created C:\Windows\SysWOW64\Lhalmkbm.dll Kcdakd32.exe File created C:\Windows\SysWOW64\Qmckbjdl.exe Qihoak32.exe File opened for modification C:\Windows\SysWOW64\Pnlcdg32.exe Pgbkgmao.exe File created C:\Windows\SysWOW64\Ilhllpbm.dll Fbqiak32.exe File created C:\Windows\SysWOW64\Hiinoc32.exe Haafnf32.exe File created C:\Windows\SysWOW64\Jjefao32.exe Joobdfei.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2212 3212 WerFault.exe 804 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpgjpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqagkjne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdfpmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djipbbne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeijqqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fckaeioa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnlmdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkhfmdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajhpbme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eieplhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbjlpga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibbcfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdpagc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhhml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfdklllb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidmcqeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ancjef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfljnejl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdlpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgapmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkeipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeohn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnphd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhghge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohobebig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enedio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejjanpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjihfbno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncdobq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnnofhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbqdmodg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmhkchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfobofl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdflaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkqdnkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihaidhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjnlha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhllni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmiljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkcmjlio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkhfec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epaemojk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojnfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaokbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbkoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giahndcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbiapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcncodki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfanflne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjcqffkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmedmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilphk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giddddad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlifnphl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deidjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flboch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimgba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajnol32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhllni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qajlje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkiapn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbejblj.dll" Hkohchko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bechccgd.dll" Dlqpaafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgfoc32.dll" Efhjjcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obncao32.dll" Jnfjbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akjgdjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkobdqqa.dll" Djmima32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfabmmhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iohlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohgopgfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiheheka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icogcjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkabbgol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bclppboi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfhbipdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfqdid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcgekjgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgnlmdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcelel32.dll" Ohdbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpodkdll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpelqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedfbe32.dll" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkchqpgd.dll" Andqol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbniai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhmea32.dll" Imcqacfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iipkfmal.dll" Pcdqhecd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmcfhol.dll" Glmhdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abipfifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dalkek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Diamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfemoei.dll" Ebcdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohokhje.dll" Jjqdafmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balodg32.dll" Mdpagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedoeg32.dll" Pkhhbbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jllmml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebndbijh.dll" Jbkbkbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiigchm.dll" Pecpknke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhkgnkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bampkqcn.dll" Dfqdid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqpha32.dll" Midfjnge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejglcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohqpjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnckooob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmdjha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpmeimpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhhjhlqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeackh32.dll" Adnilfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfcdaehf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll" Llngbabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agdghm32.dll" Bbcignbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfhhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobeniph.dll" Kjamhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdngpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfemmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqimlihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebggf32.dll" Nlgbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkhdmeh.dll" Phkaqqoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feiglp32.dll" Fajgfiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kblkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beaecjab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imiagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggilgn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5012 wrote to memory of 3932 5012 937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600N.exe 89 PID 5012 wrote to memory of 3932 5012 937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600N.exe 89 PID 5012 wrote to memory of 3932 5012 937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600N.exe 89 PID 3932 wrote to memory of 676 3932 Hgapmj32.exe 90 PID 3932 wrote to memory of 676 3932 Hgapmj32.exe 90 PID 3932 wrote to memory of 676 3932 Hgapmj32.exe 90 PID 676 wrote to memory of 4412 676 Hjolie32.exe 91 PID 676 wrote to memory of 4412 676 Hjolie32.exe 91 PID 676 wrote to memory of 4412 676 Hjolie32.exe 91 PID 4412 wrote to memory of 1712 4412 Hnkhjdle.exe 92 PID 4412 wrote to memory of 1712 4412 Hnkhjdle.exe 92 PID 4412 wrote to memory of 1712 4412 Hnkhjdle.exe 92 PID 1712 wrote to memory of 1776 1712 Hkohchko.exe 93 PID 1712 wrote to memory of 1776 1712 Hkohchko.exe 93 PID 1712 wrote to memory of 1776 1712 Hkohchko.exe 93 PID 1776 wrote to memory of 3632 1776 Hbiapb32.exe 94 PID 1776 wrote to memory of 3632 1776 Hbiapb32.exe 94 PID 1776 wrote to memory of 3632 1776 Hbiapb32.exe 94 PID 3632 wrote to memory of 972 3632 Hegmlnbp.exe 95 PID 3632 wrote to memory of 972 3632 Hegmlnbp.exe 95 PID 3632 wrote to memory of 972 3632 Hegmlnbp.exe 95 PID 972 wrote to memory of 3736 972 Hjdedepg.exe 96 PID 972 wrote to memory of 3736 972 Hjdedepg.exe 96 PID 972 wrote to memory of 3736 972 Hjdedepg.exe 96 PID 3736 wrote to memory of 2504 3736 Hejjanpm.exe 97 PID 3736 wrote to memory of 2504 3736 Hejjanpm.exe 97 PID 3736 wrote to memory of 2504 3736 Hejjanpm.exe 97 PID 2504 wrote to memory of 2144 2504 Hghfnioq.exe 98 PID 2504 wrote to memory of 2144 2504 Hghfnioq.exe 98 PID 2504 wrote to memory of 2144 2504 Hghfnioq.exe 98 PID 2144 wrote to memory of 3332 2144 Hnbnjc32.exe 99 PID 2144 wrote to memory of 3332 2144 Hnbnjc32.exe 99 PID 2144 wrote to memory of 3332 2144 Hnbnjc32.exe 99 PID 3332 wrote to memory of 2152 3332 Icogcjde.exe 100 PID 3332 wrote to memory of 2152 3332 Icogcjde.exe 100 PID 3332 wrote to memory of 2152 3332 Icogcjde.exe 100 PID 2152 wrote to memory of 1692 2152 Ijiopd32.exe 101 PID 2152 wrote to memory of 1692 2152 Ijiopd32.exe 101 PID 2152 wrote to memory of 1692 2152 Ijiopd32.exe 101 PID 1692 wrote to memory of 3076 1692 Iabglnco.exe 102 PID 1692 wrote to memory of 3076 1692 Iabglnco.exe 102 PID 1692 wrote to memory of 3076 1692 Iabglnco.exe 102 PID 3076 wrote to memory of 1764 3076 Ilhkigcd.exe 103 PID 3076 wrote to memory of 1764 3076 Ilhkigcd.exe 103 PID 3076 wrote to memory of 1764 3076 Ilhkigcd.exe 103 PID 1764 wrote to memory of 4504 1764 Ibbcfa32.exe 104 PID 1764 wrote to memory of 4504 1764 Ibbcfa32.exe 104 PID 1764 wrote to memory of 4504 1764 Ibbcfa32.exe 104 PID 4504 wrote to memory of 4524 4504 Iccpniqp.exe 105 PID 4504 wrote to memory of 4524 4504 Iccpniqp.exe 105 PID 4504 wrote to memory of 4524 4504 Iccpniqp.exe 105 PID 4524 wrote to memory of 3168 4524 Ijmhkchl.exe 106 PID 4524 wrote to memory of 3168 4524 Ijmhkchl.exe 106 PID 4524 wrote to memory of 3168 4524 Ijmhkchl.exe 106 PID 3168 wrote to memory of 3512 3168 Iagqgn32.exe 107 PID 3168 wrote to memory of 3512 3168 Iagqgn32.exe 107 PID 3168 wrote to memory of 3512 3168 Iagqgn32.exe 107 PID 3512 wrote to memory of 4064 3512 Ihaidhgf.exe 108 PID 3512 wrote to memory of 4064 3512 Ihaidhgf.exe 108 PID 3512 wrote to memory of 4064 3512 Ihaidhgf.exe 108 PID 4064 wrote to memory of 4600 4064 Inkaqb32.exe 109 PID 4064 wrote to memory of 4600 4064 Inkaqb32.exe 109 PID 4064 wrote to memory of 4600 4064 Inkaqb32.exe 109 PID 4600 wrote to memory of 4892 4600 Iajmmm32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600N.exe"C:\Users\Admin\AppData\Local\Temp\937ce1d09a5b621c41ebd7b3c5808b42a9bfe5aac40fd2d4d948ec6ae1d83600N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Hgapmj32.exeC:\Windows\system32\Hgapmj32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Hjolie32.exeC:\Windows\system32\Hjolie32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Hkohchko.exeC:\Windows\system32\Hkohchko.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Hbiapb32.exeC:\Windows\system32\Hbiapb32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Hegmlnbp.exeC:\Windows\system32\Hegmlnbp.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Hjdedepg.exeC:\Windows\system32\Hjdedepg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Hnbnjc32.exeC:\Windows\system32\Hnbnjc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Icogcjde.exeC:\Windows\system32\Icogcjde.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Ilhkigcd.exeC:\Windows\system32\Ilhkigcd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Ibbcfa32.exeC:\Windows\system32\Ibbcfa32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Ijmhkchl.exeC:\Windows\system32\Ijmhkchl.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Iajmmm32.exeC:\Windows\system32\Iajmmm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4892 -
C:\Windows\SysWOW64\Jbijgp32.exeC:\Windows\system32\Jbijgp32.exe24⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe25⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Jnpjlajn.exeC:\Windows\system32\Jnpjlajn.exe26⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\Jjgkab32.exeC:\Windows\system32\Jjgkab32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3244 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe30⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Keceoj32.exeC:\Windows\system32\Keceoj32.exe31⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe32⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe33⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Kblpcndd.exeC:\Windows\system32\Kblpcndd.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Loemnnhe.exeC:\Windows\system32\Loemnnhe.exe38⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Lhmafcnf.exeC:\Windows\system32\Lhmafcnf.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Lddble32.exeC:\Windows\system32\Lddble32.exe40⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe41⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4152 -
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe43⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe44⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe45⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ldkhlcnb.exeC:\Windows\system32\Ldkhlcnb.exe46⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Mclhjkfa.exeC:\Windows\system32\Mclhjkfa.exe47⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe48⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Mociol32.exeC:\Windows\system32\Mociol32.exe49⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3848 -
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe52⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe54⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe55⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe56⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Mdghhb32.exeC:\Windows\system32\Mdghhb32.exe57⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Nefdbekh.exeC:\Windows\system32\Nefdbekh.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Nkcmjlio.exeC:\Windows\system32\Nkcmjlio.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Namegfql.exeC:\Windows\system32\Namegfql.exe61⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe63⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Nlefjnno.exeC:\Windows\system32\Nlefjnno.exe64⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4972 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe66⤵PID:1196
-
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe67⤵
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe68⤵PID:1732
-
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4752 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe70⤵PID:2952
-
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe71⤵
- Modifies registry class
PID:3192 -
C:\Windows\SysWOW64\Ocfdgg32.exeC:\Windows\system32\Ocfdgg32.exe72⤵PID:4320
-
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1080 -
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe74⤵PID:4260
-
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe75⤵PID:4508
-
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe76⤵PID:4684
-
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe77⤵PID:1148
-
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe78⤵
- System Location Discovery: System Language Discovery
PID:4316 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe79⤵PID:3020
-
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe80⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe81⤵PID:4432
-
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe82⤵PID:2592
-
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe84⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe85⤵PID:5164
-
C:\Windows\SysWOW64\Pcdqhecd.exeC:\Windows\system32\Pcdqhecd.exe86⤵
- Modifies registry class
PID:5208 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe87⤵PID:5252
-
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe88⤵PID:5296
-
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe89⤵PID:5340
-
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5388 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe91⤵PID:5432
-
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe92⤵
- Modifies registry class
PID:5476 -
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe93⤵PID:5520
-
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe94⤵PID:5592
-
C:\Windows\SysWOW64\Qppkhfec.exeC:\Windows\system32\Qppkhfec.exe95⤵
- System Location Discovery: System Language Discovery
PID:5648 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe96⤵PID:5696
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe97⤵
- Drops file in System32 directory
PID:5780 -
C:\Windows\SysWOW64\Qmckbjdl.exeC:\Windows\system32\Qmckbjdl.exe98⤵PID:5824
-
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5868 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe100⤵PID:5912
-
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe101⤵PID:5960
-
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe102⤵PID:6004
-
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe103⤵
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe104⤵PID:6088
-
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6132 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5156 -
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe107⤵PID:5232
-
C:\Windows\SysWOW64\Bejobk32.exeC:\Windows\system32\Bejobk32.exe108⤵PID:5264
-
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe109⤵PID:5364
-
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe110⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe111⤵PID:4568
-
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5616 -
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe113⤵PID:5704
-
C:\Windows\SysWOW64\Bflham32.exeC:\Windows\system32\Bflham32.exe114⤵PID:5808
-
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe115⤵PID:5908
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe116⤵PID:6028
-
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe117⤵PID:6104
-
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe118⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe119⤵PID:5356
-
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe120⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-