Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 10:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510N.exe
-
Size
664KB
-
MD5
c8cb6c3c39d20830bf770ac13043c130
-
SHA1
ed902fb76c16b12670fa619e87c1863ad5142cef
-
SHA256
29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510
-
SHA512
39b391e7e0faf9ff418f3b5a0dd49c54c03f635eba65d9c345ac0f142f67b3e07ed057595fc92f29cbdad40a3763b4b324e82dfb898553bfd1e298d34ae05bc2
-
SSDEEP
12288:Hd5fM3zpV6yYPVpV6yYPg058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjm:95fMDWVWleKWNUir2MhNl6zX3w9As/xi
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnbdioi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fealin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caojpaij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfpecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khmknk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmpfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmlfqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emphocjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogpepl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjnoece.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbenmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdcbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbcfhibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jleijb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naaqofgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbmfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Digehphc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibaeen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jleijb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enbjad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjaabq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeekkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqiipljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajggomog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohfami32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdickcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppjfgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlpeff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhalefe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijogmdqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnplfj32.exe -
Executes dropped EXE 64 IoCs
pid Process 5056 Fkqeib32.exe 3280 Fnobem32.exe 2956 Fefjfked.exe 3948 Gekcaj32.exe 4992 Gglpibgm.exe 2292 Gadqlkep.exe 4184 Gohaeo32.exe 324 Gddinf32.exe 1260 Gnmnfkia.exe 1952 Hnoklk32.exe 4424 Hffcmh32.exe 4816 Hgjljpkm.exe 1400 Hdnldd32.exe 2988 Hocqam32.exe 640 Hdpiid32.exe 4484 Hfpecg32.exe 3744 Ibffhhek.exe 4460 Igcoqocb.exe 2016 Idgojc32.exe 4288 Inpccihl.exe 2352 Iiehpahb.exe 744 Ibnligoc.exe 4388 Ibpiogmp.exe 4464 Jodjhkkj.exe 2464 Jilnqqbj.exe 4376 Jecofa32.exe 5052 Jnkcogno.exe 1488 Jeekkafl.exe 3504 Jicdap32.exe 2076 Jkaqnk32.exe 3268 Jblijebc.exe 4088 Jghabl32.exe 924 Kflnfcgg.exe 4988 Khmknk32.exe 1268 Kngcje32.exe 3188 Kbbokdlk.exe 2308 Klkcdj32.exe 3264 Knippe32.exe 4824 Kechmoil.exe 100 Khbdikip.exe 3292 Knlleepl.exe 752 Kefdbo32.exe 5008 Kiaqcnpb.exe 1188 Llpmoiof.exe 4580 Lbjelc32.exe 1128 Lidmhmnp.exe 4448 Lblaabdp.exe 3200 Lhijijbg.exe 1144 Locbfd32.exe 4556 Lhkgoiqe.exe 3316 Lpbopfag.exe 2628 Likcilhh.exe 1324 Lbchba32.exe 4792 Mojhgbdl.exe 1588 Medqcmki.exe 3404 Mlnipg32.exe 3612 Mfcmmp32.exe 4796 Mlpeff32.exe 3112 Moobbb32.exe 2112 Midfokpm.exe 3856 Moaogand.exe 4596 Mleoafmn.exe 3376 Nemcjk32.exe 3472 Npchgdcd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hibjli32.exe Hpiecd32.exe File opened for modification C:\Windows\SysWOW64\Knippe32.exe Klkcdj32.exe File opened for modification C:\Windows\SysWOW64\Idkbkl32.exe Iqpfjnba.exe File created C:\Windows\SysWOW64\Lagajn32.dll Ejfeng32.exe File opened for modification C:\Windows\SysWOW64\Dnpdegjp.exe Dhclmp32.exe File opened for modification C:\Windows\SysWOW64\Podmkm32.exe Phjenbhp.exe File created C:\Windows\SysWOW64\Plkcijka.dll Phedhmhi.exe File opened for modification C:\Windows\SysWOW64\Bkdcbd32.exe Bfgjjm32.exe File created C:\Windows\SysWOW64\Injmlc32.dll Dlghoa32.exe File created C:\Windows\SysWOW64\Kjhcjq32.exe Kkfcndce.exe File created C:\Windows\SysWOW64\Mhilfa32.exe Maodigil.exe File created C:\Windows\SysWOW64\Qofmkc32.dll Njpdnedf.exe File created C:\Windows\SysWOW64\Cofnik32.exe Chlflabp.exe File created C:\Windows\SysWOW64\Fnnjmbpm.exe Flpmagqi.exe File created C:\Windows\SysWOW64\Ckebcg32.exe Chfegk32.exe File created C:\Windows\SysWOW64\Fpggamqc.exe Fimodc32.exe File created C:\Windows\SysWOW64\Iigkob32.dll Lqndhcdc.exe File created C:\Windows\SysWOW64\Mjkblhfo.exe Mcqjon32.exe File opened for modification C:\Windows\SysWOW64\Chiigadc.exe Cfkmkf32.exe File opened for modification C:\Windows\SysWOW64\Cglbhhga.exe Cdmfllhn.exe File created C:\Windows\SysWOW64\Kohmng32.dll Oileggkb.exe File opened for modification C:\Windows\SysWOW64\Cfadkb32.exe Cadlbk32.exe File created C:\Windows\SysWOW64\Nlfcoqpl.dll Megljppl.exe File opened for modification C:\Windows\SysWOW64\Jpenfp32.exe Jngbjd32.exe File created C:\Windows\SysWOW64\Ehjlaaig.exe Epcdqd32.exe File created C:\Windows\SysWOW64\Hkicaahi.exe Hdokdg32.exe File opened for modification C:\Windows\SysWOW64\Anobgl32.exe Ahbjoe32.exe File created C:\Windows\SysWOW64\Npepkf32.exe Njhgbp32.exe File created C:\Windows\SysWOW64\Ljfhqh32.exe Lqndhcdc.exe File created C:\Windows\SysWOW64\Jhijep32.dll Cpfcfmlp.exe File created C:\Windows\SysWOW64\Hgagmm32.dll Qfbobf32.exe File created C:\Windows\SysWOW64\Llelopkl.dll Ffpicn32.exe File opened for modification C:\Windows\SysWOW64\Pocfpf32.exe Phincl32.exe File opened for modification C:\Windows\SysWOW64\Jncoikmp.exe Ikdcmpnl.exe File created C:\Windows\SysWOW64\Dckdjomg.exe Dmalne32.exe File opened for modification C:\Windows\SysWOW64\Lbchba32.exe Likcilhh.exe File created C:\Windows\SysWOW64\Fmjaphek.exe Ffpicn32.exe File created C:\Windows\SysWOW64\Jlgepanl.exe Jenmcggo.exe File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe Nfohgqlg.exe File opened for modification C:\Windows\SysWOW64\Fibhpbea.exe Ffclcgfn.exe File opened for modification C:\Windows\SysWOW64\Pecellgl.exe Pmlmkn32.exe File opened for modification C:\Windows\SysWOW64\Hidgai32.exe Hlpfhe32.exe File opened for modification C:\Windows\SysWOW64\Kegpifod.exe Komhll32.exe File created C:\Windows\SysWOW64\Phlacbfm.exe Podmkm32.exe File created C:\Windows\SysWOW64\Jkhgmf32.exe Indfca32.exe File created C:\Windows\SysWOW64\Jjopcb32.exe Jdbhkk32.exe File created C:\Windows\SysWOW64\Phbhcmjl.exe Pcepkfld.exe File created C:\Windows\SysWOW64\Cmeafpab.dll Pedbahod.exe File created C:\Windows\SysWOW64\Pjmjdm32.exe Pccahbmn.exe File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Bgpcliao.exe File created C:\Windows\SysWOW64\Inbpkjag.dll Bcelmhen.exe File opened for modification C:\Windows\SysWOW64\Kelkaj32.exe Knbbep32.exe File created C:\Windows\SysWOW64\Fjecoi32.dll Oemefcap.exe File created C:\Windows\SysWOW64\Jjafok32.exe Jcgnbaeo.exe File opened for modification C:\Windows\SysWOW64\Cfqmpl32.exe Ckkiccep.exe File created C:\Windows\SysWOW64\Mlgjal32.dll Bnkbcj32.exe File created C:\Windows\SysWOW64\Lhnjoi32.dll Flkdfh32.exe File opened for modification C:\Windows\SysWOW64\Gifkpknp.exe Gfhndpol.exe File opened for modification C:\Windows\SysWOW64\Idgojc32.exe Igcoqocb.exe File opened for modification C:\Windows\SysWOW64\Npchgdcd.exe Nemcjk32.exe File created C:\Windows\SysWOW64\Opeemh32.dll Edhjqc32.exe File created C:\Windows\SysWOW64\Mbenmk32.exe Mhoipb32.exe File created C:\Windows\SysWOW64\Leabba32.dll Ijqmhnko.exe File opened for modification C:\Windows\SysWOW64\Jdodkebj.exe Jnelok32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5576 5492 WerFault.exe 865 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgicgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccqkigkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhflnpoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhhpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhmnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmein32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinboekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjjocap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhimica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpjnjii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckiihok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpecbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemefcap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkjgegae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiobceef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megljppl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdcld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oileggkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigheh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llflea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmpfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlflabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpepl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmkkjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjnoece.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafcqcea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcejco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcjep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmmqheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agiamhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phodcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgamnded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmglcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpqnneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibffhhek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnihiio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgelek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqlefl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcphdpff.dll" Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll" Gflhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abeiec32.dll" Jeekkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpgiggmj.dll" Hglaej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Najceeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmflbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogacbllg.dll" Pecellgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onmfimga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibpiogmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadenp32.dll" Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjalckog.dll" Qmhlgmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebdcld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekmhejao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnafno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcanijap.dll" Aakebqbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdglf32.dll" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gndcedao.dll" Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbond32.dll" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalebkhm.dll" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haffcnib.dll" Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpban32.dll" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbbcpq.dll" Glgjlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohfami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhbfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll" Qodeajbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll" Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oimkbaed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpejlmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iiehpahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll" Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" Bnoddcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcigeooj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqnnno32.dll" Kkfcndce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mehcdfch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkegm32.dll" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndfbikc.dll" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chfegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llpmoiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdliee32.dll" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iicfkknk.dll" Poaqemao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lndham32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lekmnajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baaelkfn.dll" Fealin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffpicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flafeh32.dll" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chiigadc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3608 wrote to memory of 5056 3608 29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510N.exe 83 PID 3608 wrote to memory of 5056 3608 29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510N.exe 83 PID 3608 wrote to memory of 5056 3608 29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510N.exe 83 PID 5056 wrote to memory of 3280 5056 Fkqeib32.exe 84 PID 5056 wrote to memory of 3280 5056 Fkqeib32.exe 84 PID 5056 wrote to memory of 3280 5056 Fkqeib32.exe 84 PID 3280 wrote to memory of 2956 3280 Fnobem32.exe 85 PID 3280 wrote to memory of 2956 3280 Fnobem32.exe 85 PID 3280 wrote to memory of 2956 3280 Fnobem32.exe 85 PID 2956 wrote to memory of 3948 2956 Fefjfked.exe 86 PID 2956 wrote to memory of 3948 2956 Fefjfked.exe 86 PID 2956 wrote to memory of 3948 2956 Fefjfked.exe 86 PID 3948 wrote to memory of 4992 3948 Gekcaj32.exe 88 PID 3948 wrote to memory of 4992 3948 Gekcaj32.exe 88 PID 3948 wrote to memory of 4992 3948 Gekcaj32.exe 88 PID 4992 wrote to memory of 2292 4992 Gglpibgm.exe 90 PID 4992 wrote to memory of 2292 4992 Gglpibgm.exe 90 PID 4992 wrote to memory of 2292 4992 Gglpibgm.exe 90 PID 2292 wrote to memory of 4184 2292 Gadqlkep.exe 91 PID 2292 wrote to memory of 4184 2292 Gadqlkep.exe 91 PID 2292 wrote to memory of 4184 2292 Gadqlkep.exe 91 PID 4184 wrote to memory of 324 4184 Gohaeo32.exe 93 PID 4184 wrote to memory of 324 4184 Gohaeo32.exe 93 PID 4184 wrote to memory of 324 4184 Gohaeo32.exe 93 PID 324 wrote to memory of 1260 324 Gddinf32.exe 94 PID 324 wrote to memory of 1260 324 Gddinf32.exe 94 PID 324 wrote to memory of 1260 324 Gddinf32.exe 94 PID 1260 wrote to memory of 1952 1260 Gnmnfkia.exe 95 PID 1260 wrote to memory of 1952 1260 Gnmnfkia.exe 95 PID 1260 wrote to memory of 1952 1260 Gnmnfkia.exe 95 PID 1952 wrote to memory of 4424 1952 Hnoklk32.exe 96 PID 1952 wrote to memory of 4424 1952 Hnoklk32.exe 96 PID 1952 wrote to memory of 4424 1952 Hnoklk32.exe 96 PID 4424 wrote to memory of 4816 4424 Hffcmh32.exe 97 PID 4424 wrote to memory of 4816 4424 Hffcmh32.exe 97 PID 4424 wrote to memory of 4816 4424 Hffcmh32.exe 97 PID 4816 wrote to memory of 1400 4816 Hgjljpkm.exe 98 PID 4816 wrote to memory of 1400 4816 Hgjljpkm.exe 98 PID 4816 wrote to memory of 1400 4816 Hgjljpkm.exe 98 PID 1400 wrote to memory of 2988 1400 Hdnldd32.exe 99 PID 1400 wrote to memory of 2988 1400 Hdnldd32.exe 99 PID 1400 wrote to memory of 2988 1400 Hdnldd32.exe 99 PID 2988 wrote to memory of 640 2988 Hocqam32.exe 101 PID 2988 wrote to memory of 640 2988 Hocqam32.exe 101 PID 2988 wrote to memory of 640 2988 Hocqam32.exe 101 PID 640 wrote to memory of 4484 640 Hdpiid32.exe 102 PID 640 wrote to memory of 4484 640 Hdpiid32.exe 102 PID 640 wrote to memory of 4484 640 Hdpiid32.exe 102 PID 4484 wrote to memory of 3744 4484 Hfpecg32.exe 103 PID 4484 wrote to memory of 3744 4484 Hfpecg32.exe 103 PID 4484 wrote to memory of 3744 4484 Hfpecg32.exe 103 PID 3744 wrote to memory of 4460 3744 Ibffhhek.exe 104 PID 3744 wrote to memory of 4460 3744 Ibffhhek.exe 104 PID 3744 wrote to memory of 4460 3744 Ibffhhek.exe 104 PID 4460 wrote to memory of 2016 4460 Igcoqocb.exe 105 PID 4460 wrote to memory of 2016 4460 Igcoqocb.exe 105 PID 4460 wrote to memory of 2016 4460 Igcoqocb.exe 105 PID 2016 wrote to memory of 4288 2016 Idgojc32.exe 106 PID 2016 wrote to memory of 4288 2016 Idgojc32.exe 106 PID 2016 wrote to memory of 4288 2016 Idgojc32.exe 106 PID 4288 wrote to memory of 2352 4288 Inpccihl.exe 107 PID 4288 wrote to memory of 2352 4288 Inpccihl.exe 107 PID 4288 wrote to memory of 2352 4288 Inpccihl.exe 107 PID 2352 wrote to memory of 744 2352 Iiehpahb.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510N.exe"C:\Users\Admin\AppData\Local\Temp\29c87c877bc1ce3050fb6759e7e8391822fc42db9808b06292711afb6794f510N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe23⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4388 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe25⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe26⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe27⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe28⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe30⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe31⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe32⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe33⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe34⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe37⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe39⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe40⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe41⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe42⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe43⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe44⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe46⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe47⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe48⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe49⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe50⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe51⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe52⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe54⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe55⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe56⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe57⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe58⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe60⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe61⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe62⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe63⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe65⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe67⤵PID:4800
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe68⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe69⤵PID:4396
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe70⤵PID:920
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe71⤵PID:4876
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe72⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe73⤵PID:4928
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe74⤵PID:2372
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4516 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe77⤵PID:3712
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe78⤵
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe79⤵PID:4408
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe80⤵PID:4064
-
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe81⤵
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe82⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe83⤵
- Drops file in System32 directory
PID:4564 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe84⤵PID:4820
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe85⤵PID:4684
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe86⤵PID:3736
-
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe87⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe88⤵PID:2936
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe89⤵PID:2576
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe90⤵PID:2404
-
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe91⤵PID:3092
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe92⤵PID:1800
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe93⤵PID:3248
-
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe94⤵PID:2160
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe95⤵PID:3900
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe96⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe97⤵PID:3116
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe98⤵PID:4784
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe99⤵PID:4560
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe100⤵
- System Location Discovery: System Language Discovery
PID:3324 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe101⤵PID:1224
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe102⤵PID:5088
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe103⤵PID:5128
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe104⤵
- Drops file in System32 directory
PID:5172 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe105⤵PID:5216
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe107⤵
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe108⤵PID:5352
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe109⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe110⤵PID:5440
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe111⤵PID:5488
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe112⤵PID:5532
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe113⤵PID:5576
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe114⤵PID:5620
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe115⤵PID:5664
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe116⤵PID:5708
-
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe117⤵
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe118⤵PID:5792
-
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe119⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe120⤵PID:5884
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe121⤵PID:5928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-