Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 05:56
Static task
static1
Behavioral task
behavioral1
Sample
b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629N.exe
Resource
win10v2004-20241007-en
General
-
Target
b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629N.exe
-
Size
96KB
-
MD5
d7403a572ff671a80a89cbe7dbbf43b0
-
SHA1
3a9d36f5f0bd1307f015296ddbc42bffeff0fef3
-
SHA256
b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629
-
SHA512
fee9a6057f0c2f38aed9aa321da73e4f97fab73d71388e29042df746dd17ad06ef44527dd0b485e1220eb081563c851b78ac0ec8a72bd4cb8e74e59178231c9d
-
SSDEEP
1536:4FONuY8klBOTkQah7LGfV5wki0vY+U3StGAZ17WSduV9jojTIvjrH:4FLY8kl4TkQah7C9Fi0vYB2X7Vd69jcs
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokcklid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jddnfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhncdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ombcji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aggegh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqqdeod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchlpfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kggcnoic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efkphnbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hncmmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmcolgbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oileggkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gphgbafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeddnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofalmmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiihahme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcdnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgdbnmji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgjejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedlgbkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blqllqqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akffafgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgihfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqoiqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mahnhhod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nliaao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknobkje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflgmqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpqil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoeieolb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcbfakec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpejlmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epjajeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmqmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahmjjoig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amodep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajggomog.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2276 Lihfcm32.exe 4136 Llgcph32.exe 2612 Lbqklb32.exe 1700 Lflgmqhd.exe 3208 Likcilhh.exe 4468 Lhncdi32.exe 5000 Lbchba32.exe 2440 Mimpolee.exe 3552 Mpghkf32.exe 552 Mojhgbdl.exe 2092 Medqcmki.exe 3472 Mhbmphjm.exe 2640 Mbhamajc.exe 3656 Mibijk32.exe 2804 Mlpeff32.exe 3852 Moobbb32.exe 1220 Mehjol32.exe 4228 Mhgfkg32.exe 1656 Moaogand.exe 4460 Mfhfhong.exe 3448 Mhicpg32.exe 1684 Mockmala.exe 3100 Mfjcnold.exe 4248 Niipjj32.exe 1452 Nhlpfgbb.exe 2324 Nlglfe32.exe 4856 Npchgdcd.exe 3708 Nbadcpbh.exe 1324 Neppokal.exe 1188 Nhnlkfpp.exe 3344 Nlihle32.exe 3944 Npedmdab.exe 4548 Nbcqiope.exe 3596 Ngomin32.exe 5004 Niniei32.exe 1224 Nhpiafnm.exe 2596 Npgabc32.exe 2012 Ncfmno32.exe 3592 Nedjjj32.exe 3564 Nhbfff32.exe 372 Npjnhc32.exe 4992 Nchjdo32.exe 3420 Ngdfdmdi.exe 3936 Nibbqicm.exe 4500 Nlqomd32.exe 1040 Nplkmckj.exe 4692 Ncjginjn.exe 844 Ogfcjm32.exe 2748 Oidofh32.exe 4152 Ohgoaehe.exe 976 Ooagno32.exe 1316 Oghppm32.exe 2836 Oekpkigo.exe 3932 Ohjlgefb.exe 1844 Olehhc32.exe 3632 Opadhb32.exe 1528 Ocopdn32.exe 3192 Ogklelna.exe 2588 Oiihahme.exe 4356 Ohlimd32.exe 1408 Opcqnb32.exe 1616 Ocamjm32.exe 1164 Ogmijllo.exe 4304 Oileggkb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fhoaad32.dll Nedjjj32.exe File created C:\Windows\SysWOW64\Fliabjbh.dll Bjfjka32.exe File opened for modification C:\Windows\SysWOW64\Dpgeee32.exe Daediilg.exe File opened for modification C:\Windows\SysWOW64\Fhabbp32.exe Fdffbake.exe File opened for modification C:\Windows\SysWOW64\Lqbncb32.exe Lndagg32.exe File created C:\Windows\SysWOW64\Madjhb32.exe Mnfnlf32.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Bgnffj32.exe File created C:\Windows\SysWOW64\Kbmoen32.exe Knbbep32.exe File created C:\Windows\SysWOW64\Aaiimadl.exe Acfhad32.exe File created C:\Windows\SysWOW64\Fbociolq.dll Bkkple32.exe File opened for modification C:\Windows\SysWOW64\Nmenca32.exe Njfagf32.exe File opened for modification C:\Windows\SysWOW64\Popbpqjh.exe Pkegpb32.exe File created C:\Windows\SysWOW64\Aonhghjl.exe Akblfj32.exe File opened for modification C:\Windows\SysWOW64\Ocamjm32.exe Opcqnb32.exe File created C:\Windows\SysWOW64\Fpmehf32.dll Plbmokop.exe File created C:\Windows\SysWOW64\Phfjcf32.exe Pehngkcg.exe File created C:\Windows\SysWOW64\Ackigjmh.exe Aqmlknnd.exe File opened for modification C:\Windows\SysWOW64\Jdedak32.exe Jqiipljg.exe File created C:\Windows\SysWOW64\Efpomccg.exe Eofgpikj.exe File created C:\Windows\SysWOW64\Efeihb32.exe Ennqfenp.exe File opened for modification C:\Windows\SysWOW64\Emanjldl.exe Efgemb32.exe File opened for modification C:\Windows\SysWOW64\Gpnfge32.exe Gidnkkpc.exe File created C:\Windows\SysWOW64\Lelgfl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ejpfhnpe.exe Efdjgo32.exe File opened for modification C:\Windows\SysWOW64\Lnjgfb32.exe Lfbped32.exe File opened for modification C:\Windows\SysWOW64\Lncjlq32.exe Lgibpf32.exe File created C:\Windows\SysWOW64\Mnpofk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lqkgbcff.exe Lnmkfh32.exe File created C:\Windows\SysWOW64\Lgjijmin.exe Lekmnajj.exe File created C:\Windows\SysWOW64\Odgpqgeo.dll Madjhb32.exe File created C:\Windows\SysWOW64\Mjknojbk.dll Qkipkani.exe File opened for modification C:\Windows\SysWOW64\Lfgipd32.exe Lgdidgjg.exe File created C:\Windows\SysWOW64\Pfandnla.exe Pccahbmn.exe File created C:\Windows\SysWOW64\Bclgdl32.dll Mfjcnold.exe File created C:\Windows\SysWOW64\Ccnncgmc.exe Cpbbch32.exe File created C:\Windows\SysWOW64\Fkpool32.exe Fgdbnmji.exe File created C:\Windows\SysWOW64\Olgncmim.exe Oemefcap.exe File opened for modification C:\Windows\SysWOW64\Aakebqbj.exe Aomifecf.exe File opened for modification C:\Windows\SysWOW64\Efeihb32.exe Ennqfenp.exe File created C:\Windows\SysWOW64\Ckjinf32.dll Gppcmeem.exe File created C:\Windows\SysWOW64\Efgemb32.exe Enpmld32.exe File created C:\Windows\SysWOW64\Ealkjh32.exe Empoiimf.exe File opened for modification C:\Windows\SysWOW64\Gnhnaf32.exe Gdoihpbk.exe File opened for modification C:\Windows\SysWOW64\Jqdoem32.exe Jnfcia32.exe File created C:\Windows\SysWOW64\Pefhlaie.exe Pchlpfjb.exe File created C:\Windows\SysWOW64\Npjfngdm.dll Lggldm32.exe File opened for modification C:\Windows\SysWOW64\Plpjoe32.exe Pdhbmh32.exe File opened for modification C:\Windows\SysWOW64\Eoideh32.exe Efpomccg.exe File opened for modification C:\Windows\SysWOW64\Holfoqcm.exe Hlnjbedi.exe File created C:\Windows\SysWOW64\Pijmiq32.dll Kcpjnjii.exe File created C:\Windows\SysWOW64\Hikemehi.dll Process not Found File created C:\Windows\SysWOW64\Lpefcn32.dll Jekqmhia.exe File created C:\Windows\SysWOW64\Nplkmckj.exe Nlqomd32.exe File opened for modification C:\Windows\SysWOW64\Oiihahme.exe Ogklelna.exe File opened for modification C:\Windows\SysWOW64\Epjajeqo.exe Eagaoh32.exe File opened for modification C:\Windows\SysWOW64\Dihlbf32.exe Dckdjomg.exe File created C:\Windows\SysWOW64\Njfagf32.exe Nghekkmn.exe File created C:\Windows\SysWOW64\Kiljgf32.dll Dmlkhofd.exe File opened for modification C:\Windows\SysWOW64\Dngjff32.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Mqkiok32.exe Mnmmboed.exe File opened for modification C:\Windows\SysWOW64\Pmpolgoi.exe Pjbcplpe.exe File opened for modification C:\Windows\SysWOW64\Olehhc32.exe Ohjlgefb.exe File opened for modification C:\Windows\SysWOW64\Ojnblg32.exe Ogpepl32.exe File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Eciplm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5796 5820 Process not Found 1156 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqfdnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibobdqid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhgmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadleilm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhfhong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modgdicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqhcpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meepdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekiqccc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgccinoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niipjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjnhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqkpeopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibfck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emphocjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqffjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibmgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbfhmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgenbfoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkdfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpanan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neppokal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhecmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikmbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcnbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkicaahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlpfgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogklelna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efgemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemkelcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkeclfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghcocol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcaofebg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjgebf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akffafgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popbpqjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcgpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamiaboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnkdq32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mniallpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfohnkk.dll" Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkhgmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dckdjomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaafn32.dll" Gemkelcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbchba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbado32.dll" Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmpmgdc.dll" Jbfheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccnncgmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcoajfm.dll" Hlpfhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlbcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pomgjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plndcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdmkhgho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjaqpbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Podmed32.dll" Fibojhim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kndojobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpchnbbb.dll" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icland32.dll" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoaob32.dll" Gpnfge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhlpqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Facqkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlgah32.dll" Neppokal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcijdmpm.dll" Ejlbhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klinjgke.dll" Aomifecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lekmnajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll" Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhefcoo.dll" Pccahbmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debbhd32.dll" Eangpgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmflc32.dll" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjigamma.dll" Jjjghcfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll" Iohejo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oheihn32.dll" Eigonjcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eigonjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncijina.dll" Oeheqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aogiap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppolhcnm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1428 wrote to memory of 2276 1428 b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629N.exe 85 PID 1428 wrote to memory of 2276 1428 b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629N.exe 85 PID 1428 wrote to memory of 2276 1428 b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629N.exe 85 PID 2276 wrote to memory of 4136 2276 Lihfcm32.exe 86 PID 2276 wrote to memory of 4136 2276 Lihfcm32.exe 86 PID 2276 wrote to memory of 4136 2276 Lihfcm32.exe 86 PID 4136 wrote to memory of 2612 4136 Llgcph32.exe 87 PID 4136 wrote to memory of 2612 4136 Llgcph32.exe 87 PID 4136 wrote to memory of 2612 4136 Llgcph32.exe 87 PID 2612 wrote to memory of 1700 2612 Lbqklb32.exe 88 PID 2612 wrote to memory of 1700 2612 Lbqklb32.exe 88 PID 2612 wrote to memory of 1700 2612 Lbqklb32.exe 88 PID 1700 wrote to memory of 3208 1700 Lflgmqhd.exe 89 PID 1700 wrote to memory of 3208 1700 Lflgmqhd.exe 89 PID 1700 wrote to memory of 3208 1700 Lflgmqhd.exe 89 PID 3208 wrote to memory of 4468 3208 Likcilhh.exe 90 PID 3208 wrote to memory of 4468 3208 Likcilhh.exe 90 PID 3208 wrote to memory of 4468 3208 Likcilhh.exe 90 PID 4468 wrote to memory of 5000 4468 Lhncdi32.exe 92 PID 4468 wrote to memory of 5000 4468 Lhncdi32.exe 92 PID 4468 wrote to memory of 5000 4468 Lhncdi32.exe 92 PID 5000 wrote to memory of 2440 5000 Lbchba32.exe 93 PID 5000 wrote to memory of 2440 5000 Lbchba32.exe 93 PID 5000 wrote to memory of 2440 5000 Lbchba32.exe 93 PID 2440 wrote to memory of 3552 2440 Mimpolee.exe 94 PID 2440 wrote to memory of 3552 2440 Mimpolee.exe 94 PID 2440 wrote to memory of 3552 2440 Mimpolee.exe 94 PID 3552 wrote to memory of 552 3552 Mpghkf32.exe 95 PID 3552 wrote to memory of 552 3552 Mpghkf32.exe 95 PID 3552 wrote to memory of 552 3552 Mpghkf32.exe 95 PID 552 wrote to memory of 2092 552 Mojhgbdl.exe 96 PID 552 wrote to memory of 2092 552 Mojhgbdl.exe 96 PID 552 wrote to memory of 2092 552 Mojhgbdl.exe 96 PID 2092 wrote to memory of 3472 2092 Medqcmki.exe 97 PID 2092 wrote to memory of 3472 2092 Medqcmki.exe 97 PID 2092 wrote to memory of 3472 2092 Medqcmki.exe 97 PID 3472 wrote to memory of 2640 3472 Mhbmphjm.exe 98 PID 3472 wrote to memory of 2640 3472 Mhbmphjm.exe 98 PID 3472 wrote to memory of 2640 3472 Mhbmphjm.exe 98 PID 2640 wrote to memory of 3656 2640 Mbhamajc.exe 99 PID 2640 wrote to memory of 3656 2640 Mbhamajc.exe 99 PID 2640 wrote to memory of 3656 2640 Mbhamajc.exe 99 PID 3656 wrote to memory of 2804 3656 Mibijk32.exe 100 PID 3656 wrote to memory of 2804 3656 Mibijk32.exe 100 PID 3656 wrote to memory of 2804 3656 Mibijk32.exe 100 PID 2804 wrote to memory of 3852 2804 Mlpeff32.exe 101 PID 2804 wrote to memory of 3852 2804 Mlpeff32.exe 101 PID 2804 wrote to memory of 3852 2804 Mlpeff32.exe 101 PID 3852 wrote to memory of 1220 3852 Moobbb32.exe 102 PID 3852 wrote to memory of 1220 3852 Moobbb32.exe 102 PID 3852 wrote to memory of 1220 3852 Moobbb32.exe 102 PID 1220 wrote to memory of 4228 1220 Mehjol32.exe 103 PID 1220 wrote to memory of 4228 1220 Mehjol32.exe 103 PID 1220 wrote to memory of 4228 1220 Mehjol32.exe 103 PID 4228 wrote to memory of 1656 4228 Mhgfkg32.exe 104 PID 4228 wrote to memory of 1656 4228 Mhgfkg32.exe 104 PID 4228 wrote to memory of 1656 4228 Mhgfkg32.exe 104 PID 1656 wrote to memory of 4460 1656 Moaogand.exe 105 PID 1656 wrote to memory of 4460 1656 Moaogand.exe 105 PID 1656 wrote to memory of 4460 1656 Moaogand.exe 105 PID 4460 wrote to memory of 3448 4460 Mfhfhong.exe 106 PID 4460 wrote to memory of 3448 4460 Mfhfhong.exe 106 PID 4460 wrote to memory of 3448 4460 Mfhfhong.exe 106 PID 3448 wrote to memory of 1684 3448 Mhicpg32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629N.exe"C:\Users\Admin\AppData\Local\Temp\b39af6ecda0b0c8981eddc5a84fabd5c50f91172726b0e3578a3a831b6212629N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe23⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4248 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe27⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe28⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe29⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe31⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe33⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe34⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe35⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe36⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe37⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe38⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe39⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3592 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe41⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe43⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe44⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe45⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4500 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe47⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe48⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe51⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe52⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe53⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe54⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3932 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe56⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe57⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe58⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3192 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe61⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe63⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe64⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe66⤵PID:3316
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe67⤵PID:5032
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe69⤵PID:3668
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe70⤵PID:4864
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe71⤵PID:948
-
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe72⤵PID:2452
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe73⤵PID:1564
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe74⤵PID:1676
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe75⤵PID:4540
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe76⤵PID:4316
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe77⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe78⤵PID:3996
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe79⤵PID:2412
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe80⤵PID:1292
-
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe81⤵PID:3572
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe82⤵PID:4368
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe83⤵PID:468
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4024 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe85⤵
- System Location Discovery: System Language Discovery
PID:3340 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe86⤵PID:2716
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe87⤵PID:1004
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe88⤵PID:1652
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe89⤵PID:3128
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe90⤵PID:2508
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe92⤵PID:3588
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe93⤵PID:2476
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe95⤵PID:2368
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe96⤵PID:2892
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe97⤵
- System Location Discovery: System Language Discovery
PID:3988 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4028 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe99⤵PID:1608
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1108 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe101⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe102⤵PID:1312
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe103⤵PID:5148
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe105⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe106⤵PID:5276
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe108⤵PID:5364
-
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe110⤵PID:5452
-
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe111⤵PID:5496
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe112⤵PID:5540
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe113⤵PID:5584
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe114⤵PID:5624
-
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe115⤵PID:5668
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe116⤵PID:5712
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe117⤵PID:5756
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe118⤵PID:5792
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe119⤵PID:5844
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5904 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe121⤵PID:5944
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe122⤵PID:5992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-