Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 11:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0N.exe
-
Size
108KB
-
MD5
6612efd2591a1cdaaf4898481f096ba0
-
SHA1
f9d2329e41a7b35ab403e7eda506f42ab813ce03
-
SHA256
165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0
-
SHA512
b939b73d6085c9b8b2ad358875ae2916e4127ae28585b1770287ed2064aad0b4319bab151f225bca9b1b3beb785abf5c0febf4b02b42f2fd6d6821d46c7d5a21
-
SSDEEP
3072:dnPcJQZ2c8+KYsEXNjShiKCFcFmKcUsvKwF:dnH2wXdShJ6Us
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcnipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dijpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edakpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmgepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbkafe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Negcjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoqkkfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggafndba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iboici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqfcje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpqab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkakpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmnfgnle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doooii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcdnpfjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblpmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlafop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmcmbhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdqdamb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ailaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpgfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqoifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkmbob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnbkadln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkopfmce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckhcllkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faghoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkpeohlc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdqdamb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bklcqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjlgjieb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edngpkee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmicbdq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okiembdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peeokjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpkgke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Miapid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeppa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfgnhhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lanbablg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlincim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpechaki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejnce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfcqfhld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdafcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nonkmbbq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbjcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbfjdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohkplnhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdlkaal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbfaad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjico32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eegddefl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olihblon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlnkdilf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkdoidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmbfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjcgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eodbhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqgii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edqdfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjogbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phdlgfma.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2580 Ceglmh32.exe 4840 Chehic32.exe 3980 Cjcdeo32.exe 2376 Cdlhnd32.exe 644 Cfjejp32.exe 4092 Doamlm32.exe 3168 Delehgpi.exe 1968 Dfmapp32.exe 2212 Dmgjmjnd.exe 5012 Ddqbicea.exe 4036 Dfoneode.exe 1100 Doffgmdg.exe 3560 Ddcoocco.exe 3636 Dohcllbd.exe 932 Debkifja.exe 2352 Dkocamhi.exe 3740 Dailng32.exe 404 Deehofho.exe 3972 Ddhhjb32.exe 4908 Egfdfn32.exe 4064 Eegddefl.exe 4524 Edjepb32.exe 4180 Eheqpa32.exe 3992 Ekdmll32.exe 2960 Eopimkml.exe 3132 Embihh32.exe 3332 Eaneiflp.exe 4716 Eejaje32.exe 5036 Edlaebkd.exe 4604 Ehhmfq32.exe 3552 Ekfjbl32.exe 456 Eobfbkjj.exe 1776 Emefng32.exe 2952 Emefng32.exe 2756 Eapbofjm.exe 4740 Eelnoe32.exe 4132 Ehjjkp32.exe 3964 Eodbhj32.exe 1620 Emgbcgoa.exe 4072 Edakpa32.exe 2544 Ehmgapog.exe 3684 Eogonj32.exe 3056 Fkmpbk32.exe 2028 Faghoece.exe 392 Fdfdkqbi.exe 1768 Fgdqglbm.exe 3604 Fnnidf32.exe 3852 Fdhaapqf.exe 4920 Fkbinj32.exe 704 Fehmkchi.exe 2328 Fgijbk32.exe 5068 Fdmjlp32.exe 3728 Foboih32.exe 2692 Gdogaojo.exe 3752 Geoclb32.exe 2372 Ggppcjgp.exe 3924 Goghdhhb.exe 4396 Gaedqc32.exe 2968 Gkniiinf.exe 4360 Gahafc32.exe 2856 Gkpeohlc.exe 4980 Gdhjhnbd.exe 3680 Gggfdiag.exe 4552 Gnanqc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oelmeleh.exe Oobdha32.exe File opened for modification C:\Windows\SysWOW64\Akcajo32.exe Ahddnc32.exe File created C:\Windows\SysWOW64\Dcmgog32.exe Dmcobm32.exe File created C:\Windows\SysWOW64\Fjchnn32.exe Fblpmp32.exe File created C:\Windows\SysWOW64\Gjnabq32.dll Hklekg32.exe File opened for modification C:\Windows\SysWOW64\Cifmfeee.exe Cjcmkh32.exe File created C:\Windows\SysWOW64\Gdcjbhcm.exe Gaemfmdj.exe File created C:\Windows\SysWOW64\Jgpkfpgo.exe Jdaojdhk.exe File created C:\Windows\SysWOW64\Bkefgl32.exe Bhgjka32.exe File opened for modification C:\Windows\SysWOW64\Kmmekndg.exe Kjniobed.exe File opened for modification C:\Windows\SysWOW64\Cdlhnd32.exe Cjcdeo32.exe File created C:\Windows\SysWOW64\Fdfdkqbi.exe Faghoece.exe File opened for modification C:\Windows\SysWOW64\Mlfbeooc.exe Mihficpp.exe File created C:\Windows\SysWOW64\Nligcfph.dll Bfahnfem.exe File created C:\Windows\SysWOW64\Flmoeg32.exe Fiobik32.exe File opened for modification C:\Windows\SysWOW64\Hpbfcb32.exe Hmdjgf32.exe File created C:\Windows\SysWOW64\Jjnqhecf.exe Jgodlidc.exe File created C:\Windows\SysWOW64\Liogpgld.dll Ncpjedeg.exe File created C:\Windows\SysWOW64\Cnpnkh32.dll Kbbfjm32.exe File opened for modification C:\Windows\SysWOW64\Jkbmhm32.exe Jidalb32.exe File created C:\Windows\SysWOW64\Lljlojee.exe Lilpcofa.exe File opened for modification C:\Windows\SysWOW64\Ckhcllkj.exe Ciigpq32.exe File created C:\Windows\SysWOW64\Pbglie32.dll Egfdfn32.exe File created C:\Windows\SysWOW64\Mmokhajg.dll Fifodq32.exe File created C:\Windows\SysWOW64\Hanplllo.exe Hkdhpa32.exe File created C:\Windows\SysWOW64\Lapogbjd.exe Lnabkfkq.exe File created C:\Windows\SysWOW64\Nkpbgdlj.exe Nhafkimf.exe File created C:\Windows\SysWOW64\Bffaifah.exe Blnmpp32.exe File created C:\Windows\SysWOW64\Npgjej32.dll Gbcfno32.exe File opened for modification C:\Windows\SysWOW64\Ggafndba.exe Gdcjbhcm.exe File created C:\Windows\SysWOW64\Icfljmhj.exe Ipgpnaif.exe File created C:\Windows\SysWOW64\Dmaclifc.dll Ddcoocco.exe File opened for modification C:\Windows\SysWOW64\Pcciedhh.exe Pljaij32.exe File created C:\Windows\SysWOW64\Jingcj32.dll Mmdebjpm.exe File created C:\Windows\SysWOW64\Djilaaef.exe Dcoddg32.exe File opened for modification C:\Windows\SysWOW64\Poejeo32.exe Phkahe32.exe File opened for modification C:\Windows\SysWOW64\Gbecco32.exe Gpgggc32.exe File created C:\Windows\SysWOW64\Ipqbdpqk.exe Inbfhdag.exe File opened for modification C:\Windows\SysWOW64\Lhjnnbem.exe Lfiafj32.exe File created C:\Windows\SysWOW64\Ofpbildp.dll Gibopo32.exe File opened for modification C:\Windows\SysWOW64\Lengmppk.exe Lndopf32.exe File opened for modification C:\Windows\SysWOW64\Nenpdn32.exe Mbpdhb32.exe File opened for modification C:\Windows\SysWOW64\Bllpkq32.exe Bhpdjbda.exe File created C:\Windows\SysWOW64\Eapbofjm.exe Emefng32.exe File opened for modification C:\Windows\SysWOW64\Plehnjdq.exe Pjflaoem.exe File created C:\Windows\SysWOW64\Fhecmhca.exe Fpnkkk32.exe File created C:\Windows\SysWOW64\Bklcqn32.exe Ajkgiepi.exe File opened for modification C:\Windows\SysWOW64\Nlooagcm.exe Niqbeldi.exe File created C:\Windows\SysWOW64\Dbnked32.exe Doooii32.exe File opened for modification C:\Windows\SysWOW64\Mfbdmi32.exe Mbghljok.exe File created C:\Windows\SysWOW64\Okngmo32.dll Dfadqhnf.exe File opened for modification C:\Windows\SysWOW64\Fpnkkk32.exe Fmpoop32.exe File created C:\Windows\SysWOW64\Gineepcg.exe Ghlimg32.exe File created C:\Windows\SysWOW64\Heddhpcc.dll Mkqleb32.exe File created C:\Windows\SysWOW64\Nmmgiigb.exe Ncecpc32.exe File created C:\Windows\SysWOW64\Jnlanl32.dll Ngejiffo.exe File created C:\Windows\SysWOW64\Afnemn32.exe Aocmqcea.exe File created C:\Windows\SysWOW64\Nonkmbbq.exe Nlooagcm.exe File opened for modification C:\Windows\SysWOW64\Mnhaao32.exe Mjlepqid.exe File opened for modification C:\Windows\SysWOW64\Npdklmej.exe Meognded.exe File opened for modification C:\Windows\SysWOW64\Igkakpld.exe Iboici32.exe File opened for modification C:\Windows\SysWOW64\Idobedjm.exe Inejhj32.exe File opened for modification C:\Windows\SysWOW64\Kqakkn32.exe Knboob32.exe File created C:\Windows\SysWOW64\Gmjhcmma.dll Gpdjadik.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15740 15624 WerFault.exe 835 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmeadnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okiembdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epkndg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kneldaab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naeaio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkiagel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fblpmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlepqid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negcjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdqdamb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlkklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkdoidbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijedll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inejhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kknmcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefmoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkije32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhlcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpmnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcpqng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhhjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emefng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niomjbjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccghio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gineepcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefhbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ameadhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbcqba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noihmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhpbnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljlojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ichipl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndopf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoeclmpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciigpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfjmhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dohcllbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcjmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggafndba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaigal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Incmbkec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehanell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdklmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhagekb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acobgljo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmkgqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hccodmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcofin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggppcjgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeileifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khfdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgkpne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijpgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghedmhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmcceolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahkbjnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaneiflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moeoajng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqgii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcjjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdohhog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmomad32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ackpfbbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggafndba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhppccgc.dll" Oldhlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikoqaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmcceolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmaebm32.dll" Ikdafofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjilfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohnkh32.dll" Eblgfblj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kknmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjijpbm.dll" Nljnla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkcdbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdemajom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgjee32.dll" Giiljp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhcfgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kginmnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjmcmp32.dll" Mlcoei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afkamgke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cojenjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmhmh32.dll" Nifbka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmmen32.dll" Olihblon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poeaoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjlmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oioodgbm.dll" Hkglpgfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdmgllkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kebhabjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oeoikl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmlbcfg.dll" Ddqbicea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbfojdn.dll" Inejhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbclefkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doffgmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenfmb32.dll" Qhpbnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phdlgfma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iilepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efemlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmadji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkmml32.dll" Pcampdjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdhcmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogjcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfmlfpka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkopfmce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjchnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celkcn32.dll" Jpmcmbhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knmpjmba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mehanell.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npghamcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojihkgpo.dll" Fibfiame.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejoaefi.dll" Bjpqde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncecpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnabq32.dll" Hklekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjcqnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abdohhog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmmgiigb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbjmgie.dll" Gdogaojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begimghg.dll" Dfcqfhld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnnmfkof.dll" Gkhhdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnilb32.dll" Edlkklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpmek32.dll" Jjcqnjbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njhelo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefmjb32.dll" Cmgpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqhelmea.dll" Doooii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgpgdndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deiiid32.dll" Eakaiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnmbfe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2580 2216 165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0N.exe 83 PID 2216 wrote to memory of 2580 2216 165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0N.exe 83 PID 2216 wrote to memory of 2580 2216 165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0N.exe 83 PID 2580 wrote to memory of 4840 2580 Ceglmh32.exe 84 PID 2580 wrote to memory of 4840 2580 Ceglmh32.exe 84 PID 2580 wrote to memory of 4840 2580 Ceglmh32.exe 84 PID 4840 wrote to memory of 3980 4840 Chehic32.exe 85 PID 4840 wrote to memory of 3980 4840 Chehic32.exe 85 PID 4840 wrote to memory of 3980 4840 Chehic32.exe 85 PID 3980 wrote to memory of 2376 3980 Cjcdeo32.exe 86 PID 3980 wrote to memory of 2376 3980 Cjcdeo32.exe 86 PID 3980 wrote to memory of 2376 3980 Cjcdeo32.exe 86 PID 2376 wrote to memory of 644 2376 Cdlhnd32.exe 87 PID 2376 wrote to memory of 644 2376 Cdlhnd32.exe 87 PID 2376 wrote to memory of 644 2376 Cdlhnd32.exe 87 PID 644 wrote to memory of 4092 644 Cfjejp32.exe 88 PID 644 wrote to memory of 4092 644 Cfjejp32.exe 88 PID 644 wrote to memory of 4092 644 Cfjejp32.exe 88 PID 4092 wrote to memory of 3168 4092 Doamlm32.exe 89 PID 4092 wrote to memory of 3168 4092 Doamlm32.exe 89 PID 4092 wrote to memory of 3168 4092 Doamlm32.exe 89 PID 3168 wrote to memory of 1968 3168 Delehgpi.exe 90 PID 3168 wrote to memory of 1968 3168 Delehgpi.exe 90 PID 3168 wrote to memory of 1968 3168 Delehgpi.exe 90 PID 1968 wrote to memory of 2212 1968 Dfmapp32.exe 91 PID 1968 wrote to memory of 2212 1968 Dfmapp32.exe 91 PID 1968 wrote to memory of 2212 1968 Dfmapp32.exe 91 PID 2212 wrote to memory of 5012 2212 Dmgjmjnd.exe 92 PID 2212 wrote to memory of 5012 2212 Dmgjmjnd.exe 92 PID 2212 wrote to memory of 5012 2212 Dmgjmjnd.exe 92 PID 5012 wrote to memory of 4036 5012 Ddqbicea.exe 93 PID 5012 wrote to memory of 4036 5012 Ddqbicea.exe 93 PID 5012 wrote to memory of 4036 5012 Ddqbicea.exe 93 PID 4036 wrote to memory of 1100 4036 Dfoneode.exe 94 PID 4036 wrote to memory of 1100 4036 Dfoneode.exe 94 PID 4036 wrote to memory of 1100 4036 Dfoneode.exe 94 PID 1100 wrote to memory of 3560 1100 Doffgmdg.exe 95 PID 1100 wrote to memory of 3560 1100 Doffgmdg.exe 95 PID 1100 wrote to memory of 3560 1100 Doffgmdg.exe 95 PID 3560 wrote to memory of 3636 3560 Ddcoocco.exe 96 PID 3560 wrote to memory of 3636 3560 Ddcoocco.exe 96 PID 3560 wrote to memory of 3636 3560 Ddcoocco.exe 96 PID 3636 wrote to memory of 932 3636 Dohcllbd.exe 97 PID 3636 wrote to memory of 932 3636 Dohcllbd.exe 97 PID 3636 wrote to memory of 932 3636 Dohcllbd.exe 97 PID 932 wrote to memory of 2352 932 Debkifja.exe 98 PID 932 wrote to memory of 2352 932 Debkifja.exe 98 PID 932 wrote to memory of 2352 932 Debkifja.exe 98 PID 2352 wrote to memory of 3740 2352 Dkocamhi.exe 99 PID 2352 wrote to memory of 3740 2352 Dkocamhi.exe 99 PID 2352 wrote to memory of 3740 2352 Dkocamhi.exe 99 PID 3740 wrote to memory of 404 3740 Dailng32.exe 100 PID 3740 wrote to memory of 404 3740 Dailng32.exe 100 PID 3740 wrote to memory of 404 3740 Dailng32.exe 100 PID 404 wrote to memory of 3972 404 Deehofho.exe 101 PID 404 wrote to memory of 3972 404 Deehofho.exe 101 PID 404 wrote to memory of 3972 404 Deehofho.exe 101 PID 3972 wrote to memory of 4908 3972 Ddhhjb32.exe 102 PID 3972 wrote to memory of 4908 3972 Ddhhjb32.exe 102 PID 3972 wrote to memory of 4908 3972 Ddhhjb32.exe 102 PID 4908 wrote to memory of 4064 4908 Egfdfn32.exe 103 PID 4908 wrote to memory of 4064 4908 Egfdfn32.exe 103 PID 4908 wrote to memory of 4064 4908 Egfdfn32.exe 103 PID 4064 wrote to memory of 4524 4064 Eegddefl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0N.exe"C:\Users\Admin\AppData\Local\Temp\165a3e95beb1b9eaf90c52ed1acb02e2ef9377057e7b81c211983e6b6c1b7ee0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Ceglmh32.exeC:\Windows\system32\Ceglmh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Chehic32.exeC:\Windows\system32\Chehic32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Cjcdeo32.exeC:\Windows\system32\Cjcdeo32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Cdlhnd32.exeC:\Windows\system32\Cdlhnd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Cfjejp32.exeC:\Windows\system32\Cfjejp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Doamlm32.exeC:\Windows\system32\Doamlm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Delehgpi.exeC:\Windows\system32\Delehgpi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Dfmapp32.exeC:\Windows\system32\Dfmapp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Dmgjmjnd.exeC:\Windows\system32\Dmgjmjnd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ddqbicea.exeC:\Windows\system32\Ddqbicea.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Dfoneode.exeC:\Windows\system32\Dfoneode.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Doffgmdg.exeC:\Windows\system32\Doffgmdg.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Ddcoocco.exeC:\Windows\system32\Ddcoocco.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Dohcllbd.exeC:\Windows\system32\Dohcllbd.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Debkifja.exeC:\Windows\system32\Debkifja.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Dkocamhi.exeC:\Windows\system32\Dkocamhi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Dailng32.exeC:\Windows\system32\Dailng32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Deehofho.exeC:\Windows\system32\Deehofho.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Ddhhjb32.exeC:\Windows\system32\Ddhhjb32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Egfdfn32.exeC:\Windows\system32\Egfdfn32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Eegddefl.exeC:\Windows\system32\Eegddefl.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Edjepb32.exeC:\Windows\system32\Edjepb32.exe23⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Eheqpa32.exeC:\Windows\system32\Eheqpa32.exe24⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Ekdmll32.exeC:\Windows\system32\Ekdmll32.exe25⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Eopimkml.exeC:\Windows\system32\Eopimkml.exe26⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Embihh32.exeC:\Windows\system32\Embihh32.exe27⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Eaneiflp.exeC:\Windows\system32\Eaneiflp.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Windows\SysWOW64\Eejaje32.exeC:\Windows\system32\Eejaje32.exe29⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Edlaebkd.exeC:\Windows\system32\Edlaebkd.exe30⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Ehhmfq32.exeC:\Windows\system32\Ehhmfq32.exe31⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Ekfjbl32.exeC:\Windows\system32\Ekfjbl32.exe32⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Eobfbkjj.exeC:\Windows\system32\Eobfbkjj.exe33⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Emefng32.exeC:\Windows\system32\Emefng32.exe34⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Emefng32.exeC:\Windows\system32\Emefng32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Eapbofjm.exeC:\Windows\system32\Eapbofjm.exe36⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Eelnoe32.exeC:\Windows\system32\Eelnoe32.exe37⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Ehjjkp32.exeC:\Windows\system32\Ehjjkp32.exe38⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Eodbhj32.exeC:\Windows\system32\Eodbhj32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Emgbcgoa.exeC:\Windows\system32\Emgbcgoa.exe40⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Eabodf32.exeC:\Windows\system32\Eabodf32.exe41⤵PID:1616
-
C:\Windows\SysWOW64\Edakpa32.exeC:\Windows\system32\Edakpa32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Ehmgapog.exeC:\Windows\system32\Ehmgapog.exe43⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Eogonj32.exeC:\Windows\system32\Eogonj32.exe44⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Fkmpbk32.exeC:\Windows\system32\Fkmpbk32.exe45⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Faghoece.exeC:\Windows\system32\Faghoece.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Fdfdkqbi.exeC:\Windows\system32\Fdfdkqbi.exe47⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Fgdqglbm.exeC:\Windows\system32\Fgdqglbm.exe48⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Fnnidf32.exeC:\Windows\system32\Fnnidf32.exe49⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Fdhaapqf.exeC:\Windows\system32\Fdhaapqf.exe50⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Fkbinj32.exeC:\Windows\system32\Fkbinj32.exe51⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Fehmkchi.exeC:\Windows\system32\Fehmkchi.exe52⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Fgijbk32.exeC:\Windows\system32\Fgijbk32.exe53⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Fdmjlp32.exeC:\Windows\system32\Fdmjlp32.exe54⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Foboih32.exeC:\Windows\system32\Foboih32.exe55⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Gdogaojo.exeC:\Windows\system32\Gdogaojo.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe57⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Ggppcjgp.exeC:\Windows\system32\Ggppcjgp.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Goghdhhb.exeC:\Windows\system32\Goghdhhb.exe59⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Gaedqc32.exeC:\Windows\system32\Gaedqc32.exe60⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Gkniiinf.exeC:\Windows\system32\Gkniiinf.exe61⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Gahafc32.exeC:\Windows\system32\Gahafc32.exe62⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Gkpeohlc.exeC:\Windows\system32\Gkpeohlc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe64⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Gggfdiag.exeC:\Windows\system32\Gggfdiag.exe65⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe66⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Hnckfc32.exeC:\Windows\system32\Hnckfc32.exe68⤵PID:4448
-
C:\Windows\SysWOW64\Hkglpgfk.exeC:\Windows\system32\Hkglpgfk.exe69⤵
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Hfmpmpea.exeC:\Windows\system32\Hfmpmpea.exe70⤵PID:4520
-
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe71⤵
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe72⤵PID:2276
-
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Hbfmgaic.exeC:\Windows\system32\Hbfmgaic.exe74⤵PID:3124
-
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe75⤵PID:4828
-
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe76⤵PID:2360
-
C:\Windows\SysWOW64\Ikqnffnq.exeC:\Windows\system32\Ikqnffnq.exe77⤵PID:4188
-
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe78⤵PID:112
-
C:\Windows\SysWOW64\Ifhoiokd.exeC:\Windows\system32\Ifhoiokd.exe79⤵PID:740
-
C:\Windows\SysWOW64\Ikehaejk.exeC:\Windows\system32\Ikehaejk.exe80⤵PID:3456
-
C:\Windows\SysWOW64\Ibopnpah.exeC:\Windows\system32\Ibopnpah.exe81⤵PID:4888
-
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe82⤵PID:5084
-
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe83⤵PID:548
-
C:\Windows\SysWOW64\Ifmidn32.exeC:\Windows\system32\Ifmidn32.exe84⤵PID:2720
-
C:\Windows\SysWOW64\Iilepi32.exeC:\Windows\system32\Iilepi32.exe85⤵
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Inhnhp32.exeC:\Windows\system32\Inhnhp32.exe86⤵PID:1876
-
C:\Windows\SysWOW64\Jfpeinel.exeC:\Windows\system32\Jfpeinel.exe87⤵PID:2464
-
C:\Windows\SysWOW64\Jklnadcc.exeC:\Windows\system32\Jklnadcc.exe88⤵PID:1976
-
C:\Windows\SysWOW64\Jnkjnpbg.exeC:\Windows\system32\Jnkjnpbg.exe89⤵PID:3548
-
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe90⤵PID:5100
-
C:\Windows\SysWOW64\Jkokgdaq.exeC:\Windows\system32\Jkokgdaq.exe91⤵PID:1216
-
C:\Windows\SysWOW64\Jnmgcpqd.exeC:\Windows\system32\Jnmgcpqd.exe92⤵PID:1680
-
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe93⤵PID:3948
-
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe94⤵PID:4668
-
C:\Windows\SysWOW64\Jpmcmbhg.exeC:\Windows\system32\Jpmcmbhg.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4904 -
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe96⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Jiehfh32.exeC:\Windows\system32\Jiehfh32.exe97⤵PID:4808
-
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe98⤵
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe99⤵PID:3716
-
C:\Windows\SysWOW64\Jelhki32.exeC:\Windows\system32\Jelhki32.exe100⤵PID:4580
-
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe101⤵PID:1316
-
C:\Windows\SysWOW64\Kfkeelko.exeC:\Windows\system32\Kfkeelko.exe102⤵PID:4748
-
C:\Windows\SysWOW64\Kglamd32.exeC:\Windows\system32\Kglamd32.exe103⤵PID:4508
-
C:\Windows\SysWOW64\Kpcina32.exeC:\Windows\system32\Kpcina32.exe104⤵PID:4700
-
C:\Windows\SysWOW64\Kbbfjm32.exeC:\Windows\system32\Kbbfjm32.exe105⤵
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Kepbfh32.exeC:\Windows\system32\Kepbfh32.exe106⤵PID:3612
-
C:\Windows\SysWOW64\Kljjcb32.exeC:\Windows\system32\Kljjcb32.exe107⤵PID:648
-
C:\Windows\SysWOW64\Knifon32.exeC:\Windows\system32\Knifon32.exe108⤵PID:2368
-
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe109⤵PID:1980
-
C:\Windows\SysWOW64\Kinklg32.exeC:\Windows\system32\Kinklg32.exe110⤵PID:836
-
C:\Windows\SysWOW64\Khakhcmg.exeC:\Windows\system32\Khakhcmg.exe111⤵PID:4536
-
C:\Windows\SysWOW64\Kiqgbf32.exeC:\Windows\system32\Kiqgbf32.exe112⤵PID:3532
-
C:\Windows\SysWOW64\Khchmc32.exeC:\Windows\system32\Khchmc32.exe113⤵PID:5136
-
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe114⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Kbilkl32.exeC:\Windows\system32\Kbilkl32.exe115⤵PID:5224
-
C:\Windows\SysWOW64\Khfdcc32.exeC:\Windows\system32\Khfdcc32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5268 -
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe117⤵PID:5328
-
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe118⤵PID:5376
-
C:\Windows\SysWOW64\Lejelg32.exeC:\Windows\system32\Lejelg32.exe119⤵PID:5420
-
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe120⤵PID:5464
-
C:\Windows\SysWOW64\Lhhahb32.exeC:\Windows\system32\Lhhahb32.exe121⤵PID:5500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-