Analysis
-
max time kernel
96s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 01:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462.exe
-
Size
240KB
-
MD5
e5ebb6da1c517838f05ce508561ca12d
-
SHA1
c2e956aac5b55bb27f9d71d77875f780bc681c70
-
SHA256
95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462
-
SHA512
2ba3077141f4b77ed57e662e797f79473524fe257bccecc47ec64b188bf88649dd18af79a9962cc6781416bbc0877a298441c445a4a9ec99f498e785d0760ae3
-
SSDEEP
6144:yXKPo6bCud3eGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:y6Q6VuGyXu1jGG1wsGeBgRTGA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkofdbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkkple32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpmdbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekonpckp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lieccf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiodpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkfcndce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqkiok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kageaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcmmhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgccinoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqlfhjig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppnenlka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiockdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qachgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhpimhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgelgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjkpoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amkhmoap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmimfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkhbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbpjaeoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adcjop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajjokd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adepji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkeaqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qofcff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoabad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckiihok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gidnkkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpochfji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqhoeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlolpq32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4916 Hhfedm32.exe 4784 Hkeaqi32.exe 3968 Hjhalefe.exe 5040 Hglaej32.exe 2044 Hhknpmma.exe 2484 Hkjjlhle.exe 1412 Hjlkge32.exe 3148 Iafonaao.exe 564 Ikndgg32.exe 4884 Iqklon32.exe 2368 Inomhbeq.exe 3996 Ihdafkdg.exe 5112 Iqpfjnba.exe 2356 Igjngh32.exe 2852 Iqbbpm32.exe 2892 Jglklggl.exe 4696 Jkhgmf32.exe 3508 Jbaojpgb.exe 3312 Jdpkflfe.exe 2108 Jhlgfj32.exe 4244 Jkjcbe32.exe 2896 Jqglkmlj.exe 2332 Jdbhkk32.exe 4960 Jhndljll.exe 1428 Jgadgf32.exe 1020 Jjopcb32.exe 2324 Jnkldqkc.exe 1448 Jqiipljg.exe 4984 Jdedak32.exe 2100 Jhpqaiji.exe 2616 Jgcamf32.exe 5060 Jjamia32.exe 3564 Jnmijq32.exe 4080 Jbiejoaj.exe 2580 Jdgafjpn.exe 1088 Jibmgi32.exe 1912 Jgenbfoa.exe 2656 Jjdjoane.exe 2772 Jnpfop32.exe 4280 Jbkbpoog.exe 532 Kqnbkl32.exe 4656 Kdinljnk.exe 2120 Kghjhemo.exe 4980 Kkcfid32.exe 3388 Kjffdalb.exe 2904 Kbmoen32.exe 3988 Kqpoakco.exe 3308 Kiggbhda.exe 1416 Kgjgne32.exe 2940 Kkfcndce.exe 2068 Kndojobi.exe 2964 Kbpkkn32.exe 4652 Kqbkfkal.exe 1552 Kijchhbo.exe 2516 Kgmcce32.exe 1504 Kjkpoq32.exe 5048 Knflpoqf.exe 2148 Kaehljpj.exe 4900 Keqdmihc.exe 4264 Kilpmh32.exe 4568 Kkjlic32.exe 4236 Kjmmepfj.exe 3412 Kniieo32.exe 1604 Kageaj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Knhcpa32.dll Oldamm32.exe File created C:\Windows\SysWOW64\Aleckinj.exe Aoabad32.exe File opened for modification C:\Windows\SysWOW64\Mjkblhfo.exe Lmgabcge.exe File opened for modification C:\Windows\SysWOW64\Aknifq32.exe Ahpmjejp.exe File opened for modification C:\Windows\SysWOW64\Dngjff32.exe Dijbno32.exe File created C:\Windows\SysWOW64\Ddkbmj32.exe Dnajppda.exe File created C:\Windows\SysWOW64\Cgkeml32.dll Feqeog32.exe File created C:\Windows\SysWOW64\Jqglkmlj.exe Jkjcbe32.exe File created C:\Windows\SysWOW64\Micoommd.dll Cfldelik.exe File created C:\Windows\SysWOW64\Ocaebc32.exe Omgmeigd.exe File created C:\Windows\SysWOW64\Eajbghaq.dll Hbgkei32.exe File opened for modification C:\Windows\SysWOW64\Nmcpoedn.exe Nhhdnf32.exe File created C:\Windows\SysWOW64\Kaehljpj.exe Knflpoqf.exe File created C:\Windows\SysWOW64\Fcmpdfhi.dll Lkabjbih.exe File created C:\Windows\SysWOW64\Nbbond32.dll Mlkepaam.exe File opened for modification C:\Windows\SysWOW64\Hgdejd32.exe Hbhijepa.exe File created C:\Windows\SysWOW64\Ljceqb32.exe Lfgipd32.exe File opened for modification C:\Windows\SysWOW64\Mcifkf32.exe Mqkiok32.exe File opened for modification C:\Windows\SysWOW64\Inebjihf.exe Hihibbjo.exe File created C:\Windows\SysWOW64\Gnhekleo.dll Afhfaddk.exe File opened for modification C:\Windows\SysWOW64\Kkcfid32.exe Kghjhemo.exe File created C:\Windows\SysWOW64\Paiogf32.exe Pjpfjl32.exe File created C:\Windows\SysWOW64\Egilaj32.dll Qpeahb32.exe File opened for modification C:\Windows\SysWOW64\Gkaclqkk.exe Gegkpf32.exe File created C:\Windows\SysWOW64\Copdgb32.dll Pefabkej.exe File opened for modification C:\Windows\SysWOW64\Aojlaeei.exe Qohpkf32.exe File opened for modification C:\Windows\SysWOW64\Fideeaco.exe Fpjcgm32.exe File created C:\Windows\SysWOW64\Lqikmc32.exe Lnjnqh32.exe File opened for modification C:\Windows\SysWOW64\Nlfnaicd.exe Napjdpcn.exe File opened for modification C:\Windows\SysWOW64\Cildom32.exe Ccblbb32.exe File created C:\Windows\SysWOW64\Oiknlagg.exe Ooejohhq.exe File created C:\Windows\SysWOW64\Cjelhg32.dll Gbdoof32.exe File opened for modification C:\Windows\SysWOW64\Hmdlmg32.exe Hlepcdoa.exe File opened for modification C:\Windows\SysWOW64\Kjjbjd32.exe Kodnmkap.exe File opened for modification C:\Windows\SysWOW64\Pnfiplog.exe Ocaebc32.exe File opened for modification C:\Windows\SysWOW64\Dnmaea32.exe Dhphmj32.exe File opened for modification C:\Windows\SysWOW64\Eomffaag.exe Ekajec32.exe File opened for modification C:\Windows\SysWOW64\Bmggingc.exe Bfmolc32.exe File created C:\Windows\SysWOW64\Hejkiial.dll Polppg32.exe File opened for modification C:\Windows\SysWOW64\Gdobnj32.exe Glgjlm32.exe File created C:\Windows\SysWOW64\Fmkqpkla.exe Fiodpl32.exe File created C:\Windows\SysWOW64\Ioolkncg.exe Ilqoobdd.exe File created C:\Windows\SysWOW64\Mkfefigf.dll Qobhkjdi.exe File created C:\Windows\SysWOW64\Dgpamjnb.dll Gijmad32.exe File opened for modification C:\Windows\SysWOW64\Nhhdnf32.exe Njedbjej.exe File created C:\Windows\SysWOW64\Cgaaeham.dll Hhfedm32.exe File created C:\Windows\SysWOW64\Mnkggfkb.exe Mgaokl32.exe File created C:\Windows\SysWOW64\Adfnofpd.exe Aednci32.exe File created C:\Windows\SysWOW64\Paoinm32.dll Fbbicl32.exe File created C:\Windows\SysWOW64\Bdcmkgmm.exe Bkkhbb32.exe File created C:\Windows\SysWOW64\Pekbga32.exe Plbmokop.exe File opened for modification C:\Windows\SysWOW64\Llflea32.exe Lihpif32.exe File created C:\Windows\SysWOW64\Pkpbai32.dll Hbldphde.exe File created C:\Windows\SysWOW64\Ipdndloi.exe Ieojgc32.exe File created C:\Windows\SysWOW64\Lfgnho32.dll Ppnenlka.exe File created C:\Windows\SysWOW64\Lklcfhik.dll Kghjhemo.exe File opened for modification C:\Windows\SysWOW64\Ipeeobbe.exe Iliinc32.exe File created C:\Windows\SysWOW64\Cfnqklgh.exe Cmflbf32.exe File created C:\Windows\SysWOW64\Pcmdgodo.dll Cdpcal32.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Gmimai32.exe File created C:\Windows\SysWOW64\Afmfkjol.dll Ahcajk32.exe File created C:\Windows\SysWOW64\Gpaoobkd.dll Cmhigf32.exe File opened for modification C:\Windows\SysWOW64\Dfoiaj32.exe Dflmlj32.exe File opened for modification C:\Windows\SysWOW64\Bdpaeehj.exe Baadiiif.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6108 5820 WerFault.exe 880 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modpib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjejjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljaoeini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjoif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbibfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndljll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkggfkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljbeali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocaebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amikgpcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgdejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoideh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcoccc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qikbaaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkldqkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimqajgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpadhll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqklon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdnabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmmeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cildom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgpeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbakghm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkjgegae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qohpkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmdecbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkegpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmimai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcifkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiopca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljdai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaalblgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghojbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qclmck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdafkdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcjqgnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjokd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfdpfaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiggbhda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijlof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaqhjggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafmjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekajec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihibbjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdjoane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll" Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbfdd32.dll" Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejkiial.dll" Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocgnlha.dll" Pldcjeia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfnqklgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbicpfdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpkbko32.dll" Iqpfjnba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anmfbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aciihh32.dll" Nclikl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcegclgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcnjijoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neafjdkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll" Ckdkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appfnncn.dll" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll" Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbbcjfp.dll" Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll" Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkmfbo.dll" Koonge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiibaffb.dll" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmkmjjaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfejnf32.dll" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophkojl.dll" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" Ohfami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckdkhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbmoen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" Kjjbjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adfgdpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iimcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nopfpgip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coppbe32.dll" Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnoddcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjkblhfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll" Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaioi32.dll" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abjmkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmkdcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpfkpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbaojpgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaiilmd.dll" Licfngjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceifibod.dll" Qikgco32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3964 wrote to memory of 4916 3964 95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462.exe 83 PID 3964 wrote to memory of 4916 3964 95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462.exe 83 PID 3964 wrote to memory of 4916 3964 95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462.exe 83 PID 4916 wrote to memory of 4784 4916 Hhfedm32.exe 84 PID 4916 wrote to memory of 4784 4916 Hhfedm32.exe 84 PID 4916 wrote to memory of 4784 4916 Hhfedm32.exe 84 PID 4784 wrote to memory of 3968 4784 Hkeaqi32.exe 85 PID 4784 wrote to memory of 3968 4784 Hkeaqi32.exe 85 PID 4784 wrote to memory of 3968 4784 Hkeaqi32.exe 85 PID 3968 wrote to memory of 5040 3968 Hjhalefe.exe 86 PID 3968 wrote to memory of 5040 3968 Hjhalefe.exe 86 PID 3968 wrote to memory of 5040 3968 Hjhalefe.exe 86 PID 5040 wrote to memory of 2044 5040 Hglaej32.exe 87 PID 5040 wrote to memory of 2044 5040 Hglaej32.exe 87 PID 5040 wrote to memory of 2044 5040 Hglaej32.exe 87 PID 2044 wrote to memory of 2484 2044 Hhknpmma.exe 88 PID 2044 wrote to memory of 2484 2044 Hhknpmma.exe 88 PID 2044 wrote to memory of 2484 2044 Hhknpmma.exe 88 PID 2484 wrote to memory of 1412 2484 Hkjjlhle.exe 89 PID 2484 wrote to memory of 1412 2484 Hkjjlhle.exe 89 PID 2484 wrote to memory of 1412 2484 Hkjjlhle.exe 89 PID 1412 wrote to memory of 3148 1412 Hjlkge32.exe 90 PID 1412 wrote to memory of 3148 1412 Hjlkge32.exe 90 PID 1412 wrote to memory of 3148 1412 Hjlkge32.exe 90 PID 3148 wrote to memory of 564 3148 Iafonaao.exe 91 PID 3148 wrote to memory of 564 3148 Iafonaao.exe 91 PID 3148 wrote to memory of 564 3148 Iafonaao.exe 91 PID 564 wrote to memory of 4884 564 Ikndgg32.exe 92 PID 564 wrote to memory of 4884 564 Ikndgg32.exe 92 PID 564 wrote to memory of 4884 564 Ikndgg32.exe 92 PID 4884 wrote to memory of 2368 4884 Iqklon32.exe 93 PID 4884 wrote to memory of 2368 4884 Iqklon32.exe 93 PID 4884 wrote to memory of 2368 4884 Iqklon32.exe 93 PID 2368 wrote to memory of 3996 2368 Inomhbeq.exe 94 PID 2368 wrote to memory of 3996 2368 Inomhbeq.exe 94 PID 2368 wrote to memory of 3996 2368 Inomhbeq.exe 94 PID 3996 wrote to memory of 5112 3996 Ihdafkdg.exe 95 PID 3996 wrote to memory of 5112 3996 Ihdafkdg.exe 95 PID 3996 wrote to memory of 5112 3996 Ihdafkdg.exe 95 PID 5112 wrote to memory of 2356 5112 Iqpfjnba.exe 96 PID 5112 wrote to memory of 2356 5112 Iqpfjnba.exe 96 PID 5112 wrote to memory of 2356 5112 Iqpfjnba.exe 96 PID 2356 wrote to memory of 2852 2356 Igjngh32.exe 97 PID 2356 wrote to memory of 2852 2356 Igjngh32.exe 97 PID 2356 wrote to memory of 2852 2356 Igjngh32.exe 97 PID 2852 wrote to memory of 2892 2852 Iqbbpm32.exe 98 PID 2852 wrote to memory of 2892 2852 Iqbbpm32.exe 98 PID 2852 wrote to memory of 2892 2852 Iqbbpm32.exe 98 PID 2892 wrote to memory of 4696 2892 Jglklggl.exe 99 PID 2892 wrote to memory of 4696 2892 Jglklggl.exe 99 PID 2892 wrote to memory of 4696 2892 Jglklggl.exe 99 PID 4696 wrote to memory of 3508 4696 Jkhgmf32.exe 100 PID 4696 wrote to memory of 3508 4696 Jkhgmf32.exe 100 PID 4696 wrote to memory of 3508 4696 Jkhgmf32.exe 100 PID 3508 wrote to memory of 3312 3508 Jbaojpgb.exe 101 PID 3508 wrote to memory of 3312 3508 Jbaojpgb.exe 101 PID 3508 wrote to memory of 3312 3508 Jbaojpgb.exe 101 PID 3312 wrote to memory of 2108 3312 Jdpkflfe.exe 102 PID 3312 wrote to memory of 2108 3312 Jdpkflfe.exe 102 PID 3312 wrote to memory of 2108 3312 Jdpkflfe.exe 102 PID 2108 wrote to memory of 4244 2108 Jhlgfj32.exe 103 PID 2108 wrote to memory of 4244 2108 Jhlgfj32.exe 103 PID 2108 wrote to memory of 4244 2108 Jhlgfj32.exe 103 PID 4244 wrote to memory of 2896 4244 Jkjcbe32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462.exe"C:\Users\Admin\AppData\Local\Temp\95adf3444433cc1c7ee5484eb9e89c491cbc3125d0fcb3c08f4d260e08104462.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe23⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe24⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe26⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe27⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe29⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe30⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe31⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe32⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe33⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe34⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe35⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe36⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe37⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe38⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe40⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe41⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe42⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe45⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe46⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe48⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3308 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe50⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe52⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe55⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe56⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5048 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe59⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe60⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe61⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe63⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe64⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe66⤵PID:3448
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe67⤵PID:1684
-
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe68⤵PID:2676
-
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe69⤵PID:4316
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe71⤵PID:4240
-
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe72⤵PID:4672
-
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4320 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe74⤵PID:3760
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe75⤵PID:704
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe76⤵PID:2776
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe77⤵PID:2960
-
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe78⤵
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe79⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe80⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe81⤵PID:2988
-
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe82⤵PID:1276
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe85⤵
- System Location Discovery: System Language Discovery
PID:3320 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe86⤵PID:864
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe87⤵PID:4620
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe88⤵PID:3952
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe89⤵
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe90⤵PID:4472
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe91⤵PID:1544
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe92⤵PID:1360
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe93⤵PID:1916
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe94⤵
- System Location Discovery: System Language Discovery
PID:784 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe95⤵PID:652
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe96⤵PID:1100
-
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe97⤵PID:492
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4312 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe99⤵PID:1548
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe100⤵PID:2952
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe101⤵
- Drops file in System32 directory
PID:4664 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe102⤵PID:4836
-
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe103⤵PID:2664
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe104⤵PID:2132
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe105⤵PID:4168
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe106⤵PID:1228
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe107⤵PID:4564
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe109⤵PID:1232
-
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe110⤵PID:4356
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe111⤵
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe112⤵PID:2188
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe113⤵PID:3396
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe114⤵PID:4488
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe116⤵PID:4976
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe117⤵PID:404
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe118⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe119⤵PID:5176
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe120⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5256
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-