Analysis
-
max time kernel
93s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 20:46
Behavioral task
behavioral1
Sample
2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c.exe
-
Size
187KB
-
MD5
f57e18ea485aa59f04daa7018d518126
-
SHA1
dbe87934f0f2c60fa6c9e379954055d506df461b
-
SHA256
2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c
-
SHA512
8af3c1ca42b780d1b50000e9836b23dad9da9bc18d9097356efb339815a921d807647d9d3961e06d46798ce2c7fc233c8e270654c64e4ba841fdc2e92f4d3d78
-
SSDEEP
3072:X1nmFgbvApactRbMP7s7BFVgtRQ2c+tlB5xpWJLM77OkeCK2+hDueHO:X1neJbE7yBFV+tbFOLM77OLLtu
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jniood32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paihlpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baegibae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebaplnie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcfahbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebommi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcain32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqpcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Codhnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqfpckhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgmpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahjgjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedafk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonhghjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbbicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efblbbqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plmmif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jknfcofa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pplobcpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkkqmiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhmbqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajkqfoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjicdmmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbped32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicpgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmhko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opbean32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdcbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmfcok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lojmcdgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieojgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bljlfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doagjc32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4720 Piijno32.exe 1360 Qofcff32.exe 4340 Qcaofebg.exe 3104 Qljcoj32.exe 2840 Qcclld32.exe 2040 Ajndioga.exe 2416 Allpejfe.exe 4824 Akoqpg32.exe 3360 Aaiimadl.exe 1476 Alnmjjdb.exe 2584 Aomifecf.exe 3112 Afgacokc.exe 1064 Alqjpi32.exe 2240 Aoofle32.exe 3580 Afinioip.exe 2844 Akffafgg.exe 1956 Abponp32.exe 1264 Ahjgjj32.exe 3464 Aodogdmn.exe 4140 Bjicdmmd.exe 4260 Bcahmb32.exe 4480 Bfpdin32.exe 4572 Bljlfh32.exe 1940 Bcddcbab.exe 3056 Bfbaonae.exe 960 Bmlilh32.exe 1000 Bcfahbpo.exe 3792 Bbiado32.exe 2368 Bcinna32.exe 3092 Bfgjjm32.exe 4724 Bkdcbd32.exe 2448 Cfigpm32.exe 3460 Cjecpkcg.exe 636 Cobkhb32.exe 1604 Cfldelik.exe 4872 Cmflbf32.exe 5012 Codhnb32.exe 4332 Cjjlkk32.exe 4324 Ckkiccep.exe 1704 Cofecami.exe 4916 Cjliajmo.exe 3488 Ckmehb32.exe 1764 Cjnffjkl.exe 64 Ckpbnb32.exe 2032 Ccgjopal.exe 3004 Diccgfpd.exe 1688 Dpnkdq32.exe 3620 Dblgpl32.exe 5116 Dfgcakon.exe 2560 Djcoai32.exe 1396 Dkdliame.exe 1816 Djelgied.exe 3268 Dmdhcddh.exe 3132 Dflmlj32.exe 1020 Dikihe32.exe 3604 Dcpmen32.exe 2988 Dfoiaj32.exe 3288 Dimenegi.exe 4968 Dlkbjqgm.exe 2080 Eiobceef.exe 4756 Ecefqnel.exe 452 Ejoomhmi.exe 3724 Ecgcfm32.exe 2852 Ebjcajjd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nmigoagp.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Hebqnm32.dll Ifomll32.exe File opened for modification C:\Windows\SysWOW64\Fohfbpgi.exe Finnef32.exe File created C:\Windows\SysWOW64\Hjcakafa.dll Lhenai32.exe File opened for modification C:\Windows\SysWOW64\Mfhbga32.exe Mgeakekd.exe File created C:\Windows\SysWOW64\Dhhmleng.dll Ojhpimhp.exe File opened for modification C:\Windows\SysWOW64\Bhblllfo.exe Bdfpkm32.exe File created C:\Windows\SysWOW64\Bbiado32.exe Bcfahbpo.exe File created C:\Windows\SysWOW64\Fgaemg32.dll Kkjeomld.exe File created C:\Windows\SysWOW64\Poigcbng.dll Dfglfdkb.exe File created C:\Windows\SysWOW64\Feoodn32.exe Fflohaij.exe File created C:\Windows\SysWOW64\Glienb32.dll Epndknin.exe File opened for modification C:\Windows\SysWOW64\Hpofii32.exe Hmpjmn32.exe File created C:\Windows\SysWOW64\Kcbfcigf.exe Klhnfo32.exe File created C:\Windows\SysWOW64\Deqcbpld.exe Dfnbgc32.exe File opened for modification C:\Windows\SysWOW64\Pfandnla.exe Ppgegd32.exe File created C:\Windows\SysWOW64\Fmbdpnaj.dll Gghdaa32.exe File opened for modification C:\Windows\SysWOW64\Hpjmnjqn.exe Gipdap32.exe File created C:\Windows\SysWOW64\Pjnppabn.dll Hgdejd32.exe File created C:\Windows\SysWOW64\Hpcodihc.exe Hmechmip.exe File opened for modification C:\Windows\SysWOW64\Kcndbp32.exe Kmdlffhj.exe File opened for modification C:\Windows\SysWOW64\Kqdaadln.exe Kjjiej32.exe File created C:\Windows\SysWOW64\Bpmhce32.dll Eiokinbk.exe File opened for modification C:\Windows\SysWOW64\Hpnoncim.exe Hmpcbhji.exe File opened for modification C:\Windows\SysWOW64\Bffcpg32.exe Bnoknihb.exe File created C:\Windows\SysWOW64\Lmgnid32.dll Ebdcld32.exe File created C:\Windows\SysWOW64\Chdialdl.exe Boldhf32.exe File opened for modification C:\Windows\SysWOW64\Egened32.exe Edgbii32.exe File created C:\Windows\SysWOW64\Godcje32.dll Qdoacabq.exe File opened for modification C:\Windows\SysWOW64\Bcinna32.exe Bbiado32.exe File created C:\Windows\SysWOW64\Gmiclo32.exe Gfokoelp.exe File created C:\Windows\SysWOW64\Ginacp32.dll Aonoao32.exe File created C:\Windows\SysWOW64\Afbgkl32.exe Adcjop32.exe File created C:\Windows\SysWOW64\Malhfo32.dll Piijno32.exe File opened for modification C:\Windows\SysWOW64\Iojbpo32.exe Illfdc32.exe File opened for modification C:\Windows\SysWOW64\Finnef32.exe Fqgedh32.exe File created C:\Windows\SysWOW64\Ggmmlamj.exe Geoapenf.exe File created C:\Windows\SysWOW64\Dfnbgc32.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Jhkbjd32.dll Ekkkoj32.exe File created C:\Windows\SysWOW64\Iojbpo32.exe Illfdc32.exe File created C:\Windows\SysWOW64\Jilfifme.exe Jcanll32.exe File created C:\Windows\SysWOW64\Nbnimm32.dll Kglmio32.exe File created C:\Windows\SysWOW64\Hedafk32.exe Gbeejp32.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Lljklo32.exe File created C:\Windows\SysWOW64\Gndick32.exe Glfmgp32.exe File created C:\Windows\SysWOW64\Mnpabe32.exe Mkadfj32.exe File opened for modification C:\Windows\SysWOW64\Kjgeedch.exe Kgiiiidd.exe File created C:\Windows\SysWOW64\Ncchae32.exe Npgmpf32.exe File created C:\Windows\SysWOW64\Hajkqfoe.exe Hpioin32.exe File opened for modification C:\Windows\SysWOW64\Fkofga32.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Pififb32.exe Pfhmjf32.exe File opened for modification C:\Windows\SysWOW64\Cbpajgmf.exe Coadnlnb.exe File created C:\Windows\SysWOW64\Kfpcoefj.exe Kcbfcigf.exe File created C:\Windows\SysWOW64\Ogakfe32.dll Pffgom32.exe File opened for modification C:\Windows\SysWOW64\Egaejeej.exe Eqgmmk32.exe File created C:\Windows\SysWOW64\Allpejfe.exe Ajndioga.exe File created C:\Windows\SysWOW64\Bklfgo32.exe Bhnikc32.exe File created C:\Windows\SysWOW64\Oanokhdb.exe Onocomdo.exe File created C:\Windows\SysWOW64\Jcknij32.dll Dpkmal32.exe File created C:\Windows\SysWOW64\Mmdaih32.dll Kcoccc32.exe File created C:\Windows\SysWOW64\Ledepn32.exe Lojmcdgl.exe File created C:\Windows\SysWOW64\Eiobceef.exe Dlkbjqgm.exe File created C:\Windows\SysWOW64\Jdaaaeqg.exe Jnhidk32.exe File opened for modification C:\Windows\SysWOW64\Hmpcbhji.exe Hehkajig.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15524 16068 WerFault.exe 867 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnoncim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggpfkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgkjlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocihgnam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfepdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocpfphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chqogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfekbdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efblbbqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknqoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhndpol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjblje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfcfmlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolmodpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjmnjqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmhpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidlnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglmio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnfpcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keimof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcpoedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adndoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpanan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdialdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpqggh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkblhfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhnkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcidmkpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmeigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnajppda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganldgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfigpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnenlka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gldglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qachgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhnfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomcopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjcajjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olicnfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfodeohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnclimck.dll" Qljcoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeoe32.dll" Cfigpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aojefobm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdojjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lepleocn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnkggfkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooogokm.dll" Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhaoj32.dll" Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll" Nckkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaqbelh.dll" Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Bknlbhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ledepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcbmgnb.dll" Nbebbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odhifjkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbhboolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbcohkd.dll" Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoglqie.dll" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll" Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nckkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhdfi32.dll" Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hecjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgkpagl.dll" Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll" Apjkcadp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaplqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enhpao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgmickl.dll" Poliea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iahgad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jocnlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkdliame.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopjdidn.dll" Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcleff32.dll" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqedp32.dll" Lojmcdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leabba32.dll" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkohe32.dll" Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmanjof.dll" Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll" Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglpdp32.dll" Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll" Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Ekonpckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geoapenf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4436 wrote to memory of 4720 4436 2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c.exe 83 PID 4436 wrote to memory of 4720 4436 2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c.exe 83 PID 4436 wrote to memory of 4720 4436 2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c.exe 83 PID 4720 wrote to memory of 1360 4720 Piijno32.exe 84 PID 4720 wrote to memory of 1360 4720 Piijno32.exe 84 PID 4720 wrote to memory of 1360 4720 Piijno32.exe 84 PID 1360 wrote to memory of 4340 1360 Qofcff32.exe 85 PID 1360 wrote to memory of 4340 1360 Qofcff32.exe 85 PID 1360 wrote to memory of 4340 1360 Qofcff32.exe 85 PID 4340 wrote to memory of 3104 4340 Qcaofebg.exe 86 PID 4340 wrote to memory of 3104 4340 Qcaofebg.exe 86 PID 4340 wrote to memory of 3104 4340 Qcaofebg.exe 86 PID 3104 wrote to memory of 2840 3104 Qljcoj32.exe 87 PID 3104 wrote to memory of 2840 3104 Qljcoj32.exe 87 PID 3104 wrote to memory of 2840 3104 Qljcoj32.exe 87 PID 2840 wrote to memory of 2040 2840 Qcclld32.exe 88 PID 2840 wrote to memory of 2040 2840 Qcclld32.exe 88 PID 2840 wrote to memory of 2040 2840 Qcclld32.exe 88 PID 2040 wrote to memory of 2416 2040 Ajndioga.exe 89 PID 2040 wrote to memory of 2416 2040 Ajndioga.exe 89 PID 2040 wrote to memory of 2416 2040 Ajndioga.exe 89 PID 2416 wrote to memory of 4824 2416 Allpejfe.exe 90 PID 2416 wrote to memory of 4824 2416 Allpejfe.exe 90 PID 2416 wrote to memory of 4824 2416 Allpejfe.exe 90 PID 4824 wrote to memory of 3360 4824 Akoqpg32.exe 91 PID 4824 wrote to memory of 3360 4824 Akoqpg32.exe 91 PID 4824 wrote to memory of 3360 4824 Akoqpg32.exe 91 PID 3360 wrote to memory of 1476 3360 Aaiimadl.exe 92 PID 3360 wrote to memory of 1476 3360 Aaiimadl.exe 92 PID 3360 wrote to memory of 1476 3360 Aaiimadl.exe 92 PID 1476 wrote to memory of 2584 1476 Alnmjjdb.exe 93 PID 1476 wrote to memory of 2584 1476 Alnmjjdb.exe 93 PID 1476 wrote to memory of 2584 1476 Alnmjjdb.exe 93 PID 2584 wrote to memory of 3112 2584 Aomifecf.exe 94 PID 2584 wrote to memory of 3112 2584 Aomifecf.exe 94 PID 2584 wrote to memory of 3112 2584 Aomifecf.exe 94 PID 3112 wrote to memory of 1064 3112 Afgacokc.exe 95 PID 3112 wrote to memory of 1064 3112 Afgacokc.exe 95 PID 3112 wrote to memory of 1064 3112 Afgacokc.exe 95 PID 1064 wrote to memory of 2240 1064 Alqjpi32.exe 96 PID 1064 wrote to memory of 2240 1064 Alqjpi32.exe 96 PID 1064 wrote to memory of 2240 1064 Alqjpi32.exe 96 PID 2240 wrote to memory of 3580 2240 Aoofle32.exe 97 PID 2240 wrote to memory of 3580 2240 Aoofle32.exe 97 PID 2240 wrote to memory of 3580 2240 Aoofle32.exe 97 PID 3580 wrote to memory of 2844 3580 Afinioip.exe 98 PID 3580 wrote to memory of 2844 3580 Afinioip.exe 98 PID 3580 wrote to memory of 2844 3580 Afinioip.exe 98 PID 2844 wrote to memory of 1956 2844 Akffafgg.exe 99 PID 2844 wrote to memory of 1956 2844 Akffafgg.exe 99 PID 2844 wrote to memory of 1956 2844 Akffafgg.exe 99 PID 1956 wrote to memory of 1264 1956 Abponp32.exe 100 PID 1956 wrote to memory of 1264 1956 Abponp32.exe 100 PID 1956 wrote to memory of 1264 1956 Abponp32.exe 100 PID 1264 wrote to memory of 3464 1264 Ahjgjj32.exe 101 PID 1264 wrote to memory of 3464 1264 Ahjgjj32.exe 101 PID 1264 wrote to memory of 3464 1264 Ahjgjj32.exe 101 PID 3464 wrote to memory of 4140 3464 Aodogdmn.exe 102 PID 3464 wrote to memory of 4140 3464 Aodogdmn.exe 102 PID 3464 wrote to memory of 4140 3464 Aodogdmn.exe 102 PID 4140 wrote to memory of 4260 4140 Bjicdmmd.exe 103 PID 4140 wrote to memory of 4260 4140 Bjicdmmd.exe 103 PID 4140 wrote to memory of 4260 4140 Bjicdmmd.exe 103 PID 4260 wrote to memory of 4480 4260 Bcahmb32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c.exe"C:\Users\Admin\AppData\Local\Temp\2bda9c99230373fe928269d70f03e18a76c7a4e68c5386f6d99e9ff503a2ea3c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe23⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe25⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe26⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe27⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3792 -
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe30⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe31⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe34⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe35⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe36⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe37⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe39⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe41⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe42⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe43⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe44⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe45⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe46⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe47⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe48⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe49⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe50⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe51⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe53⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe54⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe55⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe56⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe57⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe58⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe59⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4968 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe61⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe62⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe63⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe64⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe66⤵PID:4400
-
C:\Windows\SysWOW64\Eidlnd32.exeC:\Windows\system32\Eidlnd32.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3188 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe68⤵
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe69⤵PID:4428
-
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe70⤵PID:2392
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe71⤵PID:1748
-
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:60 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe73⤵
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe74⤵PID:2632
-
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe75⤵PID:3916
-
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe76⤵PID:4528
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe77⤵PID:4088
-
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe78⤵PID:1224
-
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe79⤵PID:924
-
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe80⤵PID:3652
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe81⤵PID:1364
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe82⤵PID:1632
-
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe83⤵PID:1616
-
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe85⤵PID:1212
-
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe86⤵PID:4576
-
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe87⤵PID:4372
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe88⤵
- System Location Discovery: System Language Discovery
PID:4220 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe89⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe90⤵PID:1436
-
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe91⤵PID:3012
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe92⤵PID:4448
-
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe93⤵
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe94⤵
- System Location Discovery: System Language Discovery
PID:3712 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe95⤵
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe96⤵PID:3416
-
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe97⤵PID:228
-
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe98⤵PID:2108
-
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe99⤵PID:2836
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe100⤵
- Drops file in System32 directory
PID:3144 -
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe101⤵PID:872
-
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe102⤵PID:4564
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe103⤵PID:556
-
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe104⤵PID:1820
-
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe105⤵PID:4116
-
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe106⤵
- Drops file in System32 directory
PID:3408 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe107⤵PID:764
-
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe108⤵PID:4868
-
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe109⤵PID:1164
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe110⤵PID:376
-
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe111⤵PID:3524
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe112⤵PID:4840
-
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe113⤵PID:2192
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe114⤵PID:3256
-
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe115⤵PID:1640
-
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe116⤵PID:2928
-
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe117⤵
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe118⤵PID:5192
-
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe119⤵PID:5236
-
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe120⤵PID:5280
-
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-