Analysis
-
max time kernel
94s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2024 00:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe
-
Size
93KB
-
MD5
9e16c9eb398cd32a450ca8ab009e2052
-
SHA1
efb48a3b5e5d6ab763ddb638eac0e10d5916868f
-
SHA256
87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855
-
SHA512
66a9036c8eb525281e9549bdf53c1287fdb0909a9385dfcce5d1c29d406860471397ac21b41e8fd9c22defb616a6d2fdff25d51dc22aa2601f528e541ac300d1
-
SSDEEP
1536:BM+lxrcBkwGVei1UyNtFNSW//cxXywWNhBstL55saMiwihtIbbpkp:G+/rOloeivFzcxX8BqL55dMiwaIbbpkp
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgkfnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbohpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apodoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkdpbpih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igfclkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kofkbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkqgaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjqaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfggkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iklgah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meamcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpbnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fohfbpgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppnenlka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofgdcipq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhjph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikmbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmipdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfchlbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inainbcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onnmdcjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmennnni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obgohklm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppikbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjghcfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jklphekp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giljfddl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpdhkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oakbehfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmkofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cijpahho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhnkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclkgccf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaihooo.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3168 Hglaej32.exe 4844 Hjjnae32.exe 1380 Hpdfnolo.exe 212 Hkjjlhle.exe 4608 Hnhghcki.exe 4604 Idbodn32.exe 1000 Iklgah32.exe 4584 Injcmc32.exe 1068 Iqipio32.exe 2360 Igchfiof.exe 3964 Inmpcc32.exe 5004 Iqklon32.exe 3664 Igedlh32.exe 4400 Ijcahd32.exe 4484 Idieem32.exe 3244 Iggaah32.exe 1948 Inainbcn.exe 4696 Ibmeoq32.exe 1796 Ihgnkkbd.exe 816 Ijhjcchb.exe 1140 Iqbbpm32.exe 8 Jglklggl.exe 5072 Jjjghcfp.exe 1816 Jdpkflfe.exe 2124 Jkjcbe32.exe 2284 Jbdlop32.exe 3448 Jqglkmlj.exe 3020 Jklphekp.exe 3364 Jbfheo32.exe 3340 Jhpqaiji.exe 2176 Jnmijq32.exe 3620 Jgenbfoa.exe 888 Jnpfop32.exe 3004 Kqnbkl32.exe 4476 Kjffdalb.exe 1084 Kqpoakco.exe 972 Kgjgne32.exe 4292 Kqbkfkal.exe 4320 Kijchhbo.exe 1556 Knflpoqf.exe 2556 Kgopidgf.exe 1860 Kageaj32.exe 3028 Kjpijpdg.exe 2188 Liqihglg.exe 2168 Lbinam32.exe 1240 Lkabjbih.exe 4228 Lbngllob.exe 3760 Lelchgne.exe 3164 Llflea32.exe 2388 Lbpdblmo.exe 5024 Leopnglc.exe 4980 Lhmmjbkf.exe 4532 Maeachag.exe 3436 Meamcg32.exe 1684 Mjneln32.exe 2880 Mbenmk32.exe 3928 Miofjepg.exe 4812 Mnlnbl32.exe 2932 Mbgjbkfg.exe 4404 Mhdckaeo.exe 1012 Mjbogmdb.exe 2596 Mehcdfch.exe 4492 Micoed32.exe 4304 Mnphmkji.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lnjnqh32.exe Ljobpiql.exe File created C:\Windows\SysWOW64\Feoodn32.exe Fbpchb32.exe File created C:\Windows\SysWOW64\Nnhmnn32.exe Nfaemp32.exe File created C:\Windows\SysWOW64\Fnfmbmbi.exe Fkhpfbce.exe File created C:\Windows\SysWOW64\Pififb32.exe Pblajhje.exe File created C:\Windows\SysWOW64\Lhmmjbkf.exe Leopnglc.exe File created C:\Windows\SysWOW64\Mobnnd32.dll Lnjnqh32.exe File created C:\Windows\SysWOW64\Mebcop32.exe Mnhkbfme.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Pjpfjl32.exe File created C:\Windows\SysWOW64\Dkpqlc32.dll Foapaa32.exe File created C:\Windows\SysWOW64\Kofkbk32.exe Klhnfo32.exe File opened for modification C:\Windows\SysWOW64\Feenjgfq.exe Fbgbnkfm.exe File created C:\Windows\SysWOW64\Flpoofmk.dll Galoohke.exe File opened for modification C:\Windows\SysWOW64\Jhpqaiji.exe Jbfheo32.exe File created C:\Windows\SysWOW64\Bopocbcq.exe Bmabggdm.exe File opened for modification C:\Windows\SysWOW64\Ikdcmpnl.exe Idkkpf32.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Dkfadkgf.exe File created C:\Windows\SysWOW64\Emcnmpcj.dll Goglcahb.exe File created C:\Windows\SysWOW64\Njlmnj32.dll Ilfennic.exe File opened for modification C:\Windows\SysWOW64\Jllhpkfk.exe Jimldogg.exe File opened for modification C:\Windows\SysWOW64\Pjlcjf32.exe Pcbkml32.exe File created C:\Windows\SysWOW64\Coffgmig.dll Gpaihooo.exe File opened for modification C:\Windows\SysWOW64\Gpdennml.exe Ggmmlamj.exe File created C:\Windows\SysWOW64\Pjlcjf32.exe Pcbkml32.exe File created C:\Windows\SysWOW64\Nnecgoki.dll Kgopidgf.exe File created C:\Windows\SysWOW64\Mbgjbkfg.exe Mnlnbl32.exe File created C:\Windows\SysWOW64\Kglmio32.exe Kdmqmc32.exe File created C:\Windows\SysWOW64\Mepfiq32.exe Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Bojomm32.exe Bllbaa32.exe File created C:\Windows\SysWOW64\Nlkfjqib.dll Njmhhefi.exe File created C:\Windows\SysWOW64\Bcbbjj32.dll Eiloco32.exe File opened for modification C:\Windows\SysWOW64\Offnhpfo.exe Oplfkeob.exe File created C:\Windows\SysWOW64\Cpfcfmlp.exe Cnhgjaml.exe File created C:\Windows\SysWOW64\Qidpon32.dll Njgqhicg.exe File created C:\Windows\SysWOW64\Hemmac32.exe Hbnaeh32.exe File created C:\Windows\SysWOW64\Oncelonn.dll Egaejeej.exe File created C:\Windows\SysWOW64\Kmmcjnkq.dll Halhfe32.exe File created C:\Windows\SysWOW64\Jbdlop32.exe Jkjcbe32.exe File opened for modification C:\Windows\SysWOW64\Alqjpi32.exe Ahenokjf.exe File created C:\Windows\SysWOW64\Hhcmlj32.dll Ijcjmmil.exe File created C:\Windows\SysWOW64\Mokmdh32.exe Mnjqmpgg.exe File created C:\Windows\SysWOW64\Onmfimga.exe Offnhpfo.exe File created C:\Windows\SysWOW64\Qcclld32.exe Qljcoj32.exe File opened for modification C:\Windows\SysWOW64\Ckpbnb32.exe Ciafbg32.exe File opened for modification C:\Windows\SysWOW64\Igpdfb32.exe Ipflihfq.exe File created C:\Windows\SysWOW64\Jljbeali.exe Jilfifme.exe File created C:\Windows\SysWOW64\Cfiedd32.dll Klhnfo32.exe File created C:\Windows\SysWOW64\Ekjali32.dll Jidinqpb.exe File opened for modification C:\Windows\SysWOW64\Kcbnnpka.exe Kqdaadln.exe File opened for modification C:\Windows\SysWOW64\Nmgjia32.exe Nndjndbh.exe File created C:\Windows\SysWOW64\Hahqkaaa.dll Bhnikc32.exe File created C:\Windows\SysWOW64\Cdecgbfa.exe Cbfgkffn.exe File created C:\Windows\SysWOW64\Gmdcfidg.exe Gemkelcd.exe File opened for modification C:\Windows\SysWOW64\Obqanjdb.exe Oihmedma.exe File created C:\Windows\SysWOW64\Nhkikq32.exe Nemmoe32.exe File opened for modification C:\Windows\SysWOW64\Ggahedjn.exe Gdcliikj.exe File created C:\Windows\SysWOW64\Nkbjmj32.dll Kckqbj32.exe File created C:\Windows\SysWOW64\Kifojnol.exe Kekbjo32.exe File opened for modification C:\Windows\SysWOW64\Obnehj32.exe Oqmhqapg.exe File created C:\Windows\SysWOW64\Ibepke32.dll Khgbqkhj.exe File created C:\Windows\SysWOW64\Hpdfnolo.exe Hjjnae32.exe File created C:\Windows\SysWOW64\Idbodn32.exe Hnhghcki.exe File created C:\Windows\SysWOW64\Pgfcalbj.dll Qlimed32.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Komhll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17856 17776 WerFault.exe 1050 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcadhgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojqjdbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedlgbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofdhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmhqapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmmjbkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbcgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inebjihf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojqcnhkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibjli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giecfejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmijq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijdjfdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpkflfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejkmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokgdkeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedccfqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcndeen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdlop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcalieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldiinke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiildio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpmomo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdckaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monjjgkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkphhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfennic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdldn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmmaeap.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mociom32.dll" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabfbmnl.dll" Mfchlbfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cimmggfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ememkjeq.dll" Knooej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchcpi32.dll" Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlgckkf.dll" Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkjdh32.dll" Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akffafgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enigke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgdjh32.dll" Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgofgjn.dll" Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeleklf.dll" Llflea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himfiblh.dll" Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhgkgijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpdfnolo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Nqbpojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghdi32.dll" 87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Achegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehbnigjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll" Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflkamml.dll" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnmdme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paoollik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljgf32.dll" Dmlkhofd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnbakghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoema32.dll" Hpdfnolo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnohlgep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahmjjoig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhkdof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aajhndkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mokfja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgiklme.dll" Hdjbiheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laiipofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqncnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Galoohke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemfmoce.dll" Jqglkmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pamiaboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkchlonc.dll" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafpj32.dll" Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkikinpo.dll" Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loofnccf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjgd32.dll" Dnonkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcjjj32.dll" Dqnjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmcjnkq.dll" Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll" Nqfbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbndfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll" Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iggaah32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3176 wrote to memory of 3168 3176 87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe 82 PID 3176 wrote to memory of 3168 3176 87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe 82 PID 3176 wrote to memory of 3168 3176 87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe 82 PID 3168 wrote to memory of 4844 3168 Hglaej32.exe 83 PID 3168 wrote to memory of 4844 3168 Hglaej32.exe 83 PID 3168 wrote to memory of 4844 3168 Hglaej32.exe 83 PID 4844 wrote to memory of 1380 4844 Hjjnae32.exe 84 PID 4844 wrote to memory of 1380 4844 Hjjnae32.exe 84 PID 4844 wrote to memory of 1380 4844 Hjjnae32.exe 84 PID 1380 wrote to memory of 212 1380 Hpdfnolo.exe 85 PID 1380 wrote to memory of 212 1380 Hpdfnolo.exe 85 PID 1380 wrote to memory of 212 1380 Hpdfnolo.exe 85 PID 212 wrote to memory of 4608 212 Hkjjlhle.exe 86 PID 212 wrote to memory of 4608 212 Hkjjlhle.exe 86 PID 212 wrote to memory of 4608 212 Hkjjlhle.exe 86 PID 4608 wrote to memory of 4604 4608 Hnhghcki.exe 87 PID 4608 wrote to memory of 4604 4608 Hnhghcki.exe 87 PID 4608 wrote to memory of 4604 4608 Hnhghcki.exe 87 PID 4604 wrote to memory of 1000 4604 Idbodn32.exe 88 PID 4604 wrote to memory of 1000 4604 Idbodn32.exe 88 PID 4604 wrote to memory of 1000 4604 Idbodn32.exe 88 PID 1000 wrote to memory of 4584 1000 Iklgah32.exe 89 PID 1000 wrote to memory of 4584 1000 Iklgah32.exe 89 PID 1000 wrote to memory of 4584 1000 Iklgah32.exe 89 PID 4584 wrote to memory of 1068 4584 Injcmc32.exe 90 PID 4584 wrote to memory of 1068 4584 Injcmc32.exe 90 PID 4584 wrote to memory of 1068 4584 Injcmc32.exe 90 PID 1068 wrote to memory of 2360 1068 Iqipio32.exe 91 PID 1068 wrote to memory of 2360 1068 Iqipio32.exe 91 PID 1068 wrote to memory of 2360 1068 Iqipio32.exe 91 PID 2360 wrote to memory of 3964 2360 Igchfiof.exe 92 PID 2360 wrote to memory of 3964 2360 Igchfiof.exe 92 PID 2360 wrote to memory of 3964 2360 Igchfiof.exe 92 PID 3964 wrote to memory of 5004 3964 Inmpcc32.exe 93 PID 3964 wrote to memory of 5004 3964 Inmpcc32.exe 93 PID 3964 wrote to memory of 5004 3964 Inmpcc32.exe 93 PID 5004 wrote to memory of 3664 5004 Iqklon32.exe 94 PID 5004 wrote to memory of 3664 5004 Iqklon32.exe 94 PID 5004 wrote to memory of 3664 5004 Iqklon32.exe 94 PID 3664 wrote to memory of 4400 3664 Igedlh32.exe 95 PID 3664 wrote to memory of 4400 3664 Igedlh32.exe 95 PID 3664 wrote to memory of 4400 3664 Igedlh32.exe 95 PID 4400 wrote to memory of 4484 4400 Ijcahd32.exe 96 PID 4400 wrote to memory of 4484 4400 Ijcahd32.exe 96 PID 4400 wrote to memory of 4484 4400 Ijcahd32.exe 96 PID 4484 wrote to memory of 3244 4484 Idieem32.exe 97 PID 4484 wrote to memory of 3244 4484 Idieem32.exe 97 PID 4484 wrote to memory of 3244 4484 Idieem32.exe 97 PID 3244 wrote to memory of 1948 3244 Iggaah32.exe 98 PID 3244 wrote to memory of 1948 3244 Iggaah32.exe 98 PID 3244 wrote to memory of 1948 3244 Iggaah32.exe 98 PID 1948 wrote to memory of 4696 1948 Inainbcn.exe 99 PID 1948 wrote to memory of 4696 1948 Inainbcn.exe 99 PID 1948 wrote to memory of 4696 1948 Inainbcn.exe 99 PID 4696 wrote to memory of 1796 4696 Ibmeoq32.exe 100 PID 4696 wrote to memory of 1796 4696 Ibmeoq32.exe 100 PID 4696 wrote to memory of 1796 4696 Ibmeoq32.exe 100 PID 1796 wrote to memory of 816 1796 Ihgnkkbd.exe 101 PID 1796 wrote to memory of 816 1796 Ihgnkkbd.exe 101 PID 1796 wrote to memory of 816 1796 Ihgnkkbd.exe 101 PID 816 wrote to memory of 1140 816 Ijhjcchb.exe 102 PID 816 wrote to memory of 1140 816 Ijhjcchb.exe 102 PID 816 wrote to memory of 1140 816 Ijhjcchb.exe 102 PID 1140 wrote to memory of 8 1140 Iqbbpm32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe"C:\Users\Admin\AppData\Local\Temp\87b0eb0c172a6c7366d0600a011184b7fe1e4cb8bcb526109434939857cf3855.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe23⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe31⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe33⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe34⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe35⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe36⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe37⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe38⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe39⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe40⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe41⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe43⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe44⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe45⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe46⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe47⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe48⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe49⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3164 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe51⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe54⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe56⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe57⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe58⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4812 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe60⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe62⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe63⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe64⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe65⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe66⤵PID:4024
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe67⤵PID:4392
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe68⤵PID:4860
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe69⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe70⤵PID:5008
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe71⤵PID:4908
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe72⤵PID:920
-
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe73⤵PID:64
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe74⤵PID:1988
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe75⤵PID:3636
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe76⤵PID:4068
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe77⤵PID:812
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe78⤵
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe79⤵
- System Location Discovery: System Language Discovery
PID:4048 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe80⤵PID:5000
-
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe81⤵PID:3628
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe82⤵PID:4508
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe83⤵PID:2092
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe84⤵PID:3432
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe85⤵PID:4676
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe86⤵PID:4364
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe87⤵PID:2996
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe88⤵PID:4408
-
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe89⤵PID:2268
-
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe90⤵PID:1604
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe91⤵PID:3076
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe92⤵PID:1592
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe93⤵PID:2112
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe94⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe95⤵PID:1812
-
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe96⤵PID:1236
-
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe97⤵
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe98⤵PID:3120
-
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe99⤵PID:2888
-
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe100⤵PID:2660
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe101⤵PID:940
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe102⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe103⤵
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe104⤵PID:4688
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe105⤵PID:2692
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe106⤵PID:1664
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe107⤵PID:3744
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe109⤵PID:4960
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe110⤵PID:3372
-
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe111⤵PID:2120
-
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe112⤵PID:1092
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe113⤵PID:1424
-
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe114⤵
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe115⤵PID:2540
-
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe116⤵PID:4808
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe117⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe118⤵PID:5208
-
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe119⤵PID:5252
-
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe120⤵PID:5296
-
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe121⤵PID:5328
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-