Analysis

max time kernel: 92s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/03/2025, 04:11
Static task: static1

Behavioral task: behavioral1
  Sample: 6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe
  Resource: win10v2004-20250217-en
General

Target: 6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe
Size: 45KB
MD5: 26e86ecbe87dc4a84ac7c6ac782b8f05
SHA1: 7f30f7e908999948656c6a101c390913d58f0f0c
SHA256: 6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42
SHA512: 2c378a53eeeabd7ca8fbe7bcabec9242bb0b8bbc488407ef50e0320e2f5b1b1c8e90d8db8625e865a485c281289efc92a89356f5a33e82d13a4d0ed6542ba70b
SSDEEP: 768:PGMhIjgdRaNUUbutnT389h8YwbYUA2T+wT+i5ytz7W/1H5:PGpgd8Nhba389k+Q+i5l
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so a single value here makes Explorer load the DLL named in that CLSID's InProcServer32 key at each logon, with no Run key, scheduled task or service to find. All 64 events target the 32-bit (WOW6432Node) view of the key, and every stage writes the same legitimate-looking value name and the same CLSID; what changes from stage to stage is the DLL registered behind that CLSID (see the InProcServer32 entries under "Modifies registry class").

Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value: Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

Key created by (34 processes):
Fpjhpo32.exe, Kfjhbn32.exe, Pnladpka.exe, Mdfone32.exe, Jegfpmde.exe, Pijbmnhk.exe, Oggjlhnb.exe, Kopjhb32.exe, Imonmknj.exe, Knfjokab.exe, Nobbagib.exe, Anogqn32.exe, Aoockq32.exe, Ngpcki32.exe, Biqkjeqe.exe, Egcgfk32.exe, Ldoabp32.exe, Khjlgg32.exe, Fjkfhe32.exe, Fjepij32.exe, Dpkchc32.exe, Gnhbjh32.exe, Ibfdgdef.exe, Meaami32.exe, Oclamjhf.exe, Hmcoamhg.exe, Cpifbcom.exe, Ddqbnpni.exe, Lmncegdg.exe, Oaokop32.exe, Hqmnll32.exe, Hmhhll32.exe, Amehdkbb.exe, Oajacapk.exe

Value "Web Event Logger" set (str) by (30 processes):
Bepengla.exe, Fdoejd32.exe, Kopjhb32.exe, Kbppdp32.exe, Mklnop32.exe, Aolgeadb.exe, Obanofmo.exe, Bmmndj32.exe, Eidqgf32.exe, Mgokdk32.exe, Pggbbe32.exe, Fpcbop32.exe, Gkembmbd.exe, Jnidhcam.exe, Aeopcmbp.exe, Ponkdcpb.exe, Illljj32.exe, Eimjgglq.exe, Gblhjg32.exe, Cliafekj.exe, Kaplpgdk.exe, Qkjlniel.exe, Lmncegdg.exe, Amanik32.exe, Demekigm.exe, Faqini32.exe, Aklaicpn.exe, Mdfone32.exe, Ffddbf32.exe, Fpjhpo32.exe

Berbew family
Executes dropped EXE (64 IoCs)

pid    Process
2712   Dnimal32.exe
3400   Ephing32.exe
1220   Edcenfob.exe
4944   Ekmnkpfo.exe
4160   Ejpngm32.exe
3644   Epjfcgef.exe
592    Ecibpbdj.exe
3656   Ejbklm32.exe
3960   Ennfmkcp.exe
3376   Edhoie32.exe
2300   Egfkfa32.exe
3168   Enqcbk32.exe
2716   Epopof32.exe
2600   Ecmlkb32.exe
3528   Ekddlo32.exe
3320   Encphk32.exe
760    Edmhdegh.exe
4060   Ekgqaond.exe
1908   Faqini32.exe
5012   Fdoejd32.exe
2068   Fgnafp32.exe
1000   Fkimgolb.exe
4444   Fngicjke.exe
4756   Fqffoeki.exe
852    Fcdbkajm.exe
3740   Fkkjlnjo.exe
4868   Fnjfij32.exe
1224   Fddnedap.exe
1944   Fknfbn32.exe
4536   Fjqgnkog.exe
4476   Fqkoje32.exe
3812   Fdfkkcom.exe
1336   Fgdggonq.exe
4520   Fkpcgn32.exe
4292   Fbjldh32.exe
244    Fdhhqc32.exe
4000   Fjepij32.exe
1456   Gblhjg32.exe
2560   Gcneapab.exe
3992   Gkembmbd.exe
3488   Gboeog32.exe
2532   Gcpago32.exe
1988   Gkgihm32.exe
4920   Gnefdh32.exe
2144   Gdpnabgb.exe
3240   Gnhbjh32.exe
2372   Gqfofc32.exe
3388   Ggpgcm32.exe
1228   Gklcclll.exe
4484   Hgjjilli.exe
2872   Hbonfe32.exe
2640   Hglfol32.exe
932    Hjjbkg32.exe
3596   Hbakld32.exe
1056   Hepghp32.exe
4056   Hgncdk32.exe
1624   Hkjodj32.exe
4656   Inhkqe32.exe
4728   Iaggma32.exe
1920   Iebcnpfm.exe
2732   Illljj32.exe
448    Inkhfe32.exe
4764   Ibfdgdef.exe
2556   Iedpcodj.exe
Drops file in System32 directory (64 IoCs)

Every drop lands in C:\Windows\SysWOW64 (the 32-bit system directory) under an 8-character pseudo-random name, either a new stage (.exe) or the DLL that stage will register as the CLSID's in-process server (.dll).

Action | Path | Process
File created | C:\Windows\SysWOW64\Jaednobd.exe | Jlhkfh32.exe
File created | C:\Windows\SysWOW64\Icofei32.dll | Cmagpihd.exe
File created | C:\Windows\SysWOW64\Hahhcpmm.dll | Cfjliooe.exe
File created | C:\Windows\SysWOW64\Nhcopa32.dll | Ggfmbhhb.exe
File created | C:\Windows\SysWOW64\Hedgpa32.dll | Jbpgmbml.exe
File created | C:\Windows\SysWOW64\Gfbpdd32.exe | Gcddhh32.exe
File created | C:\Windows\SysWOW64\Coajke32.dll | Mgfqej32.exe
File created | C:\Windows\SysWOW64\Bjaope32.dll | Aoockq32.exe
File opened for modification | C:\Windows\SysWOW64\Abpmll32.exe | Aoappp32.exe
File opened for modification | C:\Windows\SysWOW64\Diadqb32.exe | Dbgldhke.exe
File created | C:\Windows\SysWOW64\Kjmjclgf.exe | Kfancm32.exe
File created | C:\Windows\SysWOW64\Clcqap32.exe | Cejhdedf.exe
File created | C:\Windows\SysWOW64\Edhoie32.exe | Ennfmkcp.exe
File opened for modification | C:\Windows\SysWOW64\Mhmacd32.exe | Lkiajqpd.exe
File created | C:\Windows\SysWOW64\Mebaoged.dll | Edcodpkf.exe
File created | C:\Windows\SysWOW64\Hmcoamhg.exe | Hjebeaic.exe
File created | C:\Windows\SysWOW64\Eljlefhf.dll | Hdkfbjii.exe
File created | C:\Windows\SysWOW64\Gjboamak.dll | Hmhhll32.exe
File created | C:\Windows\SysWOW64\Pgbigfce.exe | Pddmkkda.exe
File opened for modification | C:\Windows\SysWOW64\Aohnja32.exe | Aklaicpn.exe
File created | C:\Windows\SysWOW64\Bepengla.exe | Bocmfpnj.exe
File created | C:\Windows\SysWOW64\Gklcclll.exe | Ggpgcm32.exe
File created | C:\Windows\SysWOW64\Meaami32.exe | Maefljeo.exe
File opened for modification | C:\Windows\SysWOW64\Lfkail32.exe | Laniaehk.exe
File created | C:\Windows\SysWOW64\Phbfaikh.exe | Pfcienld.exe
File opened for modification | C:\Windows\SysWOW64\Bepengla.exe | Bocmfpnj.exe
File created | C:\Windows\SysWOW64\Fgnafp32.exe | Fdoejd32.exe
File created | C:\Windows\SysWOW64\Ibppfcaa.dll | Nklffnpo.exe
File created | C:\Windows\SysWOW64\Jlplbhdi.dll | Pooanidm.exe
File created | C:\Windows\SysWOW64\Abimfcid.exe | Aloeii32.exe
File created | C:\Windows\SysWOW64\Jbofbi32.dll | Fgogai32.exe
File opened for modification | C:\Windows\SysWOW64\Agcbndeb.exe | Addfbhfo.exe
File opened for modification | C:\Windows\SysWOW64\Ennfmkcp.exe | Ejbklm32.exe
File opened for modification | C:\Windows\SysWOW64\Ecmlkb32.exe | Epopof32.exe
File created | C:\Windows\SysWOW64\Cccjfnfq.dll | Moqlfmnp.exe
File opened for modification | C:\Windows\SysWOW64\Nbhkhgei.exe | Ncekmk32.exe
File opened for modification | C:\Windows\SysWOW64\Abimfcid.exe | Aloeii32.exe
File opened for modification | C:\Windows\SysWOW64\Demekigm.exe | Ddlhca32.exe
File opened for modification | C:\Windows\SysWOW64\Elbmca32.exe | Eidqgf32.exe
File created | C:\Windows\SysWOW64\Hdkfbjii.exe | Hmcoamhg.exe
File created | C:\Windows\SysWOW64\Khhoah32.exe | Kejbelbb.exe
File opened for modification | C:\Windows\SysWOW64\Dbllin32.exe | Dpnpmb32.exe
File opened for modification | C:\Windows\SysWOW64\Hgkpde32.exe | Hdmchj32.exe
File opened for modification | C:\Windows\SysWOW64\Jadmdh32.exe | Jmhacjfo.exe
File created | C:\Windows\SysWOW64\Fejaidjh.dll | Pklhbe32.exe
File created | C:\Windows\SysWOW64\Melggb32.dll | Pfcienld.exe
File opened for modification | C:\Windows\SysWOW64\Afilgkil.exe | Aoockq32.exe
File opened for modification | C:\Windows\SysWOW64\Cejhdedf.exe | Cbklhjec.exe
File created | C:\Windows\SysWOW64\Aafoajmm.dll | Ihjbpjmf.exe
File created | C:\Windows\SysWOW64\Aeemmojj.exe | Abgqqckf.exe
File created | C:\Windows\SysWOW64\Nnlain32.dll | Hcfqmhfl.exe
File opened for modification | C:\Windows\SysWOW64\Lmncegdg.exe | Lokcjj32.exe
File created | C:\Windows\SysWOW64\Bkmjpqak.exe | Bebbcfjo.exe
File opened for modification | C:\Windows\SysWOW64\Ijaikfba.exe | Igcmokcn.exe
File created | C:\Windows\SysWOW64\Kejbelbb.exe | Kangdn32.exe
File created | C:\Windows\SysWOW64\Alhbncek.dll | Amanik32.exe
File opened for modification | C:\Windows\SysWOW64\Cmagpihd.exe | Bejoolhb.exe
File opened for modification | C:\Windows\SysWOW64\Dmocag32.exe | Dehkpj32.exe
File created | C:\Windows\SysWOW64\Qlbhen32.dll | Lfkail32.exe
File created | C:\Windows\SysWOW64\Iindpjem.dll | Bebbcfjo.exe
File created | C:\Windows\SysWOW64\Hclpad32.dll | Gcpago32.exe
File opened for modification | C:\Windows\SysWOW64\Pdgqkq32.exe | Pojhcj32.exe
File created | C:\Windows\SysWOW64\Iiafcahe.dll | Lmdiffno.exe
File created | C:\Windows\SysWOW64\Ngpcki32.exe | Neogcqnl.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
11500 | 12180 | WerFault.exe | 602

WerFault.exe (PID 11500) handled a crash in PID 12180 (procid_target 602).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. On its own this is a weak signal, since ordinary locale lookups read the same key; here it matters because all 64 reads come from the dropped stages. Every stage opens the same key:

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Opened by (64 processes):
Edmhdegh.exe, Difdfhbi.exe, Onqbhb32.exe, Jnhmmmmb.exe, Fqffoeki.exe, Nkgmko32.exe, Pkhoijgo.exe, Dmdmlfho.exe, Hdmchj32.exe, Clkgaoek.exe, Ejbklm32.exe, Gcpago32.exe, Ielfcnnb.exe, Demekigm.exe, Pkekid32.exe, Mhmacd32.exe, Oleffo32.exe, Ieicch32.exe, Mgfqej32.exe, Pggbbe32.exe, Abpmll32.exe, Bepengla.exe, Ennfmkcp.exe, Gcddhh32.exe, Keqieklj.exe, Ohlfkp32.exe, Aiebhmnn.exe, Cdbemb32.exe, Dmocag32.exe, Kfjhbn32.exe, Pbmgpnoe.exe, Illljj32.exe, Mdfone32.exe, Iqhmhj32.exe, Neadipli.exe, Lokjdqqh.exe, Nhpgpboi.exe, Eimjgglq.exe, Igpioebe.exe, Jaifohjc.exe, Ponkdcpb.exe, Inangdge.exe, Nhamkk32.exe, Beglof32.exe, Qmgkbm32.exe, Abgqqckf.exe, Bpjcfo32.exe, Mklnop32.exe, Lmbmpf32.exe, Qgnicd32.exe, Aeiomh32.exe, Jhloeikc.exe, Jjonbn32.exe, Pnonjpio.exe, Ecibpbdj.exe, Gnhbjh32.exe, Llagcdmo.exe, Nobbagib.exe, Bbbplaqi.exe, Ffgqhe32.exe, Ceoijk32.exe, Fgogai32.exe, Kmdqohla.exe, Encphk32.exe
Modifies registry class (64 IoCs)

This is the other half of the ShellServiceObjectDelayLoad persistence. Each stage registers the fixed CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} in the 32-bit Classes hive, points its InProcServer32 default value at the DLL that stage has just dropped (Ihjbpjmf.exe, for example, drops C:\Windows\SysWOW64\Aafoajmm.dll and registers it here), and sets ThreadingModel to "Apartment". The CLSID never changes; only the DLL behind it does, so a hunt keyed on the GUID finds every generation of the infection, while a hunt keyed on a DLL name finds one.

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32

Key created by (28 processes):
Pfkfqcih.exe, Hdkfbjii.exe, Cdbemb32.exe, Mmpiadca.exe, Mkbcpohj.exe, Leebqk32.exe, Pkfbcj32.exe, Mennmclo.exe, 6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe, Khoebgkn.exe, Okpigg32.exe, Jjholemj.exe, Jaednobd.exe, Pbfhje32.exe, Ohncap32.exe, Lhdnmf32.exe, Pbmgpnoe.exe, Gnefdh32.exe, Aeemmojj.exe, Elbmca32.exe, Kmijjg32.exe, Bfpbhj32.exe, Fdoejd32.exe, Hgjjilli.exe, Khmhlg32.exe, Edhoie32.exe, Fjqgnkog.exe, Hgkpde32.exe

Default value set (str) to the stage's own DLL (16 processes):
Qbddkc32.exe -> C:\Windows\SysWow64\Dncbca32.dll
Encphk32.exe -> C:\Windows\SysWow64\Hindde32.dll
Ijeklo32.exe -> C:\Windows\SysWow64\Lmjpofkb.dll
Jcpljd32.exe -> C:\Windows\SysWow64\Nnkbkc32.dll
Keneee32.exe -> C:\Windows\SysWow64\Labhfm32.dll
Cenaoe32.exe -> C:\Windows\SysWow64\Pfcdkh32.dll
Ihjbpjmf.exe -> C:\Windows\SysWow64\Aafoajmm.dll
Nbhkhgei.exe -> C:\Windows\SysWow64\Bpdfhn32.dll
Qcogjgha.exe -> C:\Windows\SysWow64\Fjlgilbd.dll
Fddnedap.exe -> C:\Windows\SysWow64\Afjkjn32.dll
Kbppdp32.exe -> C:\Windows\SysWow64\Aiooep32.dll
Afdblk32.exe -> C:\Windows\SysWow64\Mcodmf32.dll
Qhilbh32.exe -> C:\Windows\SysWow64\Jainjjnc.dll
Iedpcodj.exe -> C:\Windows\SysWow64\Kbflnj32.dll
Pnladpka.exe -> C:\Windows\SysWow64\Dblhje32.dll
Blbkff32.exe -> C:\Windows\SysWow64\Lhpannph.dll

ThreadingModel set (str) to "Apartment" by (20 processes):
Nkdikhbk.exe, Nfonngah.exe, Ciogkc32.exe, Kangdn32.exe, Ngpcki32.exe, Okjbgl32.exe, Ponkdcpb.exe, Nhbcea32.exe, Laalak32.exe, Pbfhje32.exe, Gnpeobpo.exe, Onqbhb32.exe, Edmhdegh.exe, Abgqqckf.exe, Hjebeaic.exe, Kogqia32.exe, Lhaagfik.exe, Ekddlo32.exe, Fdoejd32.exe, Hgjjilli.exe
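The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") describe one mechanism, so a single check covers both: read every ShellServiceObjectDelayLoad value, follow its CLSID to the InProcServer32 DLL, and ask whether that DLL is a signed Windows component. The script below is an added example for this page, not part of the sandbox output or of the sample; the function names, the column layout and the decision to treat anything other than a valid Authenticode (or catalog) signature as suspicious are choices made here. Run it read-only from an elevated 64-bit PowerShell on the host being triaged.

```powershell
# Added example, not part of the sandbox report: audit SSODL persistence.
# Lists every ShellServiceObjectDelayLoad value in both registry views,
# resolves the CLSID to its InProcServer32 DLL and checks that DLL's signature.

$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# A 32-bit process on 64-bit Windows (this 45 KB sample) registers its CLSID
# under the WOW6432Node view, so the CLSID is looked up in every view.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-InProcServer32 {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = Join-Path -Path $root -ChildPath "$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # The key's default value is the DLL path; ThreadingModel sits beside it.
        if ($props.'(default)') {
            return [pscustomobject]@{
                Key            = $key
                Dll            = [Environment]::ExpandEnvironmentVariables($props.'(default)')
                ThreadingModel = $props.ThreadingModel
            }
        }
    }
    return $null
}

function Get-SsodlFindings {
    foreach ($ssodl in $ssodlKeys) {
        if (-not (Test-Path -LiteralPath $ssodl)) { continue }
        $key = Get-Item -LiteralPath $ssodl
        foreach ($name in $key.GetValueNames()) {
            $clsid  = [string]$key.GetValue($name)
            $server = Resolve-InProcServer32 -Clsid $clsid
            $status = 'NoInProcServer32'
            if ($server) {
                # Get-AuthenticodeSignature also honours catalog signatures,
                # which is how most Windows system DLLs are signed.
                $status = if (Test-Path -LiteralPath $server.Dll) {
                    (Get-AuthenticodeSignature -FilePath $server.Dll).Status.ToString()
                } else { 'DllMissing' }
            }
            [pscustomobject]@{
                View       = if ($ssodl -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
                ValueName  = $name
                Clsid      = $clsid
                Dll        = if ($server) { $server.Dll } else { '<not registered>' }
                Threading  = if ($server) { $server.ThreadingModel } else { $null }
                # The report's pattern: an 8-character DLL under SysWOW64.
                Wow64Dll   = [bool]($server -and ($server.Dll -like "$env:SystemRoot\SysWOW64\*"))
                Signature  = $status
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Windows' own SSODL entries resolve to signed DLLs under System32, so on a clean host the Suspicious column is empty. The state this sample leaves behind shows up as a 32-bit-view value named "Web Event Logger" whose CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} resolves to an unsigned DLL under C:\Windows\SysWOW64 with a name like those in the "Drops file" list. Because every stage re-points the same CLSID, the GUID is the durable indicator; the DLL name is not.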
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 1840 wrote to memory of 2712  1840  6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe  86
PID 1840 wrote to memory of 2712  1840  6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe  86
PID 1840 wrote to memory of 2712  1840  6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe  86
PID 2712 wrote to memory of 3400  2712  Dnimal32.exe  87
PID 2712 wrote to memory of 3400  2712  Dnimal32.exe  87
PID 2712 wrote to memory of 3400  2712  Dnimal32.exe  87
PID 3400 wrote to memory of 1220  3400  Ephing32.exe  88
PID 3400 wrote to memory of 1220  3400  Ephing32.exe  88
PID 3400 wrote to memory of 1220  3400  Ephing32.exe  88
PID 1220 wrote to memory of 4944  1220  Edcenfob.exe  89
PID 1220 wrote to memory of 4944  1220  Edcenfob.exe  89
PID 1220 wrote to memory of 4944  1220  Edcenfob.exe  89
PID 4944 wrote to memory of 4160  4944  Ekmnkpfo.exe  90
PID 4944 wrote to memory of 4160  4944  Ekmnkpfo.exe  90
PID 4944 wrote to memory of 4160  4944  Ekmnkpfo.exe  90
PID 4160 wrote to memory of 3644  4160  Ejpngm32.exe  91
PID 4160 wrote to memory of 3644  4160  Ejpngm32.exe  91
PID 4160 wrote to memory of 3644  4160  Ejpngm32.exe  91
PID 3644 wrote to memory of 592  3644  Epjfcgef.exe  92
PID 3644 wrote to memory of 592  3644  Epjfcgef.exe  92
PID 3644 wrote to memory of 592  3644  Epjfcgef.exe  92
PID 592 wrote to memory of 3656  592  Ecibpbdj.exe  94
PID 592 wrote to memory of 3656  592  Ecibpbdj.exe  94
PID 592 wrote to memory of 3656  592  Ecibpbdj.exe  94
PID 3656 wrote to memory of 3960  3656  Ejbklm32.exe  95
PID 3656 wrote to memory of 3960  3656  Ejbklm32.exe  95
PID 3656 wrote to memory of 3960  3656  Ejbklm32.exe  95
PID 3960 wrote to memory of 3376  3960  Ennfmkcp.exe  96
PID 3960 wrote to memory of 3376  3960  Ennfmkcp.exe  96
PID 3960 wrote to memory of 3376  3960  Ennfmkcp.exe  96
PID 3376 wrote to memory of 2300  3376  Edhoie32.exe  97
PID 3376 wrote to memory of 2300  3376  Edhoie32.exe  97
PID 3376 wrote to memory of 2300  3376  Edhoie32.exe  97
PID 2300 wrote to memory of 3168  2300  Egfkfa32.exe  98
PID 2300 wrote to memory of 3168  2300  Egfkfa32.exe  98
PID 2300 wrote to memory of 3168  2300  Egfkfa32.exe  98
PID 3168 wrote to memory of 2716  3168  Enqcbk32.exe  99
PID 3168 wrote to memory of 2716  3168  Enqcbk32.exe  99
PID 3168 wrote to memory of 2716  3168  Enqcbk32.exe  99
PID 2716 wrote to memory of 2600  2716  Epopof32.exe  100
PID 2716 wrote to memory of 2600  2716  Epopof32.exe  100
PID 2716 wrote to memory of 2600  2716  Epopof32.exe  100
PID 2600 wrote to memory of 3528  2600  Ecmlkb32.exe  101
PID 2600 wrote to memory of 3528  2600  Ecmlkb32.exe  101
PID 2600 wrote to memory of 3528  2600  Ecmlkb32.exe  101
PID 3528 wrote to memory of 3320  3528  Ekddlo32.exe  102
PID 3528 wrote to memory of 3320  3528  Ekddlo32.exe  102
PID 3528 wrote to memory of 3320  3528  Ekddlo32.exe  102
PID 3320 wrote to memory of 760  3320  Encphk32.exe  103
PID 3320 wrote to memory of 760  3320  Encphk32.exe  103
PID 3320 wrote to memory of 760  3320  Encphk32.exe  103
PID 760 wrote to memory of 4060  760  Edmhdegh.exe  104
PID 760 wrote to memory of 4060  760  Edmhdegh.exe  104
PID 760 wrote to memory of 4060  760  Edmhdegh.exe  104
PID 4060 wrote to memory of 1908  4060  Ekgqaond.exe  105
PID 4060 wrote to memory of 1908  4060  Ekgqaond.exe  105
PID 4060 wrote to memory of 1908  4060  Ekgqaond.exe  105
PID 1908 wrote to memory of 5012  1908  Faqini32.exe  106
PID 1908 wrote to memory of 5012  1908  Faqini32.exe  106
PID 1908 wrote to memory of 5012  1908  Faqini32.exe  106
PID 5012 wrote to memory of 2068  5012  Fdoejd32.exe  107
PID 5012 wrote to memory of 2068  5012  Fdoejd32.exe  107
PID 5012 wrote to memory of 2068  5012  Fdoejd32.exe  107
PID 2068 wrote to memory of 1000  2068  Fgnafp32.exe  108
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\6d55849fcc8614cbddbd11c3f55fb1e9292faaf7705c180b4eea2568eeec7f42.exe")
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840 -
[depth 2] C:\Windows\SysWOW64\Dnimal32.exe  (command line: C:\Windows\system32\Dnimal32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
[depth 3] C:\Windows\SysWOW64\Ephing32.exe  (command line: C:\Windows\system32\Ephing32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
[depth 4] C:\Windows\SysWOW64\Edcenfob.exe  (command line: C:\Windows\system32\Edcenfob.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
[depth 5] C:\Windows\SysWOW64\Ekmnkpfo.exe  (command line: C:\Windows\system32\Ekmnkpfo.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
[depth 6] C:\Windows\SysWOW64\Ejpngm32.exe  (command line: C:\Windows\system32\Ejpngm32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
[depth 7] C:\Windows\SysWOW64\Epjfcgef.exe  (command line: C:\Windows\system32\Epjfcgef.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
[depth 8] C:\Windows\SysWOW64\Ecibpbdj.exe  (command line: C:\Windows\system32\Ecibpbdj.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:592 -
[depth 9] C:\Windows\SysWOW64\Ejbklm32.exe  (command line: C:\Windows\system32\Ejbklm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3656 -
[depth 10] C:\Windows\SysWOW64\Ennfmkcp.exe  (command line: C:\Windows\system32\Ennfmkcp.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960 -
[depth 11] C:\Windows\SysWOW64\Edhoie32.exe  (command line: C:\Windows\system32\Edhoie32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3376 -
[depth 12] C:\Windows\SysWOW64\Egfkfa32.exe  (command line: C:\Windows\system32\Egfkfa32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
[depth 13] C:\Windows\SysWOW64\Enqcbk32.exe  (command line: C:\Windows\system32\Enqcbk32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
[depth 14] C:\Windows\SysWOW64\Epopof32.exe  (command line: C:\Windows\system32\Epopof32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716 -
[depth 15] C:\Windows\SysWOW64\Ecmlkb32.exe  (command line: C:\Windows\system32\Ecmlkb32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
[depth 16] C:\Windows\SysWOW64\Ekddlo32.exe  (command line: C:\Windows\system32\Ekddlo32.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528 -
[depth 17] C:\Windows\SysWOW64\Encphk32.exe  (command line: C:\Windows\system32\Encphk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3320 -
[depth 18] C:\Windows\SysWOW64\Edmhdegh.exe  (command line: C:\Windows\system32\Edmhdegh.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:760 -
[depth 19] C:\Windows\SysWOW64\Ekgqaond.exe  (command line: C:\Windows\system32\Ekgqaond.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
[depth 20] C:\Windows\SysWOW64\Faqini32.exe  (command line: C:\Windows\system32\Faqini32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
[depth 21] C:\Windows\SysWOW64\Fdoejd32.exe  (command line: C:\Windows\system32\Fdoejd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012 -
[depth 22] C:\Windows\SysWOW64\Fgnafp32.exe  (command line: C:\Windows\system32\Fgnafp32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
[depth 23] C:\Windows\SysWOW64\Fkimgolb.exe  (command line: C:\Windows\system32\Fkimgolb.exe)
- Executes dropped EXE
PID:1000 -
[depth 24] C:\Windows\SysWOW64\Fngicjke.exe  (command line: C:\Windows\system32\Fngicjke.exe)
- Executes dropped EXE
PID:4444 -
[depth 25] C:\Windows\SysWOW64\Fqffoeki.exe  (command line: C:\Windows\system32\Fqffoeki.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4756 -
[depth 26] C:\Windows\SysWOW64\Fcdbkajm.exe  (command line: C:\Windows\system32\Fcdbkajm.exe)
- Executes dropped EXE
PID:852 -
[depth 27] C:\Windows\SysWOW64\Fkkjlnjo.exe  (command line: C:\Windows\system32\Fkkjlnjo.exe)
- Executes dropped EXE
PID:3740 -
[depth 28] C:\Windows\SysWOW64\Fnjfij32.exe  (command line: C:\Windows\system32\Fnjfij32.exe)
- Executes dropped EXE
PID:4868 -
[depth 29] C:\Windows\SysWOW64\Fddnedap.exe  (command line: C:\Windows\system32\Fddnedap.exe)
- Executes dropped EXE
- Modifies registry class
PID:1224 -
[depth 30] C:\Windows\SysWOW64\Fknfbn32.exe  (command line: C:\Windows\system32\Fknfbn32.exe)
- Executes dropped EXE
PID:1944 -
[depth 31] C:\Windows\SysWOW64\Fjqgnkog.exe  (command line: C:\Windows\system32\Fjqgnkog.exe)
- Executes dropped EXE
- Modifies registry class
PID:4536 -
[depth 32] C:\Windows\SysWOW64\Fqkoje32.exe  (command line: C:\Windows\system32\Fqkoje32.exe)
- Executes dropped EXE
PID:4476 -
[depth 33] C:\Windows\SysWOW64\Fdfkkcom.exe  (command line: C:\Windows\system32\Fdfkkcom.exe)
- Executes dropped EXE
PID:3812 -
[depth 34] C:\Windows\SysWOW64\Fgdggonq.exe  (command line: C:\Windows\system32\Fgdggonq.exe)
- Executes dropped EXE
PID:1336 -
[depth 35] C:\Windows\SysWOW64\Fkpcgn32.exe  (command line: C:\Windows\system32\Fkpcgn32.exe)
- Executes dropped EXE
PID:4520 -
[depth 36] C:\Windows\SysWOW64\Fbjldh32.exe  (command line: C:\Windows\system32\Fbjldh32.exe)
- Executes dropped EXE
PID:4292 -
[depth 37] C:\Windows\SysWOW64\Fdhhqc32.exe  (command line: C:\Windows\system32\Fdhhqc32.exe)
- Executes dropped EXE
PID:244 -
[depth 38] C:\Windows\SysWOW64\Fjepij32.exe  (command line: C:\Windows\system32\Fjepij32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4000 -
[depth 39] C:\Windows\SysWOW64\Gblhjg32.exe  (command line: C:\Windows\system32\Gblhjg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1456 -
[depth 40] C:\Windows\SysWOW64\Gcneapab.exe  (command line: C:\Windows\system32\Gcneapab.exe)
- Executes dropped EXE
PID:2560 -
[depth 41] C:\Windows\SysWOW64\Gkembmbd.exe  (command line: C:\Windows\system32\Gkembmbd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3992 -
[depth 42] C:\Windows\SysWOW64\Gboeog32.exe  (command line: C:\Windows\system32\Gboeog32.exe)
- Executes dropped EXE
PID:3488 -
[depth 43] C:\Windows\SysWOW64\Gcpago32.exe  (command line: C:\Windows\system32\Gcpago32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2532 -
[depth 44] C:\Windows\SysWOW64\Gkgihm32.exe  (command line: C:\Windows\system32\Gkgihm32.exe)
- Executes dropped EXE
PID:1988 -
[depth 45] C:\Windows\SysWOW64\Gnefdh32.exe  (command line: C:\Windows\system32\Gnefdh32.exe)
- Executes dropped EXE
- Modifies registry class
PID:4920 -
[depth 46] C:\Windows\SysWOW64\Gdpnabgb.exe  (command line: C:\Windows\system32\Gdpnabgb.exe)
- Executes dropped EXE
PID:2144 -
[depth 47] C:\Windows\SysWOW64\Gnhbjh32.exe  (command line: C:\Windows\system32\Gnhbjh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3240 -
[depth 48] C:\Windows\SysWOW64\Gqfofc32.exe  (command line: C:\Windows\system32\Gqfofc32.exe)
- Executes dropped EXE
PID:2372 -
[depth 49] C:\Windows\SysWOW64\Ggpgcm32.exe  (command line: C:\Windows\system32\Ggpgcm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:3388 -
[depth 50] C:\Windows\SysWOW64\Gklcclll.exe  (command line: C:\Windows\system32\Gklcclll.exe)
- Executes dropped EXE
PID:1228 -
[depth 51] C:\Windows\SysWOW64\Hgjjilli.exe  (command line: C:\Windows\system32\Hgjjilli.exe)
- Executes dropped EXE
- Modifies registry class
PID:4484 -
[depth 52] C:\Windows\SysWOW64\Hbonfe32.exe  (command line: C:\Windows\system32\Hbonfe32.exe)
- Executes dropped EXE
PID:2872 -
[depth 53] C:\Windows\SysWOW64\Hglfol32.exe  (command line: C:\Windows\system32\Hglfol32.exe)
- Executes dropped EXE
PID:2640 -
[depth 54] C:\Windows\SysWOW64\Hjjbkg32.exe  (command line: C:\Windows\system32\Hjjbkg32.exe)
- Executes dropped EXE
PID:932 -
[depth 55] C:\Windows\SysWOW64\Hbakld32.exe  (command line: C:\Windows\system32\Hbakld32.exe)
- Executes dropped EXE
PID:3596 -
[depth 56] C:\Windows\SysWOW64\Hepghp32.exe  (command line: C:\Windows\system32\Hepghp32.exe)
- Executes dropped EXE
PID:1056 -
[depth 57] C:\Windows\SysWOW64\Hgncdk32.exe  (command line: C:\Windows\system32\Hgncdk32.exe)
- Executes dropped EXE
PID:4056 -
[depth 58] C:\Windows\SysWOW64\Hkjodj32.exe  (command line: C:\Windows\system32\Hkjodj32.exe)
- Executes dropped EXE
PID:1624 -
[depth 59] C:\Windows\SysWOW64\Inhkqe32.exe  (command line: C:\Windows\system32\Inhkqe32.exe)
- Executes dropped EXE
PID:4656 -
[depth 60] C:\Windows\SysWOW64\Iaggma32.exe  (command line: C:\Windows\system32\Iaggma32.exe)
- Executes dropped EXE
PID:4728 -
[depth 61] C:\Windows\SysWOW64\Iebcnpfm.exe  (command line: C:\Windows\system32\Iebcnpfm.exe)
- Executes dropped EXE
PID:1920 -
[depth 62] C:\Windows\SysWOW64\Illljj32.exe  (command line: C:\Windows\system32\Illljj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732 -
[depth 63] C:\Windows\SysWOW64\Inkhfe32.exe  (command line: C:\Windows\system32\Inkhfe32.exe)
- Executes dropped EXE
PID:448 -
[depth 64] C:\Windows\SysWOW64\Ibfdgdef.exe  (command line: C:\Windows\system32\Ibfdgdef.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4764 -
[depth 65] C:\Windows\SysWOW64\Iedpcodj.exe  (command line: C:\Windows\system32\Iedpcodj.exe)
- Executes dropped EXE
- Modifies registry class
PID:2556 -
[depth 66] C:\Windows\SysWOW64\Igcmokcn.exe  (command line: C:\Windows\system32\Igcmokcn.exe)
- Drops file in System32 directory
PID:3192 -
[depth 67] C:\Windows\SysWOW64\Ijaikfba.exe  (command line: C:\Windows\system32\Ijaikfba.exe)
PID:640 -
[depth 68] C:\Windows\SysWOW64\Inmelekk.exe  (command line: C:\Windows\system32\Inmelekk.exe)
PID:5004 -
[depth 69] C:\Windows\SysWOW64\Iakahpjo.exe  (command line: C:\Windows\system32\Iakahpjo.exe)
PID:4352 -
[depth 70] C:\Windows\SysWOW64\Icjmdlib.exe  (command line: C:\Windows\system32\Icjmdlib.exe)
PID:4604 -
[depth 71] C:\Windows\SysWOW64\Ilaeeijd.exe  (command line: C:\Windows\system32\Ilaeeijd.exe)
PID:2876 -
[depth 72] C:\Windows\SysWOW64\Ibkmbc32.exe  (command line: C:\Windows\system32\Ibkmbc32.exe)
PID:4376 -
[depth 73] C:\Windows\SysWOW64\Ieijno32.exe  (command line: C:\Windows\system32\Ieijno32.exe)
PID:2156 -
[depth 74] C:\Windows\SysWOW64\Ihhfjj32.exe  (command line: C:\Windows\system32\Ihhfjj32.exe)
PID:3084 -
[depth 75] C:\Windows\SysWOW64\Inangdge.exe  (command line: C:\Windows\system32\Inangdge.exe)
- System Location Discovery: System Language Discovery
PID:3316 -
[depth 76] C:\Windows\SysWOW64\Ielfcnnb.exe  (command line: C:\Windows\system32\Ielfcnnb.exe)
- System Location Discovery: System Language Discovery
PID:4236 -
[depth 77] C:\Windows\SysWOW64\Ihjbpjmf.exe  (command line: C:\Windows\system32\Ihjbpjmf.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2780 -
[depth 78] C:\Windows\SysWOW64\Jjholemj.exe  (command line: C:\Windows\system32\Jjholemj.exe)
- Modifies registry class
PID:1752 -
[depth 79] C:\Windows\SysWOW64\Jbpgmbml.exe  (command line: C:\Windows\system32\Jbpgmbml.exe)
- Drops file in System32 directory
PID:4844 -
[depth 80] C:\Windows\SysWOW64\Jabgio32.exe  (command line: C:\Windows\system32\Jabgio32.exe)
PID:744 -
[depth 81] C:\Windows\SysWOW64\Jhloeikc.exe  (command line: C:\Windows\system32\Jhloeikc.exe)
- System Location Discovery: System Language Discovery
PID:1980 -
[depth 82] C:\Windows\SysWOW64\Jlhkfh32.exe  (command line: C:\Windows\system32\Jlhkfh32.exe)
- Drops file in System32 directory
PID:4492 -
[depth 83] C:\Windows\SysWOW64\Jaednobd.exe  (command line: C:\Windows\system32\Jaednobd.exe)
- Modifies registry class
PID:2204 -
[depth 84] C:\Windows\SysWOW64\Jljhkhaj.exe  (command line: C:\Windows\system32\Jljhkhaj.exe)
PID:2456 -
[depth 85] C:\Windows\SysWOW64\Jnidhcam.exe  (command line: C:\Windows\system32\Jnidhcam.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4580 -
[depth 86] C:\Windows\SysWOW64\Jebmdm32.exe  (command line: C:\Windows\system32\Jebmdm32.exe)
PID:4804 -
[depth 87] C:\Windows\SysWOW64\Jlmeagpg.exe  (command line: C:\Windows\system32\Jlmeagpg.exe)
PID:1400 -
[depth 88] C:\Windows\SysWOW64\Jaiminno.exe  (command line: C:\Windows\system32\Jaiminno.exe)
PID:1240 -
[depth 89] C:\Windows\SysWOW64\Jhcefhek.exe  (command line: C:\Windows\system32\Jhcefhek.exe)
PID:340 -
[depth 90] C:\Windows\SysWOW64\Jjbabddo.exe  (command line: C:\Windows\system32\Jjbabddo.exe)
PID:3536 -
[depth 91] C:\Windows\SysWOW64\Jegfpmde.exe  (command line: C:\Windows\system32\Jegfpmde.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4824 -
[depth 92] C:\Windows\SysWOW64\Khfblhci.exe  (command line: C:\Windows\system32\Khfblhci.exe)
PID:4372 -
[depth 93] C:\Windows\SysWOW64\Kopjhb32.exe  (command line: C:\Windows\system32\Kopjhb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4652 -
[depth 94] C:\Windows\SysWOW64\Kangdn32.exe  (command line: C:\Windows\system32\Kangdn32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:5132 -
[depth 95] C:\Windows\SysWOW64\Kejbelbb.exe  (command line: C:\Windows\system32\Kejbelbb.exe)
- Drops file in System32 directory
PID:5176 -
[depth 96] C:\Windows\SysWOW64\Khhoah32.exe  (command line: C:\Windows\system32\Khhoah32.exe)
PID:5220 -
[depth 97] C:\Windows\SysWOW64\Klckafjo.exe  (command line: C:\Windows\system32\Klckafjo.exe)
PID:5264 -
[depth 98] C:\Windows\SysWOW64\Kobgnbic.exe  (command line: C:\Windows\system32\Kobgnbic.exe)
PID:5312 -
[depth 99] C:\Windows\SysWOW64\Kaqcjmhf.exe  (command line: C:\Windows\system32\Kaqcjmhf.exe)
PID:5356 -
[depth 100] C:\Windows\SysWOW64\Khjlgg32.exe  (command line: C:\Windows\system32\Khjlgg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
[depth 101] C:\Windows\SysWOW64\Klfggfgl.exe  (command line: C:\Windows\system32\Klfggfgl.exe)
PID:5468 -
[depth 102] C:\Windows\SysWOW64\Kbppdp32.exe  (command line: C:\Windows\system32\Kbppdp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5532 -
[depth 103] C:\Windows\SysWOW64\Kdallheg.exe  (command line: C:\Windows\system32\Kdallheg.exe)
PID:5576 -
[depth 104] C:\Windows\SysWOW64\Khmhlg32.exe  (command line: C:\Windows\system32\Khmhlg32.exe)
- Modifies registry class
PID:5620 -
[depth 105] C:\Windows\SysWOW64\Kogqia32.exe  (command line: C:\Windows\system32\Kogqia32.exe)
- Modifies registry class
PID:5664 -
[depth 106] C:\Windows\SysWOW64\Kbbmipmf.exe  (command line: C:\Windows\system32\Kbbmipmf.exe)
PID:5708 -
[depth 107] C:\Windows\SysWOW64\Keqieklj.exe  (command line: C:\Windows\system32\Keqieklj.exe)
- System Location Discovery: System Language Discovery
PID:5752 -
[depth 108] C:\Windows\SysWOW64\Khoebgkn.exe  (command line: C:\Windows\system32\Khoebgkn.exe)
- Modifies registry class
PID:5796 -
[depth 109] C:\Windows\SysWOW64\Klkabe32.exe  (command line: C:\Windows\system32\Klkabe32.exe)
PID:5840 -
[depth 110] C:\Windows\SysWOW64\Koimoa32.exe  (command line: C:\Windows\system32\Koimoa32.exe)
PID:5888 -
[depth 111] C:\Windows\SysWOW64\Kagikl32.exe  (command line: C:\Windows\system32\Kagikl32.exe)
PID:5932 -
[depth 112] C:\Windows\SysWOW64\Kecekkjh.exe  (command line: C:\Windows\system32\Kecekkjh.exe)
PID:5996 -
[depth 113] C:\Windows\SysWOW64\Kdffgh32.exe  (command line: C:\Windows\system32\Kdffgh32.exe)
PID:6040 -
[depth 114] C:\Windows\SysWOW64\Lhaagfik.exe  (command line: C:\Windows\system32\Lhaagfik.exe)
- Modifies registry class
PID:6088 -
[depth 115] C:\Windows\SysWOW64\Lkpncb32.exe  (command line: C:\Windows\system32\Lkpncb32.exe)
PID:6140 -
[depth 116] C:\Windows\SysWOW64\Lokjdqqh.exe  (command line: C:\Windows\system32\Lokjdqqh.exe)
- System Location Discovery: System Language Discovery
PID:5184 -
[depth 117] C:\Windows\SysWOW64\Lajfplpl.exe  (command line: C:\Windows\system32\Lajfplpl.exe)
PID:5244 -
[depth 118] C:\Windows\SysWOW64\Leebqk32.exe  (command line: C:\Windows\system32\Leebqk32.exe)
- Modifies registry class
PID:5324 -
[depth 119] C:\Windows\SysWOW64\Lhdnmf32.exe  (command line: C:\Windows\system32\Lhdnmf32.exe)
- Modifies registry class
PID:5424 -
[depth 120] C:\Windows\SysWOW64\Llojmdpb.exe  (command line: C:\Windows\system32\Llojmdpb.exe)
PID:5496 -
[depth 121] C:\Windows\SysWOW64\Lkbkia32.exe  (command line: C:\Windows\system32\Lkbkia32.exe)
PID:5568 -
[depth 122] C:\Windows\SysWOW64\Lbibjo32.exe  (command line: C:\Windows\system32\Lbibjo32.exe)
PID:5636
-