Analysis
max time kernel: 103s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2025, 11:25
Static task: static1
Behavioral task: behavioral1
  Sample: 1e807ce3c655cd0fd3a074af9578c01ef5470c5c4c0c3404e8f058a10154b534.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 1e807ce3c655cd0fd3a074af9578c01ef5470c5c4c0c3404e8f058a10154b534.exe
  Resource: win10v2004-20250314-en
General
Target: 1e807ce3c655cd0fd3a074af9578c01ef5470c5c4c0c3404e8f058a10154b534.exe
Size: 112KB
MD5: 6b95c38f49904840993da779448a5c10
SHA1: 3f4046cc84b673155ce1515e91c23a9e9887ef22
SHA256: 1e807ce3c655cd0fd3a074af9578c01ef5470c5c4c0c3404e8f058a10154b534
SHA512: 513914955ab699eeb16c67c7db7387644c6eac84403040c084e03d4ee07b0fa3035e75e311755d2d9ef2e5d5afdb159c46d9d722b691e821bfd7e988fa189f58
SSDEEP: 1536:zHHfJABdidX0Ou0aciPotTmix7YszOy6QogZ2m6j0s20pq4A+wcikRynlypv8LIV:7WidFcPkmQ6y6QM/p2+v+lc802eSQ
Malware Config
Extracted: berbew
  http://f/wcmd.htm
  http://f/ppslog.php
  http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 7144, pid_target: 7240, Process: Process not Found, procid_target: 1151
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each process below is a child of the one above it; the leading number is its depth in the process tree. Each entry gives the image path, the command line as recorded by the sandbox, the PID, and the signatures triggered by that process.

1. C:\Users\Admin\AppData\Local\Temp\1e807ce3c655cd0fd3a074af9578c01ef5470c5c4c0c3404e8f058a10154b534.exe (command line "C:\Users\Admin\AppData\Local\Temp\1e807ce3c655cd0fd3a074af9578c01ef5470c5c4c0c3404e8f058a10154b534.exe"), PID 1352
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ekjklk32.exe (command line C:\Windows\system32\Ekjklk32.exe), PID 4460
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Epfgljlb.exe (command line C:\Windows\system32\Epfgljlb.exe), PID 1376
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Finkeo32.exe (command line C:\Windows\system32\Finkeo32.exe), PID 1528
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fphcbijp.exe (command line C:\Windows\system32\Fphcbijp.exe), PID 6036
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fbgpneic.exe (command line C:\Windows\system32\Fbgpneic.exe), PID 3664
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fmldknii.exe (command line C:\Windows\system32\Fmldknii.exe), PID 1468
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Fpkpgi32.exe (command line C:\Windows\system32\Fpkpgi32.exe), PID 2240
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ffdidcoj.exe (command line C:\Windows\system32\Ffdidcoj.exe), PID 4888
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Fmoaam32.exe (command line C:\Windows\system32\Fmoaam32.exe), PID 1776
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Fnpmheme.exe (command line C:\Windows\system32\Fnpmheme.exe), PID 3500
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Fejeep32.exe (command line C:\Windows\system32\Fejeep32.exe), PID 4616
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fmanfm32.exe (command line C:\Windows\system32\Fmanfm32.exe), PID 2744
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fpojbhdh.exe (command line C:\Windows\system32\Fpojbhdh.exe), PID 4792
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fbnfodck.exe (command line C:\Windows\system32\Fbnfodck.exe), PID 4980
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Fihnkn32.exe (command line C:\Windows\system32\Fihnkn32.exe), PID 4700
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fpafhhbe.exe (command line C:\Windows\system32\Fpafhhbe.exe), PID 5004
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Gbpbdcai.exe (command line C:\Windows\system32\Gbpbdcai.exe), PID 5064
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Gijkan32.exe (command line C:\Windows\system32\Gijkan32.exe), PID 5068
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Glhgmi32.exe (command line C:\Windows\system32\Glhgmi32.exe), PID 5224
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Gfnkjbgo.exe (command line C:\Windows\system32\Gfnkjbgo.exe), PID 3088
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Gilhfmfc.exe (command line C:\Windows\system32\Gilhfmfc.exe), PID 1496
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Glkdbief.exe (command line C:\Windows\system32\Glkdbief.exe), PID 4956
- Executes dropped EXE
24. C:\Windows\SysWOW64\Gpfpcg32.exe (command line C:\Windows\system32\Gpfpcg32.exe), PID 4508
- Executes dropped EXE
25. C:\Windows\SysWOW64\Gfphpael.exe (command line C:\Windows\system32\Gfphpael.exe), PID 5324
- Executes dropped EXE
- Drops file in System32 directory
26. C:\Windows\SysWOW64\Giodlmdp.exe (command line C:\Windows\system32\Giodlmdp.exe), PID 2664
- Executes dropped EXE
27. C:\Windows\SysWOW64\Glmqhhcd.exe (command line C:\Windows\system32\Glmqhhcd.exe), PID 3172
- Executes dropped EXE
28. C:\Windows\SysWOW64\Gnlmddbg.exe (command line C:\Windows\system32\Gnlmddbg.exe), PID 2024
- Executes dropped EXE
29. C:\Windows\SysWOW64\Geeeanjd.exe (command line C:\Windows\system32\Geeeanjd.exe), PID 2748
- Executes dropped EXE
- System Location Discovery: System Language Discovery
30. C:\Windows\SysWOW64\Glpmnh32.exe (command line C:\Windows\system32\Glpmnh32.exe), PID 3568
- Executes dropped EXE
31. C:\Windows\SysWOW64\Gonijc32.exe (command line C:\Windows\system32\Gonijc32.exe), PID 3628
- Executes dropped EXE
- Drops file in System32 directory
32. C:\Windows\SysWOW64\Gehbfnha.exe (command line C:\Windows\system32\Gehbfnha.exe), PID 3684
- Executes dropped EXE
33. C:\Windows\SysWOW64\Gmojhkhd.exe (command line C:\Windows\system32\Gmojhkhd.exe), PID 2188
- Executes dropped EXE
34. C:\Windows\SysWOW64\Hopfpc32.exe (command line C:\Windows\system32\Hopfpc32.exe), PID 3140
- Executes dropped EXE
35. C:\Windows\SysWOW64\Hfgnqqod.exe (command line C:\Windows\system32\Hfgnqqod.exe), PID 3884
- Executes dropped EXE
36. C:\Windows\SysWOW64\Hppbif32.exe (command line C:\Windows\system32\Hppbif32.exe), PID 5480
- Executes dropped EXE
37. C:\Windows\SysWOW64\Hfjkfpmb.exe (command line C:\Windows\system32\Hfjkfpmb.exe), PID 736
- Executes dropped EXE
38. C:\Windows\SysWOW64\Hihgblle.exe (command line C:\Windows\system32\Hihgblle.exe), PID 3820
- Executes dropped EXE
- Modifies registry class
39. C:\Windows\SysWOW64\Hmcccj32.exe (command line C:\Windows\system32\Hmcccj32.exe), PID 5592
- Executes dropped EXE
40. C:\Windows\SysWOW64\Hoepkbjm.exe (command line C:\Windows\system32\Hoepkbjm.exe), PID 5260
- Executes dropped EXE
41. C:\Windows\SysWOW64\Hflhlpko.exe (command line C:\Windows\system32\Hflhlpko.exe), PID 456
- Executes dropped EXE
42. C:\Windows\SysWOW64\Hmfphjbl.exe (command line C:\Windows\system32\Hmfphjbl.exe), PID 2016
- Executes dropped EXE
- System Location Discovery: System Language Discovery
43. C:\Windows\SysWOW64\Hbchqaqc.exe (command line C:\Windows\system32\Hbchqaqc.exe), PID 2924
- Executes dropped EXE
44. C:\Windows\SysWOW64\Headmlpg.exe (command line C:\Windows\system32\Headmlpg.exe), PID 3328
- Executes dropped EXE
45. C:\Windows\SysWOW64\Hmhmnjpi.exe (command line C:\Windows\system32\Hmhmnjpi.exe), PID 3164
- Executes dropped EXE
46. C:\Windows\SysWOW64\Hfqago32.exe (command line C:\Windows\system32\Hfqago32.exe), PID 1428
- Executes dropped EXE
- System Location Discovery: System Language Discovery
47. C:\Windows\SysWOW64\Ipiepe32.exe (command line C:\Windows\system32\Ipiepe32.exe), PID 2928
- Executes dropped EXE
48. C:\Windows\SysWOW64\Ibgblp32.exe (command line C:\Windows\system32\Ibgblp32.exe), PID 4196
- Executes dropped EXE
49. C:\Windows\SysWOW64\Iefnhl32.exe (command line C:\Windows\system32\Iefnhl32.exe), PID 5388
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
50. C:\Windows\SysWOW64\Immfii32.exe (command line C:\Windows\system32\Immfii32.exe), PID 5860
- Executes dropped EXE
51. C:\Windows\SysWOW64\Ilpfdfco.exe (command line C:\Windows\system32\Ilpfdfco.exe), PID 2312
- Executes dropped EXE
52. C:\Windows\SysWOW64\Iehkmk32.exe (command line C:\Windows\system32\Iehkmk32.exe), PID 3508
- Executes dropped EXE
53. C:\Windows\SysWOW64\Imocoi32.exe (command line C:\Windows\system32\Imocoi32.exe), PID 3876
- Executes dropped EXE
- System Location Discovery: System Language Discovery
54. C:\Windows\SysWOW64\Ipnokdie.exe (command line C:\Windows\system32\Ipnokdie.exe), PID 1780
- Executes dropped EXE
55. C:\Windows\SysWOW64\Iblkgphi.exe (command line C:\Windows\system32\Iblkgphi.exe), PID 6000
- Executes dropped EXE
56. C:\Windows\SysWOW64\Ighggn32.exe (command line C:\Windows\system32\Ighggn32.exe), PID 3460
- Executes dropped EXE
- Modifies registry class
57. C:\Windows\SysWOW64\Imapdhho.exe (command line C:\Windows\system32\Imapdhho.exe), PID 5720
- Executes dropped EXE
58. C:\Windows\SysWOW64\Ipplpdgb.exe (command line C:\Windows\system32\Ipplpdgb.exe), PID 980
- Executes dropped EXE
59. C:\Windows\SysWOW64\Igjdmn32.exe (command line C:\Windows\system32\Igjdmn32.exe), PID 2908
- Executes dropped EXE
60. C:\Windows\SysWOW64\Imdljhfl.exe (command line C:\Windows\system32\Imdljhfl.exe), PID 2424
- Executes dropped EXE
61. C:\Windows\SysWOW64\Ioeiaplj.exe (command line C:\Windows\system32\Ioeiaplj.exe), PID 2608
- Executes dropped EXE
- Drops file in System32 directory
62. C:\Windows\SysWOW64\Iglqbnml.exe (command line C:\Windows\system32\Iglqbnml.exe), PID 2228
- Executes dropped EXE
63. C:\Windows\SysWOW64\Imfioh32.exe (command line C:\Windows\system32\Imfioh32.exe), PID 6108
- Executes dropped EXE
- Drops file in System32 directory
64. C:\Windows\SysWOW64\Jliikdkd.exe (command line C:\Windows\system32\Jliikdkd.exe), PID 4404
- Executes dropped EXE
65. C:\Windows\SysWOW64\Johegpjg.exe (command line C:\Windows\system32\Johegpjg.exe), PID 1244
- Executes dropped EXE
- Modifies registry class
66. C:\Windows\SysWOW64\Jeancj32.exe (command line C:\Windows\system32\Jeancj32.exe), PID 3816
67. C:\Windows\SysWOW64\Jmieeg32.exe (command line C:\Windows\system32\Jmieeg32.exe), PID 5352
- Adds autorun key to be loaded by Explorer.exe on startup
68. C:\Windows\SysWOW64\Jojbmphe.exe (command line C:\Windows\system32\Jojbmphe.exe), PID 4624
69. C:\Windows\SysWOW64\Jgajnm32.exe (command line C:\Windows\system32\Jgajnm32.exe), PID 4680
70. C:\Windows\SysWOW64\Jedjijpa.exe (command line C:\Windows\system32\Jedjijpa.exe), PID 4760
71. C:\Windows\SysWOW64\Jlnbfd32.exe (command line C:\Windows\system32\Jlnbfd32.exe), PID 4820
72. C:\Windows\SysWOW64\Jchkbnnk.exe (command line C:\Windows\system32\Jchkbnnk.exe), PID 4928
73. C:\Windows\SysWOW64\Jefgoino.exe (command line C:\Windows\system32\Jefgoino.exe), PID 5044
74. C:\Windows\SysWOW64\Jnmopgna.exe (command line C:\Windows\system32\Jnmopgna.exe), PID 5268
75. C:\Windows\SysWOW64\Jplklbme.exe (command line C:\Windows\system32\Jplklbme.exe), PID 1136
76. C:\Windows\SysWOW64\Jcjghnli.exe (command line C:\Windows\system32\Jcjghnli.exe), PID 6044
77. C:\Windows\SysWOW64\Jeicdi32.exe (command line C:\Windows\system32\Jeicdi32.exe), PID 5880
78. C:\Windows\SysWOW64\Jnplef32.exe (command line C:\Windows\system32\Jnplef32.exe), PID 5504
79. C:\Windows\SysWOW64\Jpnhab32.exe (command line C:\Windows\system32\Jpnhab32.exe), PID 5236
80. C:\Windows\SysWOW64\Jekqji32.exe (command line C:\Windows\system32\Jekqji32.exe), PID 2728
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
81. C:\Windows\SysWOW64\Knbhkf32.exe (command line C:\Windows\system32\Knbhkf32.exe), PID 2600
82. C:\Windows\SysWOW64\Kcoacm32.exe (command line C:\Windows\system32\Kcoacm32.exe), PID 4504
83. C:\Windows\SysWOW64\Kjiipg32.exe (command line C:\Windows\system32\Kjiipg32.exe), PID 2020
84. C:\Windows\SysWOW64\Kcanimfq.exe (command line C:\Windows\system32\Kcanimfq.exe), PID 3868
85. C:\Windows\SysWOW64\Kfpjehed.exe (command line C:\Windows\system32\Kfpjehed.exe), PID 3256
86. C:\Windows\SysWOW64\Kpenbaej.exe (command line C:\Windows\system32\Kpenbaej.exe), PID 2220
87. C:\Windows\SysWOW64\Kgofok32.exe (command line C:\Windows\system32\Kgofok32.exe), PID 628
88. C:\Windows\SysWOW64\Kllogbko.exe (command line C:\Windows\system32\Kllogbko.exe), PID 620
- System Location Discovery: System Language Discovery
89. C:\Windows\SysWOW64\Kgacdkjd.exe (command line C:\Windows\system32\Kgacdkjd.exe), PID 2288
90. C:\Windows\SysWOW64\Knlkae32.exe (command line C:\Windows\system32\Knlkae32.exe), PID 1536
91. C:\Windows\SysWOW64\Kchdil32.exe (command line C:\Windows\system32\Kchdil32.exe), PID 1596
92. C:\Windows\SysWOW64\Ljblffge.exe (command line C:\Windows\system32\Ljblffge.exe), PID 1860
- Drops file in System32 directory
93. C:\Windows\SysWOW64\Llqhba32.exe (command line C:\Windows\system32\Llqhba32.exe), PID 1812
- Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Lgflpj32.exe (command line C:\Windows\system32\Lgflpj32.exe), PID 3532
95. C:\Windows\SysWOW64\Lfimkgmj.exe (command line C:\Windows\system32\Lfimkgmj.exe), PID 2460
- Adds autorun key to be loaded by Explorer.exe on startup
96. C:\Windows\SysWOW64\Llceha32.exe (command line C:\Windows\system32\Llceha32.exe), PID 5960
97. C:\Windows\SysWOW64\Lghiej32.exe (command line C:\Windows\system32\Lghiej32.exe), PID 3648
98. C:\Windows\SysWOW64\Lfkiqfkg.exe (command line C:\Windows\system32\Lfkiqfkg.exe), PID 4608
99. C:\Windows\SysWOW64\Lnbabdli.exe (command line C:\Windows\system32\Lnbabdli.exe), PID 1212
- Drops file in System32 directory
100. C:\Windows\SysWOW64\Lleamqbd.exe (command line C:\Windows\system32\Lleamqbd.exe), PID 5196
101. C:\Windows\SysWOW64\Lqanno32.exe (command line C:\Windows\system32\Lqanno32.exe), PID 5556
102. C:\Windows\SysWOW64\Lgkfkibj.exe (command line C:\Windows\system32\Lgkfkibj.exe), PID 5768
103. C:\Windows\SysWOW64\Lfnfff32.exe (command line C:\Windows\system32\Lfnfff32.exe), PID 1044
104. C:\Windows\SysWOW64\Ljibgeam.exe (command line C:\Windows\system32\Ljibgeam.exe), PID 4816
- Modifies registry class
105. C:\Windows\SysWOW64\Lnengc32.exe (command line C:\Windows\system32\Lnengc32.exe), PID 4568
106. C:\Windows\SysWOW64\Lqcjco32.exe (command line C:\Windows\system32\Lqcjco32.exe), PID 5000
107. C:\Windows\SysWOW64\Lofkolpe.exe (command line C:\Windows\system32\Lofkolpe.exe), PID 5280
108. C:\Windows\SysWOW64\Lcafpj32.exe (command line C:\Windows\system32\Lcafpj32.exe), PID 6128
109. C:\Windows\SysWOW64\Lfpclf32.exe (command line C:\Windows\system32\Lfpclf32.exe), PID 5536
110. C:\Windows\SysWOW64\Lngkmc32.exe (command line C:\Windows\system32\Lngkmc32.exe), PID 2892
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
111. C:\Windows\SysWOW64\Lmjkhpoo.exe (command line C:\Windows\system32\Lmjkhpoo.exe), PID 5056
112. C:\Windows\SysWOW64\Lqegiogh.exe (command line C:\Windows\system32\Lqegiogh.exe), PID 5664
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
113. C:\Windows\SysWOW64\Lcdcejfk.exe (command line C:\Windows\system32\Lcdcejfk.exe), PID 3432
114. C:\Windows\SysWOW64\Mfbpaeeo.exe (command line C:\Windows\system32\Mfbpaeeo.exe), PID 3352
115. C:\Windows\SysWOW64\Mqhdonee.exe (command line C:\Windows\system32\Mqhdonee.exe), PID 180
116. C:\Windows\SysWOW64\Mgblkh32.exe (command line C:\Windows\system32\Mgblkh32.exe), PID 1972
117. C:\Windows\SysWOW64\Mjphgd32.exe (command line C:\Windows\system32\Mjphgd32.exe), PID 5560
118. C:\Windows\SysWOW64\Momqpk32.exe (command line C:\Windows\system32\Momqpk32.exe), PID 3512
119. C:\Windows\SysWOW64\Mgdiahjo.exe (command line C:\Windows\system32\Mgdiahjo.exe), PID 512
120. C:\Windows\SysWOW64\Mfgime32.exe (command line C:\Windows\system32\Mfgime32.exe), PID 1408
121. C:\Windows\SysWOW64\Mqmmjn32.exe (command line C:\Windows\system32\Mqmmjn32.exe), PID 1164
122. C:\Windows\SysWOW64\Mopmejgj.exe (command line C:\Windows\system32\Mopmejgj.exe), PID 2976
- System Location Discovery: System Language Discovery