Analysis
-
max time kernel
120s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
27/07/2024, 23:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe
-
Size
488KB
-
MD5
cee02ed0cb53030d32cffcd0ceb40dee
-
SHA1
9b57e2e528b3e5cb297473b832b768b20f3bdc84
-
SHA256
663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b
-
SHA512
3a464c5ec0a8a35a0a37a25b2853a2d0a3b7ba0e7206dc3d2eccc7f44dd4f370b516d35383e645b9d020fdae2262e6f7674d3755fa93d705f762da0d50c6fb48
-
SSDEEP
6144:4A37fon/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uon2KO:4ywNIVyeNIVy2oIvPKiKO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiplmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekbjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkffkhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiglnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmgqpkip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncibg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mapppn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnajppda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lelchgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enigke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmapodj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgmmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbanq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfiokmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boenhgdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejhef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoobdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geldkfpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhqefjpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibojhim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feenjgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejalcgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apodoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgloefco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opnbae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfmbmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eangpgcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmhaold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlkedai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ookoaokf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adndoe32.exe -
Executes dropped EXE 64 IoCs
pid Process 4156 Edhjqc32.exe 4312 Eangpgcl.exe 3500 Ehjlaaig.exe 1452 Fibojhim.exe 5020 Iqipio32.exe 2024 Iakiia32.exe 4864 Igjngh32.exe 4480 Jbiejoaj.exe 3612 Kqpoakco.exe 2396 Kbpkkn32.exe 1412 Lgcjdd32.exe 2976 Lelchgne.exe 2220 Meamcg32.exe 404 Mjellmbp.exe 4656 Neafjdkn.exe 4148 Nbefdijg.exe 4940 Oehlkc32.exe 4400 Pedlgbkh.exe 2124 Peieba32.exe 4564 Qkjgegae.exe 2200 Alnmjjdb.exe 4528 Aanbhp32.exe 752 Aleckinj.exe 2188 Cjgpfk32.exe 384 Cjliajmo.exe 4552 Dbjkkl32.exe 2100 Dckdjomg.exe 4796 Ecefqnel.exe 4536 Ejfeng32.exe 1712 Fibhpbea.exe 2676 Glcaambb.exe 2076 Gipdap32.exe 536 Hkpqkcpd.exe 2756 Hdmoohbo.exe 3144 Hildmn32.exe 5068 Iphioh32.exe 1908 Ilafiihp.exe 4248 Jncoikmp.exe 4504 Jkgpbp32.exe 4004 Jcdala32.exe 2796 Jddnfd32.exe 1848 Kggcnoic.exe 636 Knchpiom.exe 3172 Kqfngd32.exe 3008 Lqikmc32.exe 472 Lcjcnoej.exe 3568 Ljhefhha.exe 3952 Mnfnlf32.exe 3604 Mgaokl32.exe 1744 Mnpabe32.exe 1108 Nlfnaicd.exe 3168 Nlhkgi32.exe 4016 Njmhhefi.exe 3660 Odhifjkg.exe 1708 Ohfami32.exe 3400 Omegjomb.exe 4520 Okkdic32.exe 3428 Plmmif32.exe 2924 Pmaffnce.exe 4760 Phigif32.exe 2088 Aogiap32.exe 3392 Adfnofpd.exe 3684 Aehgnied.exe 4724 Adndoe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eqkondfl.exe Eddnic32.exe File opened for modification C:\Windows\SysWOW64\Bebjdgmj.exe Bepmoh32.exe File created C:\Windows\SysWOW64\Hoaojp32.exe Hoobdp32.exe File created C:\Windows\SysWOW64\Jlgepanl.exe Jiglnf32.exe File created C:\Windows\SysWOW64\Monjjgkb.exe Mqimikfj.exe File created C:\Windows\SysWOW64\Heegad32.exe Hhaggp32.exe File created C:\Windows\SysWOW64\Ejhfdb32.dll Jpgdai32.exe File created C:\Windows\SysWOW64\Nlhkgi32.exe Nlfnaicd.exe File created C:\Windows\SysWOW64\Jhijep32.dll Cnfkdb32.exe File created C:\Windows\SysWOW64\Fcanfh32.dll Bmdkcnie.exe File opened for modification C:\Windows\SysWOW64\Cibain32.exe Bmladm32.exe File created C:\Windows\SysWOW64\Peieba32.exe Pedlgbkh.exe File created C:\Windows\SysWOW64\Hlnjbedi.exe Gimqajgh.exe File created C:\Windows\SysWOW64\Lhpapf32.dll Eqncnj32.exe File opened for modification C:\Windows\SysWOW64\Cgfbbb32.exe Cibain32.exe File created C:\Windows\SysWOW64\Lelchgne.exe Lgcjdd32.exe File created C:\Windows\SysWOW64\Faimhjhp.dll Ejalcgkg.exe File created C:\Windows\SysWOW64\Lafnnj32.dll Knchpiom.exe File opened for modification C:\Windows\SysWOW64\Eehicoel.exe Enigke32.exe File created C:\Windows\SysWOW64\Idaiki32.dll Pplobcpp.exe File created C:\Windows\SysWOW64\Ipbaol32.exe Hbnaeh32.exe File created C:\Windows\SysWOW64\Hildmn32.exe Hdmoohbo.exe File created C:\Windows\SysWOW64\Fhgcme32.dll Adndoe32.exe File created C:\Windows\SysWOW64\Bhbcfbjk.exe Bebjdgmj.exe File created C:\Windows\SysWOW64\Bghgmioe.dll Cgqlcg32.exe File opened for modification C:\Windows\SysWOW64\Heegad32.exe Hhaggp32.exe File opened for modification C:\Windows\SysWOW64\Fncibg32.exe Fjeplijj.exe File created C:\Windows\SysWOW64\Ngckdnpn.dll Gegkpf32.exe File created C:\Windows\SysWOW64\Ocoick32.dll Gejhef32.exe File created C:\Windows\SysWOW64\Adndoe32.exe Aehgnied.exe File created C:\Windows\SysWOW64\Hfjjlc32.dll Ekdnei32.exe File opened for modification C:\Windows\SysWOW64\Fnipbc32.exe Feoodn32.exe File opened for modification C:\Windows\SysWOW64\Bobabg32.exe Apodoq32.exe File created C:\Windows\SysWOW64\Epopbo32.dll Bobabg32.exe File created C:\Windows\SysWOW64\Dafppp32.exe Cgqlcg32.exe File created C:\Windows\SysWOW64\Hdeeipfp.dll Fncibg32.exe File opened for modification C:\Windows\SysWOW64\Jpgdai32.exe Jeocna32.exe File created C:\Windows\SysWOW64\Gflonn32.dll Ockdmmoj.exe File created C:\Windows\SysWOW64\Apggckbf.exe Ajjokd32.exe File created C:\Windows\SysWOW64\Egnajocq.exe Daollh32.exe File created C:\Windows\SysWOW64\Kkcghg32.dll Eddnic32.exe File opened for modification C:\Windows\SysWOW64\Fjeplijj.exe Eqmlccdi.exe File opened for modification C:\Windows\SysWOW64\Nlfnaicd.exe Mnpabe32.exe File created C:\Windows\SysWOW64\Cdbijb32.dll Njmhhefi.exe File created C:\Windows\SysWOW64\Ngndaccj.exe Ngjkfd32.exe File opened for modification C:\Windows\SysWOW64\Omalpc32.exe Omopjcjp.exe File opened for modification C:\Windows\SysWOW64\Dgdncplk.exe Dgbanq32.exe File created C:\Windows\SysWOW64\Fgnjqm32.exe Fjjjgh32.exe File created C:\Windows\SysWOW64\Nofhmj32.dll Eangpgcl.exe File opened for modification C:\Windows\SysWOW64\Cgqlcg32.exe Cnfkdb32.exe File created C:\Windows\SysWOW64\Eqlfhjig.exe Eqiibjlj.exe File created C:\Windows\SysWOW64\Dndfnlpc.dll Omopjcjp.exe File opened for modification C:\Windows\SysWOW64\Cmgqpkip.exe Cgklmacf.exe File created C:\Windows\SysWOW64\Nlkppnab.dll Dmjmekgn.exe File opened for modification C:\Windows\SysWOW64\Gldglf32.exe Fbjena32.exe File opened for modification C:\Windows\SysWOW64\Ngjkfd32.exe Nopfpgip.exe File opened for modification C:\Windows\SysWOW64\Fnfmbmbi.exe Fndpmndl.exe File opened for modification C:\Windows\SysWOW64\Hbldphde.exe Heegad32.exe File created C:\Windows\SysWOW64\Mmdaih32.dll Kekbjo32.exe File created C:\Windows\SysWOW64\Hejeak32.dll Pcbkml32.exe File created C:\Windows\SysWOW64\Eqdpgk32.exe Dndgfpbo.exe File created C:\Windows\SysWOW64\Iafkld32.exe Ipbaol32.exe File created C:\Windows\SysWOW64\Bpldbefn.dll Nmjfodne.exe File opened for modification C:\Windows\SysWOW64\Ajjokd32.exe Amfobp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2124 3368 WerFault.exe 324 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqipio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaggp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omopjcjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enigke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqpoakco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daollh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paeelgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdbhifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdjomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjdqmng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiikpnmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqkondfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcekfnkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfiokmkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddgpqbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqncnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfmbmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimqajgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjeplijj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmohno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnjqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgloefco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omalpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjellmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehicoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mapppn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjfdfbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmcmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlofcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfbbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adndoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppikbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiglnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnajppda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqefjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidehpea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjjgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildolk32.dll" Nbphglbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfbbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll" Edaaccbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehlkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnfmbmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gengjl32.dll" Igjngh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll" Dmjmekgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll" Cmgqpkip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjokd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhegig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbcih32.dll" Hfjdqmng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amlogfel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngjkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amlogfel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panlem32.dll" Hbldphde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnpabe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfiokmkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egnajocq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgbdbqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bigbmpco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehagi32.dll" Ehjlaaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcijdmpm.dll" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll" Nlhkgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdmimbf.dll" Geohklaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjlaaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjlnlii.dll" Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfnofpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqdpgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqikmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll" Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll" Babcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofhmj32.dll" Eangpgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcklp32.dll" Fnfmbmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll" Cpmapodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nofefp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehjlaaig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjellmbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3836 wrote to memory of 4156 3836 663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe 87 PID 3836 wrote to memory of 4156 3836 663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe 87 PID 3836 wrote to memory of 4156 3836 663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe 87 PID 4156 wrote to memory of 4312 4156 Edhjqc32.exe 88 PID 4156 wrote to memory of 4312 4156 Edhjqc32.exe 88 PID 4156 wrote to memory of 4312 4156 Edhjqc32.exe 88 PID 4312 wrote to memory of 3500 4312 Eangpgcl.exe 89 PID 4312 wrote to memory of 3500 4312 Eangpgcl.exe 89 PID 4312 wrote to memory of 3500 4312 Eangpgcl.exe 89 PID 3500 wrote to memory of 1452 3500 Ehjlaaig.exe 90 PID 3500 wrote to memory of 1452 3500 Ehjlaaig.exe 90 PID 3500 wrote to memory of 1452 3500 Ehjlaaig.exe 90 PID 1452 wrote to memory of 5020 1452 Fibojhim.exe 91 PID 1452 wrote to memory of 5020 1452 Fibojhim.exe 91 PID 1452 wrote to memory of 5020 1452 Fibojhim.exe 91 PID 5020 wrote to memory of 2024 5020 Iqipio32.exe 92 PID 5020 wrote to memory of 2024 5020 Iqipio32.exe 92 PID 5020 wrote to memory of 2024 5020 Iqipio32.exe 92 PID 2024 wrote to memory of 4864 2024 Iakiia32.exe 93 PID 2024 wrote to memory of 4864 2024 Iakiia32.exe 93 PID 2024 wrote to memory of 4864 2024 Iakiia32.exe 93 PID 4864 wrote to memory of 4480 4864 Igjngh32.exe 94 PID 4864 wrote to memory of 4480 4864 Igjngh32.exe 94 PID 4864 wrote to memory of 4480 4864 Igjngh32.exe 94 PID 4480 wrote to memory of 3612 4480 Jbiejoaj.exe 95 PID 4480 wrote to memory of 3612 4480 Jbiejoaj.exe 95 PID 4480 wrote to memory of 3612 4480 Jbiejoaj.exe 95 PID 3612 wrote to memory of 2396 3612 Kqpoakco.exe 280 PID 3612 wrote to memory of 2396 3612 Kqpoakco.exe 280 PID 3612 wrote to memory of 2396 3612 Kqpoakco.exe 280 PID 2396 wrote to memory of 1412 2396 Kbpkkn32.exe 97 PID 2396 wrote to memory of 1412 2396 Kbpkkn32.exe 97 PID 2396 wrote to memory of 1412 2396 Kbpkkn32.exe 97 PID 1412 wrote to memory of 2976 1412 Lgcjdd32.exe 312 PID 1412 wrote to memory of 2976 1412 Lgcjdd32.exe 312 PID 1412 wrote to memory of 2976 1412 Lgcjdd32.exe 312 PID 2976 wrote to memory of 2220 2976 Lelchgne.exe 298 PID 2976 wrote to memory of 2220 2976 Lelchgne.exe 298 PID 2976 wrote to memory of 2220 2976 Lelchgne.exe 298 PID 2220 wrote to memory of 404 2220 Meamcg32.exe 308 PID 2220 wrote to memory of 404 2220 Meamcg32.exe 308 PID 2220 wrote to memory of 404 2220 Meamcg32.exe 308 PID 404 wrote to memory of 4656 404 Mjellmbp.exe 101 PID 404 wrote to memory of 4656 404 Mjellmbp.exe 101 PID 404 wrote to memory of 4656 404 Mjellmbp.exe 101 PID 4656 wrote to memory of 4148 4656 Neafjdkn.exe 102 PID 4656 wrote to memory of 4148 4656 Neafjdkn.exe 102 PID 4656 wrote to memory of 4148 4656 Neafjdkn.exe 102 PID 4148 wrote to memory of 4940 4148 Nbefdijg.exe 103 PID 4148 wrote to memory of 4940 4148 Nbefdijg.exe 103 PID 4148 wrote to memory of 4940 4148 Nbefdijg.exe 103 PID 4940 wrote to memory of 4400 4940 Oehlkc32.exe 104 PID 4940 wrote to memory of 4400 4940 Oehlkc32.exe 104 PID 4940 wrote to memory of 4400 4940 Oehlkc32.exe 104 PID 4400 wrote to memory of 2124 4400 Pedlgbkh.exe 327 PID 4400 wrote to memory of 2124 4400 Pedlgbkh.exe 327 PID 4400 wrote to memory of 2124 4400 Pedlgbkh.exe 327 PID 2124 wrote to memory of 4564 2124 Peieba32.exe 106 PID 2124 wrote to memory of 4564 2124 Peieba32.exe 106 PID 2124 wrote to memory of 4564 2124 Peieba32.exe 106 PID 4564 wrote to memory of 2200 4564 Qkjgegae.exe 107 PID 4564 wrote to memory of 2200 4564 Qkjgegae.exe 107 PID 4564 wrote to memory of 2200 4564 Qkjgegae.exe 107 PID 2200 wrote to memory of 4528 2200 Alnmjjdb.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe"C:\Users\Admin\AppData\Local\Temp\663ae1f0cce8b5623a8214f445bde2c0b5911d6edc590e70bfb661bf143c283b.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4528 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe24⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe25⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe26⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe27⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe31⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe32⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe35⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Hdmoohbo.exeC:\Windows\system32\Hdmoohbo.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3144 -
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe39⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4248 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe42⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Kqfngd32.exeC:\Windows\system32\Kqfngd32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:472 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe50⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe51⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4016 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe56⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe57⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3400 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4520 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe60⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3392 -
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3684 -
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe67⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe68⤵
- Drops file in System32 directory
PID:4532 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe69⤵PID:1636
-
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe70⤵PID:2612
-
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe71⤵
- System Location Discovery: System Language Discovery
PID:4332 -
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe72⤵PID:2860
-
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3252 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Dmcain32.exeC:\Windows\system32\Dmcain32.exe75⤵PID:1132
-
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe77⤵
- System Location Discovery: System Language Discovery
PID:5156 -
C:\Windows\SysWOW64\Ekdnei32.exeC:\Windows\system32\Ekdnei32.exe78⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Feoodn32.exeC:\Windows\system32\Feoodn32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5256 -
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe80⤵PID:5296
-
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe81⤵PID:5336
-
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe82⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe83⤵PID:5424
-
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe84⤵
- Modifies registry class
PID:5468 -
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5508 -
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe86⤵PID:5548
-
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5588 -
C:\Windows\SysWOW64\Hoaojp32.exeC:\Windows\system32\Hoaojp32.exe88⤵PID:5628
-
C:\Windows\SysWOW64\Hfjdqmng.exeC:\Windows\system32\Hfjdqmng.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe90⤵PID:5712
-
C:\Windows\SysWOW64\Ipgbdbqb.exeC:\Windows\system32\Ipgbdbqb.exe91⤵
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe92⤵
- Modifies registry class
PID:5804 -
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5844 -
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe95⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe96⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6068 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe98⤵
- System Location Discovery: System Language Discovery
PID:6112 -
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe99⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe100⤵PID:5184
-
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5292 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe102⤵PID:5408
-
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe103⤵PID:5476
-
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Mgloefco.exeC:\Windows\system32\Mgloefco.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5660 -
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe106⤵PID:5652
-
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe108⤵
- Modifies registry class
PID:5836 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5940 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe111⤵PID:6108
-
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe112⤵PID:700
-
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe113⤵PID:516
-
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5144 -
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe115⤵PID:5284
-
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5452 -
C:\Windows\SysWOW64\Paeelgnj.exeC:\Windows\system32\Paeelgnj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe118⤵PID:5696
-
C:\Windows\SysWOW64\Pplobcpp.exeC:\Windows\system32\Pplobcpp.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe120⤵PID:6024
-
C:\Windows\SysWOW64\Qmeigg32.exeC:\Windows\system32\Qmeigg32.exe121⤵
- Modifies registry class
PID:3668
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-