Analysis
max time kernel: 139s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/08/2024, 18:51
Static task: static1
Behavioral task: behavioral1
  Sample: 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe
  Resource: win10v2004-20240802-en
General
Target: 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe
Size: 96KB
MD5: 5c3f53d443bca4b13c6270d8c671108b
SHA1: 30103d0846ee18ec9dbe71f1d09e264100b8549f
SHA256: 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56
SHA512: a2036698af1179e54a0d59f466802bba8f5cde04e0eb6d6f653ee8d9b5a96deab2d005e79ff09975634153ed596649034d81b784c219b2eab6dc4d2283e97c07
SSDEEP: 1536:jQO/PPPpXPTJfUUK5IiOTJMTfEsIavPTYQproFFfUN1Avhw6JCMd:jQaPPPpXPlK8sZDPJproFFfUrQlMW
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid   pid_target  Process       procid_target
8336  8532        WerFault.exe  425
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2616 wrote to memory of 3504 2616 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe 83
PID 2616 wrote to memory of 3504 2616 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe 83
PID 2616 wrote to memory of 3504 2616 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe 83
PID 3504 wrote to memory of 3768 3504 Abimaj32.exe 85
PID 3504 wrote to memory of 3768 3504 Abimaj32.exe 85
PID 3504 wrote to memory of 3768 3504 Abimaj32.exe 85
PID 3768 wrote to memory of 1408 3768 Acjjibbm.exe 86
PID 3768 wrote to memory of 1408 3768 Acjjibbm.exe 86
PID 3768 wrote to memory of 1408 3768 Acjjibbm.exe 86
PID 1408 wrote to memory of 4736 1408 Alaajobo.exe 87
PID 1408 wrote to memory of 4736 1408 Alaajobo.exe 87
PID 1408 wrote to memory of 4736 1408 Alaajobo.exe 87
PID 4736 wrote to memory of 5016 4736 Anpnfkac.exe 88
PID 4736 wrote to memory of 5016 4736 Anpnfkac.exe 88
PID 4736 wrote to memory of 5016 4736 Anpnfkac.exe 88
PID 5016 wrote to memory of 3328 5016 Aanjcfqf.exe 90
PID 5016 wrote to memory of 3328 5016 Aanjcfqf.exe 90
PID 5016 wrote to memory of 3328 5016 Aanjcfqf.exe 90
PID 3328 wrote to memory of 4140 3328 Aejfce32.exe 91
PID 3328 wrote to memory of 4140 3328 Aejfce32.exe 91
PID 3328 wrote to memory of 4140 3328 Aejfce32.exe 91
PID 4140 wrote to memory of 2736 4140 Alcnpopl.exe 92
PID 4140 wrote to memory of 2736 4140 Alcnpopl.exe 92
PID 4140 wrote to memory of 2736 4140 Alcnpopl.exe 92
PID 2736 wrote to memory of 1328 2736 Anbklj32.exe 93
PID 2736 wrote to memory of 1328 2736 Anbklj32.exe 93
PID 2736 wrote to memory of 1328 2736 Anbklj32.exe 93
PID 1328 wrote to memory of 2432 1328 Bdocda32.exe 94
PID 1328 wrote to memory of 2432 1328 Bdocda32.exe 94
PID 1328 wrote to memory of 2432 1328 Bdocda32.exe 94
PID 2432 wrote to memory of 5012 2432 Blfkeo32.exe 95
PID 2432 wrote to memory of 5012 2432 Blfkeo32.exe 95
PID 2432 wrote to memory of 5012 2432 Blfkeo32.exe 95
PID 5012 wrote to memory of 2732 5012 Bndgaj32.exe 96
PID 5012 wrote to memory of 2732 5012 Bndgaj32.exe 96
PID 5012 wrote to memory of 2732 5012 Bndgaj32.exe 96
PID 2732 wrote to memory of 4984 2732 Baccne32.exe 97
PID 2732 wrote to memory of 4984 2732 Baccne32.exe 97
PID 2732 wrote to memory of 4984 2732 Baccne32.exe 97
PID 4984 wrote to memory of 348 4984 Bhmlkpdn.exe 98
PID 4984 wrote to memory of 348 4984 Bhmlkpdn.exe 98
PID 4984 wrote to memory of 348 4984 Bhmlkpdn.exe 98
PID 348 wrote to memory of 392 348 Bngdgj32.exe 99
PID 348 wrote to memory of 392 348 Bngdgj32.exe 99
PID 348 wrote to memory of 392 348 Bngdgj32.exe 99
PID 392 wrote to memory of 2304 392 Bbbphh32.exe 100
PID 392 wrote to memory of 2304 392 Bbbphh32.exe 100
PID 392 wrote to memory of 2304 392 Bbbphh32.exe 100
PID 2304 wrote to memory of 4912 2304 Bdcmpqjb.exe 101
PID 2304 wrote to memory of 4912 2304 Bdcmpqjb.exe 101
PID 2304 wrote to memory of 4912 2304 Bdcmpqjb.exe 101
PID 4912 wrote to memory of 3900 4912 Boiamiih.exe 102
PID 4912 wrote to memory of 3900 4912 Boiamiih.exe 102
PID 4912 wrote to memory of 3900 4912 Boiamiih.exe 102
PID 3900 wrote to memory of 784 3900 Bagmiehl.exe 103
PID 3900 wrote to memory of 784 3900 Bagmiehl.exe 103
PID 3900 wrote to memory of 784 3900 Bagmiehl.exe 103
PID 784 wrote to memory of 3088 784 Blmafnhb.exe 104
PID 784 wrote to memory of 3088 784 Blmafnhb.exe 104
PID 784 wrote to memory of 3088 784 Blmafnhb.exe 104
PID 3088 wrote to memory of 4880 3088 Boknbige.exe 105
PID 3088 wrote to memory of 4880 3088 Boknbige.exe 105
PID 3088 wrote to memory of 4880 3088 Boknbige.exe 105
PID 4880 wrote to memory of 4592 4880 Bhdbkonf.exe 106
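The WriteProcessMemory records above follow one pattern: each stage writes into the process it has just created, the record is repeated once per write, and the chain is strictly linear, every dropped EXE spawning exactly one successor. The script below is an added example, not part of the sandbox report, that parses records in the page's own "PID <parent> wrote to memory of <child> <parent> <image> <target>" form, collapses the repeats into one edge per parent/child pair, verifies the chain has a single root and no forks, and lists the dropped images for an IoC list. SAMPLE holds the first twelve records copied from this report; the function names are mine.

```python
"""Rebuild the spawn chain from a report's WriteProcessMemory records.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# One record: "PID <parent> wrote to memory of <child> <parent> <image> <target>".
# The back-reference \1 insists that the parent PID is repeated, which drops
# anything that merely looks similar.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Constructed input: the first twelve records copied from the report above.
SAMPLE = """
PID 2616 wrote to memory of 3504 2616 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe 83
PID 2616 wrote to memory of 3504 2616 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe 83
PID 2616 wrote to memory of 3504 2616 138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe 83
PID 3504 wrote to memory of 3768 3504 Abimaj32.exe 85
PID 3504 wrote to memory of 3768 3504 Abimaj32.exe 85
PID 3504 wrote to memory of 3768 3504 Abimaj32.exe 85
PID 3768 wrote to memory of 1408 3768 Acjjibbm.exe 86
PID 3768 wrote to memory of 1408 3768 Acjjibbm.exe 86
PID 3768 wrote to memory of 1408 3768 Acjjibbm.exe 86
PID 1408 wrote to memory of 4736 1408 Alaajobo.exe 87
PID 1408 wrote to memory of 4736 1408 Alaajobo.exe 87
PID 1408 wrote to memory of 4736 1408 Alaajobo.exe 87
"""


def parse_records(text):
    """-> list of (parent_pid, child_pid, parent_image, target_id).  Works on the
    run-together form of the page too, since the regex ignores line breaks."""
    return [(int(p), int(c), img, int(t)) for p, c, img, t in RECORD.findall(text)]


def build_chain(records):
    """-> (chain, writes).  chain is [(pid, image), ...] from root to leaf, image
    being None for the leaf (it never appears as a writer); writes counts the
    WriteProcessMemory records per (parent, child) edge."""
    children = defaultdict(set)
    image = {}
    writes = defaultdict(int)
    for parent, child, img, _ in records:
        children[parent].add(child)
        image[parent] = img
        writes[(parent, child)] += 1

    spawned = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in spawned]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")

    chain, pid = [], roots[0]
    while pid in children:
        kids = children[pid]
        if len(kids) != 1:
            raise ValueError(f"PID {pid} wrote to {len(kids)} children; chain is not linear")
        chain.append((pid, image[pid]))
        (pid,) = kids
    chain.append((pid, None))
    return chain, dict(writes)


def dropped_images(chain):
    """Every stage after the submitted sample is a dropped EXE worth blocking."""
    return [img for _, img in chain[1:] if img is not None]


if __name__ == "__main__":
    chain, writes = build_chain(parse_records(SAMPLE))
    for depth, (pid, img) in enumerate(chain, 1):
        print(f"{depth:3} PID {pid:<5} {img or '(leaf, image not in these records)'}")
    print("writes per edge:", writes)
    print("dropped:", dropped_images(chain))
```

Feeding it the full record list from the page gives the same 22 stages the process tree shows, and the leaf's image name (Cdjbpp32.exe for PID 4592) has to be taken from the tree, because a process only appears in these records once it writes to a child of its own.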
Processes

C:\Users\Admin\AppData\Local\Temp\138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe
"C:\Users\Admin\AppData\Local\Temp\138ba96b59edfb014f6b396d555095273d6e9687920253f157daf8d85ce56d56.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\Abimaj32.exe
C:\Windows\system32\Abimaj32.exe 2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\Acjjibbm.exe
C:\Windows\system32\Acjjibbm.exe 3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\Alaajobo.exe
C:\Windows\system32\Alaajobo.exe 4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\Anpnfkac.exe
C:\Windows\system32\Anpnfkac.exe 5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\Aanjcfqf.exe
C:\Windows\system32\Aanjcfqf.exe 6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\Aejfce32.exe
C:\Windows\system32\Aejfce32.exe 7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\Alcnpopl.exe
C:\Windows\system32\Alcnpopl.exe 8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\Anbklj32.exe
C:\Windows\system32\Anbklj32.exe 9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\Bdocda32.exe
C:\Windows\system32\Bdocda32.exe 10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\Blfkeo32.exe
C:\Windows\system32\Blfkeo32.exe 11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\Bndgaj32.exe
C:\Windows\system32\Bndgaj32.exe 12⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\Baccne32.exe
C:\Windows\system32\Baccne32.exe 13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\Bhmlkpdn.exe
C:\Windows\system32\Bhmlkpdn.exe 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\Bngdgj32.exe
C:\Windows\system32\Bngdgj32.exe 15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SysWOW64\Bbbphh32.exe
C:\Windows\system32\Bbbphh32.exe 16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\Bdcmpqjb.exe
C:\Windows\system32\Bdcmpqjb.exe 17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\Boiamiih.exe
C:\Windows\system32\Boiamiih.exe 18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\Bagmiehl.exe
C:\Windows\system32\Bagmiehl.exe 19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\Blmafnhb.exe
C:\Windows\system32\Blmafnhb.exe 20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\Boknbige.exe
C:\Windows\system32\Boknbige.exe 21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\Bhdbkonf.exe
C:\Windows\system32\Bhdbkonf.exe 22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\Cdjbpp32.exe
C:\Windows\system32\Cdjbpp32.exe 23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4592

C:\Windows\SysWOW64\Copgnh32.exe
C:\Windows\system32\Copgnh32.exe 24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4048

C:\Windows\SysWOW64\Caocjd32.exe
C:\Windows\system32\Caocjd32.exe 25⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWOW64\Cldggmbj.exe
C:\Windows\system32\Cldggmbj.exe 26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4776

C:\Windows\SysWOW64\Cobcchan.exe
C:\Windows\system32\Cobcchan.exe 27⤵
- Executes dropped EXE
PID:3664

C:\Windows\SysWOW64\Caapocpa.exe
C:\Windows\system32\Caapocpa.exe 28⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWOW64\Clfdllpg.exe
C:\Windows\system32\Clfdllpg.exe 29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992

C:\Windows\SysWOW64\Coephhok.exe
C:\Windows\system32\Coephhok.exe 30⤵
- Executes dropped EXE
PID:3020

C:\Windows\SysWOW64\Ceoheb32.exe
C:\Windows\system32\Ceoheb32.exe 31⤵
- Executes dropped EXE
PID:1060

C:\Windows\SysWOW64\Cliabl32.exe
C:\Windows\system32\Cliabl32.exe 32⤵
- Executes dropped EXE
PID:684

C:\Windows\SysWOW64\Cogmng32.exe
C:\Windows\system32\Cogmng32.exe 33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3284

C:\Windows\SysWOW64\Cddefn32.exe
C:\Windows\system32\Cddefn32.exe 34⤵
- Executes dropped EXE
PID:2172

C:\Windows\SysWOW64\Clkngl32.exe
C:\Windows\system32\Clkngl32.exe 35⤵
- System Location Discovery: System Language Discovery
PID:4280

C:\Windows\SysWOW64\Coijcg32.exe
C:\Windows\system32\Coijcg32.exe 36⤵
- Executes dropped EXE
- Modifies registry class
PID:4888

C:\Windows\SysWOW64\Decbqabb.exe
C:\Windows\system32\Decbqabb.exe 37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3896

C:\Windows\SysWOW64\Ddfbln32.exe
C:\Windows\system32\Ddfbln32.exe 38⤵
- Executes dropped EXE
PID:4108

C:\Windows\SysWOW64\Dkpjih32.exe
C:\Windows\system32\Dkpjih32.exe 39⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWOW64\Dolfigic.exe
C:\Windows\system32\Dolfigic.exe 40⤵
- Executes dropped EXE
PID:1928

C:\Windows\SysWOW64\Defofa32.exe
C:\Windows\system32\Defofa32.exe 41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4624

C:\Windows\SysWOW64\Dlpgbkhl.exe
C:\Windows\system32\Dlpgbkhl.exe 42⤵
- Executes dropped EXE
- Modifies registry class
PID:2692

C:\Windows\SysWOW64\Doncofgp.exe
C:\Windows\system32\Doncofgp.exe 43⤵
- Executes dropped EXE
PID:4872

C:\Windows\SysWOW64\Dehkkq32.exe
C:\Windows\system32\Dehkkq32.exe 44⤵
- Executes dropped EXE
PID:3264

C:\Windows\SysWOW64\Dhfhhl32.exe
C:\Windows\system32\Dhfhhl32.exe 45⤵
- Executes dropped EXE
PID:3936

C:\Windows\SysWOW64\Dkeddgmd.exe
C:\Windows\system32\Dkeddgmd.exe 46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4428

C:\Windows\SysWOW64\Dclleemf.exe
C:\Windows\system32\Dclleemf.exe 47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:972

C:\Windows\SysWOW64\Dejhapmj.exe
C:\Windows\system32\Dejhapmj.exe 48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3588

C:\Windows\SysWOW64\Dldpnj32.exe
C:\Windows\system32\Dldpnj32.exe 49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4484

C:\Windows\SysWOW64\Dkgqigka.exe
C:\Windows\system32\Dkgqigka.exe 50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3632

C:\Windows\SysWOW64\Dcnhjdkd.exe
C:\Windows\system32\Dcnhjdkd.exe 51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2648

C:\Windows\SysWOW64\Demefpjh.exe
C:\Windows\system32\Demefpjh.exe 52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1248

C:\Windows\SysWOW64\Dhkackjk.exe
C:\Windows\system32\Dhkackjk.exe 53⤵
- Executes dropped EXE
- Modifies registry class
PID:5052

C:\Windows\SysWOW64\Dkjmogio.exe
C:\Windows\system32\Dkjmogio.exe 54⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWOW64\Eoeipeah.exe
C:\Windows\system32\Eoeipeah.exe 55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1844

C:\Windows\SysWOW64\Eeoalp32.exe
C:\Windows\system32\Eeoalp32.exe 56⤵
- Executes dropped EXE
- Modifies registry class
PID:4616

C:\Windows\SysWOW64\Elijijpb.exe
C:\Windows\system32\Elijijpb.exe 57⤵
- Executes dropped EXE
PID:4120

C:\Windows\SysWOW64\Eccbed32.exe
C:\Windows\system32\Eccbed32.exe 58⤵
- Executes dropped EXE
- Modifies registry class
PID:1184

C:\Windows\SysWOW64\Eddomlmm.exe
C:\Windows\system32\Eddomlmm.exe 59⤵
- Executes dropped EXE
- Modifies registry class
PID:2124

C:\Windows\SysWOW64\Elkfnino.exe
C:\Windows\system32\Elkfnino.exe 60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816

C:\Windows\SysWOW64\Eahogp32.exe
C:\Windows\system32\Eahogp32.exe 61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5104

C:\Windows\SysWOW64\Edgkcl32.exe
C:\Windows\system32\Edgkcl32.exe 62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2308

C:\Windows\SysWOW64\Eolopd32.exe
C:\Windows\system32\Eolopd32.exe 63⤵
- Executes dropped EXE
- Modifies registry class
PID:4812

C:\Windows\SysWOW64\Echkqcci.exe
C:\Windows\system32\Echkqcci.exe 64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4128

C:\Windows\SysWOW64\Eefhmobm.exe
C:\Windows\system32\Eefhmobm.exe 65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2752

C:\Windows\SysWOW64\Ehddijaq.exe
C:\Windows\system32\Ehddijaq.exe 66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596

C:\Windows\SysWOW64\Ecjhfcaf.exe
C:\Windows\system32\Ecjhfcaf.exe 67⤵
- Drops file in System32 directory
PID:4064

C:\Windows\SysWOW64\Edkdnkge.exe
C:\Windows\system32\Edkdnkge.exe 68⤵
- System Location Discovery: System Language Discovery
PID:2336

C:\Windows\SysWOW64\Foaikdgk.exe
C:\Windows\system32\Foaikdgk.exe 69⤵
PID:1224

C:\Windows\SysWOW64\Faoegofo.exe
C:\Windows\system32\Faoegofo.exe 70⤵
PID:3000

C:\Windows\SysWOW64\Fdnackeb.exe
C:\Windows\system32\Fdnackeb.exe 71⤵
- Drops file in System32 directory
PID:224

C:\Windows\SysWOW64\Fkhipe32.exe
C:\Windows\system32\Fkhipe32.exe 72⤵
PID:4364

C:\Windows\SysWOW64\Fcoaab32.exe
C:\Windows\system32\Fcoaab32.exe 73⤵
PID:2544

C:\Windows\SysWOW64\Ffmnmnle.exe
C:\Windows\system32\Ffmnmnle.exe 74⤵
PID:4980

C:\Windows\SysWOW64\Fkjffdjl.exe
C:\Windows\system32\Fkjffdjl.exe 75⤵
- Drops file in System32 directory
- Modifies registry class
PID:1240

C:\Windows\SysWOW64\Fcangbko.exe
C:\Windows\system32\Fcangbko.exe 76⤵
PID:1664

C:\Windows\SysWOW64\Ffpjcmjb.exe
C:\Windows\system32\Ffpjcmjb.exe 77⤵
PID:4652

C:\Windows\SysWOW64\Flibpg32.exe
C:\Windows\system32\Flibpg32.exe 78⤵
- Drops file in System32 directory
PID:3508

C:\Windows\SysWOW64\Foholc32.exe
C:\Windows\system32\Foholc32.exe 79⤵
PID:1660

C:\Windows\SysWOW64\Ffbghmhp.exe
C:\Windows\system32\Ffbghmhp.exe 80⤵
- Drops file in System32 directory
PID:4316

C:\Windows\SysWOW64\Fhpceh32.exe
C:\Windows\system32\Fhpceh32.exe 81⤵
- Modifies registry class
PID:4968

C:\Windows\SysWOW64\Fkopad32.exe
C:\Windows\system32\Fkopad32.exe 82⤵
PID:1988

C:\Windows\SysWOW64\Ffddnm32.exe
C:\Windows\system32\Ffddnm32.exe 83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3656

C:\Windows\SysWOW64\Gkalfc32.exe
C:\Windows\system32\Gkalfc32.exe 84⤵
- Modifies registry class
PID:1564

C:\Windows\SysWOW64\Gchdga32.exe
C:\Windows\system32\Gchdga32.exe 85⤵
PID:3840

C:\Windows\SysWOW64\Gdiaoike.exe
C:\Windows\system32\Gdiaoike.exe 86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2624

C:\Windows\SysWOW64\Gkcilcba.exe
C:\Windows\system32\Gkcilcba.exe 87⤵
- System Location Discovery: System Language Discovery
PID:3856

C:\Windows\SysWOW64\Gfimilbh.exe
C:\Windows\system32\Gfimilbh.exe 88⤵
PID:1284

C:\Windows\SysWOW64\Gkffacpo.exe
C:\Windows\system32\Gkffacpo.exe 89⤵
- Drops file in System32 directory
PID:3944

C:\Windows\SysWOW64\Gcmnbpaa.exe
C:\Windows\system32\Gcmnbpaa.exe 90⤵
PID:1980

C:\Windows\SysWOW64\Gfkjolpe.exe
C:\Windows\system32\Gfkjolpe.exe 91⤵
PID:4260

C:\Windows\SysWOW64\Gmebkf32.exe
C:\Windows\system32\Gmebkf32.exe 92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2536

C:\Windows\SysWOW64\Gbbkdmfi.exe
C:\Windows\system32\Gbbkdmfi.exe 93⤵
- System Location Discovery: System Language Discovery
PID:3396

C:\Windows\SysWOW64\Gilcqg32.exe
C:\Windows\system32\Gilcqg32.exe 94⤵
PID:3384

C:\Windows\SysWOW64\Gmgoaeeo.exe
C:\Windows\system32\Gmgoaeeo.exe 95⤵
- Drops file in System32 directory
PID:2644

C:\Windows\SysWOW64\Gofkmadc.exe
C:\Windows\system32\Gofkmadc.exe 96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4792

C:\Windows\SysWOW64\Gfpcjk32.exe
C:\Windows\system32\Gfpcjk32.exe 97⤵
- Modifies registry class
PID:3604

C:\Windows\SysWOW64\Gdccehcj.exe
C:\Windows\system32\Gdccehcj.exe 98⤵
- Drops file in System32 directory
PID:4856

C:\Windows\SysWOW64\Hmjlfecl.exe
C:\Windows\system32\Hmjlfecl.exe 99⤵
- Drops file in System32 directory
PID:2956

C:\Windows\SysWOW64\Hcddcoki.exe
C:\Windows\system32\Hcddcoki.exe 100⤵
- Modifies registry class
PID:4920

C:\Windows\SysWOW64\Hfbppkjm.exe
C:\Windows\system32\Hfbppkjm.exe 101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4272

C:\Windows\SysWOW64\Hiqllfiq.exe
C:\Windows\system32\Hiqllfiq.exe 102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4876

C:\Windows\SysWOW64\Hokdhp32.exe
C:\Windows\system32\Hokdhp32.exe 103⤵
- Modifies registry class
PID:1916

C:\Windows\SysWOW64\Hbiadl32.exe
C:\Windows\system32\Hbiadl32.exe 104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136

C:\Windows\SysWOW64\Hegmqg32.exe
C:\Windows\system32\Hegmqg32.exe 105⤵
PID:5180

C:\Windows\SysWOW64\Hmoead32.exe
C:\Windows\system32\Hmoead32.exe 106⤵
PID:5224

C:\Windows\SysWOW64\Homanp32.exe
C:\Windows\system32\Homanp32.exe 107⤵
PID:5268

C:\Windows\SysWOW64\Hbknjkno.exe
C:\Windows\system32\Hbknjkno.exe 108⤵
PID:5312

C:\Windows\SysWOW64\Hejjfgmb.exe
C:\Windows\system32\Hejjfgmb.exe 109⤵
PID:5356

C:\Windows\SysWOW64\Hiefge32.exe
C:\Windows\system32\Hiefge32.exe 110⤵
- Drops file in System32 directory
PID:5392

C:\Windows\SysWOW64\Hkdbca32.exe
C:\Windows\system32\Hkdbca32.exe 111⤵
PID:5440

C:\Windows\SysWOW64\Hckjdn32.exe
C:\Windows\system32\Hckjdn32.exe 112⤵
PID:5488

C:\Windows\SysWOW64\Hfifpj32.exe
C:\Windows\system32\Hfifpj32.exe 113⤵
PID:5532

C:\Windows\SysWOW64\Hihble32.exe
C:\Windows\system32\Hihble32.exe 114⤵
- Drops file in System32 directory
PID:5576

C:\Windows\SysWOW64\Hkfohq32.exe
C:\Windows\system32\Hkfohq32.exe 115⤵
PID:5620

C:\Windows\SysWOW64\Hcmgin32.exe
C:\Windows\system32\Hcmgin32.exe 116⤵
- Modifies registry class
PID:5664

C:\Windows\SysWOW64\Hflceibb.exe
C:\Windows\system32\Hflceibb.exe 117⤵
- Modifies registry class
PID:5704

C:\Windows\SysWOW64\Iijobeaf.exe
C:\Windows\system32\Iijobeaf.exe 118⤵
- Modifies registry class
PID:5752

C:\Windows\SysWOW64\Ikhknppj.exe
C:\Windows\system32\Ikhknppj.exe 119⤵
- Drops file in System32 directory
- Modifies registry class
PID:5792

C:\Windows\SysWOW64\Icpconql.exe
C:\Windows\system32\Icpconql.exe 120⤵
PID:5836

C:\Windows\SysWOW64\Ifnpkipp.exe
C:\Windows\system32\Ifnpkipp.exe 121⤵
- System Location Discovery: System Language Discovery
PID:5880

C:\Windows\SysWOW64\Imhhhc32.exe
C:\Windows\system32\Imhhhc32.exe 122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5924