Analysis
max time kernel
147s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
14/08/2024, 00:02
Static task
static1
Behavioral task
behavioral1
Sample
c4ce897ab364c2252110e1cdd4d93586387c150f6aba4e35ca7eff2f279bf9dc.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c4ce897ab364c2252110e1cdd4d93586387c150f6aba4e35ca7eff2f279bf9dc.exe
Resource
win10v2004-20240802-en
General
Target
c4ce897ab364c2252110e1cdd4d93586387c150f6aba4e35ca7eff2f279bf9dc.exe
Size
790KB
MD5
bcb7a8341912e1d65d41c48c78180060
SHA1
833eedb95fa1bdd6d801b7170322ce5da0fbcbdd
SHA256
c4ce897ab364c2252110e1cdd4d93586387c150f6aba4e35ca7eff2f279bf9dc
SHA512
938a6781c6f6dea3744b429d3810a8bef7ee515b8e7ce0ebb1252427451358188d3a8594163cd2c27ba73aa87d5d18fe3b76e5af0339f971bc5fa5da8a882098
SSDEEP
6144:8arisD2iRFM6234lKmwr8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqk9y:8a2MFB24lA87g7/VycgE81lgxaa79y
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Opfcgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ppmihfdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aggklnnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Epfgji32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jagnidkp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npomgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ppdpie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cpgnlppj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mdmbcjgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pldjmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aobopp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bonoln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bpphka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efnbachd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hncpklnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ifhgemcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kpqdep32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpenppgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Khlfamho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkmochep.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdmbcjgf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnhdbpld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bolbfo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcgngmkn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgacbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mhdeijdd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeclpn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clnoaafo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nedidian.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boqlanop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcblae32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikafql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ihgdopjg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oenbenmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dcmqijif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eodjei32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iamkbfcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nedidian.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlbhlp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjjgipbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gcblae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ofkbia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qmjmhiki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aicjbiok.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epfgji32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Laidebkj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pldjmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Apkfid32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjpbeefk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ecofehiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jhnjpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kgdphikd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lgiich32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjhmdfmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gjnado32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpbpme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iooofjdf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npjdlhep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bldlkbni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cplhgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jdekepjc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppdpie32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqcgolhj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Haalggmg.exe
Executes dropped EXE (64 IoCs)
pid | Process
4416 | Npjdlhep.exe
848 | Nffinbjj.exe
3436 | Npomgh32.exe
2648 | Oelfoo32.exe
1208 | Opajlgog.exe
4680 | Ondjhd32.exe
5004 | Ofkbia32.exe
3344 | Oenbenmo.exe
4952 | Omejflna.exe
1016 | Opcgbgme.exe
1256 | Onfgnd32.exe
5036 | Obbcnbli.exe
4076 | Oeqojnkl.exe
1388 | Oilkkm32.exe
704 | Oljgghbi.exe
5012 | Opfcgg32.exe
4692 | Obdpcb32.exe
3380 | Ofpldabo.exe
3516 | Oeclpn32.exe
4504 | Omjdak32.exe
988 | Ophpmf32.exe
2572 | Obglib32.exe
4312 | Ofbhjqpl.exe
64 | Oiqdflop.exe
3144 | Oloabgnd.exe
2268 | Ponmnc32.exe
4444 | Pfdeop32.exe
4616 | Picakl32.exe
924 | Pmomljef.exe
4688 | Ppmihfdj.exe
1620 | Pbkfdacn.exe
2992 | Pejbqmca.exe
2684 | Pmajajcd.exe
4080 | Pldjmg32.exe
696 | Pbnbja32.exe
408 | Pelofl32.exe
2504 | Pmcggj32.exe
3740 | Plfgbfhl.exe
3840 | Podcobgp.exe
3336 | Peokll32.exe
2980 | Pmecmi32.exe
1772 | Ppdpie32.exe
3032 | Pbblep32.exe
1068 | Peahalmj.exe
2848 | Qoimja32.exe
3656 | Qfpdko32.exe
3544 | Qecegkkg.exe
3924 | Qmjmhiki.exe
5152 | Qpiiddjm.exe
5188 | Qolipa32.exe
5224 | Qfbaqnbj.exe
5264 | Qianmjam.exe
5300 | Qmmimh32.exe
5336 | Apkfid32.exe
5372 | Afenfnpg.exe
5408 | Aicjbiok.exe
5444 | Albfoeno.exe
5496 | Aopbkpmb.exe
5552 | Aggklnnd.exe
5592 | Amachhea.exe
5632 | Appodcde.exe
5668 | Aobopp32.exe
5708 | Abnkqoci.exe
5744 | Aemhmjbl.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Ondjhd32.exe | Opajlgog.exe
File created | C:\Windows\SysWOW64\Lpogcgoo.dll | Cojohm32.exe
File created | C:\Windows\SysWOW64\Hhnaiaba.exe | Hpgihdbp.exe
File created | C:\Windows\SysWOW64\Qdcddcif.dll | Jghplk32.exe
File opened for modification | C:\Windows\SysWOW64\Nnhdbpld.exe | Nkigedmp.exe
File created | C:\Windows\SysWOW64\Dofdnmgi.dll | Lqanlnmp.exe
File opened for modification | C:\Windows\SysWOW64\Opcgbgme.exe | Omejflna.exe
File opened for modification | C:\Windows\SysWOW64\Obdpcb32.exe | Opfcgg32.exe
File created | C:\Windows\SysWOW64\Ghomci32.dll | Aihcmi32.exe
File opened for modification | C:\Windows\SysWOW64\Bjfpogoe.exe | Bekdnh32.exe
File created | C:\Windows\SysWOW64\Epfgji32.exe | Eqcgolhj.exe
File opened for modification | C:\Windows\SysWOW64\Ihpnoaqo.exe | Iafebg32.exe
File opened for modification | C:\Windows\SysWOW64\Obglib32.exe | Ophpmf32.exe
File created | C:\Windows\SysWOW64\Cjpbeefk.exe | Cfdgdg32.exe
File created | C:\Windows\SysWOW64\Klfgadoa.dll | Gjldno32.exe
File created | C:\Windows\SysWOW64\Hniiqp32.dll | Oloabgnd.exe
File opened for modification | C:\Windows\SysWOW64\Eodjei32.exe | Emeninad.exe
File created | C:\Windows\SysWOW64\Nqniqq32.dll | Gjjgipbk.exe
File created | C:\Windows\SysWOW64\Mdflbk32.exe | Moidjd32.exe
File created | C:\Windows\SysWOW64\Ponmnc32.exe | Oloabgnd.exe
File opened for modification | C:\Windows\SysWOW64\Pelofl32.exe | Pbnbja32.exe
File created | C:\Windows\SysWOW64\Jfgcdohc.dll | Ffeibb32.exe
File created | C:\Windows\SysWOW64\Blkidcfd.exe | Aimmhhgp.exe
File created | C:\Windows\SysWOW64\Pgcaml32.dll | Bekdnh32.exe
File opened for modification | C:\Windows\SysWOW64\Dfmikefg.exe | Dleeap32.exe
File created | C:\Windows\SysWOW64\Bghjkn32.dll | Eodjei32.exe
File opened for modification | C:\Windows\SysWOW64\Lobnje32.exe | Lqanlnmp.exe
File created | C:\Windows\SysWOW64\Ooifdfhb.dll | Mkpepeek.exe
File created | C:\Windows\SysWOW64\Mmokfd32.dll | Pmecmi32.exe
File created | C:\Windows\SysWOW64\Nhnhqqgj.dll | Becnni32.exe
File created | C:\Windows\SysWOW64\Dapmjg32.dll | Bldlkbni.exe
File created | C:\Windows\SysWOW64\Gogdfmef.dll | Cjhmdfmc.exe
File created | C:\Windows\SysWOW64\Idgncbfc.exe | Immfghof.exe
File created | C:\Windows\SysWOW64\Klncib32.dll | Aobopp32.exe
File created | C:\Windows\SysWOW64\Cfdgdg32.exe | Cgafijgg.exe
File created | C:\Windows\SysWOW64\Gjldno32.exe | Gcblae32.exe
File created | C:\Windows\SysWOW64\Ikafql32.exe | Ifekpneg.exe
File created | C:\Windows\SysWOW64\Mholnjhj.exe | Mqhdmm32.exe
File created | C:\Windows\SysWOW64\Nnhdbpld.exe | Nkigedmp.exe
File opened for modification | C:\Windows\SysWOW64\Ofpldabo.exe | Obdpcb32.exe
File created | C:\Windows\SysWOW64\Acceln32.exe | Apdhpb32.exe
File created | C:\Windows\SysWOW64\Kdcgfn32.exe | Kphkfoej.exe
File created | C:\Windows\SysWOW64\Ipbhdbhb.exe | Imdlhgio.exe
File created | C:\Windows\SysWOW64\Kpqdep32.exe | Joohmhfd.exe
File created | C:\Windows\SysWOW64\Pmcggj32.exe | Pelofl32.exe
File created | C:\Windows\SysWOW64\Becnni32.exe | Bgqnblfj.exe
File created | C:\Windows\SysWOW64\Kjecee32.dll | Bgcjgl32.exe
File created | C:\Windows\SysWOW64\Khemgh32.dll | Bpphka32.exe
File opened for modification | C:\Windows\SysWOW64\Cfdgdg32.exe | Cgafijgg.exe
File created | C:\Windows\SysWOW64\Hpgihdbp.exe | Hmhmli32.exe
File created | C:\Windows\SysWOW64\Blnfjc32.exe | Bmkfof32.exe
File created | C:\Windows\SysWOW64\Gbfqfmhg.dll | Cpbeaq32.exe
File created | C:\Windows\SysWOW64\Gfeaipcj.exe | Gahiqieb.exe
File created | C:\Windows\SysWOW64\Ipnoic32.exe | Ikafql32.exe
File created | C:\Windows\SysWOW64\Qmjmhiki.exe | Qecegkkg.exe
File created | C:\Windows\SysWOW64\Mjfeei32.dll | Alimodhf.exe
File created | C:\Windows\SysWOW64\Cndhee32.exe | Cjhmdfmc.exe
File opened for modification | C:\Windows\SysWOW64\Cjkijf32.exe | Cglmnk32.exe
File created | C:\Windows\SysWOW64\Ghncapnd.dll | Fpkpehjp.exe
File opened for modification | C:\Windows\SysWOW64\Blkidcfd.exe | Aimmhhgp.exe
File created | C:\Windows\SysWOW64\Dbbckn32.dll | Ccaamlcc.exe
File opened for modification | C:\Windows\SysWOW64\Hmhmli32.exe | Hjjqpm32.exe
File opened for modification | C:\Windows\SysWOW64\Ldjmgm32.exe | Lnpejc32.exe
File opened for modification | C:\Windows\SysWOW64\Dlbhlp32.exe | Djdlpe32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
9064 | 8504 | WerFault.exe | 385
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpeafpbm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjpbeefk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpgihdbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbjmlp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oilkkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pejbqmca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmfgpkca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Monmedka.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmkfof32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjfpogoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cndhee32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghpdhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnjgqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obglib32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acqhfnaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cllbla32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjjgipbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmjqkk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iafebg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhlmjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Johbmill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aicjbiok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aeaahi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnpejc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qecegkkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kngbddhi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmoaolii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdcgfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmecmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgojcj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nefejiok.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiqdflop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bolbfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Colkmleb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knlkocdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apdhpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bidcig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cglmnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpikap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onfgnd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpgeeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjlmemae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Podcobgp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qfbaqnbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bonoln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emeninad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oeclpn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Picakl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plfgbfhl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qoimja32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dleeap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkmochep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgiich32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbacmo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ondjhd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmajajcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnmbdfkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fajmok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kobechda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofkbia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blkidcfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eoanoibj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfeaipcj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpjgko32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Enejbqhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqniqq32.dll" | Gjjgipbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Johbmill.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhllepme.dll" | Jagnidkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lqanlnmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pbnbja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jmplceoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kgdphikd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Eodjei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fmjgcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ifekpneg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heqede32.dll" | Cglmnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fpkpehjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ihgdopjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeiciho.dll" | Jaiknd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mdmbcjgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bgjphkno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbeoccf.dll" | Fcdpqg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqbdem32.dll" | Mdflbk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Afenfnpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Appodcde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpnpe32.dll" | Bmkfof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amopijgh.dll" | Cgafijgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dghmii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kobechda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Alimodhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nnhdbpld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cllbla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ghpdhc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Khlfamho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lodkoecl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Clnoaafo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ngphke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pejbqmca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Blpbpc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dcmqijif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jkapgjpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aihcmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbhqklba.dll" | Behgihho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gmjqkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpmfndi.dll" | Ikafql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mdflbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfedigkb.dll" | Bcgngmkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobbgoai.dll" | Bceaan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Efnbachd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idoaaofm.dll" | Ipbhdbhb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aobopp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njicdlbj.dll" | Dleeap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fngghpfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abpbkoie.dll" | Fmoaolii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenjli32.dll" | Johbmill.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Acqhfnaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pbblep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cpikap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lqfggm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiliij32.dll" | Mqhdmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojfac32.dll" | Mbljaoje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hpbpme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfalld32.dll" | Bonoln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdell32.dll" | Cfajogpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ecofehiq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hdkohc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhngebm.dll" | Nbelhnbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bmkfof32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry: tree depth, PID, image path (command line); signatures triggered by that process.
- depth 1, PID 1332: C:\Users\Admin\AppData\Local\Temp\c4ce897ab364c2252110e1cdd4d93586387c150f6aba4e35ca7eff2f279bf9dc.exe (command line "C:\Users\Admin\AppData\Local\Temp\c4ce897ab364c2252110e1cdd4d93586387c150f6aba4e35ca7eff2f279bf9dc.exe"); signatures: Suspicious use of WriteProcessMemory
- depth 2, PID 4416: C:\Windows\SysWOW64\Npjdlhep.exe (command line C:\Windows\system32\Npjdlhep.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 3, PID 848: C:\Windows\SysWOW64\Nffinbjj.exe (command line C:\Windows\system32\Nffinbjj.exe); signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 4, PID 3436: C:\Windows\SysWOW64\Npomgh32.exe (command line C:\Windows\system32\Npomgh32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 5, PID 2648: C:\Windows\SysWOW64\Oelfoo32.exe (command line C:\Windows\system32\Oelfoo32.exe); signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 6, PID 1208: C:\Windows\SysWOW64\Opajlgog.exe (command line C:\Windows\system32\Opajlgog.exe); signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 7, PID 4680: C:\Windows\SysWOW64\Ondjhd32.exe (command line C:\Windows\system32\Ondjhd32.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 8, PID 5004: C:\Windows\SysWOW64\Ofkbia32.exe (command line C:\Windows\system32\Ofkbia32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 9, PID 3344: C:\Windows\SysWOW64\Oenbenmo.exe (command line C:\Windows\system32\Oenbenmo.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 10, PID 4952: C:\Windows\SysWOW64\Omejflna.exe (command line C:\Windows\system32\Omejflna.exe); signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 11, PID 1016: C:\Windows\SysWOW64\Opcgbgme.exe (command line C:\Windows\system32\Opcgbgme.exe); signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 12, PID 1256: C:\Windows\SysWOW64\Onfgnd32.exe (command line C:\Windows\system32\Onfgnd32.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 13, PID 5036: C:\Windows\SysWOW64\Obbcnbli.exe (command line C:\Windows\system32\Obbcnbli.exe); signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 14, PID 4076: C:\Windows\SysWOW64\Oeqojnkl.exe (command line C:\Windows\system32\Oeqojnkl.exe); signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 15, PID 1388: C:\Windows\SysWOW64\Oilkkm32.exe (command line C:\Windows\system32\Oilkkm32.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 16, PID 704: C:\Windows\SysWOW64\Oljgghbi.exe (command line C:\Windows\system32\Oljgghbi.exe); signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 17, PID 5012: C:\Windows\SysWOW64\Opfcgg32.exe (command line C:\Windows\system32\Opfcgg32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 18, PID 4692: C:\Windows\SysWOW64\Obdpcb32.exe (command line C:\Windows\system32\Obdpcb32.exe); signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 19, PID 3380: C:\Windows\SysWOW64\Ofpldabo.exe (command line C:\Windows\system32\Ofpldabo.exe); signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 20, PID 3516: C:\Windows\SysWOW64\Oeclpn32.exe (command line C:\Windows\system32\Oeclpn32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- depth 21, PID 4504: C:\Windows\SysWOW64\Omjdak32.exe (command line C:\Windows\system32\Omjdak32.exe); signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- depth 22, PID 988: C:\Windows\SysWOW64\Ophpmf32.exe (command line C:\Windows\system32\Ophpmf32.exe); signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
- depth 23, PID 2572: C:\Windows\SysWOW64\Obglib32.exe (command line C:\Windows\system32\Obglib32.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 24, PID 4312: C:\Windows\SysWOW64\Ofbhjqpl.exe (command line C:\Windows\system32\Ofbhjqpl.exe); signatures: Executes dropped EXE
- depth 25, PID 64: C:\Windows\SysWOW64\Oiqdflop.exe (command line C:\Windows\system32\Oiqdflop.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 26, PID 3144: C:\Windows\SysWOW64\Oloabgnd.exe (command line C:\Windows\system32\Oloabgnd.exe); signatures: Executes dropped EXE; Drops file in System32 directory
- depth 27, PID 2268: C:\Windows\SysWOW64\Ponmnc32.exe (command line C:\Windows\system32\Ponmnc32.exe); signatures: Executes dropped EXE
- depth 28, PID 4444: C:\Windows\SysWOW64\Pfdeop32.exe (command line C:\Windows\system32\Pfdeop32.exe); signatures: Executes dropped EXE
- depth 29, PID 4616: C:\Windows\SysWOW64\Picakl32.exe (command line C:\Windows\system32\Picakl32.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 30, PID 924: C:\Windows\SysWOW64\Pmomljef.exe (command line C:\Windows\system32\Pmomljef.exe); signatures: Executes dropped EXE
- depth 31, PID 4688: C:\Windows\SysWOW64\Ppmihfdj.exe (command line C:\Windows\system32\Ppmihfdj.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 32, PID 1620: C:\Windows\SysWOW64\Pbkfdacn.exe (command line C:\Windows\system32\Pbkfdacn.exe); signatures: Executes dropped EXE
- depth 33, PID 2992: C:\Windows\SysWOW64\Pejbqmca.exe (command line C:\Windows\system32\Pejbqmca.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
- depth 34, PID 2684: C:\Windows\SysWOW64\Pmajajcd.exe (command line C:\Windows\system32\Pmajajcd.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 35, PID 4080: C:\Windows\SysWOW64\Pldjmg32.exe (command line C:\Windows\system32\Pldjmg32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 36, PID 696: C:\Windows\SysWOW64\Pbnbja32.exe (command line C:\Windows\system32\Pbnbja32.exe); signatures: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
- depth 37, PID 408: C:\Windows\SysWOW64\Pelofl32.exe (command line C:\Windows\system32\Pelofl32.exe); signatures: Executes dropped EXE; Drops file in System32 directory
- depth 38, PID 2504: C:\Windows\SysWOW64\Pmcggj32.exe (command line C:\Windows\system32\Pmcggj32.exe); signatures: Executes dropped EXE
- depth 39, PID 3740: C:\Windows\SysWOW64\Plfgbfhl.exe (command line C:\Windows\system32\Plfgbfhl.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 40, PID 3840: C:\Windows\SysWOW64\Podcobgp.exe (command line C:\Windows\system32\Podcobgp.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 41, PID 3336: C:\Windows\SysWOW64\Peokll32.exe (command line C:\Windows\system32\Peokll32.exe); signatures: Executes dropped EXE
- depth 42, PID 2980: C:\Windows\SysWOW64\Pmecmi32.exe (command line C:\Windows\system32\Pmecmi32.exe); signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
- depth 43, PID 1772: C:\Windows\SysWOW64\Ppdpie32.exe (command line C:\Windows\system32\Ppdpie32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 44, PID 3032: C:\Windows\SysWOW64\Pbblep32.exe (command line C:\Windows\system32\Pbblep32.exe); signatures: Executes dropped EXE; Modifies registry class
- depth 45, PID 1068: C:\Windows\SysWOW64\Peahalmj.exe (command line C:\Windows\system32\Peahalmj.exe); signatures: Executes dropped EXE
- depth 46, PID 2848: C:\Windows\SysWOW64\Qoimja32.exe (command line C:\Windows\system32\Qoimja32.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 47, PID 3656: C:\Windows\SysWOW64\Qfpdko32.exe (command line C:\Windows\system32\Qfpdko32.exe); signatures: Executes dropped EXE
- depth 48, PID 3544: C:\Windows\SysWOW64\Qecegkkg.exe (command line C:\Windows\system32\Qecegkkg.exe); signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
- depth 49, PID 3924: C:\Windows\SysWOW64\Qmjmhiki.exe (command line C:\Windows\system32\Qmjmhiki.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 50, PID 5152: C:\Windows\SysWOW64\Qpiiddjm.exe (command line C:\Windows\system32\Qpiiddjm.exe); signatures: Executes dropped EXE
- depth 51, PID 5188: C:\Windows\SysWOW64\Qolipa32.exe (command line C:\Windows\system32\Qolipa32.exe); signatures: Executes dropped EXE
- depth 52, PID 5224: C:\Windows\SysWOW64\Qfbaqnbj.exe (command line C:\Windows\system32\Qfbaqnbj.exe); signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 53, PID 5264: C:\Windows\SysWOW64\Qianmjam.exe (command line C:\Windows\system32\Qianmjam.exe); signatures: Executes dropped EXE
- depth 54, PID 5300: C:\Windows\SysWOW64\Qmmimh32.exe (command line C:\Windows\system32\Qmmimh32.exe); signatures: Executes dropped EXE
- depth 55, PID 5336: C:\Windows\SysWOW64\Apkfid32.exe (command line C:\Windows\system32\Apkfid32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 56, PID 5372: C:\Windows\SysWOW64\Afenfnpg.exe (command line C:\Windows\system32\Afenfnpg.exe); signatures: Executes dropped EXE; Modifies registry class
- depth 57, PID 5408: C:\Windows\SysWOW64\Aicjbiok.exe (command line C:\Windows\system32\Aicjbiok.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
- depth 58, PID 5444: C:\Windows\SysWOW64\Albfoeno.exe (command line C:\Windows\system32\Albfoeno.exe); signatures: Executes dropped EXE
- depth 59, PID 5496: C:\Windows\SysWOW64\Aopbkpmb.exe (command line C:\Windows\system32\Aopbkpmb.exe); signatures: Executes dropped EXE
- depth 60, PID 5552: C:\Windows\SysWOW64\Aggklnnd.exe (command line C:\Windows\system32\Aggklnnd.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
- depth 61, PID 5592: C:\Windows\SysWOW64\Amachhea.exe (command line C:\Windows\system32\Amachhea.exe); signatures: Executes dropped EXE
- depth 62, PID 5632: C:\Windows\SysWOW64\Appodcde.exe (command line C:\Windows\system32\Appodcde.exe); signatures: Executes dropped EXE; Modifies registry class
- depth 63, PID 5668: C:\Windows\SysWOW64\Aobopp32.exe (command line C:\Windows\system32\Aobopp32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
- depth 64, PID 5708: C:\Windows\SysWOW64\Abnkqoci.exe (command line C:\Windows\system32\Abnkqoci.exe); signatures: Executes dropped EXE
- depth 65, PID 5744: C:\Windows\SysWOW64\Aemhmjbl.exe (command line C:\Windows\system32\Aemhmjbl.exe); signatures: Executes dropped EXE
- depth 66, PID 5780: C:\Windows\SysWOW64\Aihcmi32.exe (command line C:\Windows\system32\Aihcmi32.exe); signatures: Drops file in System32 directory; Modifies registry class
- depth 67, PID 5816: C:\Windows\SysWOW64\Alfpjd32.exe (command line C:\Windows\system32\Alfpjd32.exe); signatures: none listed
- depth 68, PID 5852: C:\Windows\SysWOW64\Aoelfp32.exe (command line C:\Windows\system32\Aoelfp32.exe); signatures: none listed
- depth 69, PID 5888: C:\Windows\SysWOW64\Acqhfnaf.exe (command line C:\Windows\system32\Acqhfnaf.exe); signatures: System Location Discovery: System Language Discovery; Modifies registry class
- depth 70, PID 5924: C:\Windows\SysWOW64\Aeodbjqj.exe (command line C:\Windows\system32\Aeodbjqj.exe); signatures: none listed
- depth 71, PID 5960: C:\Windows\SysWOW64\Aijpch32.exe (command line C:\Windows\system32\Aijpch32.exe); signatures: none listed
- depth 72, PID 5996: C:\Windows\SysWOW64\Alimodhf.exe (command line C:\Windows\system32\Alimodhf.exe); signatures: Drops file in System32 directory; Modifies registry class
- depth 73, PID 6032: C:\Windows\SysWOW64\Apdhpb32.exe (command line C:\Windows\system32\Apdhpb32.exe); signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery
- depth 74, PID 6072: C:\Windows\SysWOW64\Acceln32.exe (command line C:\Windows\system32\Acceln32.exe); signatures: none listed
- depth 75, PID 6104: C:\Windows\SysWOW64\Aeaahi32.exe (command line C:\Windows\system32\Aeaahi32.exe); signatures: System Location Discovery: System Language Discovery
- depth 76, PID 6140: C:\Windows\SysWOW64\Aimmhhgp.exe (command line C:\Windows\system32\Aimmhhgp.exe); signatures: Drops file in System32 directory
- depth 77, PID 3396: C:\Windows\SysWOW64\Blkidcfd.exe (command line C:\Windows\system32\Blkidcfd.exe); signatures: System Location Discovery: System Language Discovery
- depth 78, PID 4884: C:\Windows\SysWOW64\Bpgeeb32.exe (command line C:\Windows\system32\Bpgeeb32.exe); signatures: System Location Discovery: System Language Discovery
- depth 79, PID 4000: C:\Windows\SysWOW64\Bceaan32.exe (command line C:\Windows\system32\Bceaan32.exe); signatures: Modifies registry class
- depth 80, PID 2692: C:\Windows\SysWOW64\Bgqnblfj.exe (command line C:\Windows\system32\Bgqnblfj.exe); signatures: Drops file in System32 directory
- depth 81, PID 1900: C:\Windows\SysWOW64\Becnni32.exe (command line C:\Windows\system32\Becnni32.exe); signatures: Drops file in System32 directory
- depth 82, PID 3236: C:\Windows\SysWOW64\Bmkfof32.exe (command line C:\Windows\system32\Bmkfof32.exe); signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
- depth 83, PID 5176: C:\Windows\SysWOW64\Blnfjc32.exe (command line C:\Windows\system32\Blnfjc32.exe); signatures: none listed
- depth 84, PID 880: C:\Windows\SysWOW64\Bolbfo32.exe (command line C:\Windows\system32\Bolbfo32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- depth 85, PID 5288: C:\Windows\SysWOW64\Bcgngmkn.exe (command line C:\Windows\system32\Bcgngmkn.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
- depth 86, PID 5364: C:\Windows\SysWOW64\Bgcjgl32.exe (command line C:\Windows\system32\Bgcjgl32.exe); signatures: Drops file in System32 directory
- depth 87, PID 5416: C:\Windows\SysWOW64\Biafcg32.exe (command line C:\Windows\system32\Biafcg32.exe); signatures: none listed
- depth 88, PID 5452: C:\Windows\SysWOW64\Bnmbdfkd.exe (command line C:\Windows\system32\Bnmbdfkd.exe); signatures: System Location Discovery: System Language Discovery
- depth 89, PID 5576: C:\Windows\SysWOW64\Blpbpc32.exe (command line C:\Windows\system32\Blpbpc32.exe); signatures: Modifies registry class
- depth 90, PID 5652: C:\Windows\SysWOW64\Bonoln32.exe (command line C:\Windows\system32\Bonoln32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery; Modifies registry class
- depth 91, PID 5704: C:\Windows\SysWOW64\Bcjklmik.exe (command line C:\Windows\system32\Bcjklmik.exe); signatures: none listed
- depth 92, PID 5772: C:\Windows\SysWOW64\Behgihho.exe (command line C:\Windows\system32\Behgihho.exe); signatures: Modifies registry class
- depth 93, PID 5840: C:\Windows\SysWOW64\Bidcig32.exe (command line C:\Windows\system32\Bidcig32.exe); signatures: System Location Discovery: System Language Discovery
- depth 94, PID 5896: C:\Windows\SysWOW64\Blboeb32.exe (command line C:\Windows\system32\Blboeb32.exe); signatures: none listed
- depth 95, PID 5956: C:\Windows\SysWOW64\Bpnkfa32.exe (command line C:\Windows\system32\Bpnkfa32.exe); signatures: none listed
- depth 96, PID 6004: C:\Windows\SysWOW64\Boqlanop.exe (command line C:\Windows\system32\Boqlanop.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup
- depth 97, PID 6096: C:\Windows\SysWOW64\Bclhbm32.exe (command line C:\Windows\system32\Bclhbm32.exe); signatures: none listed
- depth 98, PID 3372: C:\Windows\SysWOW64\Bekdnh32.exe (command line C:\Windows\system32\Bekdnh32.exe); signatures: Drops file in System32 directory
- depth 99, PID 2368: C:\Windows\SysWOW64\Bjfpogoe.exe (command line C:\Windows\system32\Bjfpogoe.exe); signatures: System Location Discovery: System Language Discovery
- depth 100, PID 2852: C:\Windows\SysWOW64\Bldlkbni.exe (command line C:\Windows\system32\Bldlkbni.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- depth 101, PID 6176: C:\Windows\SysWOW64\Bpphka32.exe (command line C:\Windows\system32\Bpphka32.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- depth 102, PID 6212: C:\Windows\SysWOW64\Bcodgl32.exe (command line C:\Windows\system32\Bcodgl32.exe); signatures: none listed
- depth 103, PID 6248: C:\Windows\SysWOW64\Bgjphkno.exe (command line C:\Windows\system32\Bgjphkno.exe); signatures: Modifies registry class
- depth 104, PID 6284: C:\Windows\SysWOW64\Cjhmdfmc.exe (command line C:\Windows\system32\Cjhmdfmc.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- depth 105, PID 6320: C:\Windows\SysWOW64\Cndhee32.exe (command line C:\Windows\system32\Cndhee32.exe); signatures: System Location Discovery: System Language Discovery
- depth 106, PID 6356: C:\Windows\SysWOW64\Cpbeaq32.exe (command line C:\Windows\system32\Cpbeaq32.exe); signatures: Drops file in System32 directory
- depth 107, PID 6392: C:\Windows\SysWOW64\Ccaamlcc.exe (command line C:\Windows\system32\Ccaamlcc.exe); signatures: Drops file in System32 directory
- depth 108, PID 6428: C:\Windows\SysWOW64\Cglmnk32.exe (command line C:\Windows\system32\Cglmnk32.exe); signatures: Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
- depth 109, PID 6464: C:\Windows\SysWOW64\Cjkijf32.exe (command line C:\Windows\system32\Cjkijf32.exe); signatures: none listed
- depth 110, PID 6500: C:\Windows\SysWOW64\Cnfejeci.exe (command line C:\Windows\system32\Cnfejeci.exe); signatures: none listed
- depth 111, PID 6536: C:\Windows\SysWOW64\Cpeafpbm.exe (command line C:\Windows\system32\Cpeafpbm.exe); signatures: System Location Discovery: System Language Discovery
- depth 112, PID 6572: C:\Windows\SysWOW64\Cohbbm32.exe (command line C:\Windows\system32\Cohbbm32.exe); signatures: none listed
- depth 113, PID 6608: C:\Windows\SysWOW64\Cgojcj32.exe (command line C:\Windows\system32\Cgojcj32.exe); signatures: System Location Discovery: System Language Discovery
- depth 114, PID 6644: C:\Windows\SysWOW64\Cfajogpd.exe (command line C:\Windows\system32\Cfajogpd.exe); signatures: Modifies registry class
- depth 115, PID 6680: C:\Windows\SysWOW64\Cjmfof32.exe (command line C:\Windows\system32\Cjmfof32.exe); signatures: none listed
- depth 116, PID 6716: C:\Windows\SysWOW64\Cllbla32.exe (command line C:\Windows\system32\Cllbla32.exe); signatures: System Location Discovery: System Language Discovery; Modifies registry class
- depth 117, PID 6752: C:\Windows\SysWOW64\Cpgnlppj.exe (command line C:\Windows\system32\Cpgnlppj.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup
- depth 118, PID 6788: C:\Windows\SysWOW64\Cojohm32.exe (command line C:\Windows\system32\Cojohm32.exe); signatures: Drops file in System32 directory
- depth 119, PID 6824: C:\Windows\SysWOW64\Cgafijgg.exe (command line C:\Windows\system32\Cgafijgg.exe); signatures: Drops file in System32 directory; Modifies registry class
- depth 120, PID 6860: C:\Windows\SysWOW64\Cfdgdg32.exe (command line C:\Windows\system32\Cfdgdg32.exe); signatures: Drops file in System32 directory
- depth 121, PID 6896: C:\Windows\SysWOW64\Cjpbeefk.exe (command line C:\Windows\system32\Cjpbeefk.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
- depth 122, PID 6932: C:\Windows\SysWOW64\Clnoaafo.exe (command line C:\Windows\system32\Clnoaafo.exe); signatures: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class