Analysis
-
max time kernel
115s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17/08/2024, 00:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
38e8c9d84bf0bb30f8ce2e8a15a00890N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
38e8c9d84bf0bb30f8ce2e8a15a00890N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
38e8c9d84bf0bb30f8ce2e8a15a00890N.exe
-
Size
92KB
-
MD5
38e8c9d84bf0bb30f8ce2e8a15a00890
-
SHA1
a69164a1ec844594d2f4f85ff78551261256aa25
-
SHA256
8612fd081b81ca37cce788c11fef12bd683c2df051757d9ae2bc4c3404f0765c
-
SHA512
f544cef60262973fb6dce25b1766c02bbc498db59c85a9c40d7cf7663dc2c58e30a320522d75c4d0a02b6ad5238f204cf873aae93aa92a99f211adb8261dd7d7
-
SSDEEP
1536:orX4gmM92SMoyhxM21bqjXq+66DFUABABOVLefE3:dgmKMoyhBbqj6+JB8M3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfnamjhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhildae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilphdlqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjficg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fndpmndl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkjno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klndfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcjjhdjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckggnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmodffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjpfjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdalog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblflp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbncbpqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njgqhicg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keceoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbhool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgmeigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpdennml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enjfli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hepgkohh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmlkfjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfpkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddhomdje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qapnmopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekqckmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjfdfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkjfakng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdhbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koonge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqcejcha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmoafdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apggckbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbppgona.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfagighf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdhffg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kopcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmlla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpedeiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhmhpfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibgdlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkiaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqiibjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khiofk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacckp32.exe -
Executes dropped EXE 64 IoCs
pid Process 4148 Nqpcjj32.exe 3152 Nflkbanj.exe 2416 Njhgbp32.exe 3644 Ncqlkemc.exe 3728 Nnfpinmi.exe 4088 Nadleilm.exe 1524 Ngndaccj.exe 4332 Nnhmnn32.exe 4036 Npiiffqe.exe 2292 Nceefd32.exe 2956 Ojomcopk.exe 5116 Onkidm32.exe 3500 Oaifpi32.exe 3000 Ojajin32.exe 1768 Ompfej32.exe 1228 Opnbae32.exe 1628 Ofhknodl.exe 2372 Ombcji32.exe 3076 Oghghb32.exe 1716 Omdppiif.exe 2216 Ogjdmbil.exe 4524 Ojhpimhp.exe 3428 Omgmeigd.exe 2060 Pjkmomfn.exe 724 Pmiikh32.exe 2680 Phonha32.exe 3536 Pjmjdm32.exe 3596 Pdenmbkk.exe 768 Pjpfjl32.exe 648 Pnkbkk32.exe 1568 Pdhkcb32.exe 2828 Pmpolgoi.exe 3632 Palklf32.exe 1536 Phfcipoo.exe 780 Pmblagmf.exe 4692 Pdmdnadc.exe 4180 Qjfmkk32.exe 1616 Qmeigg32.exe 1464 Qfmmplad.exe 4428 Qodeajbg.exe 1700 Qacameaj.exe 992 Ahmjjoig.exe 216 Akkffkhk.exe 3056 Aaenbd32.exe 2104 Adcjop32.exe 1560 Aoioli32.exe 5032 Apjkcadp.exe 2204 Ahaceo32.exe 4624 Amnlme32.exe 3424 Apmhiq32.exe 3328 Aggpfkjj.exe 2328 Aaldccip.exe 4268 Adkqoohc.exe 2748 Akdilipp.exe 372 Amcehdod.exe 2236 Bgkiaj32.exe 2300 Bobabg32.exe 4900 Baannc32.exe 3864 Bhkfkmmg.exe 1436 Bkibgh32.exe 4892 Bmhocd32.exe 1060 Bpfkpp32.exe 4704 Bklomh32.exe 5132 Baegibae.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jaemilci.exe Jbbmmo32.exe File created C:\Windows\SysWOW64\Jhplpl32.exe Jeapcq32.exe File created C:\Windows\SysWOW64\Nckkfp32.exe Nmaciefp.exe File created C:\Windows\SysWOW64\Oihmedma.exe Ojemig32.exe File opened for modification C:\Windows\SysWOW64\Ggjjlk32.exe Gcnnllcg.exe File created C:\Windows\SysWOW64\Paenokbf.dll Aaiqcnhg.exe File created C:\Windows\SysWOW64\Cienon32.exe Ckbncapd.exe File created C:\Windows\SysWOW64\Eacdhhjj.dll Eqmlccdi.exe File opened for modification C:\Windows\SysWOW64\Jogqlpde.exe Jjkdlall.exe File created C:\Windows\SysWOW64\Bhgbbckh.dll Ngndaccj.exe File created C:\Windows\SysWOW64\Jlobem32.dll Chdialdl.exe File created C:\Windows\SysWOW64\Paoinm32.dll Fnfmbmbi.exe File opened for modification C:\Windows\SysWOW64\Ajmladbl.exe Abfdpfaj.exe File created C:\Windows\SysWOW64\Nqaiecjd.exe Nmfmde32.exe File created C:\Windows\SysWOW64\Nmjfodne.exe Niojoeel.exe File created C:\Windows\SysWOW64\Keceoj32.exe Kbeibo32.exe File created C:\Windows\SysWOW64\Clbidkde.dll Cmgqpkip.exe File opened for modification C:\Windows\SysWOW64\Amnlme32.exe Ahaceo32.exe File created C:\Windows\SysWOW64\Hobbfhjl.dll Mhjhmhhd.exe File created C:\Windows\SysWOW64\Njljch32.exe Ncbafoge.exe File opened for modification C:\Windows\SysWOW64\Cpljehpo.exe Ckpamabg.exe File opened for modification C:\Windows\SysWOW64\Ijkled32.exe Indkpcdk.exe File opened for modification C:\Windows\SysWOW64\Akkffkhk.exe Ahmjjoig.exe File created C:\Windows\SysWOW64\Gejqna32.dll Oonlfo32.exe File created C:\Windows\SysWOW64\Gcnnllcg.exe Gjficg32.exe File created C:\Windows\SysWOW64\Hkaeih32.exe Halaloif.exe File created C:\Windows\SysWOW64\Edngom32.dll Hjmodffo.exe File created C:\Windows\SysWOW64\Nflkbanj.exe Nqpcjj32.exe File opened for modification C:\Windows\SysWOW64\Bajqda32.exe Bkphhgfc.exe File opened for modification C:\Windows\SysWOW64\Aibibp32.exe Ajohfcpj.exe File opened for modification C:\Windows\SysWOW64\Cpcpfg32.exe Ckggnp32.exe File created C:\Windows\SysWOW64\Mfnhfm32.exe Modpib32.exe File created C:\Windows\SysWOW64\Enjfli32.exe Ekljpm32.exe File created C:\Windows\SysWOW64\Pghien32.dll Chiblk32.exe File created C:\Windows\SysWOW64\Fmamhbhe.dll Cocjiehd.exe File created C:\Windows\SysWOW64\Fooclapd.exe Eghkjdoa.exe File created C:\Windows\SysWOW64\Fqbliicp.exe Fndpmndl.exe File opened for modification C:\Windows\SysWOW64\Bmbnnn32.exe Ajdbac32.exe File created C:\Windows\SysWOW64\Agecdgmk.dll Dahfkimd.exe File created C:\Windows\SysWOW64\Ohnncn32.dll Jblflp32.exe File created C:\Windows\SysWOW64\Kbeibo32.exe Koimbpbc.exe File created C:\Windows\SysWOW64\Ilgonc32.dll Pjpfjl32.exe File created C:\Windows\SysWOW64\Fckjejfe.dll Gpmomo32.exe File created C:\Windows\SysWOW64\Nmdkcj32.dll Lfiokmkc.exe File opened for modification C:\Windows\SysWOW64\Qpbnhl32.exe Qapnmopa.exe File created C:\Windows\SysWOW64\Cammjakm.exe Cggimh32.exe File created C:\Windows\SysWOW64\Mpaqbf32.dll Hnnljj32.exe File opened for modification C:\Windows\SysWOW64\Haaaaeim.exe Hppeim32.exe File created C:\Windows\SysWOW64\Hehhjm32.dll Palklf32.exe File opened for modification C:\Windows\SysWOW64\Fecadghc.exe Fkjmlaac.exe File created C:\Windows\SysWOW64\Jidinqpb.exe Iehmmb32.exe File created C:\Windows\SysWOW64\Kjekja32.dll Hepgkohh.exe File created C:\Windows\SysWOW64\Kofdhd32.exe Klggli32.exe File created C:\Windows\SysWOW64\Gipbmd32.dll Ncpeaoih.exe File opened for modification C:\Windows\SysWOW64\Kkgdhp32.exe Kdmlkfjb.exe File opened for modification C:\Windows\SysWOW64\Aaiqcnhg.exe Aibibp32.exe File created C:\Windows\SysWOW64\Hnmanm32.dll Ckbncapd.exe File created C:\Windows\SysWOW64\Binfdh32.dll Ekljpm32.exe File created C:\Windows\SysWOW64\Klbnajqc.exe Keifdpif.exe File created C:\Windows\SysWOW64\Pjhfcm32.dll Qapnmopa.exe File opened for modification C:\Windows\SysWOW64\Binhnomg.exe Bbdpad32.exe File opened for modification C:\Windows\SysWOW64\Djegekil.exe Dggkipii.exe File created C:\Windows\SysWOW64\Aepjgm32.dll Nceefd32.exe File created C:\Windows\SysWOW64\Adcjop32.exe Aaenbd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11076 10716 WerFault.exe 517 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkjmlaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfmgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 38e8c9d84bf0bb30f8ce2e8a15a00890N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbgmjgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekajec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfdpfaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhgbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmlla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbaclegm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmdkcnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfaigclq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhildae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfepdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpedeiff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbliicp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apeknk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkdlall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekngemhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpcjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmeigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbknebqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnedgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiqcnhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdihbgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajbaika.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdhbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbafoge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Binhnomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfhke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqiibjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhldbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koonge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgihop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlcahgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgqhicg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaaccbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jppnpjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikgdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbgkei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabcopmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjocbhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gndbie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koajmepf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfldgk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqoloc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggccllai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekljpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeaiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll" Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll" Amcehdod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkcndeen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpochfji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll" Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll" Aggpfkjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll" Hifmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgocgjgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll" Ojhpimhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll" Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqcejcha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbncapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjiffif.dll" Iehmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpbcn32.dll" Jdjfohjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll" Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akdilipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcblekh.dll" Dajbaika.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekngemhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgmhcaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdhbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankhggi.dll" Mfkkqmiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhehh32.dll" Afockelf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbfmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iponmakp.dll" Bmladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkmlnimb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcljmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdilipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibegfglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibegfglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll" Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddfbgelh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fndpmndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdihbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjnfn32.dll" Gggmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahlk32.dll" Ilfodgeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apjkcadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ondhkbee.dll" Dglkoeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmefoohh.dll" Fbgbnkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll" Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acqgojmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnedgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll" Dggkipii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmeigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll" Fnffhgon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijpepcfj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 744 wrote to memory of 4148 744 38e8c9d84bf0bb30f8ce2e8a15a00890N.exe 91 PID 744 wrote to memory of 4148 744 38e8c9d84bf0bb30f8ce2e8a15a00890N.exe 91 PID 744 wrote to memory of 4148 744 38e8c9d84bf0bb30f8ce2e8a15a00890N.exe 91 PID 4148 wrote to memory of 3152 4148 Nqpcjj32.exe 92 PID 4148 wrote to memory of 3152 4148 Nqpcjj32.exe 92 PID 4148 wrote to memory of 3152 4148 Nqpcjj32.exe 92 PID 3152 wrote to memory of 2416 3152 Nflkbanj.exe 93 PID 3152 wrote to memory of 2416 3152 Nflkbanj.exe 93 PID 3152 wrote to memory of 2416 3152 Nflkbanj.exe 93 PID 2416 wrote to memory of 3644 2416 Njhgbp32.exe 94 PID 2416 wrote to memory of 3644 2416 Njhgbp32.exe 94 PID 2416 wrote to memory of 3644 2416 Njhgbp32.exe 94 PID 3644 wrote to memory of 3728 3644 Ncqlkemc.exe 95 PID 3644 wrote to memory of 3728 3644 Ncqlkemc.exe 95 PID 3644 wrote to memory of 3728 3644 Ncqlkemc.exe 95 PID 3728 wrote to memory of 4088 3728 Nnfpinmi.exe 96 PID 3728 wrote to memory of 4088 3728 Nnfpinmi.exe 96 PID 3728 wrote to memory of 4088 3728 Nnfpinmi.exe 96 PID 4088 wrote to memory of 1524 4088 Nadleilm.exe 97 PID 4088 wrote to memory of 1524 4088 Nadleilm.exe 97 PID 4088 wrote to memory of 1524 4088 Nadleilm.exe 97 PID 1524 wrote to memory of 4332 1524 Ngndaccj.exe 99 PID 1524 wrote to memory of 4332 1524 Ngndaccj.exe 99 PID 1524 wrote to memory of 4332 1524 Ngndaccj.exe 99 PID 4332 wrote to memory of 4036 4332 Nnhmnn32.exe 100 PID 4332 wrote to memory of 4036 4332 Nnhmnn32.exe 100 PID 4332 wrote to memory of 4036 4332 Nnhmnn32.exe 100 PID 4036 wrote to memory of 2292 4036 Npiiffqe.exe 101 PID 4036 wrote to memory of 2292 4036 Npiiffqe.exe 101 PID 4036 wrote to memory of 2292 4036 Npiiffqe.exe 101 PID 2292 wrote to memory of 2956 2292 Nceefd32.exe 102 PID 2292 wrote to memory of 2956 2292 Nceefd32.exe 102 PID 2292 wrote to memory of 2956 2292 Nceefd32.exe 102 PID 2956 wrote to memory of 5116 2956 Ojomcopk.exe 103 PID 2956 wrote to memory of 5116 2956 Ojomcopk.exe 103 PID 2956 wrote to memory of 5116 2956 Ojomcopk.exe 103 PID 5116 wrote to memory of 3500 5116 Onkidm32.exe 104 PID 5116 wrote to memory of 3500 5116 Onkidm32.exe 104 PID 5116 wrote to memory of 3500 5116 Onkidm32.exe 104 PID 3500 wrote to memory of 3000 3500 Oaifpi32.exe 105 PID 3500 wrote to memory of 3000 3500 Oaifpi32.exe 105 PID 3500 wrote to memory of 3000 3500 Oaifpi32.exe 105 PID 3000 wrote to memory of 1768 3000 Ojajin32.exe 107 PID 3000 wrote to memory of 1768 3000 Ojajin32.exe 107 PID 3000 wrote to memory of 1768 3000 Ojajin32.exe 107 PID 1768 wrote to memory of 1228 1768 Ompfej32.exe 108 PID 1768 wrote to memory of 1228 1768 Ompfej32.exe 108 PID 1768 wrote to memory of 1228 1768 Ompfej32.exe 108 PID 1228 wrote to memory of 1628 1228 Opnbae32.exe 109 PID 1228 wrote to memory of 1628 1228 Opnbae32.exe 109 PID 1228 wrote to memory of 1628 1228 Opnbae32.exe 109 PID 1628 wrote to memory of 2372 1628 Ofhknodl.exe 110 PID 1628 wrote to memory of 2372 1628 Ofhknodl.exe 110 PID 1628 wrote to memory of 2372 1628 Ofhknodl.exe 110 PID 2372 wrote to memory of 3076 2372 Ombcji32.exe 111 PID 2372 wrote to memory of 3076 2372 Ombcji32.exe 111 PID 2372 wrote to memory of 3076 2372 Ombcji32.exe 111 PID 3076 wrote to memory of 1716 3076 Oghghb32.exe 112 PID 3076 wrote to memory of 1716 3076 Oghghb32.exe 112 PID 3076 wrote to memory of 1716 3076 Oghghb32.exe 112 PID 1716 wrote to memory of 2216 1716 Omdppiif.exe 114 PID 1716 wrote to memory of 2216 1716 Omdppiif.exe 114 PID 1716 wrote to memory of 2216 1716 Omdppiif.exe 114 PID 2216 wrote to memory of 4524 2216 Ogjdmbil.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\38e8c9d84bf0bb30f8ce2e8a15a00890N.exe"C:\Users\Admin\AppData\Local\Temp\38e8c9d84bf0bb30f8ce2e8a15a00890N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ncqlkemc.exeC:\Windows\system32\Ncqlkemc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Nnfpinmi.exeC:\Windows\system32\Nnfpinmi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Onkidm32.exeC:\Windows\system32\Onkidm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Ofhknodl.exeC:\Windows\system32\Ofhknodl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Omdppiif.exeC:\Windows\system32\Omdppiif.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Ojhpimhp.exeC:\Windows\system32\Ojhpimhp.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Omgmeigd.exeC:\Windows\system32\Omgmeigd.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe25⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Pmiikh32.exeC:\Windows\system32\Pmiikh32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:724 -
C:\Windows\SysWOW64\Phonha32.exeC:\Windows\system32\Phonha32.exe27⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Pjmjdm32.exeC:\Windows\system32\Pjmjdm32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Pnkbkk32.exeC:\Windows\system32\Pnkbkk32.exe31⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe32⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Pmpolgoi.exeC:\Windows\system32\Pmpolgoi.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe35⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe36⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe37⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe38⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Qmeigg32.exeC:\Windows\system32\Qmeigg32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe40⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe41⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe42⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe44⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe46⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe47⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe50⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Aggpfkjj.exeC:\Windows\system32\Aggpfkjj.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3328 -
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe53⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Adkqoohc.exeC:\Windows\system32\Adkqoohc.exe54⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Bgkiaj32.exeC:\Windows\system32\Bgkiaj32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe58⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Windows\SysWOW64\Bhkfkmmg.exeC:\Windows\system32\Bhkfkmmg.exe60⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Bmhocd32.exeC:\Windows\system32\Bmhocd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4892 -
C:\Windows\SysWOW64\Bpfkpp32.exeC:\Windows\system32\Bpfkpp32.exe63⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe64⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Baegibae.exeC:\Windows\system32\Baegibae.exe65⤵
- Executes dropped EXE
PID:5132 -
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe66⤵
- System Location Discovery: System Language Discovery
PID:5172 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe67⤵PID:5212
-
C:\Windows\SysWOW64\Bnlhncgi.exeC:\Windows\system32\Bnlhncgi.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5292 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe71⤵PID:5372
-
C:\Windows\SysWOW64\Chdialdl.exeC:\Windows\system32\Chdialdl.exe72⤵
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5452 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe74⤵PID:5492
-
C:\Windows\SysWOW64\Chfegk32.exeC:\Windows\system32\Chfegk32.exe75⤵PID:5532
-
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe76⤵PID:5572
-
C:\Windows\SysWOW64\Chiblk32.exeC:\Windows\system32\Chiblk32.exe77⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe78⤵
- Drops file in System32 directory
PID:5656 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe79⤵PID:5696
-
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5780 -
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe82⤵PID:5820
-
C:\Windows\SysWOW64\Dahmfpap.exeC:\Windows\system32\Dahmfpap.exe83⤵PID:5864
-
C:\Windows\SysWOW64\Dolmodpi.exeC:\Windows\system32\Dolmodpi.exe84⤵PID:5908
-
C:\Windows\SysWOW64\Dnonkq32.exeC:\Windows\system32\Dnonkq32.exe85⤵PID:5952
-
C:\Windows\SysWOW64\Dkcndeen.exeC:\Windows\system32\Dkcndeen.exe86⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe87⤵
- Modifies registry class
PID:6044 -
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe88⤵PID:6088
-
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe89⤵PID:6132
-
C:\Windows\SysWOW64\Eqiibjlj.exeC:\Windows\system32\Eqiibjlj.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5164 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe91⤵PID:5244
-
C:\Windows\SysWOW64\Ekajec32.exeC:\Windows\system32\Ekajec32.exe92⤵
- System Location Discovery: System Language Discovery
PID:5328 -
C:\Windows\SysWOW64\Eghkjdoa.exeC:\Windows\system32\Eghkjdoa.exe93⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe94⤵PID:5448
-
C:\Windows\SysWOW64\Fqppci32.exeC:\Windows\system32\Fqppci32.exe95⤵PID:5520
-
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe96⤵PID:5608
-
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5684 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe98⤵
- System Location Discovery: System Language Discovery
PID:5776 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe99⤵
- Drops file in System32 directory
PID:5860 -
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe100⤵PID:5968
-
C:\Windows\SysWOW64\Filapfbo.exeC:\Windows\system32\Filapfbo.exe101⤵PID:6040
-
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6128 -
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe103⤵PID:5180
-
C:\Windows\SysWOW64\Fbgbnkfm.exeC:\Windows\system32\Fbgbnkfm.exe104⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Gnnccl32.exeC:\Windows\system32\Gnnccl32.exe105⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe106⤵PID:5508
-
C:\Windows\SysWOW64\Ggfglb32.exeC:\Windows\system32\Ggfglb32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5632 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe108⤵
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe109⤵PID:5876
-
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe110⤵PID:6028
-
C:\Windows\SysWOW64\Gnblnlhl.exeC:\Windows\system32\Gnblnlhl.exe111⤵PID:5144
-
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe112⤵PID:5320
-
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5484 -
C:\Windows\SysWOW64\Geoapenf.exeC:\Windows\system32\Geoapenf.exe114⤵PID:5652
-
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe115⤵PID:5892
-
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe116⤵PID:6084
-
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Gaebef32.exeC:\Windows\system32\Gaebef32.exe118⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Ghojbq32.exeC:\Windows\system32\Ghojbq32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5988 -
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe120⤵PID:5356
-
C:\Windows\SysWOW64\Hbgkei32.exeC:\Windows\system32\Hbgkei32.exe121⤵
- System Location Discovery: System Language Discovery
PID:6036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-