Analysis
max time kernel: 114s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-08-2024 09:32
Static task: static1
Behavioral task: behavioral1
  Sample: 108b26b33ed5a0fa4dbe2e41723a9b20N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 108b26b33ed5a0fa4dbe2e41723a9b20N.exe
  Resource: win10v2004-20240802-en
General
Target: 108b26b33ed5a0fa4dbe2e41723a9b20N.exe
Size: 324KB
MD5: 108b26b33ed5a0fa4dbe2e41723a9b20
SHA1: d6754621a0fac37d033b518c551be799303f4742
SHA256: e59dd6cd2c4eb4a6df8415be34c995e61394c831b268e2baf3183df6ad0df801
SHA512: 14f14ee2386db2204d8387ae775decb2f2dfbf17675bd7bd4dc4a7b541e9fd34e2fe669ded640d444094328a7741957c40b70ca46c516d07acf728bed5608a10
SSDEEP: 6144:/Qkk5fRB9ezd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:/QkkRRBcp5IFy5BcVPINRFYpfZvTmAW9
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmejnacf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfkkgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbdmfmjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qkgaalcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmamdbke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idleal32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhefbe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjicmond.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmpobk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elhlfehb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlkkip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dgbdlimd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmkeglbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olakjble.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aonmniaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fkoeqpae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajmkkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bcledg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ipbffm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnkedpnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dohhke32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phfhpafi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbhhfcfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebdahonl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ebdahonl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aoejhjiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbqikkel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ecfjhabl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgehbhek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djcmnd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpnknf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlliheom.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjkpco32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqfcmq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afclpdlh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmnmcl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hppipnji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lnabnafk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djdcim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hdefkcle.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjngefam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dpjeqehf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hgdbgoki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhoihd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpggjobc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Emabamkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hghlbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olfeea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Peningop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajmkkc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cchepfmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpipel32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Migfkjea.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkmedp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okpbjoge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jhknhona.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnabnafk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Obfjkmhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ccjaeekl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgcjpa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hniahj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhoefb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Igpbbm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfbahpbe.exe
Executes dropped EXE 64 IoCs
pid | Process
4692 | Ciedbcob.exe
4304 | Cpomom32.exe
2352 | Cckipl32.exe
2412 | Cfielg32.exe
5088 | Cjeamffe.exe
5072 | Cjgnbedb.exe
4068 | Cmejnacf.exe
1324 | Cgknlj32.exe
1128 | Cmhfdq32.exe
1920 | Ccboqkhp.exe
1896 | Cjlgme32.exe
1548 | Cpipel32.exe
796 | Dfbhbf32.exe
808 | Dmmpopmn.exe
3244 | Dgbdlimd.exe
4024 | Dicqda32.exe
4268 | Dpmiqkjo.exe
2076 | Dhdabhka.exe
404 | Djcmnd32.exe
4052 | Dhgngh32.exe
2592 | Dihjopom.exe
368 | Dpbblj32.exe
4140 | Djgfic32.exe
1364 | Dmfceoec.exe
1416 | Epdoajdg.exe
1152 | Emhpkncq.exe
2720 | Edbhgh32.exe
3056 | Ejlpdbbj.exe
4508 | Epihli32.exe
2080 | Ejomjb32.exe
2116 | Eaheflgd.exe
2996 | Edgabhfh.exe
2892 | Eicjkodp.exe
884 | Emoekm32.exe
1100 | Edinhg32.exe
3020 | Efhjdc32.exe
4172 | Emabamkf.exe
1096 | Fppomhjj.exe
1332 | Fhgfnfjl.exe
4832 | Fkecjajp.exe
2644 | Fmdofmic.exe
3748 | Fapkgk32.exe
3096 | Fhicde32.exe
1968 | Fmflll32.exe
668 | Fpehhh32.exe
1524 | Fhlpie32.exe
116 | Fkjleq32.exe
4524 | Fmihal32.exe
4192 | Fpgdng32.exe
4200 | Fhnmoedd.exe
1388 | Fkmikpcg.exe
3120 | Fmkeglbk.exe
2328 | Fafahj32.exe
3560 | Fdemdf32.exe
4632 | Fgcjpa32.exe
3088 | Fkoeqpae.exe
4928 | Gainmj32.exe
3376 | Gdgjie32.exe
2472 | Gmpobk32.exe
4656 | Gpnknf32.exe
4840 | Gdjgoefc.exe
2064 | Gkcolo32.exe
4416 | Gifogldj.exe
4368 | Gpqgdf32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Lhijhm32.dll | Iapmegdg.exe
File created | C:\Windows\SysWOW64\Bgfohb32.dll | Ijbhjhlj.exe
File created | C:\Windows\SysWOW64\Jaiabinh.dll | Jqomlb32.exe
File created | C:\Windows\SysWOW64\Ijdhoabe.dll | Jnejkfnk.exe
File created | C:\Windows\SysWOW64\Dbiamqhj.exe | Dcfaad32.exe
File opened for modification | C:\Windows\SysWOW64\Hpgnde32.exe | Hniahj32.exe
File created | C:\Windows\SysWOW64\Inmnpl32.dll | Ijiecide.exe
File opened for modification | C:\Windows\SysWOW64\Mljlbe32.exe | Mikpfj32.exe
File created | C:\Windows\SysWOW64\Klbfcdmg.dll | Cmejnacf.exe
File opened for modification | C:\Windows\SysWOW64\Mikpfj32.exe | Madhel32.exe
File created | C:\Windows\SysWOW64\Oiconfma.exe | Oalgli32.exe
File created | C:\Windows\SysWOW64\Bpdjiiag.dll | Oobdkmif.exe
File opened for modification | C:\Windows\SysWOW64\Jbcbadda.exe | Jjlkpgdp.exe
File created | C:\Windows\SysWOW64\Bjkiah32.dll | Njdbna32.exe
File created | C:\Windows\SysWOW64\Pknnkm32.exe | Phobob32.exe
File created | C:\Windows\SysWOW64\Hdqbhf32.dll | Dlfoqeje.exe
File created | C:\Windows\SysWOW64\Paiieioi.dll | Hpgnde32.exe
File created | C:\Windows\SysWOW64\Ggjapi32.dll | Kifndm32.exe
File created | C:\Windows\SysWOW64\Gdqnfc32.dll | Mljlbe32.exe
File created | C:\Windows\SysWOW64\Peeonf32.exe | Pcgcbj32.exe
File created | C:\Windows\SysWOW64\Aonmniaf.exe | Alpqbnbb.exe
File opened for modification | C:\Windows\SysWOW64\Bmichljg.exe | Bjkglakd.exe
File created | C:\Windows\SysWOW64\Bfjpkifk.dll | Gpqgdf32.exe
File opened for modification | C:\Windows\SysWOW64\Gndhmjjq.exe | Gkflaokm.exe
File created | C:\Windows\SysWOW64\Jkijdj32.exe | Jhknhona.exe
File opened for modification | C:\Windows\SysWOW64\Mnkedpnq.exe | Mlliheom.exe
File opened for modification | C:\Windows\SysWOW64\Icabbh32.exe | Ipbffm32.exe
File created | C:\Windows\SysWOW64\Cjgnbedb.exe | Cjeamffe.exe
File opened for modification | C:\Windows\SysWOW64\Coelef32.exe | Cmgpijng.exe
File opened for modification | C:\Windows\SysWOW64\Cfielg32.exe | Cckipl32.exe
File opened for modification | C:\Windows\SysWOW64\Mlecgfde.exe | Migfkjea.exe
File opened for modification | C:\Windows\SysWOW64\Olakjble.exe | Oiconfma.exe
File opened for modification | C:\Windows\SysWOW64\Qkingl32.exe | Qeleoe32.exe
File created | C:\Windows\SysWOW64\Epdoajdg.exe | Dmfceoec.exe
File created | C:\Windows\SysWOW64\Bkqngbid.dll | Lnjlmblc.exe
File created | C:\Windows\SysWOW64\Minmli32.exe | Mbddoohl.exe
File opened for modification | C:\Windows\SysWOW64\Oielcfko.exe | Oandbijl.exe
File created | C:\Windows\SysWOW64\Aoggmj32.exe | Alijaohj.exe
File created | C:\Windows\SysWOW64\Dfigholm.exe | Dcjklcmj.exe
File opened for modification | C:\Windows\SysWOW64\Dlfoqeje.exe | Dmcoei32.exe
File opened for modification | C:\Windows\SysWOW64\Elobgdbj.exe | Ejnfol32.exe
File created | C:\Windows\SysWOW64\Onhjakke.dll | Gndhmjjq.exe
File opened for modification | C:\Windows\SysWOW64\Hkakmmap.exe | Hplgpdaj.exe
File created | C:\Windows\SysWOW64\Hhhhla32.exe | Hpaqkd32.exe
File created | C:\Windows\SysWOW64\Knqnab32.dll | Pcbjgknj.exe
File created | C:\Windows\SysWOW64\Cjnfajmg.dll | Peeonf32.exe
File created | C:\Windows\SysWOW64\Ajmkkc32.exe | Aeaojdnk.exe
File created | C:\Windows\SysWOW64\Bcpajd32.dll | Fmhagf32.exe
File created | C:\Windows\SysWOW64\Icabbh32.exe | Ipbffm32.exe
File created | C:\Windows\SysWOW64\Jdmebp32.exe | Jbnifd32.exe
File created | C:\Windows\SysWOW64\Lajbof32.dll | Jjjnjg32.exe
File created | C:\Windows\SysWOW64\Olfeea32.exe | Ohjidbpf.exe
File opened for modification | C:\Windows\SysWOW64\Ajcakbql.exe | Abmijdpj.exe
File opened for modification | C:\Windows\SysWOW64\Ccjaeekl.exe | Coofeg32.exe
File opened for modification | C:\Windows\SysWOW64\Hgqogiip.exe | Hpggjobc.exe
File opened for modification | C:\Windows\SysWOW64\Ajadfbbo.exe | Affhec32.exe
File created | C:\Windows\SysWOW64\Cmnmcl32.exe | Bfddfa32.exe
File opened for modification | C:\Windows\SysWOW64\Ciedbcob.exe | 108b26b33ed5a0fa4dbe2e41723a9b20N.exe
File created | C:\Windows\SysWOW64\Hipeiqbn.dll | Eicjkodp.exe
File opened for modification | C:\Windows\SysWOW64\Njfodqop.exe | Nhhchepl.exe
File created | C:\Windows\SysWOW64\Ojbnhojh.dll | Nepmli32.exe
File opened for modification | C:\Windows\SysWOW64\Ohcbccfo.exe | Oaijgi32.exe
File opened for modification | C:\Windows\SysWOW64\Aeaojdnk.exe | Aaecie32.exe
File opened for modification | C:\Windows\SysWOW64\Cfpdbpdh.exe | Ccahfded.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
11104 | 10996 | WerFault.exe | 501
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Niilghel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgieil32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcfaad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebkgin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejlpdbbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmihal32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjgnbedb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhefbe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aoiccj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jqhpbq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnflia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oaqqghhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bogpdhik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpjeqehf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elobgdbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fldlbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmoqobmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jiogcn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iqmpfb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgkanl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpkgnqlq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpehhh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pciphjga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bojljggi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elaomdpg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhgngh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccokqe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecfjhabl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipbffm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oloodb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oalgli32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjicmond.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgdbgoki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gngdcjhn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afclpdlh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfielg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obfjkmhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjqklilf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iccogh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epdoajdg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfglqjak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gainmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hplgpdaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jncmefpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njfodqop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgehbhek.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkcolo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oagnaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oomkpn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oiconfma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfddfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffipol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpomom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gifogldj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmiloj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcjklcmj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipeckm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iniceadm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kifndm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpgnde32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eljile32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdjpfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjemfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpjjje32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfbhbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhkplda.dll" | Cchepfmo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hlkkip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ijiecide.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdmmh32.dll" | Gmmkbemm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hmamdbke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ipeckm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhiegpbn.dll" | Dihjopom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gpeaoeha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjljenjh.dll" | Aceochmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmnmcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diekahmm.dll" | Emjefhmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kilndnab.dll" | Bocfih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Efnpcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Efnpcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hnpgiipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Okpbjoge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Abmijdpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdmh32.dll" | Bbcokc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gmcacd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgdddj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lipqjk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iihnicpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jbeogcbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcenmaap.dll" | Cjicmond.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ebdahonl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkcjl32.dll" | Hpicpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkgmn32.dll" | Bfddfa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iqmpfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Madhel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Paejbh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pcgcbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qkingl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mnflia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mnhhnq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omdodc32.dll" | Dchngc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fdmpiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hpgnde32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Phmejbnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Poijllcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnonbi32.dll" | Bmkpnlhe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fjbojkhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qokfma32.dll" | Kkejph32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dcfaad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeminoe.dll" | Ebdahonl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Flkbbbhm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hcgplj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhjnn32.dll" | Cpipel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fdemdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nhhchepl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkhlipmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bfddfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkmfomka.dll" | Fhlpie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Maiaplmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bhkkbnca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahbki32.dll" | Cmnmcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjdmo32.dll" | Hmkgcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fkmikpcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hghlbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oagnaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qeleoe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajadfbbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dmfceoec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gihebeol.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4436 wrote to memory of 4692 4436 108b26b33ed5a0fa4dbe2e41723a9b20N.exe 84 PID 4436 wrote to memory of 4692 4436 108b26b33ed5a0fa4dbe2e41723a9b20N.exe 84 PID 4436 wrote to memory of 4692 4436 108b26b33ed5a0fa4dbe2e41723a9b20N.exe 84 PID 4692 wrote to memory of 4304 4692 Ciedbcob.exe 85 PID 4692 wrote to memory of 4304 4692 Ciedbcob.exe 85 PID 4692 wrote to memory of 4304 4692 Ciedbcob.exe 85 PID 4304 wrote to memory of 2352 4304 Cpomom32.exe 86 PID 4304 wrote to memory of 2352 4304 Cpomom32.exe 86 PID 4304 wrote to memory of 2352 4304 Cpomom32.exe 86 PID 2352 wrote to memory of 2412 2352 Cckipl32.exe 87 PID 2352 wrote to memory of 2412 2352 Cckipl32.exe 87 PID 2352 wrote to memory of 2412 2352 Cckipl32.exe 87 PID 2412 wrote to memory of 5088 2412 Cfielg32.exe 88 PID 2412 wrote to memory of 5088 2412 Cfielg32.exe 88 PID 2412 wrote to memory of 5088 2412 Cfielg32.exe 88 PID 5088 wrote to memory of 5072 5088 Cjeamffe.exe 89 PID 5088 wrote to memory of 5072 5088 Cjeamffe.exe 89 PID 5088 wrote to memory of 5072 5088 Cjeamffe.exe 89 PID 5072 wrote to memory of 4068 5072 Cjgnbedb.exe 90 PID 5072 wrote to memory of 4068 5072 Cjgnbedb.exe 90 PID 5072 wrote to memory of 4068 5072 Cjgnbedb.exe 90 PID 4068 wrote to memory of 1324 4068 Cmejnacf.exe 91 PID 4068 wrote to memory of 1324 4068 Cmejnacf.exe 91 PID 4068 wrote to memory of 1324 4068 Cmejnacf.exe 91 PID 1324 wrote to memory of 1128 1324 Cgknlj32.exe 92 PID 1324 wrote to memory of 1128 1324 Cgknlj32.exe 92 PID 1324 wrote to memory of 1128 1324 Cgknlj32.exe 92 PID 1128 wrote to memory of 1920 1128 Cmhfdq32.exe 94 PID 1128 wrote to memory of 1920 1128 Cmhfdq32.exe 94 PID 1128 wrote to memory of 1920 1128 Cmhfdq32.exe 94 PID 1920 wrote to memory of 1896 1920 Ccboqkhp.exe 95 PID 1920 wrote to memory of 1896 1920 Ccboqkhp.exe 95 PID 1920 wrote to memory of 1896 1920 Ccboqkhp.exe 95 PID 1896 wrote to memory of 1548 1896 Cjlgme32.exe 97 PID 1896 wrote to memory of 1548 1896 Cjlgme32.exe 
97 PID 1896 wrote to memory of 1548 1896 Cjlgme32.exe 97 PID 1548 wrote to memory of 796 1548 Cpipel32.exe 98 PID 1548 wrote to memory of 796 1548 Cpipel32.exe 98 PID 1548 wrote to memory of 796 1548 Cpipel32.exe 98 PID 796 wrote to memory of 808 796 Dfbhbf32.exe 100 PID 796 wrote to memory of 808 796 Dfbhbf32.exe 100 PID 796 wrote to memory of 808 796 Dfbhbf32.exe 100 PID 808 wrote to memory of 3244 808 Dmmpopmn.exe 101 PID 808 wrote to memory of 3244 808 Dmmpopmn.exe 101 PID 808 wrote to memory of 3244 808 Dmmpopmn.exe 101 PID 3244 wrote to memory of 4024 3244 Dgbdlimd.exe 102 PID 3244 wrote to memory of 4024 3244 Dgbdlimd.exe 102 PID 3244 wrote to memory of 4024 3244 Dgbdlimd.exe 102 PID 4024 wrote to memory of 4268 4024 Dicqda32.exe 103 PID 4024 wrote to memory of 4268 4024 Dicqda32.exe 103 PID 4024 wrote to memory of 4268 4024 Dicqda32.exe 103 PID 4268 wrote to memory of 2076 4268 Dpmiqkjo.exe 104 PID 4268 wrote to memory of 2076 4268 Dpmiqkjo.exe 104 PID 4268 wrote to memory of 2076 4268 Dpmiqkjo.exe 104 PID 2076 wrote to memory of 404 2076 Dhdabhka.exe 105 PID 2076 wrote to memory of 404 2076 Dhdabhka.exe 105 PID 2076 wrote to memory of 404 2076 Dhdabhka.exe 105 PID 404 wrote to memory of 4052 404 Djcmnd32.exe 106 PID 404 wrote to memory of 4052 404 Djcmnd32.exe 106 PID 404 wrote to memory of 4052 404 Djcmnd32.exe 106 PID 4052 wrote to memory of 2592 4052 Dhgngh32.exe 107 PID 4052 wrote to memory of 2592 4052 Dhgngh32.exe 107 PID 4052 wrote to memory of 2592 4052 Dhgngh32.exe 107 PID 2592 wrote to memory of 368 2592 Dihjopom.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\108b26b33ed5a0fa4dbe2e41723a9b20N.exe"C:\Users\Admin\AppData\Local\Temp\108b26b33ed5a0fa4dbe2e41723a9b20N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Ciedbcob.exeC:\Windows\system32\Ciedbcob.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Cpomom32.exeC:\Windows\system32\Cpomom32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Cckipl32.exeC:\Windows\system32\Cckipl32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Cfielg32.exeC:\Windows\system32\Cfielg32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Cjeamffe.exeC:\Windows\system32\Cjeamffe.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Cjgnbedb.exeC:\Windows\system32\Cjgnbedb.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Cmejnacf.exeC:\Windows\system32\Cmejnacf.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Cgknlj32.exeC:\Windows\system32\Cgknlj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Cmhfdq32.exeC:\Windows\system32\Cmhfdq32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Ccboqkhp.exeC:\Windows\system32\Ccboqkhp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Cjlgme32.exeC:\Windows\system32\Cjlgme32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Cpipel32.exeC:\Windows\system32\Cpipel32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Dfbhbf32.exeC:\Windows\system32\Dfbhbf32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Dmmpopmn.exeC:\Windows\system32\Dmmpopmn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Dgbdlimd.exeC:\Windows\system32\Dgbdlimd.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Dicqda32.exeC:\Windows\system32\Dicqda32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Dpmiqkjo.exeC:\Windows\system32\Dpmiqkjo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Dhdabhka.exeC:\Windows\system32\Dhdabhka.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Djcmnd32.exeC:\Windows\system32\Djcmnd32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Dhgngh32.exeC:\Windows\system32\Dhgngh32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Dihjopom.exeC:\Windows\system32\Dihjopom.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Dpbblj32.exeC:\Windows\system32\Dpbblj32.exe23⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Djgfic32.exeC:\Windows\system32\Djgfic32.exe24⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Dmfceoec.exeC:\Windows\system32\Dmfceoec.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Epdoajdg.exeC:\Windows\system32\Epdoajdg.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\Emhpkncq.exeC:\Windows\system32\Emhpkncq.exe27⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Edbhgh32.exeC:\Windows\system32\Edbhgh32.exe28⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ejlpdbbj.exeC:\Windows\system32\Ejlpdbbj.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Epihli32.exeC:\Windows\system32\Epihli32.exe30⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Ejomjb32.exeC:\Windows\system32\Ejomjb32.exe31⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Eaheflgd.exeC:\Windows\system32\Eaheflgd.exe32⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Edgabhfh.exeC:\Windows\system32\Edgabhfh.exe33⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Eicjkodp.exeC:\Windows\system32\Eicjkodp.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Emoekm32.exeC:\Windows\system32\Emoekm32.exe35⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Edinhg32.exeC:\Windows\system32\Edinhg32.exe36⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Efhjdc32.exeC:\Windows\system32\Efhjdc32.exe37⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Emabamkf.exeC:\Windows\system32\Emabamkf.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Fppomhjj.exeC:\Windows\system32\Fppomhjj.exe39⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Fhgfnfjl.exeC:\Windows\system32\Fhgfnfjl.exe40⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Fkecjajp.exeC:\Windows\system32\Fkecjajp.exe41⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Fmdofmic.exeC:\Windows\system32\Fmdofmic.exe42⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Fapkgk32.exeC:\Windows\system32\Fapkgk32.exe43⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Fhicde32.exeC:\Windows\system32\Fhicde32.exe44⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Fmflll32.exeC:\Windows\system32\Fmflll32.exe45⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Fpehhh32.exeC:\Windows\system32\Fpehhh32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:668 -
C:\Windows\SysWOW64\Fhlpie32.exeC:\Windows\system32\Fhlpie32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Fkjleq32.exeC:\Windows\system32\Fkjleq32.exe48⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Fmihal32.exeC:\Windows\system32\Fmihal32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4524 -
C:\Windows\SysWOW64\Fpgdng32.exeC:\Windows\system32\Fpgdng32.exe50⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Fhnmoedd.exeC:\Windows\system32\Fhnmoedd.exe51⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Fkmikpcg.exeC:\Windows\system32\Fkmikpcg.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Fmkeglbk.exeC:\Windows\system32\Fmkeglbk.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Fafahj32.exeC:\Windows\system32\Fafahj32.exe54⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Fdemdf32.exeC:\Windows\system32\Fdemdf32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Fgcjpa32.exeC:\Windows\system32\Fgcjpa32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Fkoeqpae.exeC:\Windows\system32\Fkoeqpae.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Gainmj32.exeC:\Windows\system32\Gainmj32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Windows\SysWOW64\Gdgjie32.exeC:\Windows\system32\Gdgjie32.exe59⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Gmpobk32.exeC:\Windows\system32\Gmpobk32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Gpnknf32.exeC:\Windows\system32\Gpnknf32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Gdjgoefc.exeC:\Windows\system32\Gdjgoefc.exe62⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Gkcolo32.exeC:\Windows\system32\Gkcolo32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Gifogldj.exeC:\Windows\system32\Gifogldj.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Windows\SysWOW64\Gpqgdf32.exeC:\Windows\system32\Gpqgdf32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Gdlcdedp.exeC:\Windows\system32\Gdlcdedp.exe66⤵PID:4964
-
C:\Windows\SysWOW64\Gkflaokm.exeC:\Windows\system32\Gkflaokm.exe67⤵
- Drops file in System32 directory
PID:4596 -
C:\Windows\SysWOW64\Gndhmjjq.exeC:\Windows\system32\Gndhmjjq.exe68⤵
- Drops file in System32 directory
PID:4480 -
C:\Windows\SysWOW64\Gpcdifjd.exeC:\Windows\system32\Gpcdifjd.exe69⤵PID:4556
-
C:\Windows\SysWOW64\Ghjlkcjf.exeC:\Windows\system32\Ghjlkcjf.exe70⤵PID:2100
-
C:\Windows\SysWOW64\Gkhhgoij.exeC:\Windows\system32\Gkhhgoij.exe71⤵PID:4872
-
C:\Windows\SysWOW64\Gngdcjhn.exeC:\Windows\system32\Gngdcjhn.exe72⤵
- System Location Discovery: System Language Discovery
PID:656 -
C:\Windows\SysWOW64\Gpeaoeha.exeC:\Windows\system32\Gpeaoeha.exe73⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Ggoilp32.exeC:\Windows\system32\Ggoilp32.exe74⤵PID:1700
-
C:\Windows\SysWOW64\Hniahj32.exeC:\Windows\system32\Hniahj32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\Hpgnde32.exeC:\Windows\system32\Hpgnde32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Hhoefb32.exeC:\Windows\system32\Hhoefb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Hkmbbn32.exeC:\Windows\system32\Hkmbbn32.exe78⤵PID:3752
-
C:\Windows\SysWOW64\Hjpbmklp.exeC:\Windows\system32\Hjpbmklp.exe79⤵PID:5100
-
C:\Windows\SysWOW64\Hpjjje32.exeC:\Windows\system32\Hpjjje32.exe80⤵
- System Location Discovery: System Language Discovery
PID:4788 -
C:\Windows\SysWOW64\Hdefkcle.exeC:\Windows\system32\Hdefkcle.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:704 -
C:\Windows\SysWOW64\Hgdbgoki.exeC:\Windows\system32\Hgdbgoki.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4176 -
C:\Windows\SysWOW64\Hkoogn32.exeC:\Windows\system32\Hkoogn32.exe83⤵PID:2900
-
C:\Windows\SysWOW64\Haigdh32.exeC:\Windows\system32\Haigdh32.exe84⤵PID:448
-
C:\Windows\SysWOW64\Hplgpdaj.exeC:\Windows\system32\Hplgpdaj.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Windows\SysWOW64\Hkakmmap.exeC:\Windows\system32\Hkakmmap.exe86⤵PID:4156
-
C:\Windows\SysWOW64\Hnpgiipc.exeC:\Windows\system32\Hnpgiipc.exe87⤵
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Hdjpfc32.exeC:\Windows\system32\Hdjpfc32.exe88⤵
- System Location Discovery: System Language Discovery
PID:5140 -
C:\Windows\SysWOW64\Hghlbn32.exeC:\Windows\system32\Hghlbn32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Hnbdohnq.exeC:\Windows\system32\Hnbdohnq.exe90⤵PID:5272
-
C:\Windows\SysWOW64\Hpaqkd32.exeC:\Windows\system32\Hpaqkd32.exe91⤵
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Hhhhla32.exeC:\Windows\system32\Hhhhla32.exe92⤵PID:5360
-
C:\Windows\SysWOW64\Hkfdhm32.exeC:\Windows\system32\Hkfdhm32.exe93⤵PID:5404
-
C:\Windows\SysWOW64\Ijiecide.exeC:\Windows\system32\Ijiecide.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Iapmegdg.exeC:\Windows\system32\Iapmegdg.exe95⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Ikianl32.exeC:\Windows\system32\Ikianl32.exe96⤵PID:5536
-
C:\Windows\SysWOW64\Ingnjh32.exeC:\Windows\system32\Ingnjh32.exe97⤵PID:5580
-
C:\Windows\SysWOW64\Igpbbm32.exeC:\Windows\system32\Igpbbm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5624 -
C:\Windows\SysWOW64\Idcbla32.exeC:\Windows\system32\Idcbla32.exe99⤵PID:5668
-
C:\Windows\SysWOW64\Ihoompho.exeC:\Windows\system32\Ihoompho.exe100⤵PID:5712
-
C:\Windows\SysWOW64\Idfoaa32.exeC:\Windows\system32\Idfoaa32.exe101⤵PID:5756
-
C:\Windows\SysWOW64\Ikpgnk32.exeC:\Windows\system32\Ikpgnk32.exe102⤵PID:5800
-
C:\Windows\SysWOW64\Ijbhjhlj.exeC:\Windows\system32\Ijbhjhlj.exe103⤵
- Drops file in System32 directory
PID:5844 -
C:\Windows\SysWOW64\Iqmpfb32.exeC:\Windows\system32\Iqmpfb32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Jkbddk32.exeC:\Windows\system32\Jkbddk32.exe105⤵PID:5932
-
C:\Windows\SysWOW64\Jqomlb32.exeC:\Windows\system32\Jqomlb32.exe106⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Jgieil32.exeC:\Windows\system32\Jgieil32.exe107⤵
- System Location Discovery: System Language Discovery
PID:6024 -
C:\Windows\SysWOW64\Jncmefpn.exeC:\Windows\system32\Jncmefpn.exe108⤵
- System Location Discovery: System Language Discovery
PID:6060 -
C:\Windows\SysWOW64\Jbnifd32.exeC:\Windows\system32\Jbnifd32.exe109⤵
- Drops file in System32 directory
PID:6112 -
C:\Windows\SysWOW64\Jdmebp32.exeC:\Windows\system32\Jdmebp32.exe110⤵PID:5172
-
C:\Windows\SysWOW64\Jgkanl32.exeC:\Windows\system32\Jgkanl32.exe111⤵
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\Jjjnjg32.exeC:\Windows\system32\Jjjnjg32.exe112⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Jnejkfnk.exeC:\Windows\system32\Jnejkfnk.exe113⤵
- Drops file in System32 directory
PID:5432 -
C:\Windows\SysWOW64\Jbqfld32.exeC:\Windows\system32\Jbqfld32.exe114⤵PID:5544
-
C:\Windows\SysWOW64\Jdobhp32.exeC:\Windows\system32\Jdobhp32.exe115⤵PID:5616
-
C:\Windows\SysWOW64\Jhknhona.exeC:\Windows\system32\Jhknhona.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5704 -
C:\Windows\SysWOW64\Jkijdj32.exeC:\Windows\system32\Jkijdj32.exe117⤵PID:5784
-
C:\Windows\SysWOW64\Jjlkpgdp.exeC:\Windows\system32\Jjlkpgdp.exe118⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Jbcbadda.exeC:\Windows\system32\Jbcbadda.exe119⤵PID:5992
-
C:\Windows\SysWOW64\Jqfcmq32.exeC:\Windows\system32\Jqfcmq32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6104 -
C:\Windows\SysWOW64\Jhmknn32.exeC:\Windows\system32\Jhmknn32.exe121⤵PID:5136
-
C:\Windows\SysWOW64\Jgpkikbi.exeC:\Windows\system32\Jgpkikbi.exe122⤵PID:5328