Analysis
-
max time kernel
114s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-08-2024 23:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c3b41825e46c3f93d84a7f3535413c40N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c3b41825e46c3f93d84a7f3535413c40N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c3b41825e46c3f93d84a7f3535413c40N.exe
-
Size
96KB
-
MD5
c3b41825e46c3f93d84a7f3535413c40
-
SHA1
b3bda7eaeafb943befbe4c89ac5898cbee1862ec
-
SHA256
ea67528905e1d55404ec3bb76adb5cca51f4d2caafde48039ece6e25c5f8118f
-
SHA512
bbed594604279108fddd6955b6542b4b543290de66d6def9ffe3aea35d2044c5cec1e5b65b06b692c461f82f823f8863ed9a482015e35bfdf13f7984f923ee52
-
SSDEEP
1536:Sz6mVkmOhMxKHEb52L+yaIZTJ+7LhkiB0MPiKeEAgH:SmukmOHk2BaMU7uihJ5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnhacn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhnichde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akopoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcbohpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niihlkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimgba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ainnhdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbmfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gclimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjnihnmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malefbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hokgmpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokpcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kakednfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chinkndp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfnmcnjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldhdlnli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcelml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gledpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kakednfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjcmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpaikm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gikbneio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laiafl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaqphgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikbneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgdch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glpdjpbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbiphhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolinf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhaipei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fepmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgehobe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfcae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpcdjho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfghlhmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgagjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfedmfqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gahcgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieknpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaoaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihancje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efampahd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkcjjhgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhpajlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpnngh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjgdjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikmpcicg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfedmfqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deagoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcbohpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flbhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfcfnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgfhnpde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Googaaej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmmcbdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjoknhbe.exe -
Executes dropped EXE 64 IoCs
pid Process 2388 Kmbmdeoj.exe 2852 Kdmeqo32.exe 5168 Kjfmminc.exe 1580 Kmeiie32.exe 4112 Lhjnfn32.exe 1180 Ljijci32.exe 5788 Lennpb32.exe 3100 Lfpkhjae.exe 3224 Lmjcdd32.exe 1444 Leqkeajd.exe 4352 Lfbgmj32.exe 2616 Lmlpjdgo.exe 784 Lechkaga.exe 3664 Lhadgmge.exe 5224 Ldhdlnli.exe 432 Lkbmih32.exe 5988 Malefbkc.exe 4632 Mkdiog32.exe 4480 Mdmngm32.exe 5464 Mkgfdgpq.exe 4816 Maaoaa32.exe 1940 Moeoje32.exe 224 Meoggpmd.exe 5576 Mhmcck32.exe 5916 Mmjlkb32.exe 3596 Mdddhlbl.exe 5960 Nmlhaa32.exe 5108 Nhbmnj32.exe 1140 Ngemjg32.exe 3616 Ndinck32.exe 3736 Nehjmnei.exe 2744 Nhffijdm.exe 5664 Nkebee32.exe 2360 Naokbokn.exe 5064 Ndmgnkja.exe 3116 Nockkcjg.exe 5616 Nnfkgp32.exe 4368 Ndpcdjho.exe 5488 Nhkpdi32.exe 2056 Onhhmpoo.exe 3192 Odbpij32.exe 5164 Oogdfc32.exe 4732 Ohpiphlb.exe 5568 Okneldkf.exe 2848 Oediim32.exe 1540 Ogefqeaj.exe 3456 Oakjnnap.exe 2420 Oggbfdog.exe 5140 Okcogc32.exe 3436 Ohgopgfj.exe 4628 Pndhhnda.exe 4824 Pdnpeh32.exe 4452 Pocdba32.exe 428 Pfmlok32.exe 2452 Pdpmkhjl.exe 4228 Phlikg32.exe 2908 Pkjegb32.exe 4976 Pnhacn32.exe 3444 Pdbiphhi.exe 3168 Pgaelcgm.exe 5544 Pklamb32.exe 4736 Pnknim32.exe 1076 Pbfjjlgc.exe 4608 Pdeffgff.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mdlgmgdh.exe Migcpneb.exe File created C:\Windows\SysWOW64\Anhcpeon.exe Akjgdjoj.exe File created C:\Windows\SysWOW64\Cjacpfqm.dll Akopoi32.exe File created C:\Windows\SysWOW64\Iheaqolo.exe Iibaeb32.exe File created C:\Windows\SysWOW64\Jodlof32.exe Jhjcbljf.exe File opened for modification C:\Windows\SysWOW64\Jfgefg32.exe Jgbhdkml.exe File created C:\Windows\SysWOW64\Dajnol32.exe Dlmegd32.exe File created C:\Windows\SysWOW64\Pfkbkibi.dll Gaffbg32.exe File created C:\Windows\SysWOW64\Noajcphe.dll Ieknpb32.exe File created C:\Windows\SysWOW64\Lfqjhmhk.exe Lpgalc32.exe File created C:\Windows\SysWOW64\Jgbhdkml.exe Jokpcmmj.exe File created C:\Windows\SysWOW64\Dliffkod.dll Dpglmjoj.exe File created C:\Windows\SysWOW64\Dipffc32.dll Gegchl32.exe File created C:\Windows\SysWOW64\Ajhndgjj.exe Aqpika32.exe File opened for modification C:\Windows\SysWOW64\Bkjpkg32.exe Bgodjiio.exe File created C:\Windows\SysWOW64\Bilflj32.dll Dnnoip32.exe File opened for modification C:\Windows\SysWOW64\Ebejem32.exe Ejnbdp32.exe File created C:\Windows\SysWOW64\Hipdpbgf.exe Hojpbigq.exe File created C:\Windows\SysWOW64\Mhmcck32.exe Meoggpmd.exe File opened for modification C:\Windows\SysWOW64\Pkjegb32.exe Phlikg32.exe File opened for modification C:\Windows\SysWOW64\Malnklgg.exe Mmpbkm32.exe File created C:\Windows\SysWOW64\Pkqpeh32.dll Kfbmgo32.exe File created C:\Windows\SysWOW64\Ndqmkfni.dll Kjfmminc.exe File created C:\Windows\SysWOW64\Efjgpc32.exe Dblnid32.exe File opened for modification C:\Windows\SysWOW64\Gledpe32.exe Gjghdj32.exe File created C:\Windows\SysWOW64\Cbjeeion.dll Eejcki32.exe File created C:\Windows\SysWOW64\Oakjnnap.exe Ogefqeaj.exe File created C:\Windows\SysWOW64\Jkchehih.dll Eoladdeo.exe File created C:\Windows\SysWOW64\Lhjicplp.dll Pjoknhbe.exe File created C:\Windows\SysWOW64\Pnknim32.exe Pklamb32.exe File created C:\Windows\SysWOW64\Ndinck32.exe Ngemjg32.exe File opened for modification C:\Windows\SysWOW64\Dhbqalle.exe Dpglmjoj.exe File created C:\Windows\SysWOW64\Inbfjlbj.dll Gledpe32.exe File opened for modification C:\Windows\SysWOW64\Ioffhn32.exe Ifnbph32.exe File created C:\Windows\SysWOW64\Imneeb32.dll Lpjelibg.exe File opened for modification C:\Windows\SysWOW64\Hepoddcc.exe Hoefgj32.exe File opened for modification C:\Windows\SysWOW64\Jbieebha.exe Jkomhhae.exe File created C:\Windows\SysWOW64\Fdiqhf32.dll Lfbgmj32.exe File created C:\Windows\SysWOW64\Ejnbdp32.exe Eeailhme.exe File created C:\Windows\SysWOW64\Eejcki32.exe Ejdonq32.exe File created C:\Windows\SysWOW64\Bplmeg32.dll Ciaddaaj.exe File created C:\Windows\SysWOW64\Epgdch32.exe Ehpmbj32.exe File created C:\Windows\SysWOW64\Ggaoeo32.dll Mhefhf32.exe File created C:\Windows\SysWOW64\Cajbli32.dll Ebbmpmnb.exe File created C:\Windows\SysWOW64\Fhbbmc32.exe Ebejem32.exe File opened for modification C:\Windows\SysWOW64\Cbglgg32.exe Cnlpgibd.exe File created C:\Windows\SysWOW64\Bpicmhfo.dll Mmjlkb32.exe File created C:\Windows\SysWOW64\Joabhd32.dll Pnhacn32.exe File created C:\Windows\SysWOW64\Beobcdoi.exe Bbpeghpe.exe File opened for modification C:\Windows\SysWOW64\Ciaddaaj.exe Cfbhhfbg.exe File created C:\Windows\SysWOW64\Kqnnomfq.dll Fplnogmb.exe File created C:\Windows\SysWOW64\Kakednfj.exe Kplijk32.exe File opened for modification C:\Windows\SysWOW64\Nkpbpp32.exe Mhoind32.exe File created C:\Windows\SysWOW64\Jihpdhgg.dll Kmeiie32.exe File created C:\Windows\SysWOW64\Ahkkhnpg.exe Aqdbfa32.exe File opened for modification C:\Windows\SysWOW64\Bbbkbbkg.exe Bkhceh32.exe File created C:\Windows\SysWOW64\Cmfgkihn.dll Gikbneio.exe File created C:\Windows\SysWOW64\Kcphpdil.exe Jodlof32.exe File created C:\Windows\SysWOW64\Lmheph32.exe Lfnmcnjn.exe File opened for modification C:\Windows\SysWOW64\Oiqomj32.exe Odcfdc32.exe File opened for modification C:\Windows\SysWOW64\Chinkndp.exe Cejaobel.exe File opened for modification C:\Windows\SysWOW64\Hodqlq32.exe Gledpe32.exe File created C:\Windows\SysWOW64\Jgfajp32.dll Imfmgcdn.exe File created C:\Windows\SysWOW64\Aidjgo32.dll Nhfoocaa.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11452 11368 WerFault.exe 537 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfilkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbhdkml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbqalle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfgloiqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhkecb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibaeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nehjmnei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkipi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbmqjjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoefgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lennpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoocnpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpjelibg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebbmpmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmokgne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcbohpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaqphgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalkek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akopoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgeoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgafqla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikbneio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicqja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihcln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokgmpkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnknim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defajqko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaokbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpkcbqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijdnka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojjcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgcqjhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folkjnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljijci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgeogb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblnid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdiamnpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhgjcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqmplbpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjafoapj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjegb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaelcgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnppkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjjjghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhceh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c3b41825e46c3f93d84a7f3535413c40N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaddaaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbghpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeeomegd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biedhclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgagjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qomghp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjoknhbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qajlje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndinck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhndgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfomda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlhaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoladdeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhiphi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohgopgfj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plogne32.dll" Belemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfghn32.dll" Lmdbooik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicbje32.dll" Laiafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbqiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mopabjci.dll" Iadljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpbpopl.dll" Lmjcdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciofjflg.dll" Afnefieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhnichde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpjelibg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abdoqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adbkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnoiqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmplbpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kimgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ianfdf32.dll" Lfmghdpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhddgofo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iibaeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmlpjdgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkclp32.dll" Bkfmjnii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghgeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmgnkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adeimibe.dll" Mhoind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkedbmab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnnodhei.dll" Ioffhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kggjghkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlhlleeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkqpeh32.dll" Kfbmgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaofbqgi.dll" Onhhmpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dolinf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghpooanf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhlnjpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oediim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bejhhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foenplji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngemjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhhfbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lplaaiqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npcaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghgeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfeccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdiqhf32.dll" Lfbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nockkcjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cejaobel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgna32.dll" Npcaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oheopk32.dll" Fkgejncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbpkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdfcmid.dll" Lfcfnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldhdlnli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnppkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhhbnla.dll" Bgmnooom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmgcibf.dll" Gcfjfqah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gheodg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agnkck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kilphk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maaoaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmdlflki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akmjdpac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bngfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fochecog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejcki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glngep32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4284 wrote to memory of 2388 4284 c3b41825e46c3f93d84a7f3535413c40N.exe 91 PID 4284 wrote to memory of 2388 4284 c3b41825e46c3f93d84a7f3535413c40N.exe 91 PID 4284 wrote to memory of 2388 4284 c3b41825e46c3f93d84a7f3535413c40N.exe 91 PID 2388 wrote to memory of 2852 2388 Kmbmdeoj.exe 92 PID 2388 wrote to memory of 2852 2388 Kmbmdeoj.exe 92 PID 2388 wrote to memory of 2852 2388 Kmbmdeoj.exe 92 PID 2852 wrote to memory of 5168 2852 Kdmeqo32.exe 93 PID 2852 wrote to memory of 5168 2852 Kdmeqo32.exe 93 PID 2852 wrote to memory of 5168 2852 Kdmeqo32.exe 93 PID 5168 wrote to memory of 1580 5168 Kjfmminc.exe 94 PID 5168 wrote to memory of 1580 5168 Kjfmminc.exe 94 PID 5168 wrote to memory of 1580 5168 Kjfmminc.exe 94 PID 1580 wrote to memory of 4112 1580 Kmeiie32.exe 95 PID 1580 wrote to memory of 4112 1580 Kmeiie32.exe 95 PID 1580 wrote to memory of 4112 1580 Kmeiie32.exe 95 PID 4112 wrote to memory of 1180 4112 Lhjnfn32.exe 96 PID 4112 wrote to memory of 1180 4112 Lhjnfn32.exe 96 PID 4112 wrote to memory of 1180 4112 Lhjnfn32.exe 96 PID 1180 wrote to memory of 5788 1180 Ljijci32.exe 97 PID 1180 wrote to memory of 5788 1180 Ljijci32.exe 97 PID 1180 wrote to memory of 5788 1180 Ljijci32.exe 97 PID 5788 wrote to memory of 3100 5788 Lennpb32.exe 98 PID 5788 wrote to memory of 3100 5788 Lennpb32.exe 98 PID 5788 wrote to memory of 3100 5788 Lennpb32.exe 98 PID 3100 wrote to memory of 3224 3100 Lfpkhjae.exe 99 PID 3100 wrote to memory of 3224 3100 Lfpkhjae.exe 99 PID 3100 wrote to memory of 3224 3100 Lfpkhjae.exe 99 PID 3224 wrote to memory of 1444 3224 Lmjcdd32.exe 100 PID 3224 wrote to memory of 1444 3224 Lmjcdd32.exe 100 PID 3224 wrote to memory of 1444 3224 Lmjcdd32.exe 100 PID 1444 wrote to memory of 4352 1444 Leqkeajd.exe 101 PID 1444 wrote to memory of 4352 1444 Leqkeajd.exe 101 PID 1444 wrote to memory of 4352 1444 Leqkeajd.exe 101 PID 4352 wrote to memory of 2616 4352 Lfbgmj32.exe 103 PID 4352 wrote to memory of 2616 4352 Lfbgmj32.exe 103 PID 4352 wrote to memory of 2616 4352 Lfbgmj32.exe 103 PID 2616 wrote to memory of 784 2616 Lmlpjdgo.exe 104 PID 2616 wrote to memory of 784 2616 Lmlpjdgo.exe 104 PID 2616 wrote to memory of 784 2616 Lmlpjdgo.exe 104 PID 784 wrote to memory of 3664 784 Lechkaga.exe 105 PID 784 wrote to memory of 3664 784 Lechkaga.exe 105 PID 784 wrote to memory of 3664 784 Lechkaga.exe 105 PID 3664 wrote to memory of 5224 3664 Lhadgmge.exe 106 PID 3664 wrote to memory of 5224 3664 Lhadgmge.exe 106 PID 3664 wrote to memory of 5224 3664 Lhadgmge.exe 106 PID 5224 wrote to memory of 432 5224 Ldhdlnli.exe 108 PID 5224 wrote to memory of 432 5224 Ldhdlnli.exe 108 PID 5224 wrote to memory of 432 5224 Ldhdlnli.exe 108 PID 432 wrote to memory of 5988 432 Lkbmih32.exe 109 PID 432 wrote to memory of 5988 432 Lkbmih32.exe 109 PID 432 wrote to memory of 5988 432 Lkbmih32.exe 109 PID 5988 wrote to memory of 4632 5988 Malefbkc.exe 110 PID 5988 wrote to memory of 4632 5988 Malefbkc.exe 110 PID 5988 wrote to memory of 4632 5988 Malefbkc.exe 110 PID 4632 wrote to memory of 4480 4632 Mkdiog32.exe 112 PID 4632 wrote to memory of 4480 4632 Mkdiog32.exe 112 PID 4632 wrote to memory of 4480 4632 Mkdiog32.exe 112 PID 4480 wrote to memory of 5464 4480 Mdmngm32.exe 113 PID 4480 wrote to memory of 5464 4480 Mdmngm32.exe 113 PID 4480 wrote to memory of 5464 4480 Mdmngm32.exe 113 PID 5464 wrote to memory of 4816 5464 Mkgfdgpq.exe 114 PID 5464 wrote to memory of 4816 5464 Mkgfdgpq.exe 114 PID 5464 wrote to memory of 4816 5464 Mkgfdgpq.exe 114 PID 4816 wrote to memory of 1940 4816 Maaoaa32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3b41825e46c3f93d84a7f3535413c40N.exe"C:\Users\Admin\AppData\Local\Temp\c3b41825e46c3f93d84a7f3535413c40N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Kdmeqo32.exeC:\Windows\system32\Kdmeqo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5168 -
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Ljijci32.exeC:\Windows\system32\Ljijci32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5788 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Lfbgmj32.exeC:\Windows\system32\Lfbgmj32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Lmlpjdgo.exeC:\Windows\system32\Lmlpjdgo.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5224 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5988 -
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Mdmngm32.exeC:\Windows\system32\Mdmngm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5464 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe23⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:224 -
C:\Windows\SysWOW64\Mhmcck32.exeC:\Windows\system32\Mhmcck32.exe25⤵
- Executes dropped EXE
PID:5576 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5916 -
C:\Windows\SysWOW64\Mdddhlbl.exeC:\Windows\system32\Mdddhlbl.exe27⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe29⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Ngemjg32.exeC:\Windows\system32\Ngemjg32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Ndinck32.exeC:\Windows\system32\Ndinck32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616 -
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3736 -
C:\Windows\SysWOW64\Nhffijdm.exeC:\Windows\system32\Nhffijdm.exe33⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nkebee32.exeC:\Windows\system32\Nkebee32.exe34⤵
- Executes dropped EXE
PID:5664 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe35⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:5064 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3116 -
C:\Windows\SysWOW64\Nnfkgp32.exeC:\Windows\system32\Nnfkgp32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe40⤵
- Executes dropped EXE
PID:5488 -
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe42⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe43⤵
- Executes dropped EXE
PID:5164 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe44⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe45⤵
- Executes dropped EXE
PID:5568 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe48⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Oggbfdog.exeC:\Windows\system32\Oggbfdog.exe49⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe50⤵
- Executes dropped EXE
PID:5140 -
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3436 -
C:\Windows\SysWOW64\Pndhhnda.exeC:\Windows\system32\Pndhhnda.exe52⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Pdnpeh32.exeC:\Windows\system32\Pdnpeh32.exe53⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe54⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe55⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe56⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Phlikg32.exeC:\Windows\system32\Phlikg32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4228 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4976 -
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3168 -
C:\Windows\SysWOW64\Pklamb32.exeC:\Windows\system32\Pklamb32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4736 -
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe64⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Pdeffgff.exeC:\Windows\system32\Pdeffgff.exe65⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe66⤵PID:5460
-
C:\Windows\SysWOW64\Pojjcp32.exeC:\Windows\system32\Pojjcp32.exe67⤵
- System Location Discovery: System Language Discovery
PID:4444 -
C:\Windows\SysWOW64\Pnmjomlg.exeC:\Windows\system32\Pnmjomlg.exe68⤵PID:4128
-
C:\Windows\SysWOW64\Pfdbpjmi.exeC:\Windows\system32\Pfdbpjmi.exe69⤵PID:3812
-
C:\Windows\SysWOW64\Pdgckg32.exeC:\Windows\system32\Pdgckg32.exe70⤵PID:1468
-
C:\Windows\SysWOW64\Pgeogb32.exeC:\Windows\system32\Pgeogb32.exe71⤵
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Windows\SysWOW64\Qkakhakq.exeC:\Windows\system32\Qkakhakq.exe72⤵PID:1500
-
C:\Windows\SysWOW64\Qomghp32.exeC:\Windows\system32\Qomghp32.exe73⤵
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Windows\SysWOW64\Qffoejkg.exeC:\Windows\system32\Qffoejkg.exe74⤵PID:6040
-
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe75⤵PID:5564
-
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe76⤵
- System Location Discovery: System Language Discovery
PID:3676 -
C:\Windows\SysWOW64\Qfilkj32.exeC:\Windows\system32\Qfilkj32.exe77⤵
- System Location Discovery: System Language Discovery
PID:5824 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe78⤵PID:4424
-
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe79⤵PID:5408
-
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe80⤵
- System Location Discovery: System Language Discovery
PID:6072 -
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe81⤵PID:768
-
C:\Windows\SysWOW64\Agmehamp.exeC:\Windows\system32\Agmehamp.exe82⤵PID:5484
-
C:\Windows\SysWOW64\Akhaipei.exeC:\Windows\system32\Akhaipei.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4508 -
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe84⤵PID:4984
-
C:\Windows\SysWOW64\Afnefieo.exeC:\Windows\system32\Afnefieo.exe85⤵
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe86⤵PID:4144
-
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe87⤵PID:556
-
C:\Windows\SysWOW64\Anijjkbj.exeC:\Windows\system32\Anijjkbj.exe88⤵PID:1792
-
C:\Windows\SysWOW64\Afpbkicl.exeC:\Windows\system32\Afpbkicl.exe89⤵PID:2592
-
C:\Windows\SysWOW64\Ainnhdbp.exeC:\Windows\system32\Ainnhdbp.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe91⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Abgcqjhp.exeC:\Windows\system32\Abgcqjhp.exe92⤵
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe93⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Agckiqgg.exeC:\Windows\system32\Agckiqgg.exe94⤵PID:6112
-
C:\Windows\SysWOW64\Akogio32.exeC:\Windows\system32\Akogio32.exe95⤵PID:5308
-
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe96⤵PID:244
-
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe97⤵
- System Location Discovery: System Language Discovery
PID:5724 -
C:\Windows\SysWOW64\Bgfhnpde.exeC:\Windows\system32\Bgfhnpde.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Bnppkj32.exeC:\Windows\system32\Bnppkj32.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Bfghlhmd.exeC:\Windows\system32\Bfghlhmd.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe101⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Biedhclh.exeC:\Windows\system32\Biedhclh.exe102⤵
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Windows\SysWOW64\Bkdqdokk.exeC:\Windows\system32\Bkdqdokk.exe103⤵PID:3888
-
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe104⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Bbniai32.exeC:\Windows\system32\Bbniai32.exe105⤵PID:5528
-
C:\Windows\SysWOW64\Belemd32.exeC:\Windows\system32\Belemd32.exe106⤵
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Bihancje.exeC:\Windows\system32\Bihancje.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3916 -
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe108⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Bpaikm32.exeC:\Windows\system32\Bpaikm32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5048 -
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe110⤵
- Drops file in System32 directory
PID:5908 -
C:\Windows\SysWOW64\Beobcdoi.exeC:\Windows\system32\Beobcdoi.exe111⤵PID:4880
-
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe112⤵
- Modifies registry class
PID:5980 -
C:\Windows\SysWOW64\Bkhjpn32.exeC:\Windows\system32\Bkhjpn32.exe113⤵PID:1804
-
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe114⤵
- Modifies registry class
PID:5700 -
C:\Windows\SysWOW64\Bbbblhnc.exeC:\Windows\system32\Bbbblhnc.exe115⤵PID:6084
-
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe116⤵PID:4528
-
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe117⤵PID:5180
-
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:856 -
C:\Windows\SysWOW64\Bnicai32.exeC:\Windows\system32\Bnicai32.exe119⤵PID:5096
-
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe120⤵PID:3952
-
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe121⤵PID:6156
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-