Analysis
-
max time kernel
114s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-08-2024 15:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
87c4225a846d5b1c587333c97d1c60b0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
87c4225a846d5b1c587333c97d1c60b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
87c4225a846d5b1c587333c97d1c60b0N.exe
-
Size
896KB
-
MD5
87c4225a846d5b1c587333c97d1c60b0
-
SHA1
5096f60308c7467fae719fd8c423e1d4a6aa5ad3
-
SHA256
e7568cb7ba4efbfc881fc3678b74dc6a352d8cbc9a7939465dcc1b8442a3a7d0
-
SHA512
0c24f2c3200c3925499aec632a444f036b36cb00811536eee7e21ee4d3e5ab0eb1ec2f40ca99fbdb123d09dddb7981d26f5546e7fe77365e0a33ebb1fd7c6156
-
SSDEEP
3072:cws+cIFiiLtY9YSaLRFh48/cuxGzt68pXBnPiU14:dZcIEiL+YlFiWFAECXdPih
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcffnbee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfbaalbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ockdmmoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcmfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdkhq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckggnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqjbddpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmfefni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedlip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lakfeodm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmodajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfpell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhanngbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfdpfaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjdikqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjmekgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbegqjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpacqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcaipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nimmifgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omopjcjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paihlpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckggnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeapcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objkmkjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpjmph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoahh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmlghd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgfbbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfpell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niojoeel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofckhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abhqefpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemmac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipihpkkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihmedma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koajmepf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljdkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqfbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocihgnam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjffpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpjmph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhqefpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeapcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmbegqjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apggckbf.exe -
Executes dropped EXE 64 IoCs
pid Process 4992 Hhdcmp32.exe 2380 Hnnljj32.exe 884 Hbnaeh32.exe 3648 Hemmac32.exe 4676 Iafkld32.exe 1408 Ihpcinld.exe 2828 Ipihpkkd.exe 3868 Iehmmb32.exe 3864 Jocnlg32.exe 4580 Jpbjfjci.exe 3364 Jbagbebm.exe 1812 Jeocna32.exe 4328 Jpegkj32.exe 3444 Jbccge32.exe 3652 Jeapcq32.exe 1792 Jhplpl32.exe 4252 Jpgdai32.exe 3076 Jbepme32.exe 2180 Kedlip32.exe 3640 Khbiello.exe 1652 Kpiqfima.exe 2620 Kbhmbdle.exe 5112 Kefiopki.exe 1744 Kheekkjl.exe 2916 Kplmliko.exe 4884 Kcjjhdjb.exe 2132 Kidben32.exe 3756 Klbnajqc.exe 3292 Koajmepf.exe 5088 Kapfiqoj.exe 4424 Kifojnol.exe 1180 Klekfinp.exe 2028 Kocgbend.exe 4688 Kabcopmg.exe 644 Kofdhd32.exe 1440 Kadpdp32.exe 2288 Likhem32.exe 4728 Lljdai32.exe 3664 Lpepbgbd.exe 2472 Lcclncbh.exe 4568 Lebijnak.exe 5024 Lhqefjpo.exe 2352 Lpgmhg32.exe 5140 Laiipofp.exe 5180 Ljpaqmgb.exe 5228 Llnnmhfe.exe 5260 Lomjicei.exe 5300 Lakfeodm.exe 5340 Ljbnfleo.exe 5380 Llqjbhdc.exe 5420 Loofnccf.exe 5460 Lancko32.exe 5504 Ljdkll32.exe 5540 Llcghg32.exe 5580 Loacdc32.exe 5620 Lcmodajm.exe 5660 Mfkkqmiq.exe 5700 Mhjhmhhd.exe 5740 Mpapnfhg.exe 5780 Mcoljagj.exe 5820 Mfnhfm32.exe 5860 Mhldbh32.exe 5900 Mpclce32.exe 5940 Mcaipa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Koajmepf.exe Klbnajqc.exe File opened for modification C:\Windows\SysWOW64\Oifppdpd.exe Ofgdcipq.exe File created C:\Windows\SysWOW64\Mpiedk32.dll Pciqnk32.exe File opened for modification C:\Windows\SysWOW64\Oqklkbbi.exe Omopjcjp.exe File opened for modification C:\Windows\SysWOW64\Pfagighf.exe Pcbkml32.exe File created C:\Windows\SysWOW64\Abfdpfaj.exe Apggckbf.exe File created C:\Windows\SysWOW64\Benibond.dll Jpgdai32.exe File created C:\Windows\SysWOW64\Laiipofp.exe Lpgmhg32.exe File created C:\Windows\SysWOW64\Ohfkgknc.dll Mpapnfhg.exe File created C:\Windows\SysWOW64\Ipdbmgdb.dll Lancko32.exe File created C:\Windows\SysWOW64\Kpikki32.dll Opbean32.exe File created C:\Windows\SysWOW64\Qfmfefni.exe Qcnjijoe.exe File opened for modification C:\Windows\SysWOW64\Lcmodajm.exe Loacdc32.exe File created C:\Windows\SysWOW64\Balgcpkn.dll Oqklkbbi.exe File created C:\Windows\SysWOW64\Klhhpb32.dll Ockdmmoj.exe File created C:\Windows\SysWOW64\Defbaa32.dll Ljbnfleo.exe File created C:\Windows\SysWOW64\Chjjqebm.dll Pcegclgp.exe File created C:\Windows\SysWOW64\Bigpblgh.dll Ccdihbgg.exe File opened for modification C:\Windows\SysWOW64\Ckdkhq32.exe Cdjblf32.exe File created C:\Windows\SysWOW64\Lcmodajm.exe Loacdc32.exe File created C:\Windows\SysWOW64\Nmaciefp.exe Njbgmjgl.exe File created C:\Windows\SysWOW64\Nqoloc32.exe Nmcpoedn.exe File created C:\Windows\SysWOW64\Dcffnbee.exe Dphiaffa.exe File opened for modification C:\Windows\SysWOW64\Hbnaeh32.exe Hnnljj32.exe File opened for modification C:\Windows\SysWOW64\Jocnlg32.exe Iehmmb32.exe File opened for modification C:\Windows\SysWOW64\Cmpjoloh.exe Cgfbbb32.exe File created C:\Windows\SysWOW64\Kebkgjkg.dll Nqcejcha.exe File opened for modification C:\Windows\SysWOW64\Pjaleemj.exe Pfepdg32.exe File opened for modification C:\Windows\SysWOW64\Bgdemb32.exe Bdeiqgkj.exe File opened for modification C:\Windows\SysWOW64\Pmphaaln.exe Pjaleemj.exe File opened for modification C:\Windows\SysWOW64\Amkhmoap.exe Ajmladbl.exe File created C:\Windows\SysWOW64\Baepolni.exe Aaiqcnhg.exe File created C:\Windows\SysWOW64\Bpjmph32.exe Bmladm32.exe File opened for modification C:\Windows\SysWOW64\Cpljehpo.exe Cibain32.exe File created C:\Windows\SysWOW64\Lakfeodm.exe Lomjicei.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Ncmhko32.exe File created C:\Windows\SysWOW64\Nffaen32.dll Pcbkml32.exe File opened for modification C:\Windows\SysWOW64\Cdjblf32.exe Cmpjoloh.exe File created C:\Windows\SysWOW64\Apjdikqd.exe Amkhmoap.exe File opened for modification C:\Windows\SysWOW64\Ncpeaoih.exe Nqaiecjd.exe File created C:\Windows\SysWOW64\Oikjkc32.exe Oflmnh32.exe File created C:\Windows\SysWOW64\Pencqe32.dll Paihlpfi.exe File created C:\Windows\SysWOW64\Pfepdg32.exe Pcgdhkem.exe File created C:\Windows\SysWOW64\Aeodmbol.dll Pblajhje.exe File created C:\Windows\SysWOW64\Jeapcq32.exe Jbccge32.exe File created C:\Windows\SysWOW64\Gpdbcaok.dll Kefiopki.exe File opened for modification C:\Windows\SysWOW64\Mfpell32.exe Mcaipa32.exe File opened for modification C:\Windows\SysWOW64\Oflmnh32.exe Ocnabm32.exe File created C:\Windows\SysWOW64\Lgidjfjk.dll Qjffpe32.exe File created C:\Windows\SysWOW64\Inmalg32.dll Qikbaaml.exe File opened for modification C:\Windows\SysWOW64\Kidben32.exe Kcjjhdjb.exe File created C:\Windows\SysWOW64\Mcaipa32.exe Mpclce32.exe File created C:\Windows\SysWOW64\Njogfipp.dll Ncbafoge.exe File created C:\Windows\SysWOW64\Ofjqihnn.exe Ockdmmoj.exe File created C:\Windows\SysWOW64\Hpkdfd32.dll Oikjkc32.exe File opened for modification C:\Windows\SysWOW64\Pbcncibp.exe Ppdbgncl.exe File created C:\Windows\SysWOW64\Polcjq32.dll Ajmladbl.exe File created C:\Windows\SysWOW64\Jpgdai32.exe Jhplpl32.exe File created C:\Windows\SysWOW64\Mpapnfhg.exe Mhjhmhhd.exe File created C:\Windows\SysWOW64\Bpldbefn.dll Oqhoeb32.exe File created C:\Windows\SysWOW64\Ahfmjddg.dll Kofdhd32.exe File opened for modification C:\Windows\SysWOW64\Mfenglqf.exe Mcfbkpab.exe File created C:\Windows\SysWOW64\Nblolm32.exe Nciopppp.exe File opened for modification C:\Windows\SysWOW64\Abhqefpg.exe Apjdikqd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7204 6300 WerFault.exe 284 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqklkbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfagighf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abhqefpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapfiqoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noppeaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojqcnhkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckidcpjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeapcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loacdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objkmkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiqfima.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplmliko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjjhdjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpepbgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjfdfbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgomnai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caqpkjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdolgfbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcoljagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbgmjgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piapkbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbgdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckcgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjbddpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpeaoih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbnajqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lancko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbkpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acqgojmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfepdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblajhje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhplpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpgmhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmodajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfccogfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbafoge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afockelf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipihpkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llqjbhdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjhmhhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmaciefp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbqbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcnjijoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpcinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbiello.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdkll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkkqmiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbonoghb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfdpfaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfbbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckggnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loofnccf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nblolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbean32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmphaaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofckhj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpiqfima.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljdkll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ockdmmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckggnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kifojnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeodmbol.dll" Pblajhje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkmeha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhjhmhhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll" Pqbala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafpga32.dll" Qpbnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohnnkjk.dll" Afockelf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kedlip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llnnmhfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpapnfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll" Oiagde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acqgojmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipimhnjc.dll" Qcnjijoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkmeha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll" Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll" Piapkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkpla32.dll" Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leeigm32.dll" Qfmfefni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apjdikqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqoloc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ookoaokf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll" Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Ocihgnam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll" Piocecgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll" Amikgpcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfqnbjfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klbnajqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhoahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll" Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll" Mcdeeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll" Nijqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caqpkjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll" Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdolgfbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpegkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kapfiqoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kofdhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfagighf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll" Mhjhmhhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafkgphl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5032 wrote to memory of 4992 5032 87c4225a846d5b1c587333c97d1c60b0N.exe 91 PID 5032 wrote to memory of 4992 5032 87c4225a846d5b1c587333c97d1c60b0N.exe 91 PID 5032 wrote to memory of 4992 5032 87c4225a846d5b1c587333c97d1c60b0N.exe 91 PID 4992 wrote to memory of 2380 4992 Hhdcmp32.exe 92 PID 4992 wrote to memory of 2380 4992 Hhdcmp32.exe 92 PID 4992 wrote to memory of 2380 4992 Hhdcmp32.exe 92 PID 2380 wrote to memory of 884 2380 Hnnljj32.exe 93 PID 2380 wrote to memory of 884 2380 Hnnljj32.exe 93 PID 2380 wrote to memory of 884 2380 Hnnljj32.exe 93 PID 884 wrote to memory of 3648 884 Hbnaeh32.exe 94 PID 884 wrote to memory of 3648 884 Hbnaeh32.exe 94 PID 884 wrote to memory of 3648 884 Hbnaeh32.exe 94 PID 3648 wrote to memory of 4676 3648 Hemmac32.exe 95 PID 3648 wrote to memory of 4676 3648 Hemmac32.exe 95 PID 3648 wrote to memory of 4676 3648 Hemmac32.exe 95 PID 4676 wrote to memory of 1408 4676 Iafkld32.exe 96 PID 4676 wrote to memory of 1408 4676 Iafkld32.exe 96 PID 4676 wrote to memory of 1408 4676 Iafkld32.exe 96 PID 1408 wrote to memory of 2828 1408 Ihpcinld.exe 97 PID 1408 wrote to memory of 2828 1408 Ihpcinld.exe 97 PID 1408 wrote to memory of 2828 1408 Ihpcinld.exe 97 PID 2828 wrote to memory of 3868 2828 Ipihpkkd.exe 99 PID 2828 wrote to memory of 3868 2828 Ipihpkkd.exe 99 PID 2828 wrote to memory of 3868 2828 Ipihpkkd.exe 99 PID 3868 wrote to memory of 3864 3868 Iehmmb32.exe 100 PID 3868 wrote to memory of 3864 3868 Iehmmb32.exe 100 PID 3868 wrote to memory of 3864 3868 Iehmmb32.exe 100 PID 3864 wrote to memory of 4580 3864 Jocnlg32.exe 101 PID 3864 wrote to memory of 4580 3864 Jocnlg32.exe 101 PID 3864 wrote to memory of 4580 3864 Jocnlg32.exe 101 PID 4580 wrote to memory of 3364 4580 Jpbjfjci.exe 102 PID 4580 wrote to memory of 3364 4580 Jpbjfjci.exe 102 PID 4580 wrote to memory of 3364 4580 Jpbjfjci.exe 102 PID 3364 wrote to memory of 1812 3364 Jbagbebm.exe 103 PID 3364 wrote to memory of 1812 3364 Jbagbebm.exe 103 PID 3364 wrote to memory of 1812 3364 Jbagbebm.exe 103 PID 1812 wrote to memory of 4328 1812 Jeocna32.exe 104 PID 1812 wrote to memory of 4328 1812 Jeocna32.exe 104 PID 1812 wrote to memory of 4328 1812 Jeocna32.exe 104 PID 4328 wrote to memory of 3444 4328 Jpegkj32.exe 105 PID 4328 wrote to memory of 3444 4328 Jpegkj32.exe 105 PID 4328 wrote to memory of 3444 4328 Jpegkj32.exe 105 PID 3444 wrote to memory of 3652 3444 Jbccge32.exe 106 PID 3444 wrote to memory of 3652 3444 Jbccge32.exe 106 PID 3444 wrote to memory of 3652 3444 Jbccge32.exe 106 PID 3652 wrote to memory of 1792 3652 Jeapcq32.exe 107 PID 3652 wrote to memory of 1792 3652 Jeapcq32.exe 107 PID 3652 wrote to memory of 1792 3652 Jeapcq32.exe 107 PID 1792 wrote to memory of 4252 1792 Jhplpl32.exe 108 PID 1792 wrote to memory of 4252 1792 Jhplpl32.exe 108 PID 1792 wrote to memory of 4252 1792 Jhplpl32.exe 108 PID 4252 wrote to memory of 3076 4252 Jpgdai32.exe 109 PID 4252 wrote to memory of 3076 4252 Jpgdai32.exe 109 PID 4252 wrote to memory of 3076 4252 Jpgdai32.exe 109 PID 3076 wrote to memory of 2180 3076 Jbepme32.exe 110 PID 3076 wrote to memory of 2180 3076 Jbepme32.exe 110 PID 3076 wrote to memory of 2180 3076 Jbepme32.exe 110 PID 2180 wrote to memory of 3640 2180 Kedlip32.exe 111 PID 2180 wrote to memory of 3640 2180 Kedlip32.exe 111 PID 2180 wrote to memory of 3640 2180 Kedlip32.exe 111 PID 3640 wrote to memory of 1652 3640 Khbiello.exe 112 PID 3640 wrote to memory of 1652 3640 Khbiello.exe 112 PID 3640 wrote to memory of 1652 3640 Khbiello.exe 112 PID 1652 wrote to memory of 2620 1652 Kpiqfima.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\87c4225a846d5b1c587333c97d1c60b0N.exe"C:\Users\Admin\AppData\Local\Temp\87c4225a846d5b1c587333c97d1c60b0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Hhdcmp32.exeC:\Windows\system32\Hhdcmp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Hnnljj32.exeC:\Windows\system32\Hnnljj32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Hbnaeh32.exeC:\Windows\system32\Hbnaeh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Hemmac32.exeC:\Windows\system32\Hemmac32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Iafkld32.exeC:\Windows\system32\Iafkld32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Jbagbebm.exeC:\Windows\system32\Jbagbebm.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Jhplpl32.exeC:\Windows\system32\Jhplpl32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Jpgdai32.exeC:\Windows\system32\Jpgdai32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Kedlip32.exeC:\Windows\system32\Kedlip32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Kpiqfima.exeC:\Windows\system32\Kpiqfima.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Kbhmbdle.exeC:\Windows\system32\Kbhmbdle.exe23⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Kefiopki.exeC:\Windows\system32\Kefiopki.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Kheekkjl.exeC:\Windows\system32\Kheekkjl.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Windows\SysWOW64\Kidben32.exeC:\Windows\system32\Kidben32.exe28⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Klbnajqc.exeC:\Windows\system32\Klbnajqc.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3756 -
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Klekfinp.exeC:\Windows\system32\Klekfinp.exe33⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Kocgbend.exeC:\Windows\system32\Kocgbend.exe34⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Kabcopmg.exeC:\Windows\system32\Kabcopmg.exe35⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Kofdhd32.exeC:\Windows\system32\Kofdhd32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe37⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Likhem32.exeC:\Windows\system32\Likhem32.exe38⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Lljdai32.exeC:\Windows\system32\Lljdai32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4728 -
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3664 -
C:\Windows\SysWOW64\Lcclncbh.exeC:\Windows\system32\Lcclncbh.exe41⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Lebijnak.exeC:\Windows\system32\Lebijnak.exe42⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Lhqefjpo.exeC:\Windows\system32\Lhqefjpo.exe43⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Laiipofp.exeC:\Windows\system32\Laiipofp.exe45⤵
- Executes dropped EXE
PID:5140 -
C:\Windows\SysWOW64\Ljpaqmgb.exeC:\Windows\system32\Ljpaqmgb.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5180 -
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5260 -
C:\Windows\SysWOW64\Lakfeodm.exeC:\Windows\system32\Lakfeodm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5300 -
C:\Windows\SysWOW64\Ljbnfleo.exeC:\Windows\system32\Ljbnfleo.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Llqjbhdc.exeC:\Windows\system32\Llqjbhdc.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5380 -
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5420 -
C:\Windows\SysWOW64\Lancko32.exeC:\Windows\system32\Lancko32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5460 -
C:\Windows\SysWOW64\Ljdkll32.exeC:\Windows\system32\Ljdkll32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Llcghg32.exeC:\Windows\system32\Llcghg32.exe55⤵
- Executes dropped EXE
PID:5540 -
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5620 -
C:\Windows\SysWOW64\Mfkkqmiq.exeC:\Windows\system32\Mfkkqmiq.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5660 -
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5700 -
C:\Windows\SysWOW64\Mpapnfhg.exeC:\Windows\system32\Mpapnfhg.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5780 -
C:\Windows\SysWOW64\Mfnhfm32.exeC:\Windows\system32\Mfnhfm32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5820 -
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe63⤵
- Executes dropped EXE
PID:5860 -
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Mcaipa32.exeC:\Windows\system32\Mcaipa32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5940 -
C:\Windows\SysWOW64\Mfpell32.exeC:\Windows\system32\Mfpell32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Mhoahh32.exeC:\Windows\system32\Mhoahh32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Mcdeeq32.exeC:\Windows\system32\Mcdeeq32.exe69⤵
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Mfbaalbi.exeC:\Windows\system32\Mfbaalbi.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6140 -
C:\Windows\SysWOW64\Mhanngbl.exeC:\Windows\system32\Mhanngbl.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3468 -
C:\Windows\SysWOW64\Mokfja32.exeC:\Windows\system32\Mokfja32.exe72⤵PID:4124
-
C:\Windows\SysWOW64\Mcfbkpab.exeC:\Windows\system32\Mcfbkpab.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe74⤵PID:2624
-
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe75⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Mqjbddpl.exeC:\Windows\system32\Mqjbddpl.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5168 -
C:\Windows\SysWOW64\Nciopppp.exeC:\Windows\system32\Nciopppp.exe77⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Nblolm32.exeC:\Windows\system32\Nblolm32.exe78⤵
- System Location Discovery: System Language Discovery
PID:5324 -
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Nmaciefp.exeC:\Windows\system32\Nmaciefp.exe80⤵
- System Location Discovery: System Language Discovery
PID:5456 -
C:\Windows\SysWOW64\Noppeaed.exeC:\Windows\system32\Noppeaed.exe81⤵
- System Location Discovery: System Language Discovery
PID:5536 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe82⤵PID:5628
-
C:\Windows\SysWOW64\Nfihbk32.exeC:\Windows\system32\Nfihbk32.exe83⤵PID:5696
-
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe84⤵
- Drops file in System32 directory
PID:5804 -
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe85⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Ncmhko32.exeC:\Windows\system32\Ncmhko32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5928 -
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe87⤵PID:6004
-
C:\Windows\SysWOW64\Nijqcf32.exeC:\Windows\system32\Nijqcf32.exe88⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Nqaiecjd.exeC:\Windows\system32\Nqaiecjd.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\Ncpeaoih.exeC:\Windows\system32\Ncpeaoih.exe90⤵
- System Location Discovery: System Language Discovery
PID:6180 -
C:\Windows\SysWOW64\Nfnamjhk.exeC:\Windows\system32\Nfnamjhk.exe91⤵
- Modifies registry class
PID:6224 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6268 -
C:\Windows\SysWOW64\Nqcejcha.exeC:\Windows\system32\Nqcejcha.exe93⤵
- Drops file in System32 directory
PID:6308 -
C:\Windows\SysWOW64\Ncbafoge.exeC:\Windows\system32\Ncbafoge.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6348 -
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe95⤵
- Modifies registry class
PID:6392 -
C:\Windows\SysWOW64\Niojoeel.exeC:\Windows\system32\Niojoeel.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6432 -
C:\Windows\SysWOW64\Nqfbpb32.exeC:\Windows\system32\Nqfbpb32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6472 -
C:\Windows\SysWOW64\Ocdnln32.exeC:\Windows\system32\Ocdnln32.exe98⤵PID:6512
-
C:\Windows\SysWOW64\Ofckhj32.exeC:\Windows\system32\Ofckhj32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6552 -
C:\Windows\SysWOW64\Oiagde32.exeC:\Windows\system32\Oiagde32.exe100⤵
- Modifies registry class
PID:6592 -
C:\Windows\SysWOW64\Oqhoeb32.exeC:\Windows\system32\Oqhoeb32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:6632 -
C:\Windows\SysWOW64\Ookoaokf.exeC:\Windows\system32\Ookoaokf.exe102⤵
- Modifies registry class
PID:6672 -
C:\Windows\SysWOW64\Objkmkjj.exeC:\Windows\system32\Objkmkjj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6712 -
C:\Windows\SysWOW64\Ojqcnhkl.exeC:\Windows\system32\Ojqcnhkl.exe104⤵
- System Location Discovery: System Language Discovery
PID:6752 -
C:\Windows\SysWOW64\Omopjcjp.exeC:\Windows\system32\Omopjcjp.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6792 -
C:\Windows\SysWOW64\Oqklkbbi.exeC:\Windows\system32\Oqklkbbi.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6832 -
C:\Windows\SysWOW64\Ocihgnam.exeC:\Windows\system32\Ocihgnam.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6872 -
C:\Windows\SysWOW64\Ofgdcipq.exeC:\Windows\system32\Ofgdcipq.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:6912 -
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe109⤵
- System Location Discovery: System Language Discovery
PID:6952 -
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe110⤵PID:6992
-
C:\Windows\SysWOW64\Ockdmmoj.exeC:\Windows\system32\Ockdmmoj.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:7032 -
C:\Windows\SysWOW64\Ofjqihnn.exeC:\Windows\system32\Ofjqihnn.exe112⤵PID:7072
-
C:\Windows\SysWOW64\Oihmedma.exeC:\Windows\system32\Oihmedma.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7112 -
C:\Windows\SysWOW64\Opbean32.exeC:\Windows\system32\Opbean32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:7152 -
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe117⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe118⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Ppdbgncl.exeC:\Windows\system32\Ppdbgncl.exe119⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Pbcncibp.exeC:\Windows\system32\Pbcncibp.exe120⤵
- System Location Discovery: System Language Discovery
PID:5612 -
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe121⤵
- System Location Discovery: System Language Discovery
PID:820
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-