Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-08-2024 01:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b7f561d99f5f94cac68433c3d0797380N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b7f561d99f5f94cac68433c3d0797380N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b7f561d99f5f94cac68433c3d0797380N.exe
-
Size
136KB
-
MD5
b7f561d99f5f94cac68433c3d0797380
-
SHA1
d47fe0c0d71dc91d62e4c96804ac4783ab08972f
-
SHA256
53e7c4e9b1f9f292a3dddfc78906214dd94a35e28b919d8df1463aaf50be8b98
-
SHA512
bc356ab542035da2ebb966f73e1f55f3955d51264dac91cebf75907fed2009f93c183ac53f2a9fb3aa2c5d99837b547207a4c600d799be0bf9f6cf17ae785971
-
SSDEEP
3072:Wat3VZofLDLR41ayPXuhuXGQmVDeCyqOGbo92ynn:Wat3SDL211PXuapoaCPXbo92ynn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfgahikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpjjpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imhjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbiphhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nandhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pncanhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkicjgnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomkkagl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijedehgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niglfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolekd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhehkepj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdbda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkdiog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deagoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamjcpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djklgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiaqnagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfkcibdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdbooik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbpolb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpbhmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidmcqeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbqonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpqklh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjjghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poagma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbmpjkqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhjpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odkcpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Donecfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akopoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfemdcba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necqbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcogc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agobna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhefmjlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnefieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhicoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbdmdlie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnlpgibd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpfko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljmmcbdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfomda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adkelplc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogqmee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjebpml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpnkdfko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpkbfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odaiodbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mginniij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bngfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmplbpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcqgahoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmiepcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgagjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpdogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gllajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoladdeo.exe -
Executes dropped EXE 64 IoCs
pid Process 652 Leedqa32.exe 3528 Lfgahikm.exe 2056 Lkbmih32.exe 1688 Lmqiec32.exe 3932 Malefbkc.exe 4380 Mehafq32.exe 4968 Mhfmbl32.exe 5304 Mginniij.exe 3592 Mkdiog32.exe 4412 Mmcfkc32.exe 1368 Maoakaip.exe 1488 Mdmngm32.exe 1944 Mhhjhlqm.exe 5920 Mkgfdgpq.exe 2688 Mobbdf32.exe 392 Maaoaa32.exe 4540 Mdokmm32.exe 3676 Mhkgnkoj.exe 3436 Mkicjgnn.exe 432 Moeoje32.exe 4628 Mmhofbma.exe 3336 Mackfa32.exe 1340 Mdagbl32.exe 4480 Mhmcck32.exe 4848 Mgpcohcb.exe 1636 Moglpedd.exe 6072 Maehlqch.exe 1940 Meadlo32.exe 2776 Mhppik32.exe 2108 Mgbpdgap.exe 4036 Moiheebb.exe 4900 Nmlhaa32.exe 5484 Necqbo32.exe 780 Ndfanlpi.exe 4920 Ngemjg32.exe 1464 Nolekd32.exe 2380 Najagp32.exe 3616 Ndinck32.exe 5936 Nhdicjfp.exe 6064 Nkbfpeec.exe 4076 Nnabladg.exe 5076 Nehjmnei.exe 5036 Ndkjik32.exe 1236 Ngifef32.exe 1528 Noqofdlj.exe 5856 Naokbokn.exe 4548 Nejgbn32.exe 4268 Nhicoi32.exe 2404 Nglcjfie.exe 2364 Nockkcjg.exe 6080 Naaghoik.exe 2436 Ndpcdjho.exe 4796 Ngnppfgb.exe 3184 Nkjlqd32.exe 3844 Onhhmpoo.exe 540 Oeopnmoa.exe 1540 Odbpij32.exe 2656 Ogqmee32.exe 796 Oklifdmi.exe 4272 Onjebpml.exe 2964 Oafacn32.exe 6116 Oddmoj32.exe 5756 Ogcike32.exe 4916 Okneldkf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ndjcne32.exe Nalgbi32.exe File opened for modification C:\Windows\SysWOW64\Nhicoi32.exe Nejgbn32.exe File opened for modification C:\Windows\SysWOW64\Bndjfjhl.exe Bpaikm32.exe File created C:\Windows\SysWOW64\Mhemcq32.dll Ehkcgkdj.exe File created C:\Windows\SysWOW64\Mgieqpje.dll Jcgldl32.exe File created C:\Windows\SysWOW64\Jqklnp32.exe Jjqdafmp.exe File created C:\Windows\SysWOW64\Jnkqlk32.dll Bhgjcmfi.exe File created C:\Windows\SysWOW64\Bkdqdokk.exe Bghddp32.exe File created C:\Windows\SysWOW64\Eiopdhnf.dll Bfieagka.exe File created C:\Windows\SysWOW64\Ahnljade.dll Kanbjn32.exe File created C:\Windows\SysWOW64\Fcpnhp32.dll Lhcjbfag.exe File created C:\Windows\SysWOW64\Pnenchoc.exe Pgkegn32.exe File created C:\Windows\SysWOW64\Ophoih32.dll Pgcbbc32.exe File opened for modification C:\Windows\SysWOW64\Fghcqq32.exe Foakpc32.exe File opened for modification C:\Windows\SysWOW64\Gpjjpe32.exe Ghcbohpp.exe File created C:\Windows\SysWOW64\Dcofdpfp.dll Ppamjcpj.exe File opened for modification C:\Windows\SysWOW64\Ndhgie32.exe Najjmjkg.exe File opened for modification C:\Windows\SysWOW64\Mdmngm32.exe Maoakaip.exe File opened for modification C:\Windows\SysWOW64\Mgbpdgap.exe Mhppik32.exe File opened for modification C:\Windows\SysWOW64\Necqbo32.exe Nmlhaa32.exe File created C:\Windows\SysWOW64\Gpodkdll.exe Ghgljg32.exe File created C:\Windows\SysWOW64\Jflnafno.exe Jihngboe.exe File created C:\Windows\SysWOW64\Mackfa32.exe Mmhofbma.exe File created C:\Windows\SysWOW64\Lfcmhc32.exe Lhammfci.exe File opened for modification C:\Windows\SysWOW64\Mmcfkc32.exe Mkdiog32.exe File created C:\Windows\SysWOW64\Clkaqh32.dll Cejaobel.exe File created C:\Windows\SysWOW64\Dpdogj32.exe Dlicflic.exe File created C:\Windows\SysWOW64\Ohcakk32.dll Fibfbm32.exe File opened for modification C:\Windows\SysWOW64\Libido32.exe Lfcmhc32.exe File created C:\Windows\SysWOW64\Oenmdg32.dll Dhdmfljb.exe File opened for modification C:\Windows\SysWOW64\Fgffka32.exe Fplnogmb.exe File opened for modification C:\Windows\SysWOW64\Hpcmfchg.exe Hhleefhe.exe File opened for modification C:\Windows\SysWOW64\Hhehkepj.exe Hfgloiqf.exe File created C:\Windows\SysWOW64\Ledioi32.dll Qbmpjkqk.exe File created C:\Windows\SysWOW64\Igadaq32.dll Akmjdpac.exe File opened for modification C:\Windows\SysWOW64\Cfjnhe32.exe Cppelkeb.exe File created C:\Windows\SysWOW64\Hpejlc32.exe Hhobjf32.exe File created C:\Windows\SysWOW64\Kplijk32.exe Kaihonhl.exe File created C:\Windows\SysWOW64\Lfaqcclf.exe Lccdghmc.exe File opened for modification C:\Windows\SysWOW64\Nhhldc32.exe Nandhi32.exe File created C:\Windows\SysWOW64\Cpflhb32.dll Ogefqeaj.exe File opened for modification C:\Windows\SysWOW64\Afnefieo.exe Abbiej32.exe File opened for modification C:\Windows\SysWOW64\Epbkhhel.exe Ehkcgkdj.exe File opened for modification C:\Windows\SysWOW64\Ghcbohpp.exe Gedfblql.exe File created C:\Windows\SysWOW64\Jamenc32.dll Jcpojk32.exe File opened for modification C:\Windows\SysWOW64\Pgihanii.exe Opopdd32.exe File created C:\Windows\SysWOW64\Abflab32.dll Cnboma32.exe File opened for modification C:\Windows\SysWOW64\Pnfdnnbo.exe Pocdba32.exe File created C:\Windows\SysWOW64\Pnkehf32.dll Dlkplk32.exe File created C:\Windows\SysWOW64\Kgemahmg.exe Kakednfj.exe File opened for modification C:\Windows\SysWOW64\Lmfodn32.exe Ljhchc32.exe File opened for modification C:\Windows\SysWOW64\Ngklppei.exe Nhhldc32.exe File created C:\Windows\SysWOW64\Aqfolqna.exe Akjgdjoj.exe File created C:\Windows\SysWOW64\Nhicoi32.exe Nejgbn32.exe File created C:\Windows\SysWOW64\Geijac32.dll Cblebgfh.exe File created C:\Windows\SysWOW64\Iqombb32.exe Imcqacfq.exe File created C:\Windows\SysWOW64\Jihngboe.exe Jckeokan.exe File opened for modification C:\Windows\SysWOW64\Kcehejic.exe Kaflio32.exe File opened for modification C:\Windows\SysWOW64\Pocdba32.exe Pgllad32.exe File opened for modification C:\Windows\SysWOW64\Eppobi32.exe Ehifak32.exe File opened for modification C:\Windows\SysWOW64\Oeopnmoa.exe Onhhmpoo.exe File opened for modification C:\Windows\SysWOW64\Anncek32.exe Aeeomegd.exe File created C:\Windows\SysWOW64\Imcqacfq.exe Ijedehgm.exe File opened for modification C:\Windows\SysWOW64\Imfmgcdn.exe Ihjafd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11956 8152 WerFault.exe 569 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpidk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biljib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibfbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odaiodbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbphcpog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplnogmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Labkempb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhgie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbbqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhcfleff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjjjghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naaghoik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgllad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agaoca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncanhaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnbapjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeffgff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkipi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpnkdfko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fghcqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpeaeedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqeihbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcjbfag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaejhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfdcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbqonf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjcjmclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moglpedd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebimmco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidmcqeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglgdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najagp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poeahaib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmjomlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imfmgcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdoolge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhefmjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnaffdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoakaip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehifak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgjll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfniikha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Midfjnge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nieoal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfngcdhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoladdeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icklhnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijngkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opopdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmqiec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqombb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdbda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngklppei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohnnqgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikihlmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaihonhl.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbiej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnicai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlicflic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imcqacfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhofbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbqampo.dll" Oediim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fghcqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcdhkd32.dll" Fiilblom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kidmcqeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqeip32.dll" Nolekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbggp32.dll" Dbehienn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfemdcba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dehnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehkcgkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhefmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifglb32.dll" Fpnkdfko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inopfb32.dll" Mpqklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjebpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfkpiled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiaofa32.dll" Aeeomegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oediim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeodqocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eedmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcboj32.dll" Gebimmco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhleefhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midfjnge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnolia32.dll" Mdlgmgdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najjmjkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onakco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nandhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdllffpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmcgm32.dll" Hllkqdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffjnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkpjo32.dll" Pncanhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjacpfqm.dll" Akopoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlkiaece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaamjnbg.dll" Pdeffgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfpidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebdml32.dll" Gomkkagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omlkmign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oklifdmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miipencp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leedqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfgloiqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akopoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aocmio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gohapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkheljf.dll" Hgpbhmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abflab32.dll" Cnboma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joabhd32.dll" Pfpidk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcommoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhjpceko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phmnfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepgghpg.dll" Ahkkhnpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odifjipd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijedehgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lapopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlqmgaad.dll" Cbiabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmdccgi.dll" Dhcfleff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clpppmqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghgljg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijngkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eohhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgpcohcb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3104 wrote to memory of 652 3104 b7f561d99f5f94cac68433c3d0797380N.exe 93 PID 3104 wrote to memory of 652 3104 b7f561d99f5f94cac68433c3d0797380N.exe 93 PID 3104 wrote to memory of 652 3104 b7f561d99f5f94cac68433c3d0797380N.exe 93 PID 652 wrote to memory of 3528 652 Leedqa32.exe 94 PID 652 wrote to memory of 3528 652 Leedqa32.exe 94 PID 652 wrote to memory of 3528 652 Leedqa32.exe 94 PID 3528 wrote to memory of 2056 3528 Lfgahikm.exe 95 PID 3528 wrote to memory of 2056 3528 Lfgahikm.exe 95 PID 3528 wrote to memory of 2056 3528 Lfgahikm.exe 95 PID 2056 wrote to memory of 1688 2056 Lkbmih32.exe 96 PID 2056 wrote to memory of 1688 2056 Lkbmih32.exe 96 PID 2056 wrote to memory of 1688 2056 Lkbmih32.exe 96 PID 1688 wrote to memory of 3932 1688 Lmqiec32.exe 97 PID 1688 wrote to memory of 3932 1688 Lmqiec32.exe 97 PID 1688 wrote to memory of 3932 1688 Lmqiec32.exe 97 PID 3932 wrote to memory of 4380 3932 Malefbkc.exe 98 PID 3932 wrote to memory of 4380 3932 Malefbkc.exe 98 PID 3932 wrote to memory of 4380 3932 Malefbkc.exe 98 PID 4380 wrote to memory of 4968 4380 Mehafq32.exe 99 PID 4380 wrote to memory of 4968 4380 Mehafq32.exe 99 PID 4380 wrote to memory of 4968 4380 Mehafq32.exe 99 PID 4968 wrote to memory of 5304 4968 Mhfmbl32.exe 100 PID 4968 wrote to memory of 5304 4968 Mhfmbl32.exe 100 PID 4968 wrote to memory of 5304 4968 Mhfmbl32.exe 100 PID 5304 wrote to memory of 3592 5304 Mginniij.exe 101 PID 5304 wrote to memory of 3592 5304 Mginniij.exe 101 PID 5304 wrote to memory of 3592 5304 Mginniij.exe 101 PID 3592 wrote to memory of 4412 3592 Mkdiog32.exe 102 PID 3592 wrote to memory of 4412 3592 Mkdiog32.exe 102 PID 3592 wrote to memory of 4412 3592 Mkdiog32.exe 102 PID 4412 wrote to memory of 1368 4412 Mmcfkc32.exe 103 PID 4412 wrote to memory of 1368 4412 Mmcfkc32.exe 103 PID 4412 wrote to memory of 1368 4412 Mmcfkc32.exe 103 PID 1368 wrote to memory of 1488 1368 Maoakaip.exe 104 PID 1368 wrote to memory of 1488 1368 Maoakaip.exe 104 PID 1368 wrote to memory of 1488 1368 Maoakaip.exe 104 PID 1488 wrote to memory of 1944 1488 Mdmngm32.exe 105 PID 1488 wrote to memory of 1944 1488 Mdmngm32.exe 105 PID 1488 wrote to memory of 1944 1488 Mdmngm32.exe 105 PID 1944 wrote to memory of 5920 1944 Mhhjhlqm.exe 106 PID 1944 wrote to memory of 5920 1944 Mhhjhlqm.exe 106 PID 1944 wrote to memory of 5920 1944 Mhhjhlqm.exe 106 PID 5920 wrote to memory of 2688 5920 Mkgfdgpq.exe 107 PID 5920 wrote to memory of 2688 5920 Mkgfdgpq.exe 107 PID 5920 wrote to memory of 2688 5920 Mkgfdgpq.exe 107 PID 2688 wrote to memory of 392 2688 Mobbdf32.exe 108 PID 2688 wrote to memory of 392 2688 Mobbdf32.exe 108 PID 2688 wrote to memory of 392 2688 Mobbdf32.exe 108 PID 392 wrote to memory of 4540 392 Maaoaa32.exe 109 PID 392 wrote to memory of 4540 392 Maaoaa32.exe 109 PID 392 wrote to memory of 4540 392 Maaoaa32.exe 109 PID 4540 wrote to memory of 3676 4540 Mdokmm32.exe 110 PID 4540 wrote to memory of 3676 4540 Mdokmm32.exe 110 PID 4540 wrote to memory of 3676 4540 Mdokmm32.exe 110 PID 3676 wrote to memory of 3436 3676 Mhkgnkoj.exe 111 PID 3676 wrote to memory of 3436 3676 Mhkgnkoj.exe 111 PID 3676 wrote to memory of 3436 3676 Mhkgnkoj.exe 111 PID 3436 wrote to memory of 432 3436 Mkicjgnn.exe 112 PID 3436 wrote to memory of 432 3436 Mkicjgnn.exe 112 PID 3436 wrote to memory of 432 3436 Mkicjgnn.exe 112 PID 432 wrote to memory of 4628 432 Moeoje32.exe 113 PID 432 wrote to memory of 4628 432 Moeoje32.exe 113 PID 432 wrote to memory of 4628 432 Moeoje32.exe 113 PID 4628 wrote to memory of 3336 4628 Mmhofbma.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7f561d99f5f94cac68433c3d0797380N.exe"C:\Users\Admin\AppData\Local\Temp\b7f561d99f5f94cac68433c3d0797380N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Leedqa32.exeC:\Windows\system32\Leedqa32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Lfgahikm.exeC:\Windows\system32\Lfgahikm.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Mginniij.exeC:\Windows\system32\Mginniij.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5304 -
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Mdmngm32.exeC:\Windows\system32\Mdmngm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5920 -
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Mdokmm32.exeC:\Windows\system32\Mdokmm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Mackfa32.exeC:\Windows\system32\Mackfa32.exe23⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Mdagbl32.exeC:\Windows\system32\Mdagbl32.exe24⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Mhmcck32.exeC:\Windows\system32\Mhmcck32.exe25⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Maehlqch.exeC:\Windows\system32\Maehlqch.exe28⤵
- Executes dropped EXE
PID:6072 -
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe29⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Mhppik32.exeC:\Windows\system32\Mhppik32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe31⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe32⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4900 -
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5484 -
C:\Windows\SysWOW64\Ndfanlpi.exeC:\Windows\system32\Ndfanlpi.exe35⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Ngemjg32.exeC:\Windows\system32\Ngemjg32.exe36⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Ndinck32.exeC:\Windows\system32\Ndinck32.exe39⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe40⤵
- Executes dropped EXE
PID:5936 -
C:\Windows\SysWOW64\Nkbfpeec.exeC:\Windows\system32\Nkbfpeec.exe41⤵
- Executes dropped EXE
PID:6064 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe42⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe43⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe44⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe45⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe46⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe47⤵
- Executes dropped EXE
PID:5856 -
C:\Windows\SysWOW64\Nejgbn32.exeC:\Windows\system32\Nejgbn32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4548 -
C:\Windows\SysWOW64\Nhicoi32.exeC:\Windows\system32\Nhicoi32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Nglcjfie.exeC:\Windows\system32\Nglcjfie.exe50⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe51⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Naaghoik.exeC:\Windows\system32\Naaghoik.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6080 -
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe53⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ngnppfgb.exeC:\Windows\system32\Ngnppfgb.exe54⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe55⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3844 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe57⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe58⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Oklifdmi.exeC:\Windows\system32\Oklifdmi.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4272 -
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe62⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Oddmoj32.exeC:\Windows\system32\Oddmoj32.exe63⤵
- Executes dropped EXE
PID:6116 -
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe64⤵
- Executes dropped EXE
PID:5756 -
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe65⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe66⤵PID:1676
-
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe67⤵
- Modifies registry class
PID:3928 -
C:\Windows\SysWOW64\Odgjdibf.exeC:\Windows\system32\Odgjdibf.exe68⤵PID:1968
-
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe69⤵
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Okqbac32.exeC:\Windows\system32\Okqbac32.exe70⤵PID:1328
-
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe71⤵PID:5264
-
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe72⤵PID:1204
-
C:\Windows\SysWOW64\Odifjipd.exeC:\Windows\system32\Odifjipd.exe73⤵
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Oggbfdog.exeC:\Windows\system32\Oggbfdog.exe74⤵PID:2164
-
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1076 -
C:\Windows\SysWOW64\Onakco32.exeC:\Windows\system32\Onakco32.exe76⤵
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe77⤵PID:4712
-
C:\Windows\SysWOW64\Odkcpi32.exeC:\Windows\system32\Odkcpi32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3244 -
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe79⤵PID:4444
-
C:\Windows\SysWOW64\Okeklcen.exeC:\Windows\system32\Okeklcen.exe80⤵PID:4616
-
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568 -
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe82⤵PID:4316
-
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe83⤵
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe84⤵PID:5908
-
C:\Windows\SysWOW64\Pgllad32.exeC:\Windows\system32\Pgllad32.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe86⤵
- Drops file in System32 directory
PID:3444 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe87⤵PID:3224
-
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe88⤵PID:6092
-
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe89⤵PID:5852
-
C:\Windows\SysWOW64\Pgoigcip.exeC:\Windows\system32\Pgoigcip.exe90⤵PID:4224
-
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe91⤵
- System Location Discovery: System Language Discovery
PID:3884 -
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5660 -
C:\Windows\SysWOW64\Pfpidk32.exeC:\Windows\system32\Pfpidk32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6040 -
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe95⤵PID:1372
-
C:\Windows\SysWOW64\Pklamb32.exeC:\Windows\system32\Pklamb32.exe96⤵PID:1880
-
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe97⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe98⤵PID:3664
-
C:\Windows\SysWOW64\Pdeffgff.exeC:\Windows\system32\Pdeffgff.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Phpbffnp.exeC:\Windows\system32\Phpbffnp.exe100⤵PID:1736
-
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe101⤵
- Drops file in System32 directory
PID:4632 -
C:\Windows\SysWOW64\Pojjcp32.exeC:\Windows\system32\Pojjcp32.exe102⤵PID:4364
-
C:\Windows\SysWOW64\Pnmjomlg.exeC:\Windows\system32\Pnmjomlg.exe103⤵
- System Location Discovery: System Language Discovery
PID:3960 -
C:\Windows\SysWOW64\Pdgckg32.exeC:\Windows\system32\Pdgckg32.exe104⤵PID:5164
-
C:\Windows\SysWOW64\Qbkcek32.exeC:\Windows\system32\Qbkcek32.exe105⤵PID:5140
-
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe106⤵PID:6016
-
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe107⤵PID:5460
-
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe108⤵PID:4424
-
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe109⤵PID:2848
-
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe111⤵
- Modifies registry class
PID:5792 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe113⤵
- System Location Discovery: System Language Discovery
PID:428 -
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe114⤵PID:3212
-
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe115⤵
- System Location Discovery: System Language Discovery
PID:4072 -
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe116⤵PID:5688
-
C:\Windows\SysWOW64\Agmehamp.exeC:\Windows\system32\Agmehamp.exe117⤵PID:1188
-
C:\Windows\SysWOW64\Aocmio32.exeC:\Windows\system32\Aocmio32.exe118⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Afnefieo.exeC:\Windows\system32\Afnefieo.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4912 -
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe121⤵PID:4816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-