Analysis
-
max time kernel
105s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-08-2024 08:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d54de7de0dbd3dc931a1711be2e64830N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d54de7de0dbd3dc931a1711be2e64830N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d54de7de0dbd3dc931a1711be2e64830N.exe
-
Size
80KB
-
MD5
d54de7de0dbd3dc931a1711be2e64830
-
SHA1
3595ed6d5e4491a33d00be5ce5418d7659903d65
-
SHA256
cb2633264e61dbeeef3fe8ec0d4d62fd68604d1f9df9e52ce8e929bb63789b8f
-
SHA512
5c61465eb756bc2ba5c89cfcbd25c79f14031c4a615ef71d4c85c9faa9b1bdf158cf46ad8efca3d885990f6e95eef63fdb519e96daf37c8e09bb0b47eac5110f
-
SSDEEP
1536:7rwTd3EbIgeUft3JRYpS+KWiOyeq2Cu5VRj962LxJ9VqDlzVxyh+CbxMa:nwTd0b1t3ApS+KWiOyeq2Cu5VRjlxJ95
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcmbee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndjndbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflkbanj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Codhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfohgqlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kofkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjicdmmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmiclo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflkbanj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilafiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akdilipp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkogiikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjadje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maiccajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmhpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpbpbecj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coiaiakf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olicnfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedccfqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qklmpalf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihnomjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pibdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cioilg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefjii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfokoelp.exe -
Executes dropped EXE 64 IoCs
pid Process 2736 Oeoblb32.exe 4964 Olijhmgj.exe 3388 Oohgdhfn.exe 1380 Oafcqcea.exe 2836 Ohpkmn32.exe 4516 Pkogiikb.exe 4320 Pcepkfld.exe 100 Piphgq32.exe 1752 Plndcl32.exe 4968 Pkadoiip.exe 1092 Pakllc32.exe 4904 Pibdmp32.exe 4276 Plpqil32.exe 2892 Pcjiff32.exe 1324 Pidabppl.exe 3448 Pkenjh32.exe 4704 Papfgbmg.exe 3228 Pifnhpmi.exe 412 Plejdkmm.exe 532 Pcobaedj.exe 1644 Pabblb32.exe 5032 Qhlkilba.exe 4524 Qlggjk32.exe 1408 Qcaofebg.exe 2176 Qepkbpak.exe 2580 Qhngolpo.exe 1844 Qkmdkgob.exe 1068 Qaflgago.exe 4656 Qebhhp32.exe 1960 Ahqddk32.exe 1196 Allpejfe.exe 4028 Aojlaeei.exe 3976 Aaiimadl.exe 3760 Ajpqnneo.exe 4424 Ahcajk32.exe 768 Aakebqbj.exe 4104 Afgacokc.exe 4076 Alqjpi32.exe 3120 Aoofle32.exe 736 Ackbmcjl.exe 4976 Afinioip.exe 3028 Ahgjejhd.exe 1628 Akffafgg.exe 1248 Acmobchj.exe 4792 Afkknogn.exe 3952 Ahjgjj32.exe 3752 Acokhc32.exe 4900 Bfngdn32.exe 4344 Bjicdmmd.exe 3492 Bkkple32.exe 3296 Boflmdkk.exe 4828 Bfpdin32.exe 2264 Bhoqeibl.exe 1448 Bkmmaeap.exe 5016 Bcddcbab.exe 640 Bfbaonae.exe 632 Bhamkipi.exe 440 Bmlilh32.exe 1052 Bcfahbpo.exe 1712 Bbiado32.exe 744 Bhcjqinf.exe 4732 Bmofagfp.exe 4692 Bombmcec.exe 4328 Bblnindg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bknlbhhe.exe Bhpofl32.exe File created C:\Windows\SysWOW64\Cdmfllhn.exe Caojpaij.exe File opened for modification C:\Windows\SysWOW64\Akffafgg.exe Ahgjejhd.exe File created C:\Windows\SysWOW64\Kmdpiacg.dll Bddjpd32.exe File created C:\Windows\SysWOW64\Mjfmcmai.dll Cbfgkffn.exe File opened for modification C:\Windows\SysWOW64\Aokkahlo.exe Agdcpkll.exe File created C:\Windows\SysWOW64\Ghqomgid.dll Gbmingjo.exe File created C:\Windows\SysWOW64\Ldcadhpd.dll Jlhljhbg.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dbnmke32.exe File created C:\Windows\SysWOW64\Bbikhdcm.dll Ppgegd32.exe File created C:\Windows\SysWOW64\Adfonlkp.dll Jpcapp32.exe File opened for modification C:\Windows\SysWOW64\Oabhfg32.exe Ondljl32.exe File created C:\Windows\SysWOW64\Qobhkjdi.exe Qjfmkk32.exe File opened for modification C:\Windows\SysWOW64\Ahdpjn32.exe Aajhndkb.exe File opened for modification C:\Windows\SysWOW64\Gkhkjd32.exe Giinpa32.exe File created C:\Windows\SysWOW64\Neiqnh32.dll Bebjdgmj.exe File created C:\Windows\SysWOW64\Cfbcke32.exe Cbfgkffn.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Ickglm32.exe File opened for modification C:\Windows\SysWOW64\Ahgjejhd.exe Afinioip.exe File created C:\Windows\SysWOW64\Nopfpgip.exe Nmbjcljl.exe File opened for modification C:\Windows\SysWOW64\Pifnhpmi.exe Papfgbmg.exe File created C:\Windows\SysWOW64\Kmephjke.dll Pplobcpp.exe File created C:\Windows\SysWOW64\Cikamapb.dll Hfhgkmpj.exe File created C:\Windows\SysWOW64\Keiifian.dll Qjfmkk32.exe File created C:\Windows\SysWOW64\Cglbhhga.exe Cdmfllhn.exe File opened for modification C:\Windows\SysWOW64\Jekqmhia.exe Jghpbk32.exe File created C:\Windows\SysWOW64\Okddnh32.dll Qobhkjdi.exe File opened for modification C:\Windows\SysWOW64\Gmdcfidg.exe Gemkelcd.exe File opened for modification C:\Windows\SysWOW64\Gkmdecbg.exe Gbfldf32.exe File created C:\Windows\SysWOW64\Ckhecmcf.exe Chiigadc.exe File created C:\Windows\SysWOW64\Eadhip32.dll Ckhecmcf.exe File opened for modification C:\Windows\SysWOW64\Efblbbqd.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Hhbdbmfg.dll Pkbjjbda.exe File created C:\Windows\SysWOW64\Bnkbcj32.exe Bohbhmfm.exe File opened for modification C:\Windows\SysWOW64\Dbnmke32.exe Dooaoj32.exe File created C:\Windows\SysWOW64\Ilcldb32.exe Iidphgcn.exe File opened for modification C:\Windows\SysWOW64\Fdqfll32.exe Fpejlmcf.exe File created C:\Windows\SysWOW64\Plbhknkl.dll Hienlpel.exe File created C:\Windows\SysWOW64\Hgfoqnae.dll Lenicahg.exe File created C:\Windows\SysWOW64\Bomfgoah.dll Mjdebfnd.exe File created C:\Windows\SysWOW64\Nfaemp32.exe Ncchae32.exe File opened for modification C:\Windows\SysWOW64\Aamknj32.exe Aonoao32.exe File created C:\Windows\SysWOW64\Pqindg32.dll Blqllqqa.exe File created C:\Windows\SysWOW64\Fllkqn32.exe Fimodc32.exe File created C:\Windows\SysWOW64\Eglmfnhm.dll Baadiiif.exe File created C:\Windows\SysWOW64\Bacjdbch.exe Bkibgh32.exe File created C:\Windows\SysWOW64\Lcnmin32.exe Lnadagbm.exe File created C:\Windows\SysWOW64\Ihbjebjh.dll Pmcclm32.exe File created C:\Windows\SysWOW64\Gepgfb32.dll Fmhdkknd.exe File created C:\Windows\SysWOW64\Famkjfqd.dll Lqmmmmph.exe File created C:\Windows\SysWOW64\Ddgplado.exe Dnmhpg32.exe File created C:\Windows\SysWOW64\Oppceehj.dll Nfohgqlg.exe File created C:\Windows\SysWOW64\Oenqhaga.dll Eiobceef.exe File opened for modification C:\Windows\SysWOW64\Giinpa32.exe Gfkbde32.exe File created C:\Windows\SysWOW64\Anaemfem.dll Jddnfd32.exe File created C:\Windows\SysWOW64\Klbbcjfp.dll Okkdic32.exe File created C:\Windows\SysWOW64\Ennamn32.dll Chnlgjlb.exe File opened for modification C:\Windows\SysWOW64\Epikpo32.exe Elnoopdj.exe File created C:\Windows\SysWOW64\Ojbacd32.exe Oeehkn32.exe File opened for modification C:\Windows\SysWOW64\Cdpjlb32.exe Cnfaohbj.exe File created C:\Windows\SysWOW64\Phfcipoo.exe Ppolhcnm.exe File opened for modification C:\Windows\SysWOW64\Ppahmb32.exe Pnplfj32.exe File opened for modification C:\Windows\SysWOW64\Ccgjopal.exe Ciafbg32.exe File created C:\Windows\SysWOW64\Ohhnbhok.exe Oejbfmpg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15156 14928 WerFault.exe 795 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodnmkap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkknogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcodihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfekc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgcea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbpjaeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkipgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adndoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhclmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncchae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paeelgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlghoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfodeohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidphgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmofagfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cioilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamknj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkogiikb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgjopal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkkhhmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coohhlpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johnamkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoofle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfqmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpcbhji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhkjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbdldnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenbjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfnofpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfgmnfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfcipoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfheof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdnngdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgepanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqqkkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkgkapm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malpia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iliinc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpejlmcf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohgdhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agadmk32.dll" Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbnkonbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfqmpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnqjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpecbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmjcf32.dll" Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknmla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njkkbehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gingkqkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfhqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll" Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jngbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccphhl32.dll" Qaflgago.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll" Phfcipoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcblj32.dll" Jgnqgqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oogpjbbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Komhll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjeomld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhngolpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpode32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmmqhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anclbkbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll" Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcadhpd.dll" Jlhljhbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhidngmn.dll" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackhdo32.dll" Gfokoelp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfbhfmf.dll" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljhefhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddligq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhebpni.dll" Pcepkfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfpdin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcjmmil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4024 wrote to memory of 2736 4024 d54de7de0dbd3dc931a1711be2e64830N.exe 86 PID 4024 wrote to memory of 2736 4024 d54de7de0dbd3dc931a1711be2e64830N.exe 86 PID 4024 wrote to memory of 2736 4024 d54de7de0dbd3dc931a1711be2e64830N.exe 86 PID 2736 wrote to memory of 4964 2736 Oeoblb32.exe 87 PID 2736 wrote to memory of 4964 2736 Oeoblb32.exe 87 PID 2736 wrote to memory of 4964 2736 Oeoblb32.exe 87 PID 4964 wrote to memory of 3388 4964 Olijhmgj.exe 88 PID 4964 wrote to memory of 3388 4964 Olijhmgj.exe 88 PID 4964 wrote to memory of 3388 4964 Olijhmgj.exe 88 PID 3388 wrote to memory of 1380 3388 Oohgdhfn.exe 89 PID 3388 wrote to memory of 1380 3388 Oohgdhfn.exe 89 PID 3388 wrote to memory of 1380 3388 Oohgdhfn.exe 89 PID 1380 wrote to memory of 2836 1380 Oafcqcea.exe 90 PID 1380 wrote to memory of 2836 1380 Oafcqcea.exe 90 PID 1380 wrote to memory of 2836 1380 Oafcqcea.exe 90 PID 2836 wrote to memory of 4516 2836 Ohpkmn32.exe 91 PID 2836 wrote to memory of 4516 2836 Ohpkmn32.exe 91 PID 2836 wrote to memory of 4516 2836 Ohpkmn32.exe 91 PID 4516 wrote to memory of 4320 4516 Pkogiikb.exe 92 PID 4516 wrote to memory of 4320 4516 Pkogiikb.exe 92 PID 4516 wrote to memory of 4320 4516 Pkogiikb.exe 92 PID 4320 wrote to memory of 100 4320 Pcepkfld.exe 93 PID 4320 wrote to memory of 100 4320 Pcepkfld.exe 93 PID 4320 wrote to memory of 100 4320 Pcepkfld.exe 93 PID 100 wrote to memory of 1752 100 Piphgq32.exe 94 PID 100 wrote to memory of 1752 100 Piphgq32.exe 94 PID 100 wrote to memory of 1752 100 Piphgq32.exe 94 PID 1752 wrote to memory of 4968 1752 Plndcl32.exe 95 PID 1752 wrote to memory of 4968 1752 Plndcl32.exe 95 PID 1752 wrote to memory of 4968 1752 Plndcl32.exe 95 PID 4968 wrote to memory of 1092 4968 Pkadoiip.exe 97 PID 4968 wrote to memory of 1092 4968 Pkadoiip.exe 97 PID 4968 wrote to memory of 1092 4968 Pkadoiip.exe 97 PID 1092 wrote to memory of 4904 1092 Pakllc32.exe 98 PID 1092 wrote to memory of 4904 1092 Pakllc32.exe 98 PID 1092 wrote to memory of 4904 1092 Pakllc32.exe 98 PID 4904 wrote to memory of 4276 4904 Pibdmp32.exe 99 PID 4904 wrote to memory of 4276 4904 Pibdmp32.exe 99 PID 4904 wrote to memory of 4276 4904 Pibdmp32.exe 99 PID 4276 wrote to memory of 2892 4276 Plpqil32.exe 100 PID 4276 wrote to memory of 2892 4276 Plpqil32.exe 100 PID 4276 wrote to memory of 2892 4276 Plpqil32.exe 100 PID 2892 wrote to memory of 1324 2892 Pcjiff32.exe 102 PID 2892 wrote to memory of 1324 2892 Pcjiff32.exe 102 PID 2892 wrote to memory of 1324 2892 Pcjiff32.exe 102 PID 1324 wrote to memory of 3448 1324 Pidabppl.exe 103 PID 1324 wrote to memory of 3448 1324 Pidabppl.exe 103 PID 1324 wrote to memory of 3448 1324 Pidabppl.exe 103 PID 3448 wrote to memory of 4704 3448 Pkenjh32.exe 104 PID 3448 wrote to memory of 4704 3448 Pkenjh32.exe 104 PID 3448 wrote to memory of 4704 3448 Pkenjh32.exe 104 PID 4704 wrote to memory of 3228 4704 Papfgbmg.exe 105 PID 4704 wrote to memory of 3228 4704 Papfgbmg.exe 105 PID 4704 wrote to memory of 3228 4704 Papfgbmg.exe 105 PID 3228 wrote to memory of 412 3228 Pifnhpmi.exe 107 PID 3228 wrote to memory of 412 3228 Pifnhpmi.exe 107 PID 3228 wrote to memory of 412 3228 Pifnhpmi.exe 107 PID 412 wrote to memory of 532 412 Plejdkmm.exe 108 PID 412 wrote to memory of 532 412 Plejdkmm.exe 108 PID 412 wrote to memory of 532 412 Plejdkmm.exe 108 PID 532 wrote to memory of 1644 532 Pcobaedj.exe 109 PID 532 wrote to memory of 1644 532 Pcobaedj.exe 109 PID 532 wrote to memory of 1644 532 Pcobaedj.exe 109 PID 1644 wrote to memory of 5032 1644 Pabblb32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\d54de7de0dbd3dc931a1711be2e64830N.exe"C:\Users\Admin\AppData\Local\Temp\d54de7de0dbd3dc931a1711be2e64830N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe24⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe25⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe26⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe30⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe31⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe32⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe33⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe34⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe35⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe36⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe37⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe38⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe39⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3120 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe41⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4976 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe44⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe45⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4792 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe47⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe48⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe49⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe51⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe52⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4828 -
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe54⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe55⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:5016 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe57⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe58⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe59⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe60⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe62⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe64⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe65⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe66⤵PID:4112
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe67⤵PID:4664
-
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe68⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe69⤵PID:4300
-
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe70⤵PID:4720
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe71⤵PID:2136
-
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe72⤵PID:5056
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:968 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe74⤵PID:628
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4332 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe76⤵
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3280 -
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe80⤵PID:5060
-
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe81⤵PID:4588
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe82⤵
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe83⤵
- System Location Discovery: System Language Discovery
PID:3840 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe84⤵PID:1144
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe85⤵PID:2100
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe86⤵PID:4540
-
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe87⤵PID:4500
-
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe88⤵PID:4032
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe89⤵PID:4000
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe90⤵PID:2416
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe91⤵
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe92⤵PID:5184
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5232 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe94⤵PID:5280
-
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe95⤵PID:5324
-
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe96⤵PID:5368
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe97⤵PID:5416
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe98⤵
- System Location Discovery: System Language Discovery
PID:5460 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe99⤵PID:5504
-
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe100⤵PID:5548
-
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe101⤵PID:5592
-
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe102⤵PID:5636
-
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5724 -
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5768 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe106⤵PID:5812
-
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe107⤵PID:5856
-
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe108⤵PID:5900
-
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe109⤵PID:5944
-
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe110⤵PID:5984
-
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe111⤵
- Modifies registry class
PID:6032 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe112⤵
- System Location Discovery: System Language Discovery
PID:6092 -
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe113⤵PID:5128
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe114⤵PID:5220
-
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe115⤵PID:5312
-
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe116⤵PID:5400
-
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe117⤵PID:5472
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe118⤵PID:5556
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe119⤵PID:5624
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe120⤵
- Modifies registry class
PID:5732 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-