Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 12:43 UTC
Static task: static1
Behavioral task: behavioral1 (Sample: ac6ba8c136b9e1cdca9fb6e0649dc530N.exe, Resource: win7-20240704-en)
Behavioral task: behavioral2 (Sample: ac6ba8c136b9e1cdca9fb6e0649dc530N.exe, Resource: win10v2004-20240802-en)
General
Target: ac6ba8c136b9e1cdca9fb6e0649dc530N.exe
Size: 135KB
MD5: ac6ba8c136b9e1cdca9fb6e0649dc530
SHA1: 5e0df15c43213366c98c01174ce8448ea9ef251f
SHA256: 602b224ada29c947a466ec379cd29ebaabd32a7333a018077aea16b0b9a0e6cd
SHA512: 227ca836d843e2c1ed34b38e29f4a7743115d94faf3d27e6f78cebf9ad6804ddfcc34f491d301a3a45334b301a8cabc7540aa8b1640ed27269dd3d0399f8aef0
SSDEEP: 3072:My7aYsNEhCC04DcTBK8Qr5+ViKGe7Yfs0a0Uoi:rCnTBK9cViK4fs0l
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aqadfg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aempffeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qfilihkf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llhppd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecbjgo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcknbd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkgpoqma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npjlhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnobdmgm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pacomo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oipegj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccieeibp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phieip32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbphaoaj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgbcfo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqadfg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deehepba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgoemmkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlgbmmoo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oikllkjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijogie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekfaqlho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnkfahig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npnnhfgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ancchnaj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmjgfnkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfkelfea.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fidbekfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkcham32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cacakj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iohjin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifpephpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cicqgpbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoecbgjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epmkqahi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahmqqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckcldohd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnadkjab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ancgjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhokfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gnlelogl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfaioj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leakcq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkjphfcj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmoodfhe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odhmdigf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cacakj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddkpmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Paelbn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmoaei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bqmlgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daiejk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blqiljch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djilhlpi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leabng32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omgjebjj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igoebq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nghfep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdafja32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekahem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfhodm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmddgf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceglcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfhhkj32.exe
Executes dropped EXE (64 IoCs)
pid | Process
1764 | Kickhg32.exe
1144 | Klbgdb32.exe
1776 | Kifhnf32.exe
3048 | Kpppkqep.exe
4540 | Kemhcgdg.exe
4800 | Lpbmpp32.exe
2360 | Lbqill32.exe
4836 | Lmfmid32.exe
1556 | Ldpefojd.exe
2232 | Leabng32.exe
1424 | Ldbbln32.exe
4920 | Liojde32.exe
3560 | Lmkfddnb.exe
1948 | Lbhomkmi.exe
4184 | Libgje32.exe
4208 | Ldgkgndl.exe
4288 | Liddodbc.exe
1376 | Mpnllo32.exe
4496 | Mghdiiam.exe
4436 | Mmbmec32.exe
4340 | Mpqian32.exe
4600 | Mdlebm32.exe
220 | Mlgjfo32.exe
2376 | Mcabcido.exe
2304 | Mikjpc32.exe
4584 | Mliflo32.exe
4876 | Mccoiibl.exe
1660 | Mebked32.exe
1560 | Mdckbljo.exe
2296 | Nnkpla32.exe
3100 | Npjlhm32.exe
4900 | Nchhdh32.exe
2804 | Nefdpdmj.exe
2836 | Nlqlmn32.exe
3892 | Ndhdnk32.exe
2536 | Nnpifalj.exe
2348 | Ndjack32.exe
2564 | Neknkcie.exe
4568 | Nlefhmaa.exe
3688 | Ndlnikad.exe
5036 | Nfnjqc32.exe
3192 | Nlgbmmoo.exe
3648 | Ncakjg32.exe
4984 | Nfpgfb32.exe
1944 | Oljocm32.exe
4756 | Ofbdlbcm.exe
3016 | Olllhl32.exe
4492 | Ogbpfe32.exe
1652 | Ojplbq32.exe
3208 | Oqjeok32.exe
2004 | Ogdmkdhm.exe
2928 | Onneho32.exe
4928 | Odhmdigf.exe
1432 | Ofijla32.exe
1204 | Ojefmpen.exe
2764 | Omcbikda.exe
3780 | Ogiffd32.exe
4980 | Pjgbbp32.exe
5024 | Pmeook32.exe
4860 | Pcpgkejl.exe
3024 | Pnekinjb.exe
5128 | Pgnpacpb.exe
5168 | Pnghnm32.exe
5208 | Pqfdji32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Goljee32.dll | Dflklc32.exe
File created | C:\Windows\SysWOW64\Kgfnmjfg.dll | Akipgb32.exe
File opened for modification | C:\Windows\SysWOW64\Nnkpla32.exe | Mdckbljo.exe
File created | C:\Windows\SysWOW64\Oglijl32.dll | Ifpephpo.exe
File created | C:\Windows\SysWOW64\Ahcgifbn.dll | Mlbiajmk.exe
File opened for modification | C:\Windows\SysWOW64\Fpcdme32.exe | Fmdhaiji.exe
File created | C:\Windows\SysWOW64\Domamm32.dll | Bjdjfoba.exe
File opened for modification | C:\Windows\SysWOW64\Fdlmnn32.exe | Fifhpe32.exe
File created | C:\Windows\SysWOW64\Ibkankld.dll | Lpbmpp32.exe
File opened for modification | C:\Windows\SysWOW64\Bnadkjab.exe | Bjfhkk32.exe
File opened for modification | C:\Windows\SysWOW64\Lebjdc32.exe | Lqfncejc.exe
File created | C:\Windows\SysWOW64\Amqfbo32.exe | Qhdnjh32.exe
File opened for modification | C:\Windows\SysWOW64\Cfomkipd.exe | Cacakj32.exe
File created | C:\Windows\SysWOW64\Chjakm32.exe | Cdoejn32.exe
File opened for modification | C:\Windows\SysWOW64\Ooijpk32.exe | Okkaim32.exe
File opened for modification | C:\Windows\SysWOW64\Bkjphfcj.exe | Bjican32.exe
File opened for modification | C:\Windows\SysWOW64\Phodohik.exe | Paelbn32.exe
File created | C:\Windows\SysWOW64\Omcepq32.dll | Ekahem32.exe
File created | C:\Windows\SysWOW64\Ecimng32.dll | Infaik32.exe
File opened for modification | C:\Windows\SysWOW64\Ohgonf32.exe | Opljjd32.exe
File created | C:\Windows\SysWOW64\Flmoaofm.dll | Phfhcp32.exe
File opened for modification | C:\Windows\SysWOW64\Cakiimcl.exe | Cicqgpbj.exe
File opened for modification | C:\Windows\SysWOW64\Eppoqg32.exe | Embbdl32.exe
File created | C:\Windows\SysWOW64\Aqopfakl.exe | Qhghedjj.exe
File created | C:\Windows\SysWOW64\Amjjfa32.exe | Aqcjaq32.exe
File created | C:\Windows\SysWOW64\Iiohon32.dll | Jjhjod32.exe
File created | C:\Windows\SysWOW64\Dmelngqp.exe | Dbphaoaj.exe
File created | C:\Windows\SysWOW64\Kidcdcbh.dll | Ldpefojd.exe
File created | C:\Windows\SysWOW64\Gggfjdlj.exe | Gdijnhmf.exe
File opened for modification | C:\Windows\SysWOW64\Cbkgki32.exe | Cdggbebj.exe
File opened for modification | C:\Windows\SysWOW64\Kjjpjm32.exe | Kkgpoqma.exe
File opened for modification | C:\Windows\SysWOW64\Lqadhe32.exe | Lmfhhgfp.exe
File created | C:\Windows\SysWOW64\Hfgkij32.dll | Blqiljch.exe
File created | C:\Windows\SysWOW64\Oenbgpjl.exe | Omgjebjj.exe
File created | C:\Windows\SysWOW64\Achbgg32.dll | Hnhdhm32.exe
File opened for modification | C:\Windows\SysWOW64\Ljoigq32.exe | Lljlfdph.exe
File created | C:\Windows\SysWOW64\Kghpdjik.dll | Idloki32.exe
File opened for modification | C:\Windows\SysWOW64\Mkcham32.exe | Mclppo32.exe
File created | C:\Windows\SysWOW64\Inljkfef.dll | Knlblk32.exe
File created | C:\Windows\SysWOW64\Hfmpckpd.exe | Hnfhbmoa.exe
File created | C:\Windows\SysWOW64\Hdclejkb.exe | Hingha32.exe
File opened for modification | C:\Windows\SysWOW64\Inbfoolj.exe | Ighnbd32.exe
File opened for modification | C:\Windows\SysWOW64\Paqbgofc.exe | Phhnoi32.exe
File created | C:\Windows\SysWOW64\Bhiple32.exe | Boqlcolm.exe
File created | C:\Windows\SysWOW64\Oaebop32.dll | Epfgljlb.exe
File created | C:\Windows\SysWOW64\Qcbhobdi.dll | Cfchfe32.exe
File opened for modification | C:\Windows\SysWOW64\Jjcqdemp.exe | Jjadoe32.exe
File created | C:\Windows\SysWOW64\Kfanffjl.dll | Hjnnbhog.exe
File created | C:\Windows\SysWOW64\Gampqi32.dll | Ebmmhfan.exe
File created | C:\Windows\SysWOW64\Ealeappp.dll | Liojde32.exe
File opened for modification | C:\Windows\SysWOW64\Benincgl.exe | Bmfqlf32.exe
File created | C:\Windows\SysWOW64\Omqjfa32.dll | Ghbiiggb.exe
File created | C:\Windows\SysWOW64\Jmgjao32.dll | Fpcdme32.exe
File created | C:\Windows\SysWOW64\Ehafopip.dll | Paomlela.exe
File opened for modification | C:\Windows\SysWOW64\Bjican32.exe | Bcokddfo.exe
File created | C:\Windows\SysWOW64\Flekeb32.dll | Nfnjqc32.exe
File created | C:\Windows\SysWOW64\Naolbe32.dll | Cdoejn32.exe
File created | C:\Windows\SysWOW64\Mflgia32.exe | Moeohd32.exe
File opened for modification | C:\Windows\SysWOW64\Mfncoa32.exe | Mpdkbgpl.exe
File created | C:\Windows\SysWOW64\Hbhngckm.dll | Eppoqg32.exe
File created | C:\Windows\SysWOW64\Ndkcnnie.dll | Ahgajngo.exe
File created | C:\Windows\SysWOW64\Mgfopm32.dll | Ekfaqlho.exe
File created | C:\Windows\SysWOW64\Eelneoli.exe | Egknhhdj.exe
File opened for modification | C:\Windows\SysWOW64\Ifklei32.exe | Igjlgale.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
7120 | 5164 | WerFault.exe | 852
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nefdpdmj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojplbq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aempffeo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oimibj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkpgbjdh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkefmg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjooji32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffepojce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahhgegap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddnmbdla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Liddodbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nchhdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cicqgpbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pojcfidc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kqhabg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpbmpp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfjjdbko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djjcbb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idobkoep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjpqko32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hlnqimim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilcjdl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idokahad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eelidapa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Benincgl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chjakm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keghmb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojpdjfdo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Capinc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfflqg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oikllkjm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Poggai32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glpdho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpnmnm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmjgfnkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Libgje32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gajnbmnc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Occqep32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acdbcldh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfghjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fifhpe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inbfoolj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pommpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phodohik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fecodqjj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mccoiibl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceglcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oipegj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Micfjh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nandeh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chnigdoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfhodm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjfhkk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Caicndhk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljoigq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cinpbj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mebked32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlgbmmoo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qqmjkhqk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bihalalg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eppoqg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qchlmg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bchece32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cigchi32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihfeanao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojdmkad.dll" | Pobmfjjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbpoja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lqfncejc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eijbjpfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbghh32.dll" | Fnnikq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odadeaio.dll" | Pjkech32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmid32.dll" | Njmehohp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eoanaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdjdbje.dll" | Ebpjmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bepeccei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghpdjik.dll" | Idloki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqmjkhqk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmagag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aqcjaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejelcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Inbfoolj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dohkkl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iiihad32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfkelfea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kbnelfah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpopoil.dll" | Gpggnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkenen32.dll" | Oelfaplo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnekpe32.dll" | Pcgmld32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkokno32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhcmgeni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehop32.dll" | Pdjehk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhngckm.dll" | Eppoqg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkqloq32.dll" | Dlmeecce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhipo32.dll" | Omgjebjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odhmdigf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Anjnkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lonige32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgoemmkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cifmmppg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dilfib32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpknkbjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmdjmq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phhnoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bcqiip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjfjn32.dll" | Chnigdoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emnhjpei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdijnhmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Inhnokol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbokbf32.dll" | Lbmnboml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jqalahmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eooalkbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddabpnod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcknbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dndefjee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dipodaoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eaddfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbphaoaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dnhnai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nchhdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfqpp32.dll" | Ogdmkdhm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Caicndhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhahmjn.dll" | Inbfoolj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclgnbjb.dll" | Bhiple32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djkjmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cecjnlcd.dll" | Depnja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Leendide.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnobdmgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mfncoa32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3188 wrote to memory of 1764 3188 ac6ba8c136b9e1cdca9fb6e0649dc530N.exe 91
PID 3188 wrote to memory of 1764 3188 ac6ba8c136b9e1cdca9fb6e0649dc530N.exe 91
PID 3188 wrote to memory of 1764 3188 ac6ba8c136b9e1cdca9fb6e0649dc530N.exe 91
PID 1764 wrote to memory of 1144 1764 Kickhg32.exe 92
PID 1764 wrote to memory of 1144 1764 Kickhg32.exe 92
PID 1764 wrote to memory of 1144 1764 Kickhg32.exe 92
PID 1144 wrote to memory of 1776 1144 Klbgdb32.exe 93
PID 1144 wrote to memory of 1776 1144 Klbgdb32.exe 93
PID 1144 wrote to memory of 1776 1144 Klbgdb32.exe 93
PID 1776 wrote to memory of 3048 1776 Kifhnf32.exe 94
PID 1776 wrote to memory of 3048 1776 Kifhnf32.exe 94
PID 1776 wrote to memory of 3048 1776 Kifhnf32.exe 94
PID 3048 wrote to memory of 4540 3048 Kpppkqep.exe 95
PID 3048 wrote to memory of 4540 3048 Kpppkqep.exe 95
PID 3048 wrote to memory of 4540 3048 Kpppkqep.exe 95
PID 4540 wrote to memory of 4800 4540 Kemhcgdg.exe 97
PID 4540 wrote to memory of 4800 4540 Kemhcgdg.exe 97
PID 4540 wrote to memory of 4800 4540 Kemhcgdg.exe 97
PID 4800 wrote to memory of 2360 4800 Lpbmpp32.exe 98
PID 4800 wrote to memory of 2360 4800 Lpbmpp32.exe 98
PID 4800 wrote to memory of 2360 4800 Lpbmpp32.exe 98
PID 2360 wrote to memory of 4836 2360 Lbqill32.exe 99
PID 2360 wrote to memory of 4836 2360 Lbqill32.exe 99
PID 2360 wrote to memory of 4836 2360 Lbqill32.exe 99
PID 4836 wrote to memory of 1556 4836 Lmfmid32.exe 100
PID 4836 wrote to memory of 1556 4836 Lmfmid32.exe 100
PID 4836 wrote to memory of 1556 4836 Lmfmid32.exe 100
PID 1556 wrote to memory of 2232 1556 Ldpefojd.exe 102
PID 1556 wrote to memory of 2232 1556 Ldpefojd.exe 102
PID 1556 wrote to memory of 2232 1556 Ldpefojd.exe 102
PID 2232 wrote to memory of 1424 2232 Leabng32.exe 103
PID 2232 wrote to memory of 1424 2232 Leabng32.exe 103
PID 2232 wrote to memory of 1424 2232 Leabng32.exe 103
PID 1424 wrote to memory of 4920 1424 Ldbbln32.exe 105
PID 1424 wrote to memory of 4920 1424 Ldbbln32.exe 105
PID 1424 wrote to memory of 4920 1424 Ldbbln32.exe 105
PID 4920 wrote to memory of 3560 4920 Liojde32.exe 106
PID 4920 wrote to memory of 3560 4920 Liojde32.exe 106
PID 4920 wrote to memory of 3560 4920 Liojde32.exe 106
PID 3560 wrote to memory of 1948 3560 Lmkfddnb.exe 107
PID 3560 wrote to memory of 1948 3560 Lmkfddnb.exe 107
PID 3560 wrote to memory of 1948 3560 Lmkfddnb.exe 107
PID 1948 wrote to memory of 4184 1948 Lbhomkmi.exe 108
PID 1948 wrote to memory of 4184 1948 Lbhomkmi.exe 108
PID 1948 wrote to memory of 4184 1948 Lbhomkmi.exe 108
PID 4184 wrote to memory of 4208 4184 Libgje32.exe 109
PID 4184 wrote to memory of 4208 4184 Libgje32.exe 109
PID 4184 wrote to memory of 4208 4184 Libgje32.exe 109
PID 4208 wrote to memory of 4288 4208 Ldgkgndl.exe 110
PID 4208 wrote to memory of 4288 4208 Ldgkgndl.exe 110
PID 4208 wrote to memory of 4288 4208 Ldgkgndl.exe 110
PID 4288 wrote to memory of 1376 4288 Liddodbc.exe 111
PID 4288 wrote to memory of 1376 4288 Liddodbc.exe 111
PID 4288 wrote to memory of 1376 4288 Liddodbc.exe 111
PID 1376 wrote to memory of 4496 1376 Mpnllo32.exe 112
PID 1376 wrote to memory of 4496 1376 Mpnllo32.exe 112
PID 1376 wrote to memory of 4496 1376 Mpnllo32.exe 112
PID 4496 wrote to memory of 4436 4496 Mghdiiam.exe 113
PID 4496 wrote to memory of 4436 4496 Mghdiiam.exe 113
PID 4496 wrote to memory of 4436 4496 Mghdiiam.exe 113
PID 4436 wrote to memory of 4340 4436 Mmbmec32.exe 114
PID 4436 wrote to memory of 4340 4436 Mmbmec32.exe 114
PID 4436 wrote to memory of 4340 4436 Mmbmec32.exe 114
PID 4340 wrote to memory of 4600 4340 Mpqian32.exe 115
Processes
Each entry gives the process's depth in the process tree, its image path, its command line and its PID; behaviours the sandbox flagged for that process are listed beneath it.
1 C:\Users\Admin\AppData\Local\Temp\ac6ba8c136b9e1cdca9fb6e0649dc530N.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\ac6ba8c136b9e1cdca9fb6e0649dc530N.exe"  PID:3188
  - Suspicious use of WriteProcessMemory
2 C:\Windows\SysWOW64\Kickhg32.exe  cmd: C:\Windows\system32\Kickhg32.exe  PID:1764
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
3 C:\Windows\SysWOW64\Klbgdb32.exe  cmd: C:\Windows\system32\Klbgdb32.exe  PID:1144
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
4 C:\Windows\SysWOW64\Kifhnf32.exe  cmd: C:\Windows\system32\Kifhnf32.exe  PID:1776
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
5 C:\Windows\SysWOW64\Kpppkqep.exe  cmd: C:\Windows\system32\Kpppkqep.exe  PID:3048
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
6 C:\Windows\SysWOW64\Kemhcgdg.exe  cmd: C:\Windows\system32\Kemhcgdg.exe  PID:4540
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
7 C:\Windows\SysWOW64\Lpbmpp32.exe  cmd: C:\Windows\system32\Lpbmpp32.exe  PID:4800
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
8 C:\Windows\SysWOW64\Lbqill32.exe  cmd: C:\Windows\system32\Lbqill32.exe  PID:2360
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
9 C:\Windows\SysWOW64\Lmfmid32.exe  cmd: C:\Windows\system32\Lmfmid32.exe  PID:4836
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
10 C:\Windows\SysWOW64\Ldpefojd.exe  cmd: C:\Windows\system32\Ldpefojd.exe  PID:1556
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
11 C:\Windows\SysWOW64\Leabng32.exe  cmd: C:\Windows\system32\Leabng32.exe  PID:2232
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
12 C:\Windows\SysWOW64\Ldbbln32.exe  cmd: C:\Windows\system32\Ldbbln32.exe  PID:1424
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
13 C:\Windows\SysWOW64\Liojde32.exe  cmd: C:\Windows\system32\Liojde32.exe  PID:4920
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
14 C:\Windows\SysWOW64\Lmkfddnb.exe  cmd: C:\Windows\system32\Lmkfddnb.exe  PID:3560
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
15 C:\Windows\SysWOW64\Lbhomkmi.exe  cmd: C:\Windows\system32\Lbhomkmi.exe  PID:1948
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
16 C:\Windows\SysWOW64\Libgje32.exe  cmd: C:\Windows\system32\Libgje32.exe  PID:4184
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
17 C:\Windows\SysWOW64\Ldgkgndl.exe  cmd: C:\Windows\system32\Ldgkgndl.exe  PID:4208
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
18 C:\Windows\SysWOW64\Liddodbc.exe  cmd: C:\Windows\system32\Liddodbc.exe  PID:4288
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
19 C:\Windows\SysWOW64\Mpnllo32.exe  cmd: C:\Windows\system32\Mpnllo32.exe  PID:1376
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
20 C:\Windows\SysWOW64\Mghdiiam.exe  cmd: C:\Windows\system32\Mghdiiam.exe  PID:4496
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
21 C:\Windows\SysWOW64\Mmbmec32.exe  cmd: C:\Windows\system32\Mmbmec32.exe  PID:4436
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
22 C:\Windows\SysWOW64\Mpqian32.exe  cmd: C:\Windows\system32\Mpqian32.exe  PID:4340
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
23 C:\Windows\SysWOW64\Mdlebm32.exe  cmd: C:\Windows\system32\Mdlebm32.exe  PID:4600
  - Executes dropped EXE
24 C:\Windows\SysWOW64\Mlgjfo32.exe  cmd: C:\Windows\system32\Mlgjfo32.exe  PID:220
  - Executes dropped EXE
25 C:\Windows\SysWOW64\Mcabcido.exe  cmd: C:\Windows\system32\Mcabcido.exe  PID:2376
  - Executes dropped EXE
26 C:\Windows\SysWOW64\Mikjpc32.exe  cmd: C:\Windows\system32\Mikjpc32.exe  PID:2304
  - Executes dropped EXE
27 C:\Windows\SysWOW64\Mliflo32.exe  cmd: C:\Windows\system32\Mliflo32.exe  PID:4584
  - Executes dropped EXE
28 C:\Windows\SysWOW64\Mccoiibl.exe  cmd: C:\Windows\system32\Mccoiibl.exe  PID:4876
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
29 C:\Windows\SysWOW64\Mebked32.exe  cmd: C:\Windows\system32\Mebked32.exe  PID:1660
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
30 C:\Windows\SysWOW64\Mdckbljo.exe  cmd: C:\Windows\system32\Mdckbljo.exe  PID:1560
  - Executes dropped EXE
  - Drops file in System32 directory
31 C:\Windows\SysWOW64\Nnkpla32.exe  cmd: C:\Windows\system32\Nnkpla32.exe  PID:2296
  - Executes dropped EXE
32 C:\Windows\SysWOW64\Npjlhm32.exe  cmd: C:\Windows\system32\Npjlhm32.exe  PID:3100
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
33 C:\Windows\SysWOW64\Nchhdh32.exe  cmd: C:\Windows\system32\Nchhdh32.exe  PID:4900
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
34 C:\Windows\SysWOW64\Nefdpdmj.exe  cmd: C:\Windows\system32\Nefdpdmj.exe  PID:2804
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
35 C:\Windows\SysWOW64\Nlqlmn32.exe  cmd: C:\Windows\system32\Nlqlmn32.exe  PID:2836
  - Executes dropped EXE
36 C:\Windows\SysWOW64\Ndhdnk32.exe  cmd: C:\Windows\system32\Ndhdnk32.exe  PID:3892
  - Executes dropped EXE
37 C:\Windows\SysWOW64\Nnpifalj.exe  cmd: C:\Windows\system32\Nnpifalj.exe  PID:2536
  - Executes dropped EXE
38 C:\Windows\SysWOW64\Ndjack32.exe  cmd: C:\Windows\system32\Ndjack32.exe  PID:2348
  - Executes dropped EXE
39 C:\Windows\SysWOW64\Neknkcie.exe  cmd: C:\Windows\system32\Neknkcie.exe  PID:2564
  - Executes dropped EXE
40 C:\Windows\SysWOW64\Nlefhmaa.exe  cmd: C:\Windows\system32\Nlefhmaa.exe  PID:4568
  - Executes dropped EXE
41 C:\Windows\SysWOW64\Ndlnikad.exe  cmd: C:\Windows\system32\Ndlnikad.exe  PID:3688
  - Executes dropped EXE
42 C:\Windows\SysWOW64\Nfnjqc32.exe  cmd: C:\Windows\system32\Nfnjqc32.exe  PID:5036
  - Executes dropped EXE
  - Drops file in System32 directory
43 C:\Windows\SysWOW64\Nlgbmmoo.exe  cmd: C:\Windows\system32\Nlgbmmoo.exe  PID:3192
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
44 C:\Windows\SysWOW64\Ncakjg32.exe  cmd: C:\Windows\system32\Ncakjg32.exe  PID:3648
  - Executes dropped EXE
45 C:\Windows\SysWOW64\Nfpgfb32.exe  cmd: C:\Windows\system32\Nfpgfb32.exe  PID:4984
  - Executes dropped EXE
46 C:\Windows\SysWOW64\Oljocm32.exe  cmd: C:\Windows\system32\Oljocm32.exe  PID:1944
  - Executes dropped EXE
47 C:\Windows\SysWOW64\Ofbdlbcm.exe  cmd: C:\Windows\system32\Ofbdlbcm.exe  PID:4756
  - Executes dropped EXE
48 C:\Windows\SysWOW64\Olllhl32.exe  cmd: C:\Windows\system32\Olllhl32.exe  PID:3016
  - Executes dropped EXE
49 C:\Windows\SysWOW64\Ogbpfe32.exe  cmd: C:\Windows\system32\Ogbpfe32.exe  PID:4492
  - Executes dropped EXE
50 C:\Windows\SysWOW64\Ojplbq32.exe  cmd: C:\Windows\system32\Ojplbq32.exe  PID:1652
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
51 C:\Windows\SysWOW64\Oqjeok32.exe  cmd: C:\Windows\system32\Oqjeok32.exe  PID:3208
  - Executes dropped EXE
52 C:\Windows\SysWOW64\Ogdmkdhm.exe  cmd: C:\Windows\system32\Ogdmkdhm.exe  PID:2004
  - Executes dropped EXE
  - Modifies registry class
53 C:\Windows\SysWOW64\Onneho32.exe  cmd: C:\Windows\system32\Onneho32.exe  PID:2928
  - Executes dropped EXE
54 C:\Windows\SysWOW64\Odhmdigf.exe  cmd: C:\Windows\system32\Odhmdigf.exe  PID:4928
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
55 C:\Windows\SysWOW64\Ofijla32.exe  cmd: C:\Windows\system32\Ofijla32.exe  PID:1432
  - Executes dropped EXE
56 C:\Windows\SysWOW64\Ojefmpen.exe  cmd: C:\Windows\system32\Ojefmpen.exe  PID:1204
  - Executes dropped EXE
57 C:\Windows\SysWOW64\Omcbikda.exe  cmd: C:\Windows\system32\Omcbikda.exe  PID:2764
  - Executes dropped EXE
58 C:\Windows\SysWOW64\Ogiffd32.exe  cmd: C:\Windows\system32\Ogiffd32.exe  PID:3780
  - Executes dropped EXE
59 C:\Windows\SysWOW64\Pjgbbp32.exe  cmd: C:\Windows\system32\Pjgbbp32.exe  PID:4980
  - Executes dropped EXE
60 C:\Windows\SysWOW64\Pmeook32.exe  cmd: C:\Windows\system32\Pmeook32.exe  PID:5024
  - Executes dropped EXE
61 C:\Windows\SysWOW64\Pcpgkejl.exe  cmd: C:\Windows\system32\Pcpgkejl.exe  PID:4860
  - Executes dropped EXE
62 C:\Windows\SysWOW64\Pnekinjb.exe  cmd: C:\Windows\system32\Pnekinjb.exe  PID:3024
  - Executes dropped EXE
63 C:\Windows\SysWOW64\Pgnpacpb.exe  cmd: C:\Windows\system32\Pgnpacpb.exe  PID:5128
  - Executes dropped EXE
64 C:\Windows\SysWOW64\Pnghnm32.exe  cmd: C:\Windows\system32\Pnghnm32.exe  PID:5168
  - Executes dropped EXE
65 C:\Windows\SysWOW64\Pqfdji32.exe  cmd: C:\Windows\system32\Pqfdji32.exe  PID:5208
  - Executes dropped EXE
66 C:\Windows\SysWOW64\Pfbmbp32.exe  cmd: C:\Windows\system32\Pfbmbp32.exe  PID:5248
67 C:\Windows\SysWOW64\Pmmeojmg.exe  cmd: C:\Windows\system32\Pmmeojmg.exe  PID:5292
68 C:\Windows\SysWOW64\Pcgmld32.exe  cmd: C:\Windows\system32\Pcgmld32.exe  PID:5336
  - Modifies registry class
69 C:\Windows\SysWOW64\Pjqein32.exe  cmd: C:\Windows\system32\Pjqein32.exe  PID:5376
70 C:\Windows\SysWOW64\Pmoaei32.exe  cmd: C:\Windows\system32\Pmoaei32.exe  PID:5416
  - Adds autorun key to be loaded by Explorer.exe on startup
71 C:\Windows\SysWOW64\Pdfjfg32.exe  cmd: C:\Windows\system32\Pdfjfg32.exe  PID:5456
72 C:\Windows\SysWOW64\Qfgfnoae.exe  cmd: C:\Windows\system32\Qfgfnoae.exe  PID:5496
73 C:\Windows\SysWOW64\Qqmjkhqk.exe  cmd: C:\Windows\system32\Qqmjkhqk.exe  PID:5536
  - System Location Discovery: System Language Discovery
  - Modifies registry class
74 C:\Windows\SysWOW64\Qckfgcpo.exe  cmd: C:\Windows\system32\Qckfgcpo.exe  PID:5576
75 C:\Windows\SysWOW64\Qnakdl32.exe  cmd: C:\Windows\system32\Qnakdl32.exe  PID:5616
76 C:\Windows\SysWOW64\Acncmc32.exe  cmd: C:\Windows\system32\Acncmc32.exe  PID:5656
77 C:\Windows\SysWOW64\Ajhlimei.exe  cmd: C:\Windows\system32\Ajhlimei.exe  PID:5696
78 C:\Windows\SysWOW64\Ancgjl32.exe  cmd: C:\Windows\system32\Ancgjl32.exe  PID:5736
  - Adds autorun key to be loaded by Explorer.exe on startup
79 C:\Windows\SysWOW64\Aqadfg32.exe  cmd: C:\Windows\system32\Aqadfg32.exe  PID:5772
  - Adds autorun key to be loaded by Explorer.exe on startup
80 C:\Windows\SysWOW64\Aempffeo.exe  cmd: C:\Windows\system32\Aempffeo.exe  PID:5816
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
81 C:\Windows\SysWOW64\Ajjhom32.exe  cmd: C:\Windows\system32\Ajjhom32.exe  PID:5852
82 C:\Windows\SysWOW64\Amhdkh32.exe  cmd: C:\Windows\system32\Amhdkh32.exe  PID:5892
83 C:\Windows\SysWOW64\Afqidnij.exe  cmd: C:\Windows\system32\Afqidnij.exe  PID:5948
84 C:\Windows\SysWOW64\Aqfmafip.exe  cmd: C:\Windows\system32\Aqfmafip.exe  PID:6000
85 C:\Windows\SysWOW64\Anjnkk32.exe  cmd: C:\Windows\system32\Anjnkk32.exe  PID:6044
  - Modifies registry class
86 C:\Windows\SysWOW64\Aedfgeof.exe  cmd: C:\Windows\system32\Aedfgeof.exe  PID:6108
87 C:\Windows\SysWOW64\Agbbcpnj.exe  cmd: C:\Windows\system32\Agbbcpnj.exe  PID:5164
88 C:\Windows\SysWOW64\Ajanplmn.exe  cmd: C:\Windows\system32\Ajanplmn.exe  PID:5236
89 C:\Windows\SysWOW64\Bcicha32.exe  cmd: C:\Windows\system32\Bcicha32.exe  PID:5332
90 C:\Windows\SysWOW64\Bfhodm32.exe  cmd: C:\Windows\system32\Bfhodm32.exe  PID:5392
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
91 C:\Windows\SysWOW64\Bnogfj32.exe  cmd: C:\Windows\system32\Bnogfj32.exe  PID:5464
92 C:\Windows\SysWOW64\Bmagag32.exe  cmd: C:\Windows\system32\Bmagag32.exe  PID:5528
  - Modifies registry class
93 C:\Windows\SysWOW64\Beiobd32.exe  cmd: C:\Windows\system32\Beiobd32.exe  PID:5608
94 C:\Windows\SysWOW64\Bjfhkk32.exe  cmd: C:\Windows\system32\Bjfhkk32.exe  PID:5684
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
95 C:\Windows\SysWOW64\Bnadkjab.exe  cmd: C:\Windows\system32\Bnadkjab.exe  PID:5764
  - Adds autorun key to be loaded by Explorer.exe on startup
96 C:\Windows\SysWOW64\Bmddgf32.exe  cmd: C:\Windows\system32\Bmddgf32.exe  PID:5832
  - Adds autorun key to be loaded by Explorer.exe on startup
97 C:\Windows\SysWOW64\Bcnlcqpi.exe  cmd: C:\Windows\system32\Bcnlcqpi.exe  PID:5848
98 C:\Windows\SysWOW64\Bgjhdo32.exe  cmd: C:\Windows\system32\Bgjhdo32.exe  PID:5996
99 C:\Windows\SysWOW64\Bjhdpk32.exe  cmd: C:\Windows\system32\Bjhdpk32.exe  PID:6060
100 C:\Windows\SysWOW64\Bmfqlf32.exe  cmd: C:\Windows\system32\Bmfqlf32.exe  PID:6072
  - Drops file in System32 directory
101 C:\Windows\SysWOW64\Benincgl.exe  cmd: C:\Windows\system32\Benincgl.exe  PID:5232
  - System Location Discovery: System Language Discovery
102 C:\Windows\SysWOW64\Bcqiip32.exe  cmd: C:\Windows\system32\Bcqiip32.exe  PID:5372
  - Modifies registry class
103 C:\Windows\SysWOW64\Bfoeel32.exe  cmd: C:\Windows\system32\Bfoeel32.exe  PID:5488
104 C:\Windows\SysWOW64\Bjjafjec.exe  cmd: C:\Windows\system32\Bjjafjec.exe  PID:5588
105 C:\Windows\SysWOW64\Bnfmfi32.exe  cmd: C:\Windows\system32\Bnfmfi32.exe  PID:5720
106 C:\Windows\SysWOW64\Bepeccei.exe  cmd: C:\Windows\system32\Bepeccei.exe  PID:5784
  - Modifies registry class
107 C:\Windows\SysWOW64\Bhnaoodm.exe  cmd: C:\Windows\system32\Bhnaoodm.exe  PID:5932
108 C:\Windows\SysWOW64\Bmkjgebd.exe  cmd: C:\Windows\system32\Bmkjgebd.exe  PID:6028
109 C:\Windows\SysWOW64\Bagfhd32.exe  cmd: C:\Windows\system32\Bagfhd32.exe  PID:5160
110 C:\Windows\SysWOW64\Ccebdpia.exe  cmd: C:\Windows\system32\Ccebdpia.exe  PID:5324
111 C:\Windows\SysWOW64\Cfcopkie.exe  cmd: C:\Windows\system32\Cfcopkie.exe  PID:5520
112 C:\Windows\SysWOW64\Cnkfahig.exe  cmd: C:\Windows\system32\Cnkfahig.exe  PID:5680
  - Adds autorun key to be loaded by Explorer.exe on startup
113 C:\Windows\SysWOW64\Caicndhk.exe  cmd: C:\Windows\system32\Caicndhk.exe  PID:5868
  - System Location Discovery: System Language Discovery
  - Modifies registry class
114 C:\Windows\SysWOW64\Cedonb32.exe  cmd: C:\Windows\system32\Cedonb32.exe  PID:6120
115 C:\Windows\SysWOW64\Cffkfkfb.exe  cmd: C:\Windows\system32\Cffkfkfb.exe  PID:5276
116 C:\Windows\SysWOW64\Cnmcghgd.exe  cmd: C:\Windows\system32\Cnmcghgd.exe  PID:1372
117 C:\Windows\SysWOW64\Cmpcbe32.exe  cmd: C:\Windows\system32\Cmpcbe32.exe  PID:5908
118 C:\Windows\SysWOW64\Ceglcb32.exe  cmd: C:\Windows\system32\Ceglcb32.exe  PID:5560
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
119 C:\Windows\SysWOW64\Cdjlooel.exe  cmd: C:\Windows\system32\Cdjlooel.exe  PID:5272
120 C:\Windows\SysWOW64\Cfhhkj32.exe  cmd: C:\Windows\system32\Cfhhkj32.exe  PID:5840
  - Adds autorun key to be loaded by Explorer.exe on startup
121 C:\Windows\SysWOW64\Cnopmh32.exe  cmd: C:\Windows\system32\Cnopmh32.exe  PID:6196
122 C:\Windows\SysWOW64\Canlic32.exe  cmd: C:\Windows\system32\Canlic32.exe  PID:6252