Analysis
max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 17:57
Static task: static1
Behavioral task: behavioral1
Sample: 78cd71a2b0c344e778c31129c6f688e0N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 78cd71a2b0c344e778c31129c6f688e0N.exe
Resource: win10v2004-20240802-en
General
Target: 78cd71a2b0c344e778c31129c6f688e0N.exe
Size: 96KB
MD5: 78cd71a2b0c344e778c31129c6f688e0
SHA1: dbb4eb75625d2bdcdec18ed578f1b21e23a22cbc
SHA256: 1fc5f4ebf256a56f7a5bb51efa8665c45b1b95c3d6f90b977fdb9c2981aa630a
SHA512: 9c2698d21bd7c736372c9b909e31fa5d7947904dea46a1a0056976ceb5dd82749f375f762d4c470e11b688c15ba1a9747f8ff9b0188b8263b3a3c45063abc1a2
SSDEEP: 1536:4/kqospVGu2NiGtZ0wROiconF217XHeCCzItotyr/BOmwCMy0QiLiizHNQNdq:4/1TGu2NZMoM1H7QIGtyr5OmwCMyELiY
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 4964, pid_target 8948, Process WerFault.exe, procid_target 372
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the process's depth in the spawn chain and its PID, the image path and command line as recorded by the sandbox, and the behaviours attributed to that process.

Depth 1, PID 2936: C:\Users\Admin\AppData\Local\Temp\78cd71a2b0c344e778c31129c6f688e0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\78cd71a2b0c344e778c31129c6f688e0N.exe")
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 2, PID 3172: C:\Windows\SysWOW64\Nllkej32.exe (command line: C:\Windows\system32\Nllkej32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 3, PID 5068: C:\Windows\SysWOW64\Nfbocc32.exe (command line: C:\Windows\system32\Nfbocc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 4, PID 1564: C:\Windows\SysWOW64\Nlohkj32.exe (command line: C:\Windows\system32\Nlohkj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 5, PID 1068: C:\Windows\SysWOW64\Nbiphddc.exe (command line: C:\Windows\system32\Nbiphddc.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 6, PID 3488: C:\Windows\SysWOW64\Negldocg.exe (command line: C:\Windows\system32\Negldocg.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 7, PID 4564: C:\Windows\SysWOW64\Nmndem32.exe (command line: C:\Windows\system32\Nmndem32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 8, PID 2704: C:\Windows\SysWOW64\Nnpamejg.exe (command line: C:\Windows\system32\Nnpamejg.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 9, PID 1220: C:\Windows\SysWOW64\Neiijo32.exe (command line: C:\Windows\system32\Neiijo32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 10, PID 2684: C:\Windows\SysWOW64\Nlcafiha.exe (command line: C:\Windows\system32\Nlcafiha.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 11, PID 4284: C:\Windows\SysWOW64\Oelfoo32.exe (command line: C:\Windows\system32\Oelfoo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 12, PID 4160: C:\Windows\SysWOW64\Omcnplpd.exe (command line: C:\Windows\system32\Omcnplpd.exe)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 13, PID 5092: C:\Windows\SysWOW64\Opajlgog.exe (command line: C:\Windows\system32\Opajlgog.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 14, PID 3052: C:\Windows\SysWOW64\Obpfhcnk.exe (command line: C:\Windows\system32\Obpfhcnk.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 15, PID 1716: C:\Windows\SysWOW64\Ofkbia32.exe (command line: C:\Windows\system32\Ofkbia32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 16, PID 2724: C:\Windows\SysWOW64\Oijnem32.exe (command line: C:\Windows\system32\Oijnem32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 17, PID 2240: C:\Windows\SysWOW64\Omejflna.exe (command line: C:\Windows\system32\Omejflna.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 18, PID 4300: C:\Windows\SysWOW64\Opcgbgme.exe (command line: C:\Windows\system32\Opcgbgme.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 19, PID 2728: C:\Windows\SysWOW64\Onfgnd32.exe (command line: C:\Windows\system32\Onfgnd32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 20, PID 3400: C:\Windows\SysWOW64\Obbcnbli.exe (command line: C:\Windows\system32\Obbcnbli.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 21, PID 2572: C:\Windows\SysWOW64\Ofnooa32.exe (command line: C:\Windows\system32\Ofnooa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 22, PID 4312: C:\Windows\SysWOW64\Oilkkm32.exe (command line: C:\Windows\system32\Oilkkm32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 23, PID 2348: C:\Windows\SysWOW64\Omggkklo.exe (command line: C:\Windows\system32\Omggkklo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 24, PID 1008: C:\Windows\SysWOW64\Opfcgg32.exe (command line: C:\Windows\system32\Opfcgg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 25, PID 4612: C:\Windows\SysWOW64\Onicccam.exe (command line: C:\Windows\system32\Onicccam.exe)
- Executes dropped EXE

Depth 26, PID 4460: C:\Windows\SysWOW64\Obdpcb32.exe (command line: C:\Windows\system32\Obdpcb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

Depth 27, PID 4616: C:\Windows\SysWOW64\Oeclpn32.exe (command line: C:\Windows\system32\Oeclpn32.exe)
- Executes dropped EXE

Depth 28, PID 1416: C:\Windows\SysWOW64\Oinhplac.exe (command line: C:\Windows\system32\Oinhplac.exe)
- Executes dropped EXE
- Drops file in System32 directory

Depth 29, PID 1072: C:\Windows\SysWOW64\Ophpmf32.exe (command line: C:\Windows\system32\Ophpmf32.exe)
- Executes dropped EXE

Depth 30, PID 1016: C:\Windows\SysWOW64\Obglib32.exe (command line: C:\Windows\system32\Obglib32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 31, PID 3088: C:\Windows\SysWOW64\Oeehem32.exe (command line: C:\Windows\system32\Oeehem32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 32, PID 4376: C:\Windows\SysWOW64\Oiqdflop.exe (command line: C:\Windows\system32\Oiqdflop.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

Depth 33, PID 3236: C:\Windows\SysWOW64\Oloabgnd.exe (command line: C:\Windows\system32\Oloabgnd.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 34, PID 800: C:\Windows\SysWOW64\Ponmnc32.exe (command line: C:\Windows\system32\Ponmnc32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 35, PID 2252: C:\Windows\SysWOW64\Pfdeop32.exe (command line: C:\Windows\system32\Pfdeop32.exe)
- Executes dropped EXE

Depth 36, PID 4628: C:\Windows\SysWOW64\Pegekmed.exe (command line: C:\Windows\system32\Pegekmed.exe)
- Executes dropped EXE

Depth 37, PID 4052: C:\Windows\SysWOW64\Picakl32.exe (command line: C:\Windows\system32\Picakl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

Depth 38, PID 3040: C:\Windows\SysWOW64\Plangg32.exe (command line: C:\Windows\system32\Plangg32.exe)
- Executes dropped EXE

Depth 39, PID 4600: C:\Windows\SysWOW64\Popjdb32.exe (command line: C:\Windows\system32\Popjdb32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 40, PID 4448: C:\Windows\SysWOW64\Pbkfdacn.exe (command line: C:\Windows\system32\Pbkfdacn.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

Depth 41, PID 2692: C:\Windows\SysWOW64\Pfgaep32.exe (command line: C:\Windows\system32\Pfgaep32.exe)
- Executes dropped EXE

Depth 42, PID 1528: C:\Windows\SysWOW64\Pejbqmca.exe (command line: C:\Windows\system32\Pejbqmca.exe)
- Executes dropped EXE
- Modifies registry class

Depth 43, PID 3744: C:\Windows\SysWOW64\Pmajajcd.exe (command line: C:\Windows\system32\Pmajajcd.exe)
- Executes dropped EXE

Depth 44, PID 3480: C:\Windows\SysWOW64\Pldjmg32.exe (command line: C:\Windows\system32\Pldjmg32.exe)
- Executes dropped EXE
- Drops file in System32 directory

Depth 45, PID 3748: C:\Windows\SysWOW64\Pobfib32.exe (command line: C:\Windows\system32\Pobfib32.exe)
- Executes dropped EXE

Depth 46, PID 3924: C:\Windows\SysWOW64\Pbnbja32.exe (command line: C:\Windows\system32\Pbnbja32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 47, PID 540: C:\Windows\SysWOW64\Pelofl32.exe (command line: C:\Windows\system32\Pelofl32.exe)
- Executes dropped EXE

Depth 48, PID 4796: C:\Windows\SysWOW64\Pihkfkih.exe (command line: C:\Windows\system32\Pihkfkih.exe)
- Executes dropped EXE

Depth 49, PID 5132: C:\Windows\SysWOW64\Pmcggj32.exe (command line: C:\Windows\system32\Pmcggj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 50, PID 5164: C:\Windows\SysWOW64\Ppacce32.exe (command line: C:\Windows\system32\Ppacce32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 51, PID 5204: C:\Windows\SysWOW64\Podcobgp.exe (command line: C:\Windows\system32\Podcobgp.exe)
- Executes dropped EXE
- Drops file in System32 directory

Depth 52, PID 5244: C:\Windows\SysWOW64\Pbpooq32.exe (command line: C:\Windows\system32\Pbpooq32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 53, PID 5292: C:\Windows\SysWOW64\Pflkpoha.exe (command line: C:\Windows\system32\Pflkpoha.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 54, PID 5332: C:\Windows\SysWOW64\Pijglkge.exe (command line: C:\Windows\system32\Pijglkge.exe)
- Executes dropped EXE

Depth 55, PID 5372: C:\Windows\SysWOW64\Plhchffi.exe (command line: C:\Windows\system32\Plhchffi.exe)
- Executes dropped EXE

Depth 56, PID 5412: C:\Windows\SysWOW64\Ppdpie32.exe (command line: C:\Windows\system32\Ppdpie32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 57, PID 5452: C:\Windows\SysWOW64\Pogpdaem.exe (command line: C:\Windows\system32\Pogpdaem.exe)
- Executes dropped EXE

Depth 58, PID 5492: C:\Windows\SysWOW64\Pfnheo32.exe (command line: C:\Windows\system32\Pfnheo32.exe)
- Executes dropped EXE

Depth 59, PID 5532: C:\Windows\SysWOW64\Peahalmj.exe (command line: C:\Windows\system32\Peahalmj.exe)
- Executes dropped EXE

Depth 60, PID 5572: C:\Windows\SysWOW64\Pildaj32.exe (command line: C:\Windows\system32\Pildaj32.exe)
- Executes dropped EXE
- Drops file in System32 directory

Depth 61, PID 5612: C:\Windows\SysWOW64\Pmhpbiml.exe (command line: C:\Windows\system32\Pmhpbiml.exe)
- Executes dropped EXE

Depth 62, PID 5652: C:\Windows\SysWOW64\Qpflndlp.exe (command line: C:\Windows\system32\Qpflndlp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 63, PID 5692: C:\Windows\SysWOW64\Qoimja32.exe (command line: C:\Windows\system32\Qoimja32.exe)
- Executes dropped EXE
- Modifies registry class

Depth 64, PID 5732: C:\Windows\SysWOW64\Qbehjplc.exe (command line: C:\Windows\system32\Qbehjplc.exe)
- Executes dropped EXE

Depth 65, PID 5772: C:\Windows\SysWOW64\Qecegkkg.exe (command line: C:\Windows\system32\Qecegkkg.exe)
- Executes dropped EXE

Depth 66, PID 5808: C:\Windows\SysWOW64\Qioagj32.exe (command line: C:\Windows\system32\Qioagj32.exe)
- Drops file in System32 directory
- Modifies registry class

Depth 67, PID 5852: C:\Windows\SysWOW64\Qlmmce32.exe (command line: C:\Windows\system32\Qlmmce32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

Depth 68, PID 5888: C:\Windows\SysWOW64\Qpiiddjm.exe (command line: C:\Windows\system32\Qpiiddjm.exe)

Depth 69, PID 5924: C:\Windows\SysWOW64\Qbgeppiq.exe (command line: C:\Windows\system32\Qbgeppiq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 70, PID 5972: C:\Windows\SysWOW64\Qfbaqnbj.exe (command line: C:\Windows\system32\Qfbaqnbj.exe)

Depth 71, PID 6004: C:\Windows\SysWOW64\Qianmjam.exe (command line: C:\Windows\system32\Qianmjam.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 72, PID 6044: C:\Windows\SysWOW64\Qmmimh32.exe (command line: C:\Windows\system32\Qmmimh32.exe)
- Modifies registry class

Depth 73, PID 6092: C:\Windows\SysWOW64\Alpjiepa.exe (command line: C:\Windows\system32\Alpjiepa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 74, PID 6124: C:\Windows\SysWOW64\Apkfid32.exe (command line: C:\Windows\system32\Apkfid32.exe)

Depth 75, PID 4784: C:\Windows\SysWOW64\Aonfeqoe.exe (command line: C:\Windows\system32\Aonfeqoe.exe)
- System Location Discovery: System Language Discovery

Depth 76, PID 4148: C:\Windows\SysWOW64\Abibeo32.exe (command line: C:\Windows\system32\Abibeo32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 77, PID 1108: C:\Windows\SysWOW64\Aehnak32.exe (command line: C:\Windows\system32\Aehnak32.exe)

Depth 78, PID 2848: C:\Windows\SysWOW64\Aicjbiok.exe (command line: C:\Windows\system32\Aicjbiok.exe)

Depth 79, PID 4408: C:\Windows\SysWOW64\Amofch32.exe (command line: C:\Windows\system32\Amofch32.exe)
- Modifies registry class

Depth 80, PID 3584: C:\Windows\SysWOW64\Apmboc32.exe (command line: C:\Windows\system32\Apmboc32.exe)
- Modifies registry class

Depth 81, PID 5096: C:\Windows\SysWOW64\Aopbkpmb.exe (command line: C:\Windows\system32\Aopbkpmb.exe)

Depth 82, PID 5140: C:\Windows\SysWOW64\Aggklnnd.exe (command line: C:\Windows\system32\Aggklnnd.exe)

Depth 83, PID 5212: C:\Windows\SysWOW64\Aejkgj32.exe (command line: C:\Windows\system32\Aejkgj32.exe)

Depth 84, PID 5268: C:\Windows\SysWOW64\Amachhea.exe (command line: C:\Windows\system32\Amachhea.exe)
- Modifies registry class

Depth 85, PID 5360: C:\Windows\SysWOW64\Appodcde.exe (command line: C:\Windows\system32\Appodcde.exe)
- Modifies registry class

Depth 86, PID 5388: C:\Windows\SysWOW64\Aobopp32.exe (command line: C:\Windows\system32\Aobopp32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 87, PID 5480: C:\Windows\SysWOW64\Agjgam32.exe (command line: C:\Windows\system32\Agjgam32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

Depth 88, PID 5540: C:\Windows\SysWOW64\Aemhmjbl.exe (command line: C:\Windows\system32\Aemhmjbl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

Depth 89, PID 5600: C:\Windows\SysWOW64\Aihcmi32.exe (command line: C:\Windows\system32\Aihcmi32.exe)
- Modifies registry class

Depth 90, PID 5632: C:\Windows\SysWOW64\Amcpngco.exe (command line: C:\Windows\system32\Amcpngco.exe)
- Modifies registry class

Depth 91, PID 5740: C:\Windows\SysWOW64\Alfpjd32.exe (command line: C:\Windows\system32\Alfpjd32.exe)
- System Location Discovery: System Language Discovery

Depth 92, PID 5800: C:\Windows\SysWOW64\Aoelfp32.exe (command line: C:\Windows\system32\Aoelfp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 93, PID 2428: C:\Windows\SysWOW64\Agldgm32.exe (command line: C:\Windows\system32\Agldgm32.exe)
- Modifies registry class

Depth 94, PID 5916: C:\Windows\SysWOW64\Aeodbjqj.exe (command line: C:\Windows\system32\Aeodbjqj.exe)

Depth 95, PID 5952: C:\Windows\SysWOW64\Aijpch32.exe (command line: C:\Windows\system32\Aijpch32.exe)

Depth 96, PID 6012: C:\Windows\SysWOW64\Alimodhf.exe (command line: C:\Windows\system32\Alimodhf.exe)

Depth 97, PID 6100: C:\Windows\SysWOW64\Apdhpb32.exe (command line: C:\Windows\system32\Apdhpb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 98, PID 4224: C:\Windows\SysWOW64\Aogikogj.exe (command line: C:\Windows\system32\Aogikogj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

Depth 99, PID 4808: C:\Windows\SysWOW64\Agnalmhl.exe (command line: C:\Windows\system32\Agnalmhl.exe)

Depth 100, PID 4680: C:\Windows\SysWOW64\Aeaahi32.exe (command line: C:\Windows\system32\Aeaahi32.exe)
- System Location Discovery: System Language Discovery

Depth 101, PID 4544: C:\Windows\SysWOW64\Bpgeeb32.exe (command line: C:\Windows\system32\Bpgeeb32.exe)

Depth 102, PID 5232: C:\Windows\SysWOW64\Blnfjc32.exe (command line: C:\Windows\system32\Blnfjc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

Depth 103, PID 5308: C:\Windows\SysWOW64\Bolbfo32.exe (command line: C:\Windows\system32\Bolbfo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

Depth 104, PID 5524: C:\Windows\SysWOW64\Bgcjgl32.exe (command line: C:\Windows\system32\Bgcjgl32.exe)

Depth 105, PID 5512: C:\Windows\SysWOW64\Befjcija.exe (command line: C:\Windows\system32\Befjcija.exe)
- Drops file in System32 directory
- Modifies registry class

Depth 106, PID 5596: C:\Windows\SysWOW64\Blpbpc32.exe (command line: C:\Windows\system32\Blpbpc32.exe)
- System Location Discovery: System Language Discovery

Depth 107, PID 5700: C:\Windows\SysWOW64\Bpkopajg.exe (command line: C:\Windows\system32\Bpkopajg.exe)

Depth 108, PID 5936: C:\Windows\SysWOW64\Bcjklmik.exe (command line: C:\Windows\system32\Bcjklmik.exe)
- Drops file in System32 directory

Depth 109, PID 5876: C:\Windows\SysWOW64\Bgegml32.exe (command line: C:\Windows\system32\Bgegml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

Depth 110, PID 1328: C:\Windows\SysWOW64\Bidcig32.exe (command line: C:\Windows\system32\Bidcig32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

Depth 111, PID 6076: C:\Windows\SysWOW64\Blboeb32.exe (command line: C:\Windows\system32\Blboeb32.exe)

Depth 112, PID 2188: C:\Windows\SysWOW64\Bpnkfa32.exe (command line: C:\Windows\system32\Bpnkfa32.exe)

Depth 113, PID 4952: C:\Windows\SysWOW64\Bghcbkpa.exe (command line: C:\Windows\system32\Bghcbkpa.exe)

Depth 114, PID 2232: C:\Windows\SysWOW64\Bjfpogoe.exe (command line: C:\Windows\system32\Bjfpogoe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

Depth 115, PID 1892: C:\Windows\SysWOW64\Bochgnmm.exe (command line: C:\Windows\system32\Bochgnmm.exe)
- Modifies registry class

Depth 116, PID 5316: C:\Windows\SysWOW64\Cjhmdfmc.exe (command line: C:\Windows\system32\Cjhmdfmc.exe)

Depth 117, PID 5764: C:\Windows\SysWOW64\Clgiqblf.exe (command line: C:\Windows\system32\Clgiqblf.exe)
- Drops file in System32 directory

Depth 118, PID 2940: C:\Windows\SysWOW64\Cpbeaq32.exe (command line: C:\Windows\system32\Cpbeaq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

Depth 119, PID 5840: C:\Windows\SysWOW64\Cglmnk32.exe (command line: C:\Windows\system32\Cglmnk32.exe)

Depth 120, PID 1696: C:\Windows\SysWOW64\Cnfejeci.exe (command line: C:\Windows\system32\Cnfejeci.exe)
- Modifies registry class

Depth 121, PID 4764: C:\Windows\SysWOW64\Cliefa32.exe (command line: C:\Windows\system32\Cliefa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 122, PID 520: C:\Windows\SysWOW64\Cccnblaq.exe (command line: C:\Windows\system32\Cccnblaq.exe)
- Drops file in System32 directory