Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-09-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c5c4bcefb8f33d80197ca0238af6e2e0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c5c4bcefb8f33d80197ca0238af6e2e0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c5c4bcefb8f33d80197ca0238af6e2e0N.exe
-
Size
60KB
-
MD5
c5c4bcefb8f33d80197ca0238af6e2e0
-
SHA1
ca58f533a4a72938fc839ab063230d55ef56f4f9
-
SHA256
213c86b09bc6a37e64b4189e80d102a7b9b2c00108def7f983b1a90114b8ce5a
-
SHA512
ada376941f3ce561b237a460f1f9818d91ae0616e6a25748e30560aeb3782e7ac1e479a39b9051731d44dd806fccaa9e9fd63eb21ab8c12a2dec7498af997d02
-
SSDEEP
768:DoBRJqtWXtQP2Y3X7HN1oAygGvYkRg4Rus5drKfW8r/1H5VB+XdnhMl/Xdnhps:D6JVivLHNqLBlRgJsCfW85PB86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaggp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikoopij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjded32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpcal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caageq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Likhem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhhdnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggbcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbojlfdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocjiehd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebifmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmojd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofefp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doccpcja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofilp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbccge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofdhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidlqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ookoaokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcjop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpdennml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhkbdmbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kakmna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifojnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niojoeel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooibkpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momcpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hecjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbkml32.exe -
Executes dropped EXE 64 IoCs
pid Process 4016 Pnplfj32.exe 4712 Panhbfep.exe 632 Pdmdnadc.exe 4204 Qfkqjmdg.exe 1504 Qobhkjdi.exe 4148 Qmeigg32.exe 4344 Qdoacabq.exe 4540 Qfmmplad.exe 1884 Qodeajbg.exe 3972 Qacameaj.exe 4008 Qdaniq32.exe 4136 Afpjel32.exe 2448 Aogbfi32.exe 4940 Aaenbd32.exe 2312 Adcjop32.exe 468 Aoioli32.exe 1048 Aagkhd32.exe 5036 Ahaceo32.exe 804 Aokkahlo.exe 4484 Amnlme32.exe 3052 Adhdjpjf.exe 1968 Akblfj32.exe 1928 Aaldccip.exe 1556 Adkqoohc.exe 3932 Agimkk32.exe 1484 Aopemh32.exe 3600 Apaadpng.exe 4668 Bgkiaj32.exe 2396 Bobabg32.exe 4572 Baannc32.exe 3588 Bgnffj32.exe 3928 Bacjdbch.exe 4724 Bhmbqm32.exe 1772 Bklomh32.exe 3016 Bmjkic32.exe 1600 Bddcenpi.exe 2532 Bhpofl32.exe 3220 Bknlbhhe.exe 2716 Bnlhncgi.exe 948 Bpkdjofm.exe 2208 Bkphhgfc.exe 3452 Bajqda32.exe 1236 Cdimqm32.exe 3152 Chdialdl.exe 1796 Conanfli.exe 64 Cammjakm.exe 3780 Cdkifmjq.exe 3024 Cgifbhid.exe 976 Cncnob32.exe 5116 Cdmfllhn.exe 1472 Cglbhhga.exe 4960 Cocjiehd.exe 1800 Caageq32.exe 964 Cdpcal32.exe 828 Ckjknfnh.exe 4820 Cnhgjaml.exe 1580 Chnlgjlb.exe 3560 Cklhcfle.exe 4616 Cnjdpaki.exe 4904 Dhphmj32.exe 3008 Dgcihgaj.exe 1704 Ddgibkpc.exe 1340 Dgeenfog.exe 2060 Dqnjgl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Apaadpng.exe Aopemh32.exe File opened for modification C:\Windows\SysWOW64\Kiikpnmj.exe Kemooo32.exe File created C:\Windows\SysWOW64\Dapgni32.dll Adhdjpjf.exe File opened for modification C:\Windows\SysWOW64\Cglbhhga.exe Cdmfllhn.exe File opened for modification C:\Windows\SysWOW64\Ghojbq32.exe Geanfelc.exe File opened for modification C:\Windows\SysWOW64\Mofmobmo.exe Mlhqcgnk.exe File created C:\Windows\SysWOW64\Oqmhqapg.exe Oifppdpd.exe File created C:\Windows\SysWOW64\Chgnfq32.dll Lebijnak.exe File created C:\Windows\SysWOW64\Dddjmo32.dll Panhbfep.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Qfmmplad.exe File created C:\Windows\SysWOW64\Pipeabep.dll Caageq32.exe File created C:\Windows\SysWOW64\Mjaonjaj.dll Ebkbbmqj.exe File created C:\Windows\SysWOW64\Fofilp32.exe Feqeog32.exe File opened for modification C:\Windows\SysWOW64\Gnnccl32.exe Fkofga32.exe File created C:\Windows\SysWOW64\Ccbolagk.dll Geanfelc.exe File created C:\Windows\SysWOW64\Ojqcnhkl.exe Ocgkan32.exe File created C:\Windows\SysWOW64\Fmbdpnaj.dll Gghdaa32.exe File created C:\Windows\SysWOW64\Momcpa32.exe Mhckcgpj.exe File created C:\Windows\SysWOW64\Piocecgj.exe Pjlcjf32.exe File created C:\Windows\SysWOW64\Hnlodjpa.exe Hlmchoan.exe File created C:\Windows\SysWOW64\Iolhkh32.exe Ilnlom32.exe File created C:\Windows\SysWOW64\Debbff32.dll Kadpdp32.exe File opened for modification C:\Windows\SysWOW64\Pfepdg32.exe Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Panhbfep.exe Pnplfj32.exe File created C:\Windows\SysWOW64\Okddnh32.dll Qmeigg32.exe File opened for modification C:\Windows\SysWOW64\Ilnlom32.exe Iahgad32.exe File created C:\Windows\SysWOW64\Gbhibfek.dll Pfepdg32.exe File created C:\Windows\SysWOW64\Agimkk32.exe Adkqoohc.exe File created C:\Windows\SysWOW64\Gkaclqkk.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Aglafhih.dll Iajdgcab.exe File created C:\Windows\SysWOW64\Bmjkic32.exe Bklomh32.exe File created C:\Windows\SysWOW64\Cglbhhga.exe Cdmfllhn.exe File opened for modification C:\Windows\SysWOW64\Fbgbnkfm.exe Fohfbpgi.exe File created C:\Windows\SysWOW64\Benibond.dll Jpgdai32.exe File created C:\Windows\SysWOW64\Mledmg32.exe Mjggal32.exe File created C:\Windows\SysWOW64\Alapqh32.dll Nciopppp.exe File created C:\Windows\SysWOW64\Bpldbefn.dll Oiagde32.exe File created C:\Windows\SysWOW64\Hlhmjl32.dll Pfccogfc.exe File created C:\Windows\SysWOW64\Oiikeffm.dll Dnajppda.exe File created C:\Windows\SysWOW64\Emamkgpg.dll Edionhpn.exe File created C:\Windows\SysWOW64\Hpmhdmea.exe Hlppno32.exe File opened for modification C:\Windows\SysWOW64\Iahgad32.exe Iojkeh32.exe File created C:\Windows\SysWOW64\Lckggdbo.dll Iahgad32.exe File opened for modification C:\Windows\SysWOW64\Oqmhqapg.exe Oifppdpd.exe File opened for modification C:\Windows\SysWOW64\Pimfpc32.exe Pjjfdfbb.exe File opened for modification C:\Windows\SysWOW64\Ahaceo32.exe Aagkhd32.exe File created C:\Windows\SysWOW64\Pdmdnadc.exe Panhbfep.exe File created C:\Windows\SysWOW64\Ehenqf32.dll Dglkoeio.exe File opened for modification C:\Windows\SysWOW64\Niojoeel.exe Nfqnbjfi.exe File opened for modification C:\Windows\SysWOW64\Ppdbgncl.exe Omfekbdh.exe File created C:\Windows\SysWOW64\Kpqgeihg.dll Pcbkml32.exe File created C:\Windows\SysWOW64\Ichqihli.dll Akblfj32.exe File created C:\Windows\SysWOW64\Geldkfpi.exe Gbnhoj32.exe File created C:\Windows\SysWOW64\Kofdhd32.exe Klggli32.exe File created C:\Windows\SysWOW64\Lhqefjpo.exe Lebijnak.exe File opened for modification C:\Windows\SysWOW64\Ocihgnam.exe Oqklkbbi.exe File created C:\Windows\SysWOW64\Ghfedh32.dll Feqeog32.exe File created C:\Windows\SysWOW64\Dnkdmlfj.dll Aagkhd32.exe File created C:\Windows\SysWOW64\Hpfbcn32.exe Ghojbq32.exe File opened for modification C:\Windows\SysWOW64\Hpmhdmea.exe Hlppno32.exe File created C:\Windows\SysWOW64\Bjmkmfbo.dll Koonge32.exe File created C:\Windows\SysWOW64\Bmgjnl32.dll Ppdbgncl.exe File created C:\Windows\SysWOW64\Edplhjhi.exe Doccpcja.exe File opened for modification C:\Windows\SysWOW64\Iialhaad.exe Iajdgcab.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9004 8916 WerFault.exe 389 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnlgjlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mledmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaldccip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fndpmndl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolhkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmaciefp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqoefand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbliicp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojmcdgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edplhjhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojiqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahokfag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnaeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfennic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jppnpjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpepbgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdkll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnlodjpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiccje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pififb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cammjakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocjiehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgbnkfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhqcgnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckcgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnhoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahgad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfihbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llnnmhfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jemfhacc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknlbhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaejeej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqklkbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfhbhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haaaaeim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjidgkog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiagde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaihooo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbepme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agimkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpolbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilibdmgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbiello.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchfib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgibkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egened32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll" Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll" Pfepdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlmchoan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iafkld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaonbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iialhaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ockdmmoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpnjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfnamjhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" c5c4bcefb8f33d80197ca0238af6e2e0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmeigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doccpcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iojkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mledmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhplpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll" Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjhpcmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kakmna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll" Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpepbgbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlhqcgnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pidlqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdimqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgeenfog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqiibjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocgkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll" Bpkdjofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enpfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kadpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebijnak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dggbcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aagkhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll" Klggli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfgko32.dll" Likhem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiagde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjlcjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll" Iondqhpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnhgjaml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eghkjdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidlqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nofefp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll" Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll" Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mofmobmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll" Modpib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Panhbfep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Momcpa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4552 wrote to memory of 4016 4552 c5c4bcefb8f33d80197ca0238af6e2e0N.exe 83 PID 4552 wrote to memory of 4016 4552 c5c4bcefb8f33d80197ca0238af6e2e0N.exe 83 PID 4552 wrote to memory of 4016 4552 c5c4bcefb8f33d80197ca0238af6e2e0N.exe 83 PID 4016 wrote to memory of 4712 4016 Pnplfj32.exe 84 PID 4016 wrote to memory of 4712 4016 Pnplfj32.exe 84 PID 4016 wrote to memory of 4712 4016 Pnplfj32.exe 84 PID 4712 wrote to memory of 632 4712 Panhbfep.exe 85 PID 4712 wrote to memory of 632 4712 Panhbfep.exe 85 PID 4712 wrote to memory of 632 4712 Panhbfep.exe 85 PID 632 wrote to memory of 4204 632 Pdmdnadc.exe 86 PID 632 wrote to memory of 4204 632 Pdmdnadc.exe 86 PID 632 wrote to memory of 4204 632 Pdmdnadc.exe 86 PID 4204 wrote to memory of 1504 4204 Qfkqjmdg.exe 87 PID 4204 wrote to memory of 1504 4204 Qfkqjmdg.exe 87 PID 4204 wrote to memory of 1504 4204 Qfkqjmdg.exe 87 PID 1504 wrote to memory of 4148 1504 Qobhkjdi.exe 89 PID 1504 wrote to memory of 4148 1504 Qobhkjdi.exe 89 PID 1504 wrote to memory of 4148 1504 Qobhkjdi.exe 89 PID 4148 wrote to memory of 4344 4148 Qmeigg32.exe 90 PID 4148 wrote to memory of 4344 4148 Qmeigg32.exe 90 PID 4148 wrote to memory of 4344 4148 Qmeigg32.exe 90 PID 4344 wrote to memory of 4540 4344 Qdoacabq.exe 91 PID 4344 wrote to memory of 4540 4344 Qdoacabq.exe 91 PID 4344 wrote to memory of 4540 4344 Qdoacabq.exe 91 PID 4540 wrote to memory of 1884 4540 Qfmmplad.exe 92 PID 4540 wrote to memory of 1884 4540 Qfmmplad.exe 92 PID 4540 wrote to memory of 1884 4540 Qfmmplad.exe 92 PID 1884 wrote to memory of 3972 1884 Qodeajbg.exe 93 PID 1884 wrote to memory of 3972 1884 Qodeajbg.exe 93 PID 1884 wrote to memory of 3972 1884 Qodeajbg.exe 93 PID 3972 wrote to memory of 4008 3972 Qacameaj.exe 95 PID 3972 wrote to memory of 4008 3972 Qacameaj.exe 95 PID 3972 wrote to memory of 4008 3972 Qacameaj.exe 95 PID 4008 wrote to memory of 4136 4008 Qdaniq32.exe 96 PID 4008 wrote to memory of 4136 4008 Qdaniq32.exe 96 PID 4008 wrote to memory of 4136 4008 Qdaniq32.exe 96 PID 4136 wrote to memory of 2448 4136 Afpjel32.exe 97 PID 4136 wrote to memory of 2448 4136 Afpjel32.exe 97 PID 4136 wrote to memory of 2448 4136 Afpjel32.exe 97 PID 2448 wrote to memory of 4940 2448 Aogbfi32.exe 98 PID 2448 wrote to memory of 4940 2448 Aogbfi32.exe 98 PID 2448 wrote to memory of 4940 2448 Aogbfi32.exe 98 PID 4940 wrote to memory of 2312 4940 Aaenbd32.exe 99 PID 4940 wrote to memory of 2312 4940 Aaenbd32.exe 99 PID 4940 wrote to memory of 2312 4940 Aaenbd32.exe 99 PID 2312 wrote to memory of 468 2312 Adcjop32.exe 100 PID 2312 wrote to memory of 468 2312 Adcjop32.exe 100 PID 2312 wrote to memory of 468 2312 Adcjop32.exe 100 PID 468 wrote to memory of 1048 468 Aoioli32.exe 102 PID 468 wrote to memory of 1048 468 Aoioli32.exe 102 PID 468 wrote to memory of 1048 468 Aoioli32.exe 102 PID 1048 wrote to memory of 5036 1048 Aagkhd32.exe 103 PID 1048 wrote to memory of 5036 1048 Aagkhd32.exe 103 PID 1048 wrote to memory of 5036 1048 Aagkhd32.exe 103 PID 5036 wrote to memory of 804 5036 Ahaceo32.exe 104 PID 5036 wrote to memory of 804 5036 Ahaceo32.exe 104 PID 5036 wrote to memory of 804 5036 Ahaceo32.exe 104 PID 804 wrote to memory of 4484 804 Aokkahlo.exe 105 PID 804 wrote to memory of 4484 804 Aokkahlo.exe 105 PID 804 wrote to memory of 4484 804 Aokkahlo.exe 105 PID 4484 wrote to memory of 3052 4484 Amnlme32.exe 106 PID 4484 wrote to memory of 3052 4484 Amnlme32.exe 106 PID 4484 wrote to memory of 3052 4484 Amnlme32.exe 106 PID 3052 wrote to memory of 1968 3052 Adhdjpjf.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5c4bcefb8f33d80197ca0238af6e2e0N.exe"C:\Users\Admin\AppData\Local\Temp\c5c4bcefb8f33d80197ca0238af6e2e0N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Pnplfj32.exeC:\Windows\system32\Pnplfj32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Qfkqjmdg.exeC:\Windows\system32\Qfkqjmdg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Qobhkjdi.exeC:\Windows\system32\Qobhkjdi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Qmeigg32.exeC:\Windows\system32\Qmeigg32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Adcjop32.exeC:\Windows\system32\Adcjop32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Adkqoohc.exeC:\Windows\system32\Adkqoohc.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3932 -
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Apaadpng.exeC:\Windows\system32\Apaadpng.exe28⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Bgkiaj32.exeC:\Windows\system32\Bgkiaj32.exe29⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe30⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe31⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe32⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe34⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Bmjkic32.exeC:\Windows\system32\Bmjkic32.exe36⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Bddcenpi.exeC:\Windows\system32\Bddcenpi.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe38⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Bknlbhhe.exeC:\Windows\system32\Bknlbhhe.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3220 -
C:\Windows\SysWOW64\Bnlhncgi.exeC:\Windows\system32\Bnlhncgi.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe42⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3452 -
C:\Windows\SysWOW64\Cdimqm32.exeC:\Windows\system32\Cdimqm32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Chdialdl.exeC:\Windows\system32\Chdialdl.exe45⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe46⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:64 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe52⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Windows\SysWOW64\Caageq32.exeC:\Windows\system32\Caageq32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Ckjknfnh.exeC:\Windows\system32\Ckjknfnh.exe56⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Cnhgjaml.exeC:\Windows\system32\Cnhgjaml.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Cklhcfle.exeC:\Windows\system32\Cklhcfle.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe60⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Dhphmj32.exeC:\Windows\system32\Dhphmj32.exe61⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe62⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe65⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe67⤵
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe68⤵PID:5028
-
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe69⤵PID:2004
-
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe70⤵PID:1232
-
C:\Windows\SysWOW64\Dhikci32.exeC:\Windows\system32\Dhikci32.exe71⤵PID:4460
-
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe72⤵
- Drops file in System32 directory
PID:3948 -
C:\Windows\SysWOW64\Doccpcja.exeC:\Windows\system32\Doccpcja.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4104 -
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe74⤵
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\Edbiniff.exeC:\Windows\system32\Edbiniff.exe76⤵PID:4328
-
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Eqiibjlj.exeC:\Windows\system32\Eqiibjlj.exe78⤵
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe79⤵PID:2164
-
C:\Windows\SysWOW64\Egcaod32.exeC:\Windows\system32\Egcaod32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe81⤵
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4476 -
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe83⤵PID:3244
-
C:\Windows\SysWOW64\Ehbnigjj.exeC:\Windows\system32\Ehbnigjj.exe84⤵PID:4356
-
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe85⤵
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe87⤵
- Drops file in System32 directory
PID:4836 -
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe88⤵
- Drops file in System32 directory
PID:3156 -
C:\Windows\SysWOW64\Eghkjdoa.exeC:\Windows\system32\Eghkjdoa.exe89⤵
- Modifies registry class
PID:4732 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe90⤵PID:1224
-
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe91⤵PID:3460
-
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe92⤵PID:1528
-
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe93⤵
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe94⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Fgmdec32.exeC:\Windows\system32\Fgmdec32.exe96⤵PID:3532
-
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe97⤵PID:3992
-
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe98⤵PID:4964
-
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe99⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3176 -
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe101⤵PID:4980
-
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe102⤵PID:2484
-
C:\Windows\SysWOW64\Fkmjaa32.exeC:\Windows\system32\Fkmjaa32.exe103⤵PID:5140
-
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Fbgbnkfm.exeC:\Windows\system32\Fbgbnkfm.exe105⤵
- System Location Discovery: System Language Discovery
PID:5228 -
C:\Windows\SysWOW64\Feenjgfq.exeC:\Windows\system32\Feenjgfq.exe106⤵PID:5272
-
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe107⤵
- Drops file in System32 directory
PID:5316 -
C:\Windows\SysWOW64\Gnnccl32.exeC:\Windows\system32\Gnnccl32.exe108⤵PID:5360
-
C:\Windows\SysWOW64\Galoohke.exeC:\Windows\system32\Galoohke.exe109⤵PID:5404
-
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe110⤵
- Drops file in System32 directory
PID:5444 -
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe111⤵PID:5488
-
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe112⤵PID:5528
-
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe113⤵PID:5572
-
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe114⤵
- Drops file in System32 directory
PID:5612 -
C:\Windows\SysWOW64\Gpolbo32.exeC:\Windows\system32\Gpolbo32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5656 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5700 -
C:\Windows\SysWOW64\Geldkfpi.exeC:\Windows\system32\Geldkfpi.exe117⤵PID:5744
-
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe118⤵PID:5788
-
C:\Windows\SysWOW64\Gpaihooo.exeC:\Windows\system32\Gpaihooo.exe119⤵
- System Location Discovery: System Language Discovery
PID:5840 -
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe121⤵PID:5932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-