Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-09-2024 13:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc5e6853a6f44bcaaae7fe53edec3610N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
cc5e6853a6f44bcaaae7fe53edec3610N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
cc5e6853a6f44bcaaae7fe53edec3610N.exe
-
Size
512KB
-
MD5
cc5e6853a6f44bcaaae7fe53edec3610
-
SHA1
1fb2d50e12d5965cc0684a39754d280f2511d88d
-
SHA256
046e32d8e5f197f45e56089f4a58dfdab7c0aa5c0dd5bda44c244c10871a61e5
-
SHA512
7357111c8d3d5df6bb2787566f9f37ce54aa79a04b710bf4d71b17525b3ca0987b228ae335efb2f37bd6f303b49d374ee08955a08daafb36c6ab9767686c03fd
-
SSDEEP
6144:ExCZJOnroUdXHaEn/TNId/1fonlId/1fon/T2oI0YokOsfY7Uon2Kr:yCPadXHaINIVIIVy2oIvPKiKr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldhdlnli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oafacn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdfkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekclnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kakednfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfddci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhkgnkoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moglpedd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgkjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfmlok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agiahlkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nahdapae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pohnnqgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpbkicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainnhdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpihbjmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqmicpbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flbhia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnbhfde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jflnafno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aglnnkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqpbboeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaqdpjia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfddci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfeagefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgjjoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklifdmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flboch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okneldkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqofippg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okbhlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnghhqdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feofmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdqdokk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bngfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbbimih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgemahmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najjmjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnienqbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoakaip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elilmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplkhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomldfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gogjflhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nglcjfie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhkgnkoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhofbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Focakm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolinf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbkgmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehofhdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbbmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdllffpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifmoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jckeokan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjpceko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamipe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlmegd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ononmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoekde32.exe -
Executes dropped EXE 64 IoCs
pid Process 3712 Kfidgk32.exe 2996 Kfkamk32.exe 2508 Kmeiie32.exe 2592 Lhjnfn32.exe 1264 Ljkghi32.exe 1432 Lmjcdd32.exe 4704 Leqkeajd.exe 3076 Lfbgmj32.exe 5804 Loiong32.exe 1444 Lmlpjdgo.exe 4352 Lechkaga.exe 2936 Ldfhgn32.exe 5564 Lfddci32.exe 5876 Lkppchfi.exe 4620 Lmnlpcel.exe 5212 Lajhpbme.exe 5156 Ldhdlnli.exe 3472 Lhdqml32.exe 6076 Lkbmih32.exe 2792 Lmqiec32.exe 4632 Mehafq32.exe 4924 Mhfmbl32.exe 648 Mginniij.exe 5464 Mopeofjl.exe 5692 Maoakaip.exe 5572 Mdmngm32.exe 4356 Mgkjch32.exe 4004 Mobbdf32.exe 4976 Maaoaa32.exe 2824 Meljappg.exe 3596 Mhkgnkoj.exe 4512 Mkicjgnn.exe 4068 Mmhofbma.exe 1464 Meoggpmd.exe 3220 Mhmcck32.exe 880 Mgpcohcb.exe 3408 Moglpedd.exe 5256 Maehlqch.exe 4076 Mdddhlbl.exe 3884 Mgbpdgap.exe 2520 Moiheebb.exe 3828 Nahdapae.exe 4676 Ndfanlpi.exe 5176 Nhbmnj32.exe 1936 Nkpijfgf.exe 592 Nnoefagj.exe 4344 Najagp32.exe 2388 Ndinck32.exe 4136 Nggjog32.exe 2532 Nonbqd32.exe 4968 Namnmp32.exe 4240 Ndkjik32.exe 3404 Nhffijdm.exe 5896 Nkebee32.exe 1044 Noqofdlj.exe 2988 Naokbokn.exe 1184 Ndmgnkja.exe 2860 Nglcjfie.exe 5848 Nkgoke32.exe 3156 Nnfkgp32.exe 5748 Nemchn32.exe 4416 Nhkpdi32.exe 4816 Ngnppfgb.exe 4672 Noehac32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kkjfda32.dll Hfgloiqf.exe File created C:\Windows\SysWOW64\Lhfcek32.dll Jifabb32.exe File created C:\Windows\SysWOW64\Bjqelb32.dll Bhbahm32.exe File created C:\Windows\SysWOW64\Iobilpno.dll Cnhlgc32.exe File opened for modification C:\Windows\SysWOW64\Poeahaib.exe Pgoigcip.exe File created C:\Windows\SysWOW64\Plogne32.dll Bfieagka.exe File created C:\Windows\SysWOW64\Ljccfoqj.dll Ghpooanf.exe File opened for modification C:\Windows\SysWOW64\Lmjcdd32.exe Ljkghi32.exe File opened for modification C:\Windows\SysWOW64\Epehnhbj.exe Elilmi32.exe File created C:\Windows\SysWOW64\Flopmh32.dll Fifomlap.exe File opened for modification C:\Windows\SysWOW64\Jckeokan.exe Jqmicpbj.exe File opened for modification C:\Windows\SysWOW64\Npadcfnl.exe Ngipjp32.exe File created C:\Windows\SysWOW64\Aphigedp.dll Ejiiippb.exe File opened for modification C:\Windows\SysWOW64\Jhqqlmba.exe Ijkdkq32.exe File opened for modification C:\Windows\SysWOW64\Lmnlpcel.exe Lkppchfi.exe File created C:\Windows\SysWOW64\Qnhkpgaj.dll Nhkpdi32.exe File created C:\Windows\SysWOW64\Ogjpld32.exe Odkcpi32.exe File opened for modification C:\Windows\SysWOW64\Kmbfiokn.exe Kjcjmclj.exe File opened for modification C:\Windows\SysWOW64\Faamghko.exe Fbnmkk32.exe File created C:\Windows\SysWOW64\Najagp32.exe Nnoefagj.exe File created C:\Windows\SysWOW64\Mfpegl32.dll Ohdbkh32.exe File created C:\Windows\SysWOW64\Mejnfo32.dll Npadcfnl.exe File created C:\Windows\SysWOW64\Gioejo32.dll Lkppchfi.exe File created C:\Windows\SysWOW64\Ledioi32.dll Qbmpjkqk.exe File created C:\Windows\SysWOW64\Gaoihfoo.exe Glbapoqh.exe File created C:\Windows\SysWOW64\Oidfpeba.dll Pgaelcgm.exe File opened for modification C:\Windows\SysWOW64\Ciefek32.exe Cbknhqbl.exe File created C:\Windows\SysWOW64\Agckiqgg.exe Aeeomegd.exe File opened for modification C:\Windows\SysWOW64\Jjemle32.exe Jggapj32.exe File created C:\Windows\SysWOW64\Lgpbpopl.dll Lmjcdd32.exe File created C:\Windows\SysWOW64\Iaofbqgi.dll Oacdmo32.exe File opened for modification C:\Windows\SysWOW64\Dnghhqdk.exe Dijppjfd.exe File created C:\Windows\SysWOW64\Gpmpcc32.dll Cbnbhfde.exe File created C:\Windows\SysWOW64\Pjbofkpn.dll Ellicihn.exe File created C:\Windows\SysWOW64\Oddmoj32.exe Oafacn32.exe File opened for modification C:\Windows\SysWOW64\Qdflaa32.exe Pnlcdg32.exe File created C:\Windows\SysWOW64\Ohpiphlb.exe Oddmoj32.exe File created C:\Windows\SysWOW64\Fnkcdoia.dll Dpdogj32.exe File created C:\Windows\SysWOW64\Flboch32.exe Fhgccijm.exe File opened for modification C:\Windows\SysWOW64\Ajodef32.exe Aqfolqna.exe File opened for modification C:\Windows\SysWOW64\Nnoefagj.exe Nkpijfgf.exe File opened for modification C:\Windows\SysWOW64\Nggjog32.exe Ndinck32.exe File created C:\Windows\SysWOW64\Agacalbb.dll Flpbnh32.exe File created C:\Windows\SysWOW64\Iehkefih.dll Kjopbd32.exe File created C:\Windows\SysWOW64\Mmdlflki.exe Mfkcibdl.exe File created C:\Windows\SysWOW64\Nmpkakak.exe Nkboeobh.exe File opened for modification C:\Windows\SysWOW64\Ghpooanf.exe Gogjflhf.exe File created C:\Windows\SysWOW64\Ikjcmi32.exe Ijgjpaao.exe File opened for modification C:\Windows\SysWOW64\Onmahojj.exe Okneldkf.exe File opened for modification C:\Windows\SysWOW64\Fbjjkble.exe Flpbnh32.exe File created C:\Windows\SysWOW64\Dnginbho.dll Qghlmbae.exe File opened for modification C:\Windows\SysWOW64\Agobna32.exe Adqeaf32.exe File created C:\Windows\SysWOW64\Aohfdnil.exe Ainnhdbp.exe File created C:\Windows\SysWOW64\Cnbfgh32.exe Chinkndp.exe File created C:\Windows\SysWOW64\Dimcppgm.exe Deagoa32.exe File opened for modification C:\Windows\SysWOW64\Gohapb32.exe Fljedg32.exe File opened for modification C:\Windows\SysWOW64\Lechkaga.exe Lmlpjdgo.exe File created C:\Windows\SysWOW64\Henjep32.dll Mopeofjl.exe File opened for modification C:\Windows\SysWOW64\Jmopmalc.exe Jicdlc32.exe File opened for modification C:\Windows\SysWOW64\Qjcdih32.exe Qgehml32.exe File created C:\Windows\SysWOW64\Ofdabl32.dll Gaoihfoo.exe File opened for modification C:\Windows\SysWOW64\Doqbifpl.exe Dpnbmi32.exe File created C:\Windows\SysWOW64\Jicdlc32.exe Jcgldl32.exe File opened for modification C:\Windows\SysWOW64\Nhffijdm.exe Ndkjik32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11292 12228 WerFault.exe 563 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpbnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmmkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkqhpmkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcmmjkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoekde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqpbboeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbknhqbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqdpjia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpooanf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najagp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgldl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hepoddcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmmedi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkebee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnnoip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbnmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcphpdil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pndhhnda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmpkakak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpklql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjgidfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfedmfqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgehml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbpdgap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbihmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjcjmclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eijigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgomaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpbkicl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbmfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkcgkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpcdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kciaqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpelqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficlmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cc5e6853a6f44bcaaae7fe53edec3610N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggjog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjghdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeffnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhammfci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejiiippb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkjch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bghddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnghhqdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhjpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnbhfde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpglmjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqbbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kakednfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljappg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaenkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdaqhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbhlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flekihpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfobofl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpgdmjd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Econlc32.dll" Fpcdof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miklkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fifhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maehlqch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blpmkn32.dll" Oafacn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndhhnda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clffalkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqfkba32.dll" Ghdhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndpaojf.dll" Cejaobel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoconenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhndgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakpih32.dll" Bgjjoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhcmcqo.dll" Eiobbgcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfndbnlp.dll" Kakednfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciefek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egenpjlf.dll" Fongpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgpcohcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ledioi32.dll" Qbmpjkqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feifgnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdmngm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjoenl32.dll" Pdpmkhjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanpok32.dll" Abgcqjhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faijmmkf.dll" Fifhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgefmhck.dll" Odkcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnpibh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfgefg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmfodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbkeacqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jckeokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kconbh32.dll" Kpilekqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnknf32.dll" Ngipjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mginniij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohpiphlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dliffkod.dll" Dfqdid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapccljk.dll" Dlpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfbiobf.dll" Fgmllpng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okbhlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnekoch.dll" Cgaqphgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgaqphgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eimelg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhofbma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imhjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjood32.dll" Niihlkdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoengj32.dll" Fajgfiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjcjmclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfkcibdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgomaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poeahaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plogne32.dll" Bfieagka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajncdql.dll" Cihjeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpihbjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beefhclj.dll" Elgohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mopeofjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljhchc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdofpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijgjpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faopah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gccmaack.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gipbck32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2512 wrote to memory of 3712 2512 cc5e6853a6f44bcaaae7fe53edec3610N.exe 90 PID 2512 wrote to memory of 3712 2512 cc5e6853a6f44bcaaae7fe53edec3610N.exe 90 PID 2512 wrote to memory of 3712 2512 cc5e6853a6f44bcaaae7fe53edec3610N.exe 90 PID 3712 wrote to memory of 2996 3712 Kfidgk32.exe 91 PID 3712 wrote to memory of 2996 3712 Kfidgk32.exe 91 PID 3712 wrote to memory of 2996 3712 Kfidgk32.exe 91 PID 2996 wrote to memory of 2508 2996 Kfkamk32.exe 92 PID 2996 wrote to memory of 2508 2996 Kfkamk32.exe 92 PID 2996 wrote to memory of 2508 2996 Kfkamk32.exe 92 PID 2508 wrote to memory of 2592 2508 Kmeiie32.exe 94 PID 2508 wrote to memory of 2592 2508 Kmeiie32.exe 94 PID 2508 wrote to memory of 2592 2508 Kmeiie32.exe 94 PID 2592 wrote to memory of 1264 2592 Lhjnfn32.exe 96 PID 2592 wrote to memory of 1264 2592 Lhjnfn32.exe 96 PID 2592 wrote to memory of 1264 2592 Lhjnfn32.exe 96 PID 1264 wrote to memory of 1432 1264 Ljkghi32.exe 97 PID 1264 wrote to memory of 1432 1264 Ljkghi32.exe 97 PID 1264 wrote to memory of 1432 1264 Ljkghi32.exe 97 PID 1432 wrote to memory of 4704 1432 Lmjcdd32.exe 98 PID 1432 wrote to memory of 4704 1432 Lmjcdd32.exe 98 PID 1432 wrote to memory of 4704 1432 Lmjcdd32.exe 98 PID 4704 wrote to memory of 3076 4704 Leqkeajd.exe 99 PID 4704 wrote to memory of 3076 4704 Leqkeajd.exe 99 PID 4704 wrote to memory of 3076 4704 Leqkeajd.exe 99 PID 3076 wrote to memory of 5804 3076 Lfbgmj32.exe 100 PID 3076 wrote to memory of 5804 3076 Lfbgmj32.exe 100 PID 3076 wrote to memory of 5804 3076 Lfbgmj32.exe 100 PID 5804 wrote to memory of 1444 5804 Loiong32.exe 101 PID 5804 wrote to memory of 1444 5804 Loiong32.exe 101 PID 5804 wrote to memory of 1444 5804 Loiong32.exe 101 PID 1444 wrote to memory of 4352 1444 Lmlpjdgo.exe 102 PID 1444 wrote to memory of 4352 1444 Lmlpjdgo.exe 102 PID 1444 wrote to memory of 4352 1444 Lmlpjdgo.exe 102 PID 4352 wrote to memory of 2936 4352 Lechkaga.exe 103 PID 4352 wrote to memory of 2936 4352 Lechkaga.exe 103 PID 4352 wrote to memory of 2936 4352 Lechkaga.exe 103 PID 2936 wrote to memory of 5564 2936 Ldfhgn32.exe 104 PID 2936 wrote to memory of 5564 2936 Ldfhgn32.exe 104 PID 2936 wrote to memory of 5564 2936 Ldfhgn32.exe 104 PID 5564 wrote to memory of 5876 5564 Lfddci32.exe 105 PID 5564 wrote to memory of 5876 5564 Lfddci32.exe 105 PID 5564 wrote to memory of 5876 5564 Lfddci32.exe 105 PID 5876 wrote to memory of 4620 5876 Lkppchfi.exe 106 PID 5876 wrote to memory of 4620 5876 Lkppchfi.exe 106 PID 5876 wrote to memory of 4620 5876 Lkppchfi.exe 106 PID 4620 wrote to memory of 5212 4620 Lmnlpcel.exe 107 PID 4620 wrote to memory of 5212 4620 Lmnlpcel.exe 107 PID 4620 wrote to memory of 5212 4620 Lmnlpcel.exe 107 PID 5212 wrote to memory of 5156 5212 Lajhpbme.exe 108 PID 5212 wrote to memory of 5156 5212 Lajhpbme.exe 108 PID 5212 wrote to memory of 5156 5212 Lajhpbme.exe 108 PID 5156 wrote to memory of 3472 5156 Ldhdlnli.exe 109 PID 5156 wrote to memory of 3472 5156 Ldhdlnli.exe 109 PID 5156 wrote to memory of 3472 5156 Ldhdlnli.exe 109 PID 3472 wrote to memory of 6076 3472 Lhdqml32.exe 110 PID 3472 wrote to memory of 6076 3472 Lhdqml32.exe 110 PID 3472 wrote to memory of 6076 3472 Lhdqml32.exe 110 PID 6076 wrote to memory of 2792 6076 Lkbmih32.exe 111 PID 6076 wrote to memory of 2792 6076 Lkbmih32.exe 111 PID 6076 wrote to memory of 2792 6076 Lkbmih32.exe 111 PID 2792 wrote to memory of 4632 2792 Lmqiec32.exe 112 PID 2792 wrote to memory of 4632 2792 Lmqiec32.exe 112 PID 2792 wrote to memory of 4632 2792 Lmqiec32.exe 112 PID 4632 wrote to memory of 4924 4632 Mehafq32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc5e6853a6f44bcaaae7fe53edec3610N.exe"C:\Users\Admin\AppData\Local\Temp\cc5e6853a6f44bcaaae7fe53edec3610N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Ljkghi32.exeC:\Windows\system32\Ljkghi32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Lfbgmj32.exeC:\Windows\system32\Lfbgmj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Loiong32.exeC:\Windows\system32\Loiong32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5804 -
C:\Windows\SysWOW64\Lmlpjdgo.exeC:\Windows\system32\Lmlpjdgo.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Lfddci32.exeC:\Windows\system32\Lfddci32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5564 -
C:\Windows\SysWOW64\Lkppchfi.exeC:\Windows\system32\Lkppchfi.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5876 -
C:\Windows\SysWOW64\Lmnlpcel.exeC:\Windows\system32\Lmnlpcel.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5212 -
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5156 -
C:\Windows\SysWOW64\Lhdqml32.exeC:\Windows\system32\Lhdqml32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Lkbmih32.exeC:\Windows\system32\Lkbmih32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6076 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4924 -
C:\Windows\SysWOW64\Mginniij.exeC:\Windows\system32\Mginniij.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5692 -
C:\Windows\SysWOW64\Mdmngm32.exeC:\Windows\system32\Mdmngm32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Mgkjch32.exeC:\Windows\system32\Mgkjch32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe29⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe30⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Meljappg.exeC:\Windows\system32\Meljappg.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe33⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe35⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Mhmcck32.exeC:\Windows\system32\Mhmcck32.exe36⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Maehlqch.exeC:\Windows\system32\Maehlqch.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:5256 -
C:\Windows\SysWOW64\Mdddhlbl.exeC:\Windows\system32\Mdddhlbl.exe40⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3884 -
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe42⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Ndfanlpi.exeC:\Windows\system32\Ndfanlpi.exe44⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe45⤵
- Executes dropped EXE
PID:5176 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\Ndinck32.exeC:\Windows\system32\Ndinck32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Nggjog32.exeC:\Windows\system32\Nggjog32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Windows\SysWOW64\Nonbqd32.exeC:\Windows\system32\Nonbqd32.exe51⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe52⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4240 -
C:\Windows\SysWOW64\Nhffijdm.exeC:\Windows\system32\Nhffijdm.exe54⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Nkebee32.exeC:\Windows\system32\Nkebee32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe56⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe57⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe58⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Nglcjfie.exeC:\Windows\system32\Nglcjfie.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe60⤵
- Executes dropped EXE
PID:5848 -
C:\Windows\SysWOW64\Nnfkgp32.exeC:\Windows\system32\Nnfkgp32.exe61⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Nemchn32.exeC:\Windows\system32\Nemchn32.exe62⤵
- Executes dropped EXE
PID:5748 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Ngnppfgb.exeC:\Windows\system32\Ngnppfgb.exe64⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Noehac32.exeC:\Windows\system32\Noehac32.exe65⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Oacdmo32.exeC:\Windows\system32\Oacdmo32.exe66⤵
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe67⤵PID:2352
-
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe68⤵PID:3168
-
C:\Windows\SysWOW64\Oklifdmi.exeC:\Windows\system32\Oklifdmi.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5108 -
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe70⤵PID:1944
-
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Oddmoj32.exeC:\Windows\system32\Oddmoj32.exe72⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe73⤵
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5460 -
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe75⤵PID:5080
-
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe76⤵PID:1620
-
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe77⤵PID:1200
-
C:\Windows\SysWOW64\Okqbac32.exeC:\Windows\system32\Okqbac32.exe78⤵PID:6084
-
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3516 -
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe81⤵
- Drops file in System32 directory
PID:6116 -
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe82⤵PID:1888
-
C:\Windows\SysWOW64\Oookgbpj.exeC:\Windows\system32\Oookgbpj.exe83⤵PID:5192
-
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe84⤵PID:1780
-
C:\Windows\SysWOW64\Odkcpi32.exeC:\Windows\system32\Odkcpi32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Ogjpld32.exeC:\Windows\system32\Ogjpld32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Okeklcen.exeC:\Windows\system32\Okeklcen.exe87⤵PID:3632
-
C:\Windows\SysWOW64\Pndhhnda.exeC:\Windows\system32\Pndhhnda.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:708 -
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe89⤵PID:4208
-
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe90⤵PID:4280
-
C:\Windows\SysWOW64\Pkhhbbck.exeC:\Windows\system32\Pkhhbbck.exe91⤵PID:5968
-
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe92⤵PID:4736
-
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4476 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe94⤵
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Pgoigcip.exeC:\Windows\system32\Pgoigcip.exe95⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe96⤵
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe97⤵PID:5040
-
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe98⤵PID:1828
-
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe99⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3344 -
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe101⤵PID:3756
-
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe102⤵PID:244
-
C:\Windows\SysWOW64\Phpbffnp.exeC:\Windows\system32\Phpbffnp.exe103⤵PID:3916
-
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe104⤵PID:1140
-
C:\Windows\SysWOW64\Pnmjomlg.exeC:\Windows\system32\Pnmjomlg.exe105⤵PID:3440
-
C:\Windows\SysWOW64\Qnpgdmjd.exeC:\Windows\system32\Qnpgdmjd.exe106⤵
- System Location Discovery: System Language Discovery
PID:5740 -
C:\Windows\SysWOW64\Qffoejkg.exeC:\Windows\system32\Qffoejkg.exe107⤵PID:2776
-
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe108⤵PID:4912
-
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe109⤵
- Drops file in System32 directory
PID:5012 -
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe110⤵PID:5216
-
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe113⤵PID:392
-
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe114⤵PID:1340
-
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe115⤵PID:4488
-
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe116⤵PID:5164
-
C:\Windows\SysWOW64\Aocmio32.exeC:\Windows\system32\Aocmio32.exe117⤵PID:428
-
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe118⤵PID:2896
-
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe119⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe120⤵PID:5772
-
C:\Windows\SysWOW64\Aofjoo32.exeC:\Windows\system32\Aofjoo32.exe121⤵PID:1668
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-