Analysis
-
max time kernel
97s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/09/2024, 09:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d6e0d4ee5469f24748c7350449e0a30N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8d6e0d4ee5469f24748c7350449e0a30N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8d6e0d4ee5469f24748c7350449e0a30N.exe
-
Size
208KB
-
MD5
8d6e0d4ee5469f24748c7350449e0a30
-
SHA1
8b4389beb8c7d1ef306d90ae208a912021ada46e
-
SHA256
84ed490a35bbe0f5980669064f6c00bb59e0faaae1c9f0420a81091ad9d70bf2
-
SHA512
c02bf5936fe1d452a274bacb70f99031f1b1fdb029b8f19f45b4aaf20d10ce1abe6c38b07474f3b00d64fa43c6211eae125f30ac5685e1ef671ef786e2014fc5
-
SSDEEP
3072:JYieIcuPPA79Oe1ItHOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJk:kuiAtulrtMsQB+vn87L5Az
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mplhql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oncofm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nphhmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njqmepik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogbipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calhnpgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njnpppkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpppnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdehlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdkcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilghlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhdlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmiciaaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbmefbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmijbcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgddhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgfda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjlnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjeoglgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doilmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnpppkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfjifjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhbal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojllan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgkjhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlpoqpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmmnjfnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbdmaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbmefbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpeiioac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nilcjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlcbbcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbdlf32.exe -
Executes dropped EXE 64 IoCs
pid Process 4840 Ipknlb32.exe 212 Iehfdi32.exe 2664 Ipnjab32.exe 1600 Iblfnn32.exe 3816 Iejcji32.exe 4072 Ippggbck.exe 532 Ifjodl32.exe 916 Ilghlc32.exe 3216 Ipbdmaah.exe 1336 Ifllil32.exe 2456 Jioaqfcc.exe 3084 Jpijnqkp.exe 316 Jbhfjljd.exe 3780 Jefbfgig.exe 2196 Jianff32.exe 2328 Jcgbco32.exe 848 Jehokgge.exe 1380 Jmpgldhg.exe 2016 Jblpek32.exe 1980 Jifhaenk.exe 1608 Jpppnp32.exe 4124 Kboljk32.exe 4992 Kemhff32.exe 2056 Klgqcqkl.exe 1932 Kdnidn32.exe 4908 Kepelfam.exe 2796 Kpeiioac.exe 2724 Kbceejpf.exe 1528 Kmijbcpl.exe 4308 Kipkhdeq.exe 1212 Klngdpdd.exe 516 Kfckahdj.exe 1324 Kibgmdcn.exe 3916 Klqcioba.exe 2176 Kdgljmcd.exe 4092 Lffhfh32.exe 452 Leihbeib.exe 2116 Llcpoo32.exe 3104 Ldjhpl32.exe 3972 Lfhdlh32.exe 4780 Llemdo32.exe 2440 Ldleel32.exe 4356 Liimncmf.exe 972 Lpcfkm32.exe 3300 Lbabgh32.exe 4880 Lmgfda32.exe 3492 Ldanqkki.exe 4600 Lmiciaaj.exe 1072 Mdckfk32.exe 4036 Medgncoe.exe 4696 Mmlpoqpg.exe 4448 Mdehlk32.exe 4364 Mgddhf32.exe 3532 Mmnldp32.exe 1856 Mplhql32.exe 2892 Mgfqmfde.exe 2672 Miemjaci.exe 5000 Mlcifmbl.exe 3768 Mcmabg32.exe 2684 Mmbfpp32.exe 2720 Mpablkhc.exe 5020 Mgkjhe32.exe 4952 Miifeq32.exe 4644 Mlhbal32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Olhlhjpd.exe Ojjolnaq.exe File opened for modification C:\Windows\SysWOW64\Pdkcde32.exe Pmdkch32.exe File opened for modification C:\Windows\SysWOW64\Anadoi32.exe Afjlnk32.exe File opened for modification C:\Windows\SysWOW64\Bmngqdpj.exe Bnkgeg32.exe File created C:\Windows\SysWOW64\Kofpij32.dll Beglgani.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Dopigd32.exe File created C:\Windows\SysWOW64\Iblfnn32.exe Ipnjab32.exe File created C:\Windows\SysWOW64\Leihbeib.exe Lffhfh32.exe File opened for modification C:\Windows\SysWOW64\Ldanqkki.exe Lmgfda32.exe File created C:\Windows\SysWOW64\Miifeq32.exe Mgkjhe32.exe File created C:\Windows\SysWOW64\Jpcmfk32.dll Pmidog32.exe File created C:\Windows\SysWOW64\Ehmdjdgk.dll Ajanck32.exe File created C:\Windows\SysWOW64\Oahicipe.dll Aglemn32.exe File created C:\Windows\SysWOW64\Gfkfpo32.dll Kdgljmcd.exe File opened for modification C:\Windows\SysWOW64\Npcoakfp.exe Mlhbal32.exe File created C:\Windows\SysWOW64\Njnpppkn.exe Ngpccdlj.exe File created C:\Windows\SysWOW64\Olcbmj32.exe Njefqo32.exe File created C:\Windows\SysWOW64\Pfaigm32.exe Pcbmka32.exe File created C:\Windows\SysWOW64\Poahbe32.dll Ddonekbl.exe File created C:\Windows\SysWOW64\Mmnldp32.exe Mgddhf32.exe File created C:\Windows\SysWOW64\Gmcfdb32.dll Dmefhako.exe File created C:\Windows\SysWOW64\Gbdhjm32.dll Neeqea32.exe File created C:\Windows\SysWOW64\Mkijij32.dll Cmgjgcgo.exe File created C:\Windows\SysWOW64\Nbgngp32.dll Dejacond.exe File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Medgncoe.exe Mdckfk32.exe File created C:\Windows\SysWOW64\Empblm32.dll Nfgmjqop.exe File created C:\Windows\SysWOW64\Nggjdc32.exe Ndhmhh32.exe File created C:\Windows\SysWOW64\Dhfajjoj.exe Cegdnopg.exe File created C:\Windows\SysWOW64\Kpeiioac.exe Kepelfam.exe File created C:\Windows\SysWOW64\Mlhbal32.exe Miifeq32.exe File created C:\Windows\SysWOW64\Ogpmjb32.exe Odapnf32.exe File created C:\Windows\SysWOW64\Dgbdlf32.exe Dddhpjof.exe File created C:\Windows\SysWOW64\Ejckel32.dll Jioaqfcc.exe File opened for modification C:\Windows\SysWOW64\Pjeoglgc.exe Pfjcgn32.exe File created C:\Windows\SysWOW64\Ambgef32.exe Afhohlbj.exe File created C:\Windows\SysWOW64\Ffpmlcim.dll Cjpckf32.exe File created C:\Windows\SysWOW64\Onjegled.exe Ofcmfodb.exe File opened for modification C:\Windows\SysWOW64\Mpablkhc.exe Mmbfpp32.exe File created C:\Windows\SysWOW64\Ncdgcf32.exe Nljofl32.exe File created C:\Windows\SysWOW64\Pdmpje32.exe Pqbdjfln.exe File created C:\Windows\SysWOW64\Pjjhbl32.exe Pgllfp32.exe File opened for modification C:\Windows\SysWOW64\Pmidog32.exe Pjjhbl32.exe File created C:\Windows\SysWOW64\Dejacond.exe Dmcibama.exe File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe Dhhnpjmh.exe File created C:\Windows\SysWOW64\Kipkhdeq.exe Kmijbcpl.exe File opened for modification C:\Windows\SysWOW64\Dmefhako.exe Djgjlelk.exe File created C:\Windows\SysWOW64\Jcgbco32.exe Jianff32.exe File created C:\Windows\SysWOW64\Ncmlocln.dll Lffhfh32.exe File created C:\Windows\SysWOW64\Agocgbni.dll Npcoakfp.exe File opened for modification C:\Windows\SysWOW64\Bjagjhnc.exe Bgcknmop.exe File opened for modification C:\Windows\SysWOW64\Cjpckf32.exe Cdfkolkf.exe File opened for modification C:\Windows\SysWOW64\Dkkcge32.exe Dhmgki32.exe File created C:\Windows\SysWOW64\Ipbdmaah.exe Ilghlc32.exe File created C:\Windows\SysWOW64\Qciaajej.dll Qdbiedpa.exe File created C:\Windows\SysWOW64\Ldjhpl32.exe Llcpoo32.exe File created C:\Windows\SysWOW64\Nlaqpipg.dll Pflplnlg.exe File opened for modification C:\Windows\SysWOW64\Pdpmpdbd.exe Pmidog32.exe File opened for modification C:\Windows\SysWOW64\Aqppkd32.exe Anadoi32.exe File created C:\Windows\SysWOW64\Lommhphi.dll Bfabnjjp.exe File created C:\Windows\SysWOW64\Cmlcbbcj.exe Cnicfe32.exe File opened for modification C:\Windows\SysWOW64\Lfhdlh32.exe Ldjhpl32.exe File opened for modification C:\Windows\SysWOW64\Bfdodjhm.exe Bcebhoii.exe File opened for modification C:\Windows\SysWOW64\Bfhhoi32.exe Beglgani.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7636 7532 WerFault.exe 310 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbiedpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodbbdbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnjafap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adgbpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhfajjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kboljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpeiioac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpmjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnonbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjeoglgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippggbck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnneknob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadifclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcbbmif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpckf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiafg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdifoehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmngqdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenahpha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ognpebpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjegled.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgfda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgddhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcmabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkcpbam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddhpjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffhfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocpgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojllan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgcbgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdkch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgllfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chcddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njefqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgmpccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgioqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajanck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klqcioba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngmgne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcijeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabmqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagobalc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampkof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopigd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejacond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbpaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Delnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnidn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcfkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfhig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agoabn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcebhoii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kibgmdcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfaigm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdfkolkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calhnpgn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgddhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll" Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll" Pdifoehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miifeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll" Nljofl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmiciaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmlpoqpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocgmpccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfckahdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llcpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" Liimncmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmiciaaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmnldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngmgne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcijeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jianff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll" Mdehlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll" Oddmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll" Pclgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmdkch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll" Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcknmop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll" Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pclgkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkcge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lffhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll" Nfgmjqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifjodl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nphhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kipkhdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgioqq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqijje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lffhfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldleel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dejacond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll" Kepelfam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kipkhdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll" Ldjhpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncdgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhhnpjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojaelm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1476 wrote to memory of 4840 1476 8d6e0d4ee5469f24748c7350449e0a30N.exe 83 PID 1476 wrote to memory of 4840 1476 8d6e0d4ee5469f24748c7350449e0a30N.exe 83 PID 1476 wrote to memory of 4840 1476 8d6e0d4ee5469f24748c7350449e0a30N.exe 83 PID 4840 wrote to memory of 212 4840 Ipknlb32.exe 84 PID 4840 wrote to memory of 212 4840 Ipknlb32.exe 84 PID 4840 wrote to memory of 212 4840 Ipknlb32.exe 84 PID 212 wrote to memory of 2664 212 Iehfdi32.exe 85 PID 212 wrote to memory of 2664 212 Iehfdi32.exe 85 PID 212 wrote to memory of 2664 212 Iehfdi32.exe 85 PID 2664 wrote to memory of 1600 2664 Ipnjab32.exe 86 PID 2664 wrote to memory of 1600 2664 Ipnjab32.exe 86 PID 2664 wrote to memory of 1600 2664 Ipnjab32.exe 86 PID 1600 wrote to memory of 3816 1600 Iblfnn32.exe 87 PID 1600 wrote to memory of 3816 1600 Iblfnn32.exe 87 PID 1600 wrote to memory of 3816 1600 Iblfnn32.exe 87 PID 3816 wrote to memory of 4072 3816 Iejcji32.exe 88 PID 3816 wrote to memory of 4072 3816 Iejcji32.exe 88 PID 3816 wrote to memory of 4072 3816 Iejcji32.exe 88 PID 4072 wrote to memory of 532 4072 Ippggbck.exe 89 PID 4072 wrote to memory of 532 4072 Ippggbck.exe 89 PID 4072 wrote to memory of 532 4072 Ippggbck.exe 89 PID 532 wrote to memory of 916 532 Ifjodl32.exe 90 PID 532 wrote to memory of 916 532 Ifjodl32.exe 90 PID 532 wrote to memory of 916 532 Ifjodl32.exe 90 PID 916 wrote to memory of 3216 916 Ilghlc32.exe 91 PID 916 wrote to memory of 3216 916 Ilghlc32.exe 91 PID 916 wrote to memory of 3216 916 Ilghlc32.exe 91 PID 3216 wrote to memory of 1336 3216 Ipbdmaah.exe 92 PID 3216 wrote to memory of 1336 3216 Ipbdmaah.exe 92 PID 3216 wrote to memory of 1336 3216 Ipbdmaah.exe 92 PID 1336 wrote to memory of 2456 1336 Ifllil32.exe 93 PID 1336 wrote to memory of 2456 1336 Ifllil32.exe 93 PID 1336 wrote to memory of 2456 1336 Ifllil32.exe 93 PID 2456 wrote to memory of 3084 2456 Jioaqfcc.exe 95 PID 2456 wrote to memory of 3084 2456 Jioaqfcc.exe 95 PID 2456 wrote to memory of 3084 2456 Jioaqfcc.exe 95 PID 3084 wrote to memory of 316 3084 Jpijnqkp.exe 96 PID 3084 wrote to memory of 316 3084 Jpijnqkp.exe 96 PID 3084 wrote to memory of 316 3084 Jpijnqkp.exe 96 PID 316 wrote to memory of 3780 316 Jbhfjljd.exe 97 PID 316 wrote to memory of 3780 316 Jbhfjljd.exe 97 PID 316 wrote to memory of 3780 316 Jbhfjljd.exe 97 PID 3780 wrote to memory of 2196 3780 Jefbfgig.exe 98 PID 3780 wrote to memory of 2196 3780 Jefbfgig.exe 98 PID 3780 wrote to memory of 2196 3780 Jefbfgig.exe 98 PID 2196 wrote to memory of 2328 2196 Jianff32.exe 100 PID 2196 wrote to memory of 2328 2196 Jianff32.exe 100 PID 2196 wrote to memory of 2328 2196 Jianff32.exe 100 PID 2328 wrote to memory of 848 2328 Jcgbco32.exe 101 PID 2328 wrote to memory of 848 2328 Jcgbco32.exe 101 PID 2328 wrote to memory of 848 2328 Jcgbco32.exe 101 PID 848 wrote to memory of 1380 848 Jehokgge.exe 102 PID 848 wrote to memory of 1380 848 Jehokgge.exe 102 PID 848 wrote to memory of 1380 848 Jehokgge.exe 102 PID 1380 wrote to memory of 2016 1380 Jmpgldhg.exe 105 PID 1380 wrote to memory of 2016 1380 Jmpgldhg.exe 105 PID 1380 wrote to memory of 2016 1380 Jmpgldhg.exe 105 PID 2016 wrote to memory of 1980 2016 Jblpek32.exe 106 PID 2016 wrote to memory of 1980 2016 Jblpek32.exe 106 PID 2016 wrote to memory of 1980 2016 Jblpek32.exe 106 PID 1980 wrote to memory of 1608 1980 Jifhaenk.exe 107 PID 1980 wrote to memory of 1608 1980 Jifhaenk.exe 107 PID 1980 wrote to memory of 1608 1980 Jifhaenk.exe 107 PID 1608 wrote to memory of 4124 1608 Jpppnp32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d6e0d4ee5469f24748c7350449e0a30N.exe"C:\Users\Admin\AppData\Local\Temp\8d6e0d4ee5469f24748c7350449e0a30N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4124 -
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe24⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe25⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4908 -
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe29⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4308 -
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:516 -
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3916 -
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Leihbeib.exeC:\Windows\system32\Leihbeib.exe38⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe42⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe46⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe48⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe51⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4696 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4448 -
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:3532 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe57⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe58⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe59⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe62⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4952 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4644 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe66⤵
- Drops file in System32 directory
PID:4592 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3620 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1180 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe70⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe71⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4876 -
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe75⤵
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe77⤵PID:2552
-
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe78⤵PID:1028
-
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:4468 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe80⤵
- System Location Discovery: System Language Discovery
PID:3824 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe82⤵PID:4076
-
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe84⤵PID:3168
-
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe85⤵PID:2908
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4144 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe87⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe88⤵
- System Location Discovery: System Language Discovery
PID:3264 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe89⤵
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe90⤵PID:2040
-
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe91⤵PID:4836
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe92⤵PID:1612
-
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe93⤵
- System Location Discovery: System Language Discovery
PID:3872 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe95⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe96⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5320 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5388 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe100⤵
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5524 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5572 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe104⤵
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe105⤵
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe108⤵PID:5804
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe109⤵
- System Location Discovery: System Language Discovery
PID:5848 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5896 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe111⤵PID:5944
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe112⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5992 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe113⤵
- Modifies registry class
PID:6040 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe114⤵
- Drops file in System32 directory
PID:6088 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe119⤵
- Drops file in System32 directory
PID:5428 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5492 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5556
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-