Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/09/2024, 18:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d49ca848d9b97856889dae18b8845090N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d49ca848d9b97856889dae18b8845090N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d49ca848d9b97856889dae18b8845090N.exe
-
Size
187KB
-
MD5
d49ca848d9b97856889dae18b8845090
-
SHA1
5011f8732df0655990cb3997f9c511613f421b15
-
SHA256
3ad343ca7b1fb59dfffb2ea18d1747661b2e79dbe86b7292f4674b86a8d9a564
-
SHA512
a4346d889503bde8db09312d3c16c5ad3f9c8dae76159fb23b3bce2e33ef7c5873e14a13d4d76b26586e373ff05672b15583f64d22dd242c10f25c94cb8b1cf3
-
SSDEEP
3072:ZQoSvy7rLNy2znqgWoejZl2NkzwH5GJks8WYlOWe7VsayDZVZev1N:2xvy7VymnqgWj99zwZ9s8SZq/svL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hclccd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhppik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abpmpkoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gheodg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahinbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dalkek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmnpfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclccd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdbmfhbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihngboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opopdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnjgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbnmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Didqkeeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcbgfhii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidbgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlcmdbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iapbodql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mboqnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkonbamc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjoeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfljnejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoladdeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njmopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpgbgpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnabladg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eojeodga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcknee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjamhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklciimh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpbaga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejglcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelhcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjcdih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjnndime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhddgofo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjcmpepm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjcbljf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbbhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfonnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebbmpmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpoiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iglhob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbieebha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfnpca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhpdkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhmqlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmebblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Defajqko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jonlimkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnoip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdppaidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpglmjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdffah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpklp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgbgpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmnpfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gklnem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbcjimda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Limpiomm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mapgfk32.exe -
Executes dropped EXE 64 IoCs
pid Process 3260 Clgmkbna.exe 664 Cfmahknh.exe 2352 Cepadh32.exe 3140 Dfonnk32.exe 5112 Dmifkecb.exe 4368 Dpgbgpbe.exe 2088 Dedkogqm.exe 3180 Dmkcpdao.exe 2376 Dbhlikpf.exe 2104 Dmnpfd32.exe 2060 Dpllbp32.exe 1348 Didqkeeq.exe 1072 Dpoiho32.exe 1820 Digmqe32.exe 4656 Edlann32.exe 2480 Egknji32.exe 1972 Elhfbp32.exe 4152 Eepkkefp.exe 2004 Edakimoo.exe 4740 Eebgqe32.exe 2536 Ephlnn32.exe 4420 Ecfhji32.exe 3780 Eeddfe32.exe 2776 Enllgbcl.exe 860 Fnnimbaj.exe 3172 Fckaeioa.exe 2884 Fnqebaog.exe 3788 Fcmnkh32.exe 2040 Fncbha32.exe 3952 Fgkfqgce.exe 3332 Fpckjlje.exe 4624 Fcbgfhii.exe 1988 Fpfholhc.exe 2028 Ffcpgcfj.exe 888 Glmhdm32.exe 1604 Gddqejni.exe 3184 Ggbmafnm.exe 3596 Gnlenp32.exe 4408 Ggdigekj.exe 3608 Glabolja.exe 2056 Gckjlf32.exe 3620 Gjebiq32.exe 1092 Gqokekph.exe 3108 Ggicbe32.exe 3068 Gmfkjl32.exe 1016 Gcpcgfmi.exe 2240 Hfnpca32.exe 1728 Hdppaidl.exe 1592 Hgnlmdcp.exe 5000 Hmkeekag.exe 2680 Hdbmfhbi.exe 4648 Hjoeoo32.exe 828 Hmmakk32.exe 116 Hcgjhega.exe 4444 Hjabdo32.exe 2872 Hdffah32.exe 4124 Hcifmdeo.exe 2308 Hfhbipdb.exe 2968 Hmbkfjko.exe 4556 Hclccd32.exe 3352 Iggocbke.exe 3988 Inagpm32.exe 1824 Idkpmgjo.exe 652 Ifmldo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Okneldkf.exe Oafacn32.exe File created C:\Windows\SysWOW64\Bgokdomj.exe Bfnnmg32.exe File created C:\Windows\SysWOW64\Ejfcjp32.dll Defajqko.exe File created C:\Windows\SysWOW64\Kelpjn32.dll Gjebiq32.exe File created C:\Windows\SysWOW64\Cjbnqa32.dll Pjlnhi32.exe File created C:\Windows\SysWOW64\Dchknl32.dll Fkehdnee.exe File created C:\Windows\SysWOW64\Mfbgapco.dll Ghgeoq32.exe File created C:\Windows\SysWOW64\Nnnodhei.dll Ijlkfg32.exe File created C:\Windows\SysWOW64\Glmhdm32.exe Ffcpgcfj.exe File created C:\Windows\SysWOW64\Kdbbihid.dll Gqokekph.exe File opened for modification C:\Windows\SysWOW64\Ijonfmbn.exe Iebfmfdg.exe File created C:\Windows\SysWOW64\Afnefieo.exe Akhaipei.exe File opened for modification C:\Windows\SysWOW64\Bejhhd32.exe Bbklli32.exe File created C:\Windows\SysWOW64\Laiiombp.dll Dpoiho32.exe File opened for modification C:\Windows\SysWOW64\Fnnimbaj.exe Enllgbcl.exe File created C:\Windows\SysWOW64\Qhekaejj.exe Pgeogb32.exe File opened for modification C:\Windows\SysWOW64\Iabodcnj.exe Iocchhof.exe File created C:\Windows\SysWOW64\Ncbfcp32.exe Mimbfg32.exe File created C:\Windows\SysWOW64\Mhdpjm32.dll Jndmlj32.exe File created C:\Windows\SysWOW64\Oafacn32.exe Oogdfc32.exe File created C:\Windows\SysWOW64\Akghjq32.dll Aohfdnil.exe File created C:\Windows\SysWOW64\Jhhgefed.dll Dalkek32.exe File opened for modification C:\Windows\SysWOW64\Lobhqdec.exe Ljephmgl.exe File created C:\Windows\SysWOW64\Dnkbcp32.exe Dgaiffii.exe File created C:\Windows\SysWOW64\Jhqqlmba.exe Jbghpc32.exe File created C:\Windows\SysWOW64\Lijlii32.exe Lflpmn32.exe File created C:\Windows\SysWOW64\Lokldg32.exe Lechkaga.exe File opened for modification C:\Windows\SysWOW64\Pfbfjk32.exe Pnknim32.exe File created C:\Windows\SysWOW64\Eodeek32.dll Fgmllpng.exe File created C:\Windows\SysWOW64\Nhfoocaa.exe Nalgbi32.exe File created C:\Windows\SysWOW64\Qcoaqo32.dll Bjkcqdje.exe File created C:\Windows\SysWOW64\Bkpjjj32.dll d49ca848d9b97856889dae18b8845090N.exe File opened for modification C:\Windows\SysWOW64\Dhmgfm32.exe Dijgjpip.exe File created C:\Windows\SysWOW64\Kjamhd32.exe Kaihonhl.exe File created C:\Windows\SysWOW64\Edgccoai.dll Jloibkhh.exe File created C:\Windows\SysWOW64\Midfjnge.exe Mjafoapj.exe File created C:\Windows\SysWOW64\Kohcfcqo.dll Phpklp32.exe File created C:\Windows\SysWOW64\Jkomhhae.exe Jhqqlmba.exe File created C:\Windows\SysWOW64\Akaaggld.dll Dpllbp32.exe File created C:\Windows\SysWOW64\Okneldkf.exe Oafacn32.exe File created C:\Windows\SysWOW64\Nmlafe32.dll Chinkndp.exe File created C:\Windows\SysWOW64\Hhobjf32.exe Hgmebnpd.exe File created C:\Windows\SysWOW64\Lpelqj32.exe Likcdpop.exe File created C:\Windows\SysWOW64\Fnghjd32.dll Mmfaafej.exe File opened for modification C:\Windows\SysWOW64\Nleaha32.exe Nfhipj32.exe File opened for modification C:\Windows\SysWOW64\Dbhlikpf.exe Dmkcpdao.exe File created C:\Windows\SysWOW64\Gpmpcc32.dll Cbnbhfde.exe File created C:\Windows\SysWOW64\Jdlbgl32.dll Hjieii32.exe File created C:\Windows\SysWOW64\Neknbkci.dll Dioiki32.exe File created C:\Windows\SysWOW64\Mimbfg32.exe Mbcjimda.exe File created C:\Windows\SysWOW64\Kconbh32.dll Kaflio32.exe File created C:\Windows\SysWOW64\Modkhnci.dll Mapgfk32.exe File opened for modification C:\Windows\SysWOW64\Aklciimh.exe Adbkmo32.exe File created C:\Windows\SysWOW64\Kjfmminc.exe Kfkamk32.exe File created C:\Windows\SysWOW64\Emjfif32.dll Cbihmg32.exe File created C:\Windows\SysWOW64\Lcpkmaqn.dll Eojeodga.exe File created C:\Windows\SysWOW64\Pbhmepaa.dll Hpaqqdjj.exe File opened for modification C:\Windows\SysWOW64\Jihngboe.exe Jckeokan.exe File created C:\Windows\SysWOW64\Ddmlgm32.dll Bjcmpepm.exe File created C:\Windows\SysWOW64\Qhdpkoii.dll Gklnem32.exe File opened for modification C:\Windows\SysWOW64\Gaoihfoo.exe Goamlkpk.exe File created C:\Windows\SysWOW64\Mjehok32.exe Mboqnm32.exe File opened for modification C:\Windows\SysWOW64\Chinkndp.exe Cblebgfh.exe File opened for modification C:\Windows\SysWOW64\Hjoeoo32.exe Hdbmfhbi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12180 12048 WerFault.exe 591 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnimbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdppaidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddokabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgaiffii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljoiibbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hccomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieiajckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabodcnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplkhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odaiodbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eliecc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egknji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnpca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfidgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgeogb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppbejka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobhqdec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmjinjnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mboqnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflidl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgjhega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ignnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefedcmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedkogqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbglgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhgcbfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mapgfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncanhaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmmpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedohfmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijlii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcgfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbbak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jicdlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpbaga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjgog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbphcpog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijonfmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfemdcba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoladdeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbkoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmnpfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdffah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcikfcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaefne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhlgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nleaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diopep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfhji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfgloiqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phiekaql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfeoijbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknghk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dioiki32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlnkgbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nglcjfie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abpmpkoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfgloiqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmepf32.dll" Ieiajckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcknee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjcol32.dll" Lijlii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ehpmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hqjcgbbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcnkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lijlii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmidfo32.dll" Fgkfqgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfemoei.dll" Elilmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pddokabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkodak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qpmmfbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Deqqek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgmhaapa.dll" Fncbha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcijglg.dll" Jgekdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkofokch.dll" Kjfmminc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiljbjbl.dll" Hjnndime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kppbejka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npcaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgonpaol.dll" Iheaqolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mflidl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID d49ca848d9b97856889dae18b8845090N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefpidln.dll" Nmlhaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fifomlap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifleji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjoiniq.dll" Onngci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajmgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paocim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmamn32.dll" Bgfhnpde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bejhhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebbmpmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ihjjln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdofh32.dll" Pohnnqgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elnehifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfppjh.dll" Feifgnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Econlc32.dll" Fpcdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljeeki32.dll" Nkboeobh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajfpi32.dll" Bqbohocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbinlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hchihhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclpgc32.dll" Fckaeioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgkfqgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkmohka.dll" Lajhpbme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmlhaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkonbamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neknbkci.dll" Dioiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnkbcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elaobdmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glabolja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnammclg.dll" Ifmldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npoehn32.dll" Lmgfod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnknim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogmiepcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbiabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchknl32.dll" Fkehdnee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfdfhe32.dll" Kmaooihb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jclljaei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqbgcd32.dll" Gipbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaaljg32.dll" Jfgnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbogaaom.dll" Mdodbf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4832 wrote to memory of 3260 4832 d49ca848d9b97856889dae18b8845090N.exe 90 PID 4832 wrote to memory of 3260 4832 d49ca848d9b97856889dae18b8845090N.exe 90 PID 4832 wrote to memory of 3260 4832 d49ca848d9b97856889dae18b8845090N.exe 90 PID 3260 wrote to memory of 664 3260 Clgmkbna.exe 91 PID 3260 wrote to memory of 664 3260 Clgmkbna.exe 91 PID 3260 wrote to memory of 664 3260 Clgmkbna.exe 91 PID 664 wrote to memory of 2352 664 Cfmahknh.exe 92 PID 664 wrote to memory of 2352 664 Cfmahknh.exe 92 PID 664 wrote to memory of 2352 664 Cfmahknh.exe 92 PID 2352 wrote to memory of 3140 2352 Cepadh32.exe 93 PID 2352 wrote to memory of 3140 2352 Cepadh32.exe 93 PID 2352 wrote to memory of 3140 2352 Cepadh32.exe 93 PID 3140 wrote to memory of 5112 3140 Dfonnk32.exe 94 PID 3140 wrote to memory of 5112 3140 Dfonnk32.exe 94 PID 3140 wrote to memory of 5112 3140 Dfonnk32.exe 94 PID 5112 wrote to memory of 4368 5112 Dmifkecb.exe 95 PID 5112 wrote to memory of 4368 5112 Dmifkecb.exe 95 PID 5112 wrote to memory of 4368 5112 Dmifkecb.exe 95 PID 4368 wrote to memory of 2088 4368 Dpgbgpbe.exe 97 PID 4368 wrote to memory of 2088 4368 Dpgbgpbe.exe 97 PID 4368 wrote to memory of 2088 4368 Dpgbgpbe.exe 97 PID 2088 wrote to memory of 3180 2088 Dedkogqm.exe 98 PID 2088 wrote to memory of 3180 2088 Dedkogqm.exe 98 PID 2088 wrote to memory of 3180 2088 Dedkogqm.exe 98 PID 3180 wrote to memory of 2376 3180 Dmkcpdao.exe 99 PID 3180 wrote to memory of 2376 3180 Dmkcpdao.exe 99 PID 3180 wrote to memory of 2376 3180 Dmkcpdao.exe 99 PID 2376 wrote to memory of 2104 2376 Dbhlikpf.exe 100 PID 2376 wrote to memory of 2104 2376 Dbhlikpf.exe 100 PID 2376 wrote to memory of 2104 2376 Dbhlikpf.exe 100 PID 2104 wrote to memory of 2060 2104 Dmnpfd32.exe 101 PID 2104 wrote to memory of 2060 2104 Dmnpfd32.exe 101 PID 2104 wrote to memory of 2060 2104 Dmnpfd32.exe 101 PID 2060 wrote to memory of 1348 2060 Dpllbp32.exe 103 PID 2060 wrote to memory of 1348 2060 Dpllbp32.exe 103 PID 2060 wrote to memory of 1348 2060 Dpllbp32.exe 103 PID 1348 wrote to memory of 1072 1348 Didqkeeq.exe 104 PID 1348 wrote to memory of 1072 1348 Didqkeeq.exe 104 PID 1348 wrote to memory of 1072 1348 Didqkeeq.exe 104 PID 1072 wrote to memory of 1820 1072 Dpoiho32.exe 105 PID 1072 wrote to memory of 1820 1072 Dpoiho32.exe 105 PID 1072 wrote to memory of 1820 1072 Dpoiho32.exe 105 PID 1820 wrote to memory of 4656 1820 Digmqe32.exe 106 PID 1820 wrote to memory of 4656 1820 Digmqe32.exe 106 PID 1820 wrote to memory of 4656 1820 Digmqe32.exe 106 PID 4656 wrote to memory of 2480 4656 Edlann32.exe 107 PID 4656 wrote to memory of 2480 4656 Edlann32.exe 107 PID 4656 wrote to memory of 2480 4656 Edlann32.exe 107 PID 2480 wrote to memory of 1972 2480 Egknji32.exe 109 PID 2480 wrote to memory of 1972 2480 Egknji32.exe 109 PID 2480 wrote to memory of 1972 2480 Egknji32.exe 109 PID 1972 wrote to memory of 4152 1972 Elhfbp32.exe 110 PID 1972 wrote to memory of 4152 1972 Elhfbp32.exe 110 PID 1972 wrote to memory of 4152 1972 Elhfbp32.exe 110 PID 4152 wrote to memory of 2004 4152 Eepkkefp.exe 111 PID 4152 wrote to memory of 2004 4152 Eepkkefp.exe 111 PID 4152 wrote to memory of 2004 4152 Eepkkefp.exe 111 PID 2004 wrote to memory of 4740 2004 Edakimoo.exe 112 PID 2004 wrote to memory of 4740 2004 Edakimoo.exe 112 PID 2004 wrote to memory of 4740 2004 Edakimoo.exe 112 PID 4740 wrote to memory of 2536 4740 Eebgqe32.exe 113 PID 4740 wrote to memory of 2536 4740 Eebgqe32.exe 113 PID 4740 wrote to memory of 2536 4740 Eebgqe32.exe 113 PID 2536 wrote to memory of 4420 2536 Ephlnn32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\d49ca848d9b97856889dae18b8845090N.exe"C:\Users\Admin\AppData\Local\Temp\d49ca848d9b97856889dae18b8845090N.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Dmkcpdao.exeC:\Windows\system32\Dmkcpdao.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Dmnpfd32.exeC:\Windows\system32\Dmnpfd32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Edlann32.exeC:\Windows\system32\Edlann32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Egknji32.exeC:\Windows\system32\Egknji32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Windows\SysWOW64\Eeddfe32.exeC:\Windows\system32\Eeddfe32.exe24⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\Fckaeioa.exeC:\Windows\system32\Fckaeioa.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3172 -
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe28⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe29⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Fncbha32.exeC:\Windows\system32\Fncbha32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe32⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe34⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe36⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Gddqejni.exeC:\Windows\system32\Gddqejni.exe37⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe38⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe39⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Ggdigekj.exeC:\Windows\system32\Ggdigekj.exe40⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Gckjlf32.exeC:\Windows\system32\Gckjlf32.exe42⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe46⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Gcpcgfmi.exeC:\Windows\system32\Gcpcgfmi.exe47⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Hfnpca32.exeC:\Windows\system32\Hfnpca32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe50⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe51⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Hdbmfhbi.exeC:\Windows\system32\Hdbmfhbi.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Hcgjhega.exeC:\Windows\system32\Hcgjhega.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:116 -
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe56⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Hcifmdeo.exeC:\Windows\system32\Hcifmdeo.exe58⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Hfhbipdb.exeC:\Windows\system32\Hfhbipdb.exe59⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe60⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Iggocbke.exeC:\Windows\system32\Iggocbke.exe62⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe63⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Idkpmgjo.exeC:\Windows\system32\Idkpmgjo.exe64⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ifmldo32.exeC:\Windows\system32\Ifmldo32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Imfdaigj.exeC:\Windows\system32\Imfdaigj.exe66⤵PID:3424
-
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe68⤵PID:228
-
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe69⤵PID:4528
-
C:\Windows\SysWOW64\Inhmqlmj.exeC:\Windows\system32\Inhmqlmj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe71⤵
- Drops file in System32 directory
PID:5168 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe72⤵
- System Location Discovery: System Language Discovery
PID:5208 -
C:\Windows\SysWOW64\Iedbcebd.exeC:\Windows\system32\Iedbcebd.exe73⤵PID:5248
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe74⤵PID:5288
-
C:\Windows\SysWOW64\Jjakkmpk.exeC:\Windows\system32\Jjakkmpk.exe75⤵PID:5328
-
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe76⤵PID:5368
-
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe77⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Jnocakfb.exeC:\Windows\system32\Jnocakfb.exe78⤵PID:5448
-
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe79⤵
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe80⤵PID:5528
-
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5568 -
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe82⤵
- Drops file in System32 directory
PID:5612 -
C:\Windows\SysWOW64\Jfoaam32.exeC:\Windows\system32\Jfoaam32.exe83⤵PID:5656
-
C:\Windows\SysWOW64\Jaefne32.exeC:\Windows\system32\Jaefne32.exe84⤵
- System Location Discovery: System Language Discovery
PID:5696 -
C:\Windows\SysWOW64\Knifging.exeC:\Windows\system32\Knifging.exe85⤵PID:5740
-
C:\Windows\SysWOW64\Khakqo32.exeC:\Windows\system32\Khakqo32.exe86⤵PID:5784
-
C:\Windows\SysWOW64\Kfdklllb.exeC:\Windows\system32\Kfdklllb.exe87⤵PID:5828
-
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe88⤵
- System Location Discovery: System Language Discovery
PID:5872 -
C:\Windows\SysWOW64\Knmpbi32.exeC:\Windows\system32\Knmpbi32.exe89⤵PID:5916
-
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe90⤵PID:5960
-
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe91⤵
- System Location Discovery: System Language Discovery
PID:6004 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe92⤵PID:6056
-
C:\Windows\SysWOW64\Kdmeqo32.exeC:\Windows\system32\Kdmeqo32.exe93⤵PID:6128
-
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe94⤵
- Drops file in System32 directory
PID:5160 -
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe95⤵
- Modifies registry class
PID:5232 -
C:\Windows\SysWOW64\Kaqejcep.exeC:\Windows\system32\Kaqejcep.exe96⤵PID:5300
-
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe97⤵PID:5352
-
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe98⤵PID:5456
-
C:\Windows\SysWOW64\Lmgfod32.exeC:\Windows\system32\Lmgfod32.exe99⤵
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Lhmjlm32.exeC:\Windows\system32\Lhmjlm32.exe100⤵PID:5580
-
C:\Windows\SysWOW64\Lhogamih.exeC:\Windows\system32\Lhogamih.exe101⤵PID:5664
-
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe102⤵
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe103⤵PID:5816
-
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe104⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Lhdqml32.exeC:\Windows\system32\Lhdqml32.exe105⤵PID:5936
-
C:\Windows\SysWOW64\Mginniij.exeC:\Windows\system32\Mginniij.exe106⤵PID:6000
-
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe107⤵PID:6108
-
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe108⤵PID:5152
-
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe109⤵PID:5284
-
C:\Windows\SysWOW64\Mdokmm32.exeC:\Windows\system32\Mdokmm32.exe110⤵PID:2436
-
C:\Windows\SysWOW64\Mgngih32.exeC:\Windows\system32\Mgngih32.exe111⤵PID:1156
-
C:\Windows\SysWOW64\Mackfa32.exeC:\Windows\system32\Mackfa32.exe112⤵PID:3624
-
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe113⤵PID:5576
-
C:\Windows\SysWOW64\Mhppik32.exeC:\Windows\system32\Mhppik32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5712 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe115⤵
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe116⤵PID:5908
-
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6044 -
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe118⤵PID:5140
-
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe119⤵PID:5344
-
C:\Windows\SysWOW64\Nglcjfie.exeC:\Windows\system32\Nglcjfie.exe120⤵
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe121⤵PID:5588
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-