Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 09:53
Static task: static1
Behavioral task: behavioral1
Sample: cb76826e94671d4b89043dcd5a2b2460N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: cb76826e94671d4b89043dcd5a2b2460N.exe
Resource: win10v2004-20240802-en
General
Target: cb76826e94671d4b89043dcd5a2b2460N.exe
Size: 91KB
MD5: cb76826e94671d4b89043dcd5a2b2460
SHA1: f8559dcb2e5f55cfb1f5951e5dce2b95ee8cd7a7
SHA256: 681d3a245a17970d4a8b9604b3965f6b6a50ee6d77863319a12f28948ad4e468
SHA512: 1ef5a69f669f5604d8d904972d7eb3f0169ca5effeab22ee8ea3c93b8aea00beb08004ba4acd505a63ce94f189a9395ee70fd9e638e2d3864dcace4922ec7f62
SSDEEP: 1536:Xuq7Y0cEq79fF3qxxBMDrAg3/Bk2VllLBsLnVLdGUHyNwtN4/nLLVaBlEaaaaaaa:XuKY0cEG9fF3qx3qBkCllLBsLnVUUHyM
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 756, pid_target: 5808, Process: WerFault.exe, procid_target: 866
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
level 1: C:\Users\Admin\AppData\Local\Temp\cb76826e94671d4b89043dcd5a2b2460N.exe (PID 4284), command line "C:\Users\Admin\AppData\Local\Temp\cb76826e94671d4b89043dcd5a2b2460N.exe"
- Suspicious use of WriteProcessMemory
level 2: C:\Windows\SysWOW64\Klbgdb32.exe (PID 4820), command line C:\Windows\system32\Klbgdb32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 3: C:\Windows\SysWOW64\Kdioep32.exe (PID 1448), command line C:\Windows\system32\Kdioep32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 4: C:\Windows\SysWOW64\Kifhnf32.exe (PID 2348), command line C:\Windows\system32\Kifhnf32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 5: C:\Windows\SysWOW64\Kbnlgled.exe (PID 4880), command line C:\Windows\system32\Kbnlgled.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 6: C:\Windows\SysWOW64\Kemhcgdg.exe (PID 4860), command line C:\Windows\system32\Kemhcgdg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 7: C:\Windows\SysWOW64\Lpbmpp32.exe (PID 1692), command line C:\Windows\system32\Lpbmpp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 8: C:\Windows\SysWOW64\Lflemjkj.exe (PID 3316), command line C:\Windows\system32\Lflemjkj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 9: C:\Windows\SysWOW64\Lpeifp32.exe (PID 1028), command line C:\Windows\system32\Lpeifp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 10: C:\Windows\SysWOW64\Lfoabjih.exe (PID 1620), command line C:\Windows\system32\Lfoabjih.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
level 11: C:\Windows\SysWOW64\Lmijod32.exe (PID 2840), command line C:\Windows\system32\Lmijod32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 12: C:\Windows\SysWOW64\Ldbbln32.exe (PID 2888), command line C:\Windows\system32\Ldbbln32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
level 13: C:\Windows\SysWOW64\Ledocfnp.exe (PID 4360), command line C:\Windows\system32\Ledocfnp.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
level 14: C:\Windows\SysWOW64\Liojde32.exe (PID 5024), command line C:\Windows\system32\Liojde32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 15: C:\Windows\SysWOW64\Lpicaome.exe (PID 4120), command line C:\Windows\system32\Lpicaome.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 16: C:\Windows\SysWOW64\Lefkiflm.exe (PID 768), command line C:\Windows\system32\Lefkiflm.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 17: C:\Windows\SysWOW64\Llpcfp32.exe (PID 1948), command line C:\Windows\system32\Llpcfp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 18: C:\Windows\SysWOW64\Lgfhcicp.exe (PID 5096), command line C:\Windows\system32\Lgfhcicp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 19: C:\Windows\SysWOW64\Lmpppc32.exe (PID 4616), command line C:\Windows\system32\Lmpppc32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
level 20: C:\Windows\SysWOW64\Mdjhlmai.exe (PID 1056), command line C:\Windows\system32\Mdjhlmai.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 21: C:\Windows\SysWOW64\Mghdiiam.exe (PID 2836), command line C:\Windows\system32\Mghdiiam.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 22: C:\Windows\SysWOW64\Mpqian32.exe (PID 2760), command line C:\Windows\system32\Mpqian32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
level 23: C:\Windows\SysWOW64\Mgjanh32.exe (PID 4040), command line C:\Windows\system32\Mgjanh32.exe
- Executes dropped EXE
level 24: C:\Windows\SysWOW64\Memajeee.exe (PID 4344), command line C:\Windows\system32\Memajeee.exe
- Executes dropped EXE
level 25: C:\Windows\SysWOW64\Miimjd32.exe (PID 4992), command line C:\Windows\system32\Miimjd32.exe
- Executes dropped EXE
- Modifies registry class
level 26: C:\Windows\SysWOW64\Mcabcido.exe (PID 4600), command line C:\Windows\system32\Mcabcido.exe
- Executes dropped EXE
level 27: C:\Windows\SysWOW64\Mikjpc32.exe (PID 4840), command line C:\Windows\system32\Mikjpc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 28: C:\Windows\SysWOW64\Mliflo32.exe (PID 1016), command line C:\Windows\system32\Mliflo32.exe
- Executes dropped EXE
level 29: C:\Windows\SysWOW64\Mccoiibl.exe (PID 3652), command line C:\Windows\system32\Mccoiibl.exe
- Executes dropped EXE
level 30: C:\Windows\SysWOW64\Mebked32.exe (PID 4440), command line C:\Windows\system32\Mebked32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 31: C:\Windows\SysWOW64\Mpgobm32.exe (PID 4776), command line C:\Windows\system32\Mpgobm32.exe
- Executes dropped EXE
level 32: C:\Windows\SysWOW64\Mgagogib.exe (PID 3224), command line C:\Windows\system32\Mgagogib.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
level 33: C:\Windows\SysWOW64\Nnkpla32.exe (PID 1660), command line C:\Windows\system32\Nnkpla32.exe
- Executes dropped EXE
level 34: C:\Windows\SysWOW64\Ndehhlgl.exe (PID 1036), command line C:\Windows\system32\Ndehhlgl.exe
- Executes dropped EXE
level 35: C:\Windows\SysWOW64\Ngdddg32.exe (PID 2680), command line C:\Windows\system32\Ngdddg32.exe
- Executes dropped EXE
- Drops file in System32 directory
level 36: C:\Windows\SysWOW64\Nibpqb32.exe (PID 5064), command line C:\Windows\system32\Nibpqb32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
level 37: C:\Windows\SysWOW64\Nplhmmmp.exe (PID 4924), command line C:\Windows\system32\Nplhmmmp.exe
- Executes dropped EXE
level 38: C:\Windows\SysWOW64\Ngfqjg32.exe (PID 2784), command line C:\Windows\system32\Ngfqjg32.exe
- Executes dropped EXE
level 39: C:\Windows\SysWOW64\Neiaeckg.exe (PID 1480), command line C:\Windows\system32\Neiaeckg.exe
- Executes dropped EXE
level 40: C:\Windows\SysWOW64\Nlcibn32.exe (PID 1744), command line C:\Windows\system32\Nlcibn32.exe
- Executes dropped EXE
level 41: C:\Windows\SysWOW64\Ncmaohja.exe (PID 3016), command line C:\Windows\system32\Ncmaohja.exe
- Executes dropped EXE
level 42: C:\Windows\SysWOW64\Nghmpf32.exe (PID 3096), command line C:\Windows\system32\Nghmpf32.exe
- Executes dropped EXE
level 43: C:\Windows\SysWOW64\Njgjlban.exe (PID 1432), command line C:\Windows\system32\Njgjlban.exe
- Executes dropped EXE
- Drops file in System32 directory
level 44: C:\Windows\SysWOW64\Nlefhmaa.exe (PID 232), command line C:\Windows\system32\Nlefhmaa.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 45: C:\Windows\SysWOW64\Ncondg32.exe (PID 3868), command line C:\Windows\system32\Ncondg32.exe
- Executes dropped EXE
level 46: C:\Windows\SysWOW64\Ngkjefqh.exe (PID 664), command line C:\Windows\system32\Ngkjefqh.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
level 47: C:\Windows\SysWOW64\Nnebap32.exe (PID 4968), command line C:\Windows\system32\Nnebap32.exe
- Executes dropped EXE
level 48: C:\Windows\SysWOW64\Ncakjg32.exe (PID 3608), command line C:\Windows\system32\Ncakjg32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
level 49: C:\Windows\SysWOW64\Ojlcgani.exe (PID 3660), command line C:\Windows\system32\Ojlcgani.exe
- Executes dropped EXE
level 50: C:\Windows\SysWOW64\Opekckee.exe (PID 4856), command line C:\Windows\system32\Opekckee.exe
- Executes dropped EXE
level 51: C:\Windows\SysWOW64\Ojnpla32.exe (PID 3416), command line C:\Windows\system32\Ojnpla32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
level 52: C:\Windows\SysWOW64\Olllhl32.exe (PID 3632), command line C:\Windows\system32\Olllhl32.exe
- Executes dropped EXE
level 53: C:\Windows\SysWOW64\Ocfdefbf.exe (PID 1844), command line C:\Windows\system32\Ocfdefbf.exe
- Executes dropped EXE
level 54: C:\Windows\SysWOW64\Ojplbq32.exe (PID 1436), command line C:\Windows\system32\Ojplbq32.exe
- Executes dropped EXE
level 55: C:\Windows\SysWOW64\Oqjeok32.exe (PID 3024), command line C:\Windows\system32\Oqjeok32.exe
- Executes dropped EXE
level 56: C:\Windows\SysWOW64\Odfqoiii.exe (PID 4604), command line C:\Windows\system32\Odfqoiii.exe
- Executes dropped EXE
- Drops file in System32 directory
level 57: C:\Windows\SysWOW64\Ojbigpgq.exe (PID 3872), command line C:\Windows\system32\Ojbigpgq.exe
- Executes dropped EXE
- Drops file in System32 directory
level 58: C:\Windows\SysWOW64\Oqmadj32.exe (PID 2960), command line C:\Windows\system32\Oqmadj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 59: C:\Windows\SysWOW64\Ocknpf32.exe (PID 2928), command line C:\Windows\system32\Ocknpf32.exe
- Executes dropped EXE
level 60: C:\Windows\SysWOW64\Ofijla32.exe (PID 2956), command line C:\Windows\system32\Ofijla32.exe
- Executes dropped EXE
level 61: C:\Windows\SysWOW64\Omcbikda.exe (PID 3740), command line C:\Windows\system32\Omcbikda.exe
- Executes dropped EXE
level 62: C:\Windows\SysWOW64\Odjjjh32.exe (PID 1688), command line C:\Windows\system32\Odjjjh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
level 63: C:\Windows\SysWOW64\Ogiffd32.exe (PID 4368), command line C:\Windows\system32\Ogiffd32.exe
- Executes dropped EXE
level 64: C:\Windows\SysWOW64\Pncocnld.exe (PID 4864), command line C:\Windows\system32\Pncocnld.exe
- Executes dropped EXE
level 65: C:\Windows\SysWOW64\Pdmgph32.exe (PID 2536), command line C:\Windows\system32\Pdmgph32.exe
- Executes dropped EXE
level 66: C:\Windows\SysWOW64\Pgkclc32.exe (PID 4564), command line C:\Windows\system32\Pgkclc32.exe
- System Location Discovery: System Language Discovery
level 67: C:\Windows\SysWOW64\Pjjoho32.exe (PID 1824), command line C:\Windows\system32\Pjjoho32.exe
level 68: C:\Windows\SysWOW64\Pqcgeiie.exe (PID 1652), command line C:\Windows\system32\Pqcgeiie.exe
- System Location Discovery: System Language Discovery
level 69: C:\Windows\SysWOW64\Pgnpacpb.exe (PID 1632), command line C:\Windows\system32\Pgnpacpb.exe
level 70: C:\Windows\SysWOW64\Pjllnopf.exe (PID 3712), command line C:\Windows\system32\Pjllnopf.exe
level 71: C:\Windows\SysWOW64\Pmjhjjoj.exe (PID 5136), command line C:\Windows\system32\Pmjhjjoj.exe
level 72: C:\Windows\SysWOW64\Pcdqfd32.exe (PID 5184), command line C:\Windows\system32\Pcdqfd32.exe
level 73: C:\Windows\SysWOW64\Pfbmbp32.exe (PID 5224), command line C:\Windows\system32\Pfbmbp32.exe
level 74: C:\Windows\SysWOW64\Pmmeojmg.exe (PID 5264), command line C:\Windows\system32\Pmmeojmg.exe
- Drops file in System32 directory
level 75: C:\Windows\SysWOW64\Pddmqgmi.exe (PID 5304), command line C:\Windows\system32\Pddmqgmi.exe
level 76: C:\Windows\SysWOW64\Pfeihpcg.exe (PID 5344), command line C:\Windows\system32\Pfeihpcg.exe
- System Location Discovery: System Language Discovery
level 77: C:\Windows\SysWOW64\Pnlaimcj.exe (PID 5384), command line C:\Windows\system32\Pnlaimcj.exe
level 78: C:\Windows\SysWOW64\Pqknehcn.exe (PID 5424), command line C:\Windows\system32\Pqknehcn.exe
level 79: C:\Windows\SysWOW64\Qgdfbb32.exe (PID 5464), command line C:\Windows\system32\Qgdfbb32.exe
level 80: C:\Windows\SysWOW64\Qfgfnoae.exe (PID 5504), command line C:\Windows\system32\Qfgfnoae.exe
- Adds autorun key to be loaded by Explorer.exe on startup
level 81: C:\Windows\SysWOW64\Qnonolag.exe (PID 5544), command line C:\Windows\system32\Qnonolag.exe
- Modifies registry class
level 82: C:\Windows\SysWOW64\Qjeodmgk.exe (PID 5588), command line C:\Windows\system32\Qjeodmgk.exe
- Modifies registry class
level 83: C:\Windows\SysWOW64\Qmckpifo.exe (PID 5632), command line C:\Windows\system32\Qmckpifo.exe
level 84: C:\Windows\SysWOW64\Amfhehdl.exe (PID 5676), command line C:\Windows\system32\Amfhehdl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
level 85: C:\Windows\SysWOW64\Acppbb32.exe (PID 5716), command line C:\Windows\system32\Acppbb32.exe
level 86: C:\Windows\SysWOW64\Acbmhbjf.exe (PID 5764), command line C:\Windows\system32\Acbmhbjf.exe
level 87: C:\Windows\SysWOW64\Afcfimgg.exe (PID 5808), command line C:\Windows\system32\Afcfimgg.exe
- Modifies registry class
level 88: C:\Windows\SysWOW64\Ajanplmn.exe (PID 5852), command line C:\Windows\system32\Ajanplmn.exe
level 89: C:\Windows\SysWOW64\Amoklgla.exe (PID 5896), command line C:\Windows\system32\Amoklgla.exe
level 90: C:\Windows\SysWOW64\Aefbmdmd.exe (PID 5940), command line C:\Windows\system32\Aefbmdmd.exe
level 91: C:\Windows\SysWOW64\Bnogfj32.exe (PID 5984), command line C:\Windows\system32\Bnogfj32.exe
level 92: C:\Windows\SysWOW64\Bgglop32.exe (PID 6028), command line C:\Windows\system32\Bgglop32.exe
level 93: C:\Windows\SysWOW64\Bfjljlap.exe (PID 6072), command line C:\Windows\system32\Bfjljlap.exe
level 94: C:\Windows\SysWOW64\Beklhd32.exe (PID 6112), command line C:\Windows\system32\Beklhd32.exe
level 95: C:\Windows\SysWOW64\Bgjhdo32.exe (PID 5132), command line C:\Windows\system32\Bgjhdo32.exe
level 96: C:\Windows\SysWOW64\Babmme32.exe (PID 5212), command line C:\Windows\system32\Babmme32.exe
level 97: C:\Windows\SysWOW64\Bjjafjec.exe (PID 5272), command line C:\Windows\system32\Bjjafjec.exe
- Drops file in System32 directory
level 98: C:\Windows\SysWOW64\Badibd32.exe (PID 5352), command line C:\Windows\system32\Badibd32.exe
level 99: C:\Windows\SysWOW64\Bfabkk32.exe (PID 5416), command line C:\Windows\system32\Bfabkk32.exe
level 100: C:\Windows\SysWOW64\Bmkjgebd.exe (PID 5488), command line C:\Windows\system32\Bmkjgebd.exe
level 101: C:\Windows\SysWOW64\Ccebdpia.exe (PID 5560), command line C:\Windows\system32\Ccebdpia.exe
level 102: C:\Windows\SysWOW64\Cjokaj32.exe (PID 5628), command line C:\Windows\system32\Cjokaj32.exe
level 103: C:\Windows\SysWOW64\Caicndhk.exe (PID 5700), command line C:\Windows\system32\Caicndhk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
level 104: C:\Windows\SysWOW64\Chckjn32.exe (PID 5772), command line C:\Windows\system32\Chckjn32.exe
level 105: C:\Windows\SysWOW64\Cjagfi32.exe (PID 5848), command line C:\Windows\system32\Cjagfi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
level 106: C:\Windows\SysWOW64\Cmpcbe32.exe (PID 5936), command line C:\Windows\system32\Cmpcbe32.exe
- System Location Discovery: System Language Discovery
level 107: C:\Windows\SysWOW64\Cakpccfh.exe (PID 5980), command line C:\Windows\system32\Cakpccfh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
level 108: C:\Windows\SysWOW64\Cdjlooel.exe (PID 6108), command line C:\Windows\system32\Cdjlooel.exe
- System Location Discovery: System Language Discovery
level 109: C:\Windows\SysWOW64\Chehpnne.exe (PID 5168), command line C:\Windows\system32\Chehpnne.exe
- Modifies registry class
level 110: C:\Windows\SysWOW64\Cjddlimi.exe (PID 5248), command line C:\Windows\system32\Cjddlimi.exe
level 111: C:\Windows\SysWOW64\Cnopmh32.exe (PID 5368), command line C:\Windows\system32\Cnopmh32.exe
level 112: C:\Windows\SysWOW64\Ceihibmo.exe (PID 5452), command line C:\Windows\system32\Ceihibmo.exe
level 113: C:\Windows\SysWOW64\Cfjeaj32.exe (PID 5572), command line C:\Windows\system32\Cfjeaj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
level 114: C:\Windows\SysWOW64\Cfmafjqj.exe (PID 5684), command line C:\Windows\system32\Cfmafjqj.exe
level 115: C:\Windows\SysWOW64\Cmgjcd32.exe (PID 2768), command line C:\Windows\system32\Cmgjcd32.exe
level 116: C:\Windows\SysWOW64\Djkjmh32.exe (PID 5784), command line C:\Windows\system32\Djkjmh32.exe
level 117: C:\Windows\SysWOW64\Dfakaile.exe (PID 2284), command line C:\Windows\system32\Dfakaile.exe
level 118: C:\Windows\SysWOW64\Djmgbhen.exe (PID 5976), command line C:\Windows\system32\Djmgbhen.exe
level 119: C:\Windows\SysWOW64\Dagoob32.exe (PID 6124), command line C:\Windows\system32\Dagoob32.exe
- Drops file in System32 directory
level 120: C:\Windows\SysWOW64\Dkpchgck.exe (PID 5260), command line C:\Windows\system32\Dkpchgck.exe
level 121: C:\Windows\SysWOW64\Ddhhqm32.exe (PID 5472), command line C:\Windows\system32\Ddhhqm32.exe
- Modifies registry class
level 122: C:\Windows\SysWOW64\Dffdmh32.exe (PID 5604), command line C:\Windows\system32\Dffdmh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup