Analysis
-
max time kernel
131s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2024 23:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe
-
Size
94KB
-
MD5
1cf5421cc88ec3a18401fcf93c5160f2
-
SHA1
1be2fd80aa7b785799196258d6ee1141da9c8885
-
SHA256
75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607
-
SHA512
19058d66cec8693749a932d0c6013748eadd7a716c46e9f48d827d826bd5260b7da2f5accabb7296b9c40c4f4bd4080c63d2c6cad1a3df6072c960d744973bb5
-
SSDEEP
1536:/X4oPl0QHK/NaNU1PYj2LPnaIZTJ+7LhkiB0MPiKeEAgv:/o6lhHIceFPaMU7uihJ5v
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ononmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hohjgpmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckcap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfkamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdpmkhjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agobna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Didjqoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmikb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndinck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnkli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfkamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiilblom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqaiga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeogb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcelml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkpbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkjik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oediim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Didjqoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcdjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbknhqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbbhafj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpknplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgaelcgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeffgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmdlflki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmmpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahnhncc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkonbamc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnhjig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjcfgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmghklif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkcjjhgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbniai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflceb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpelqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cemndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhdmfljb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limpiomm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplaaiqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhnichde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnlpcel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgngih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhcdlgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnhacn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhckeeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meadlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbpdgap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nockkcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpomem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clpppmqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldjkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mklpof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpmpkoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flghognq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdlcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdbooik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcike32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjfoja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcbbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnoip32.exe -
Executes dropped EXE 64 IoCs
pid Process 1544 Kfkamk32.exe 2364 Kmeiie32.exe 1756 Lhjnfn32.exe 1904 Lfmnbjcg.exe 2088 Lacbpccn.exe 4112 Ljkghi32.exe 1432 Laeoec32.exe 856 Lfbgmj32.exe 6116 Laglkb32.exe 1444 Ldfhgn32.exe 1944 Lmnlpcel.exe 1980 Lfgahikm.exe 2420 Lmqiec32.exe 5132 Mdkabmjf.exe 5224 Mkdiog32.exe 3472 Mhhjhlqm.exe 5824 Maaoaa32.exe 2456 Mgngih32.exe 5748 Mackfa32.exe 4544 Meoggpmd.exe 1548 Mklpof32.exe 3940 Mmjlkb32.exe 3464 Meadlo32.exe 2772 Mgbpdgap.exe 820 Moiheebb.exe 3972 Nmlhaa32.exe 2796 Necqbo32.exe 3344 Nhbmnj32.exe 3016 Ngemjg32.exe 1004 Nolekd32.exe 1140 Nnoefagj.exe 3616 Nefmgogl.exe 5452 Ndinck32.exe 5732 Nggjog32.exe 4912 Nkbfpeec.exe 4740 Nnabladg.exe 4404 Namnmp32.exe 5064 Ndkjik32.exe 4576 Ngifef32.exe 3660 Nkebee32.exe 2484 Noqofdlj.exe 4548 Naokbokn.exe 1796 Nejgbn32.exe 2852 Nhicoi32.exe 5352 Nkgoke32.exe 4400 Nockkcjg.exe 6056 Naaghoik.exe 2572 Ndpcdjho.exe 4412 Nhkpdi32.exe 2996 Nkjlqd32.exe 4352 Noehac32.exe 1040 Onhhmpoo.exe 5920 Oacdmo32.exe 3528 Odbpij32.exe 5260 Ohnljine.exe 3276 Ogqmee32.exe 5156 Oklifdmi.exe 3680 Onjebpml.exe 2092 Oeamcmmo.exe 4532 Oddmoj32.exe 5336 Ohpiphlb.exe 1008 Ogcike32.exe 4592 Oojalb32.exe 4220 Onmahojj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnglpdin.dll Ahgamo32.exe File opened for modification C:\Windows\SysWOW64\Mdkabmjf.exe Lmqiec32.exe File created C:\Windows\SysWOW64\Nibaepqb.dll Onmahojj.exe File created C:\Windows\SysWOW64\Oggbfdog.exe Odifjipd.exe File opened for modification C:\Windows\SysWOW64\Hofmaq32.exe Hpcmfchg.exe File opened for modification C:\Windows\SysWOW64\Hcdfho32.exe Hohjgpmo.exe File created C:\Windows\SysWOW64\Nojgmmgl.dll Oknnanhj.exe File created C:\Windows\SysWOW64\Mmjlkb32.exe Mklpof32.exe File created C:\Windows\SysWOW64\Pbdgkjib.dll Pfmlok32.exe File created C:\Windows\SysWOW64\Ggoiap32.exe Fhnichde.exe File opened for modification C:\Windows\SysWOW64\Cejjdlap.exe Cbknhqbl.exe File opened for modification C:\Windows\SysWOW64\Cbnknpqj.exe Cnboma32.exe File created C:\Windows\SysWOW64\Onccdj32.dll Dajnol32.exe File created C:\Windows\SysWOW64\Nhkpdi32.exe Ndpcdjho.exe File created C:\Windows\SysWOW64\Gpdlfdin.dll Oeffnl32.exe File created C:\Windows\SysWOW64\Aohfdnil.exe Akmjdpac.exe File created C:\Windows\SysWOW64\Bkfmjnii.exe Bihancje.exe File created C:\Windows\SysWOW64\Nghhhc32.dll Flghognq.exe File created C:\Windows\SysWOW64\Oedeli32.dll Mjafoapj.exe File created C:\Windows\SysWOW64\Jeqgecof.dll Odifjipd.exe File created C:\Windows\SysWOW64\Mdodbf32.exe Mmdlflki.exe File opened for modification C:\Windows\SysWOW64\Oknnanhj.exe Ogbbqo32.exe File opened for modification C:\Windows\SysWOW64\Nnabladg.exe Nkbfpeec.exe File created C:\Windows\SysWOW64\Andqol32.exe Akfdcq32.exe File created C:\Windows\SysWOW64\Hgdlcm32.exe Homcbo32.exe File created C:\Windows\SysWOW64\Gonngd32.dll Mjfoja32.exe File created C:\Windows\SysWOW64\Mgngih32.exe Maaoaa32.exe File opened for modification C:\Windows\SysWOW64\Nmlhaa32.exe Moiheebb.exe File created C:\Windows\SysWOW64\Dpmihlcf.dll Bihancje.exe File opened for modification C:\Windows\SysWOW64\Decdeama.exe Dojlhg32.exe File opened for modification C:\Windows\SysWOW64\Dalkek32.exe Dnnoip32.exe File created C:\Windows\SysWOW64\Pdeffgff.exe Pbfjjlgc.exe File created C:\Windows\SysWOW64\Bejhhd32.exe Bnppkj32.exe File opened for modification C:\Windows\SysWOW64\Eifffoob.exe Eekjep32.exe File opened for modification C:\Windows\SysWOW64\Jflnafno.exe Jfjakgpa.exe File opened for modification C:\Windows\SysWOW64\Ogmiepcf.exe Npcaie32.exe File created C:\Windows\SysWOW64\Kaihqipl.dll Ogqmee32.exe File created C:\Windows\SysWOW64\Bbbada32.dll Pdbiphhi.exe File opened for modification C:\Windows\SysWOW64\Fpqgjf32.exe Fhiphi32.exe File created C:\Windows\SysWOW64\Cdnchk32.dll Homcbo32.exe File created C:\Windows\SysWOW64\Lfloio32.dll Oggllnkl.exe File created C:\Windows\SysWOW64\Nnabladg.exe Nkbfpeec.exe File opened for modification C:\Windows\SysWOW64\Pdeffgff.exe Pbfjjlgc.exe File created C:\Windows\SysWOW64\Mjoqjkkb.dll Bpfcelml.exe File created C:\Windows\SysWOW64\Cnlpgibd.exe Ciogobcm.exe File created C:\Windows\SysWOW64\Oaegbm32.dll Fibfbm32.exe File created C:\Windows\SysWOW64\Mmpbkm32.exe Mjafoapj.exe File created C:\Windows\SysWOW64\Ejqdci32.dll Oookgbpj.exe File opened for modification C:\Windows\SysWOW64\Adnilfnl.exe Abpmpkoh.exe File opened for modification C:\Windows\SysWOW64\Ggoiap32.exe Fhnichde.exe File created C:\Windows\SysWOW64\Kljhfc32.dll Hfpenj32.exe File created C:\Windows\SysWOW64\Fnknkkci.dll Ogbbqo32.exe File created C:\Windows\SysWOW64\Pdpmkhjl.exe Pfmlok32.exe File opened for modification C:\Windows\SysWOW64\Dbgdnelk.exe Dolinf32.exe File created C:\Windows\SysWOW64\Conpjg32.dll Gegchl32.exe File created C:\Windows\SysWOW64\Jcgldl32.exe Jokpcmmj.exe File created C:\Windows\SysWOW64\Cbiabq32.exe Cqiehnml.exe File created C:\Windows\SysWOW64\Miagbi32.dll Cejjdlap.exe File created C:\Windows\SysWOW64\Gcdnbiac.dll Okqbac32.exe File created C:\Windows\SysWOW64\Mcjkng32.dll Pgoigcip.exe File created C:\Windows\SysWOW64\Maghkogk.dll Qdipag32.exe File opened for modification C:\Windows\SysWOW64\Dpglmjoj.exe Dlkplk32.exe File created C:\Windows\SysWOW64\Meahle32.dll Epehnhbj.exe File created C:\Windows\SysWOW64\Limpiomm.exe Lcqgahoe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10884 10788 WerFault.exe 485 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmnlpcel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdlgmgdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbblhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbfiokn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eieplhlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaobdmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpppmqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbmfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noqofdlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjggede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfema32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohfdnil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdfho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifleji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophjdehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolinf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dehnpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldbbjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoekde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhjhlqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgngih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmahojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehdib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lacbpccn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhcdlgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdmdlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbiphhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaelcgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbifol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necqbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afnefieo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icpecm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laglkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldfhgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pklamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokcjngj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihheqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijngkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogqmee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glqkefff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnhacn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejjdlap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deejpjgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdipag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnllhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpkppbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbgmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbmpjkqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgfhnpde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfehpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldlhckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjgidfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laeoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjjpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnnoip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mackfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmlok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdmfljb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcdjc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbgdnelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcdfho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npjnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfmnbjcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijeme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ainnhdbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgokdomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahjag32.dll" Jfgefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpelqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfcmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ononmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qomghp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afpbkicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafhdj32.dll" Pdmikb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhehkepj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nalgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbiphhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lofllk32.dll" Aijeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehofco32.dll" Mgbpdgap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbeobhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpnngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkdccim.dll" Necqbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalpigkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmdccgi.dll" Djbbhafj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnoiqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djpfbahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deejpjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmaho32.dll" Nefmgogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgllad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjafoapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miipencp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjjjghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlbfmjqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifffoob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoekde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imneeb32.dll" Ljmmcbdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbfema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhaapee.dll" Ndkjik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popdldep.dll" Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfaenfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjebllk.dll" Cbnknpqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinndkag.dll" Dlnlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhemcq32.dll" Ehkcgkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Migcpneb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eieplhlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aokcjngj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnppkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnebmgjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npcaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjpai32.dll" Qgehml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbbkbbkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjomldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgjaf32.dll" Aokcjngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akghjq32.dll" Aeglbeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plogne32.dll" Belemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcancmc.dll" Cbknhqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elaobdmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknkkci.dll" Ogbbqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpfdg32.dll" Laglkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcjmk32.dll" Anfmeldl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5684 wrote to memory of 1544 5684 75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe 90 PID 5684 wrote to memory of 1544 5684 75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe 90 PID 5684 wrote to memory of 1544 5684 75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe 90 PID 1544 wrote to memory of 2364 1544 Kfkamk32.exe 91 PID 1544 wrote to memory of 2364 1544 Kfkamk32.exe 91 PID 1544 wrote to memory of 2364 1544 Kfkamk32.exe 91 PID 2364 wrote to memory of 1756 2364 Kmeiie32.exe 92 PID 2364 wrote to memory of 1756 2364 Kmeiie32.exe 92 PID 2364 wrote to memory of 1756 2364 Kmeiie32.exe 92 PID 1756 wrote to memory of 1904 1756 Lhjnfn32.exe 93 PID 1756 wrote to memory of 1904 1756 Lhjnfn32.exe 93 PID 1756 wrote to memory of 1904 1756 Lhjnfn32.exe 93 PID 1904 wrote to memory of 2088 1904 Lfmnbjcg.exe 94 PID 1904 wrote to memory of 2088 1904 Lfmnbjcg.exe 94 PID 1904 wrote to memory of 2088 1904 Lfmnbjcg.exe 94 PID 2088 wrote to memory of 4112 2088 Lacbpccn.exe 96 PID 2088 wrote to memory of 4112 2088 Lacbpccn.exe 96 PID 2088 wrote to memory of 4112 2088 Lacbpccn.exe 96 PID 4112 wrote to memory of 1432 4112 Ljkghi32.exe 97 PID 4112 wrote to memory of 1432 4112 Ljkghi32.exe 97 PID 4112 wrote to memory of 1432 4112 Ljkghi32.exe 97 PID 1432 wrote to memory of 856 1432 Laeoec32.exe 98 PID 1432 wrote to memory of 856 1432 Laeoec32.exe 98 PID 1432 wrote to memory of 856 1432 Laeoec32.exe 98 PID 856 wrote to memory of 6116 856 Lfbgmj32.exe 100 PID 856 wrote to memory of 6116 856 Lfbgmj32.exe 100 PID 856 wrote to memory of 6116 856 Lfbgmj32.exe 100 PID 6116 wrote to memory of 1444 6116 Laglkb32.exe 101 PID 6116 wrote to memory of 1444 6116 Laglkb32.exe 101 PID 6116 wrote to memory of 1444 6116 Laglkb32.exe 101 PID 1444 wrote to memory of 1944 1444 Ldfhgn32.exe 102 PID 1444 wrote to memory of 1944 1444 Ldfhgn32.exe 102 PID 1444 wrote to memory of 1944 1444 Ldfhgn32.exe 102 PID 1944 wrote to memory of 1980 1944 Lmnlpcel.exe 103 PID 1944 wrote to memory of 1980 1944 Lmnlpcel.exe 103 PID 1944 wrote to memory of 1980 1944 Lmnlpcel.exe 103 PID 1980 wrote to memory of 2420 1980 Lfgahikm.exe 104 PID 1980 wrote to memory of 2420 1980 Lfgahikm.exe 104 PID 1980 wrote to memory of 2420 1980 Lfgahikm.exe 104 PID 2420 wrote to memory of 5132 2420 Lmqiec32.exe 105 PID 2420 wrote to memory of 5132 2420 Lmqiec32.exe 105 PID 2420 wrote to memory of 5132 2420 Lmqiec32.exe 105 PID 5132 wrote to memory of 5224 5132 Mdkabmjf.exe 107 PID 5132 wrote to memory of 5224 5132 Mdkabmjf.exe 107 PID 5132 wrote to memory of 5224 5132 Mdkabmjf.exe 107 PID 5224 wrote to memory of 3472 5224 Mkdiog32.exe 108 PID 5224 wrote to memory of 3472 5224 Mkdiog32.exe 108 PID 5224 wrote to memory of 3472 5224 Mkdiog32.exe 108 PID 3472 wrote to memory of 5824 3472 Mhhjhlqm.exe 109 PID 3472 wrote to memory of 5824 3472 Mhhjhlqm.exe 109 PID 3472 wrote to memory of 5824 3472 Mhhjhlqm.exe 109 PID 5824 wrote to memory of 2456 5824 Maaoaa32.exe 110 PID 5824 wrote to memory of 2456 5824 Maaoaa32.exe 110 PID 5824 wrote to memory of 2456 5824 Maaoaa32.exe 110 PID 2456 wrote to memory of 5748 2456 Mgngih32.exe 111 PID 2456 wrote to memory of 5748 2456 Mgngih32.exe 111 PID 2456 wrote to memory of 5748 2456 Mgngih32.exe 111 PID 5748 wrote to memory of 4544 5748 Mackfa32.exe 112 PID 5748 wrote to memory of 4544 5748 Mackfa32.exe 112 PID 5748 wrote to memory of 4544 5748 Mackfa32.exe 112 PID 4544 wrote to memory of 1548 4544 Meoggpmd.exe 113 PID 4544 wrote to memory of 1548 4544 Meoggpmd.exe 113 PID 4544 wrote to memory of 1548 4544 Meoggpmd.exe 113 PID 1548 wrote to memory of 3940 1548 Mklpof32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe"C:\Users\Admin\AppData\Local\Temp\75d66f7bdbb609e13b9910245bced3b66b9479da209c0a2fb998441a8738b607.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5684 -
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ljkghi32.exeC:\Windows\system32\Ljkghi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Laeoec32.exeC:\Windows\system32\Laeoec32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Lfbgmj32.exeC:\Windows\system32\Lfbgmj32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6116 -
C:\Windows\SysWOW64\Ldfhgn32.exeC:\Windows\system32\Ldfhgn32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Lmnlpcel.exeC:\Windows\system32\Lmnlpcel.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Lfgahikm.exeC:\Windows\system32\Lfgahikm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Mdkabmjf.exeC:\Windows\system32\Mdkabmjf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5132 -
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5224 -
C:\Windows\SysWOW64\Mhhjhlqm.exeC:\Windows\system32\Mhhjhlqm.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5824 -
C:\Windows\SysWOW64\Mgngih32.exeC:\Windows\system32\Mgngih32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Mackfa32.exeC:\Windows\system32\Mackfa32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5748 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe23⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe27⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3344 -
C:\Windows\SysWOW64\Ngemjg32.exeC:\Windows\system32\Ngemjg32.exe30⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Nolekd32.exeC:\Windows\system32\Nolekd32.exe31⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe32⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Nefmgogl.exeC:\Windows\system32\Nefmgogl.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3616 -
C:\Windows\SysWOW64\Ndinck32.exeC:\Windows\system32\Ndinck32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5452 -
C:\Windows\SysWOW64\Nggjog32.exeC:\Windows\system32\Nggjog32.exe35⤵
- Executes dropped EXE
PID:5732 -
C:\Windows\SysWOW64\Nkbfpeec.exeC:\Windows\system32\Nkbfpeec.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe37⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe38⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5064 -
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4576 -
C:\Windows\SysWOW64\Nkebee32.exeC:\Windows\system32\Nkebee32.exe41⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe43⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Nejgbn32.exeC:\Windows\system32\Nejgbn32.exe44⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Nhicoi32.exeC:\Windows\system32\Nhicoi32.exe45⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe46⤵
- Executes dropped EXE
PID:5352 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Naaghoik.exeC:\Windows\system32\Naaghoik.exe48⤵
- Executes dropped EXE
PID:6056 -
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Nhkpdi32.exeC:\Windows\system32\Nhkpdi32.exe50⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe51⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Noehac32.exeC:\Windows\system32\Noehac32.exe52⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe53⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Oacdmo32.exeC:\Windows\system32\Oacdmo32.exe54⤵
- Executes dropped EXE
PID:5920 -
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe55⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe56⤵
- Executes dropped EXE
PID:5260 -
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3276 -
C:\Windows\SysWOW64\Oklifdmi.exeC:\Windows\system32\Oklifdmi.exe58⤵
- Executes dropped EXE
PID:5156 -
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe59⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Oeamcmmo.exeC:\Windows\system32\Oeamcmmo.exe60⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Oddmoj32.exeC:\Windows\system32\Oddmoj32.exe61⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe62⤵
- Executes dropped EXE
PID:5336 -
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Oojalb32.exeC:\Windows\system32\Oojalb32.exe64⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4220 -
C:\Windows\SysWOW64\Oahnhncc.exeC:\Windows\system32\Oahnhncc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe68⤵PID:4384
-
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe69⤵PID:5852
-
C:\Windows\SysWOW64\Okqbac32.exeC:\Windows\system32\Okqbac32.exe70⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe72⤵PID:6132
-
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe73⤵
- Drops file in System32 directory
PID:4184 -
C:\Windows\SysWOW64\Odifjipd.exeC:\Windows\system32\Odifjipd.exe74⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Oggbfdog.exeC:\Windows\system32\Oggbfdog.exe75⤵PID:2640
-
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe76⤵PID:4092
-
C:\Windows\SysWOW64\Oookgbpj.exeC:\Windows\system32\Oookgbpj.exe77⤵
- Drops file in System32 directory
PID:4512 -
C:\Windows\SysWOW64\Onakco32.exeC:\Windows\system32\Onakco32.exe78⤵PID:4344
-
C:\Windows\SysWOW64\Ofhcdlgg.exeC:\Windows\system32\Ofhcdlgg.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3260 -
C:\Windows\SysWOW64\Odkcpi32.exeC:\Windows\system32\Odkcpi32.exe80⤵PID:1348
-
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe81⤵PID:4712
-
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe82⤵PID:3128
-
C:\Windows\SysWOW64\Pdnpeh32.exeC:\Windows\system32\Pdnpeh32.exe83⤵PID:5424
-
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe84⤵PID:2992
-
C:\Windows\SysWOW64\Pgllad32.exeC:\Windows\system32\Pgllad32.exe85⤵
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe87⤵PID:3932
-
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Pgoigcip.exeC:\Windows\system32\Pgoigcip.exe90⤵
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe91⤵PID:2908
-
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe93⤵
- System Location Discovery: System Language Discovery
PID:116 -
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Pklamb32.exeC:\Windows\system32\Pklamb32.exe96⤵
- System Location Discovery: System Language Discovery
PID:3244 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe97⤵PID:3852
-
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe98⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Pdeffgff.exeC:\Windows\system32\Pdeffgff.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4456 -
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4732 -
C:\Windows\SysWOW64\Pbifol32.exeC:\Windows\system32\Pbifol32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Windows\SysWOW64\Pdgckg32.exeC:\Windows\system32\Pdgckg32.exe103⤵PID:1328
-
C:\Windows\SysWOW64\Pgeogb32.exeC:\Windows\system32\Pgeogb32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5536 -
C:\Windows\SysWOW64\Qomghp32.exeC:\Windows\system32\Qomghp32.exe105⤵
- Modifies registry class
PID:4928 -
C:\Windows\SysWOW64\Qbkcek32.exeC:\Windows\system32\Qbkcek32.exe106⤵PID:748
-
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe108⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Qfilkj32.exeC:\Windows\system32\Qfilkj32.exe109⤵PID:4068
-
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe110⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe111⤵
- Drops file in System32 directory
PID:4328 -
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe112⤵PID:452
-
C:\Windows\SysWOW64\Abpmpkoh.exeC:\Windows\system32\Abpmpkoh.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe114⤵PID:6076
-
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe115⤵
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Akhaipei.exeC:\Windows\system32\Akhaipei.exe116⤵PID:4540
-
C:\Windows\SysWOW64\Anfmeldl.exeC:\Windows\system32\Anfmeldl.exe117⤵
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe118⤵PID:1920
-
C:\Windows\SysWOW64\Afnefieo.exeC:\Windows\system32\Afnefieo.exe119⤵
- System Location Discovery: System Language Discovery
PID:3192 -
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe120⤵PID:4704
-
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-