Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2024 01:37
Static task: static1
Behavioral task: behavioral1
  Sample: ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe
  Resource: win10v2004-20240802-en
General
Target: ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe
Size: 52KB
MD5: 63042e15cc64a3c524bb133657ea4940
SHA1: f44d9f3bac57e5c126c74fbf4a5870731f570b6f
SHA256: ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda
SHA512: 29b8d0033f7ec312e907fcb4d305ca5e3af6e0f52c186a14fabbf35b4bb27ed3c2b452bd170711165a82bb54143ff45fa951791dc861b06e6bc0c8fec4693c74
SSDEEP: 768:AXBE35FwaqLia8JgOylB6a5lxuPkkfc3LUiR/1H5l:AXBEJpva8JNyl4a553
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Values under ...\CurrentVersion\ShellServiceObjectDelayLoad name COM classes, by CLSID, that Explorer.exe instantiates when the shell starts. Every generation of the dropped executables writes the same value, "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738}; the CLSID itself is registered under the "Modifies registry class" signature below, where its InProcServer32 default value is pointed at a DLL under C:\Windows\SysWow64. Note that the sample is 32-bit: its writes are redirected into the WOW6432Node view of the key, which the 64-bit Explorer on this x64 image does not consult, so on x64 the entry is recorded but the persistence should not take effect.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abngmihi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcijhnld.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qqoggb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dehkkq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jliden32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmkndq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfhkhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmkpbl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfpgmmpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ogfjgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjnelk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdgdjimg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcddcoki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcdfakod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mikjfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nljoig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qcppimfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eamhbp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gchdga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klbgkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afhokgme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dopijpab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjpabj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbbiofea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmjlfecl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npcodf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndoked32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Degdaj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjnelk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkbgnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekqcpfbg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlfhon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npcodf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qdkcgqad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjkhgkca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eogfeeoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmgoaeeo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcfqioif.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmfmpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olfoee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnakkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cffkleae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddjemgal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dopijpab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifeflh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llnggk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqcgkc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmmefd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkaemafa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdnigifi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aamchpmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfkegd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Damokbfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehddijaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Flnlkgnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfqegfpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpbmgj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Demefpjh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hckjdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cehbdcmp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elijijpb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbcmahid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkffacpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikkhcpng.exe
Executes dropped EXE (64 IoCs)
pid | Process
3504 | Ahffjq32.exe
3980 | Ajdbfl32.exe
1968 | Aanjcfqf.exe
644 | Adlfoapj.exe
3948 | Alcnpopl.exe
1988 | Abngmihi.exe
2920 | Belcidgm.exe
2520 | Bhjoepfq.exe
2524 | Bjikaked.exe
3264 | Bbpcbiff.exe
2932 | Bdapja32.exe
4012 | Bjkhgkca.exe
3952 | Bngdgj32.exe
208 | Beqldd32.exe
656 | Bjnelk32.exe
1680 | Bagmiehl.exe
2252 | Bdfiephp.exe
784 | Bjpabj32.exe
2544 | Bbgich32.exe
5052 | Bdhfkp32.exe
2624 | Blonlm32.exe
4048 | Cehbdcmp.exe
4744 | Chfoqnlc.exe
4776 | Copgnh32.exe
3664 | Caocjd32.exe
4928 | Cdmofoag.exe
2488 | Cldggmbj.exe
3020 | Cobcchan.exe
4732 | Cbnpcg32.exe
1660 | Cellpb32.exe
1984 | Ckidhi32.exe
2976 | Cbplif32.exe
4328 | Ceoheb32.exe
516 | Cliabl32.exe
3040 | Cklanieo.exe
2504 | Cbbiofea.exe
4656 | Caeijc32.exe
3328 | Cddefn32.exe
2064 | Clkngl32.exe
2440 | Cknnchcl.exe
1224 | Dbefdfco.exe
3364 | Dahfpb32.exe
1220 | Dlmjmkjo.exe
2724 | Dolfigic.exe
824 | Dajbebhf.exe
4800 | Defofa32.exe
4412 | Dhdkbl32.exe
3600 | Dkbgnh32.exe
2448 | Doncofgp.exe
400 | Damokbfd.exe
2128 | Dehkkq32.exe
4580 | Dhfhhl32.exe
4976 | Dlbchkfj.exe
512 | Dclleemf.exe
1128 | Daolqa32.exe
1848 | Ddmhmm32.exe
924 | Dldpnj32.exe
1060 | Dcnhjdkd.exe
1808 | Demefpjh.exe
3944 | Ddpebm32.exe
764 | Dlgmcj32.exe
2360 | Eoeipeah.exe
2596 | Eacelapl.exe
3208 | Edbbhlop.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Belcidgm.exe | Abngmihi.exe
File created | C:\Windows\SysWOW64\Qabdlocn.dll | Nckepbgf.exe
File created | C:\Windows\SysWOW64\Jlfciocm.dll | Pfjcji32.exe
File created | C:\Windows\SysWOW64\Jeolhdjj.exe | Jfllmg32.exe
File created | C:\Windows\SysWOW64\Domldpcd.exe | Dffdcccb.exe
File created | C:\Windows\SysWOW64\Nodiig32.dll | Dffdcccb.exe
File created | C:\Windows\SysWOW64\Heapfm32.dll | Ndagjd32.exe
File created | C:\Windows\SysWOW64\Afafca32.dll | Pnoneglj.exe
File opened for modification | C:\Windows\SysWOW64\Cehbdcmp.exe | Blonlm32.exe
File created | C:\Windows\SysWOW64\Inkgdi32.dll | Jfqegfpj.exe
File opened for modification | C:\Windows\SysWOW64\Ldjhcgll.exe | Lmppfm32.exe
File opened for modification | C:\Windows\SysWOW64\Aefbcogf.exe | Aakfcp32.exe
File created | C:\Windows\SysWOW64\Bjnelk32.exe | Beqldd32.exe
File opened for modification | C:\Windows\SysWOW64\Iicbhcik.exe | Ifeflh32.exe
File opened for modification | C:\Windows\SysWOW64\Aedfnoii.exe | Afcfph32.exe
File created | C:\Windows\SysWOW64\Kpkobkej.dll | Icfjpm32.exe
File created | C:\Windows\SysWOW64\Qqoggb32.exe | Pnakkf32.exe
File opened for modification | C:\Windows\SysWOW64\Alcnpopl.exe | Adlfoapj.exe
File created | C:\Windows\SysWOW64\Bbgich32.exe | Bjpabj32.exe
File created | C:\Windows\SysWOW64\Ikngjoid.dll | Foebfc32.exe
File opened for modification | C:\Windows\SysWOW64\Cbbiofea.exe | Cklanieo.exe
File opened for modification | C:\Windows\SysWOW64\Ipmjen32.exe | Iicbhcik.exe
File created | C:\Windows\SysWOW64\Cfmamdkm.exe | Celeel32.exe
File created | C:\Windows\SysWOW64\Kogfbg32.dll | Cliabl32.exe
File opened for modification | C:\Windows\SysWOW64\Npabof32.exe | Nlefngkd.exe
File opened for modification | C:\Windows\SysWOW64\Pckfnn32.exe | Pqmjab32.exe
File opened for modification | C:\Windows\SysWOW64\Beeodm32.exe | Baicdncn.exe
File created | C:\Windows\SysWOW64\Hiqllfiq.exe | Hfbppkjm.exe
File created | C:\Windows\SysWOW64\Nnpimkfl.exe | Neialnfj.exe
File created | C:\Windows\SysWOW64\Pqcgkc32.exe | Onekoh32.exe
File opened for modification | C:\Windows\SysWOW64\Afhokgme.exe | Ageopj32.exe
File created | C:\Windows\SysWOW64\Ceoheb32.exe | Cbplif32.exe
File opened for modification | C:\Windows\SysWOW64\Defofa32.exe | Dajbebhf.exe
File created | C:\Windows\SysWOW64\Febkkp32.dll | Fhljjiki.exe
File created | C:\Windows\SysWOW64\Ndagjd32.exe | Nljoig32.exe
File opened for modification | C:\Windows\SysWOW64\Ogfjgo32.exe | Ockngp32.exe
File opened for modification | C:\Windows\SysWOW64\Acbmnmdi.exe | Aqdqbaee.exe
File created | C:\Windows\SysWOW64\Ddmhmm32.exe | Daolqa32.exe
File opened for modification | C:\Windows\SysWOW64\Megdfnhm.exe | Mchhjbii.exe
File created | C:\Windows\SysWOW64\Olaejfag.exe | Onneoi32.exe
File created | C:\Windows\SysWOW64\Caeijc32.exe | Cbbiofea.exe
File created | C:\Windows\SysWOW64\Jidjej32.dll | Pnjejgpo.exe
File opened for modification | C:\Windows\SysWOW64\Bappnpkh.exe | Afjlqgkb.exe
File opened for modification | C:\Windows\SysWOW64\Copgnh32.exe | Chfoqnlc.exe
File opened for modification | C:\Windows\SysWOW64\Gmebkf32.exe | Gcmnbpaa.exe
File opened for modification | C:\Windows\SysWOW64\Lmbmlmbl.exe | Lekekp32.exe
File opened for modification | C:\Windows\SysWOW64\Cbplif32.exe | Ckidhi32.exe
File created | C:\Windows\SysWOW64\Pfeiojnj.exe | Pcgmbnnf.exe
File created | C:\Windows\SysWOW64\Kbcehe32.exe | Kpeilj32.exe
File created | C:\Windows\SysWOW64\Gmjikh32.dll | Bfabaf32.exe
File opened for modification | C:\Windows\SysWOW64\Kfeobe32.exe | Kdgbfj32.exe
File opened for modification | C:\Windows\SysWOW64\Ngkjlpkj.exe | Npabof32.exe
File opened for modification | C:\Windows\SysWOW64\Nfpgmmpb.exe | Ngmgap32.exe
File created | C:\Windows\SysWOW64\Bacdhldd.dll | Neknam32.exe
File created | C:\Windows\SysWOW64\Pnakkf32.exe | Pfjcji32.exe
File created | C:\Windows\SysWOW64\Neiaabhd.dll | ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe
File created | C:\Windows\SysWOW64\Dolfigic.exe | Dlmjmkjo.exe
File created | C:\Windows\SysWOW64\Aejmjd32.dll | Jcnppl32.exe
File created | C:\Windows\SysWOW64\Mcefpb32.dll | Hejjfgmb.exe
File created | C:\Windows\SysWOW64\Mchhjbii.exe | Mpjlngje.exe
File created | C:\Windows\SysWOW64\Dahfpb32.exe | Dbefdfco.exe
File created | C:\Windows\SysWOW64\Ccbcnd32.dll | Dlmjmkjo.exe
File opened for modification | C:\Windows\SysWOW64\Hmabgdmd.exe | Hejjfgmb.exe
File opened for modification | C:\Windows\SysWOW64\Kihdjqfc.exe | Kemhia32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
9360 | 9268 | WerFault.exe | 427
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckidhi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Demefpjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eehdbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fleidhfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdlhki32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eccbed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhimdi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jckcklfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbolmf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olaejfag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdapabjo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfcogecg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foceqceh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpdqemjp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgjadb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ockngp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iicbhcik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qdkcgqad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djmgiboq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdegdj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmlhle32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kianiamk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Minglmdk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ambgha32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chlngg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjpabj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcddcoki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anogldng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfkegd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foholc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmcomdkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojplhkdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmmefd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Megdfnhm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnpimkfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blonlm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dldpnj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eoeipeah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afaijhcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anmjfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmkjnp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbgich32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clkngl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhdkbl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Damokbfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfifpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iijobeaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pckfnn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdcolh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dajbebhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehddijaq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcgmbnnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfmamdkm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Degdaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eeanao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbgfmg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lplpmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmppfm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anhaledo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnfmmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dffdcccb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Danefkqe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afjlqgkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdapja32.exe
Modifies registry class (64 IoCs)
These entries register the CLSID that the ShellServiceObjectDelayLoad value above points to. The original sample creates HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}; each dropped executable then re-creates InProcServer32 beneath it, sets ThreadingModel = "Apartment", and rewrites the default value to a DLL of its own under C:\Windows\SysWow64 (Llfmpo32.dll, Ncjbid32.dll, Okoiamon.dll, ...). Only the DLL named by the last write is the one the shell would load; the earlier ones are overwritten.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Foceqceh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmfmpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdcolh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikhknppj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cellpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfmpo32.dll" | Eacelapl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmjlfecl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjbid32.dll" | Cfmamdkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Edkdnkge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okoiamon.dll" | Kianiamk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbhocegl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lekekp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bebbom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenloq32.dll" | Ckidhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggckiccp.dll" | Dehkkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lagkbcpp.dll" | Lbebneio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogifmn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qdkcgqad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afcfph32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Afhokgme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cndinalo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbpcbiff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkaemafa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Megdfnhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nlciih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onneoi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Agbbjkhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bfcogecg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcagnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Neialnfj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odjjqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npokka32.dll" | Capiemme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Elijijpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jckcklfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgokd32.dll" | Ngmgap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalpdh32.dll" | Gmebkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hiqllfiq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Npcodf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqehlmla.dll" | Cbnpcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gchdga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hcfqioif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hejjfgmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiaeni32.dll" | Pfeiojnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deddgb32.dll" | Kmfmpo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Baicdncn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Npabof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afafca32.dll" | Pnoneglj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Anmjfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anogldng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnfmmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Celeel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nljebqca.dll" | Cknnchcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Edbbhlop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npddcf32.dll" | Hkdbca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbmmb32.dll" | Lmppfm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Opjeee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhplg32.dll" | Mgjadb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cldggmbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hklijm32.dll" | Cddefn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dajbebhf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhdkbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdqgphem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfflmkng.dll" | Dbefdfco.exe
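The SSODL autorun signature and this CLSID signature only make sense read together: the autorun value names a CLSID, and these entries say which DLL that CLSID resolves to. The following is an added example, not part of the sandbox report and not the sample's own code: a Python parser for the report's "description | ioc | Process" registry lines that ties each ShellServiceObjectDelayLoad value to the InProcServer32 default value registered for its CLSID, records which dropped process wrote each, and flags whether the key sits in the WOW6432Node view (which a 64-bit Explorer does not read). The six input lines are copied from the tables above; the regular expressions and the class and function names are assumptions of this example.

```python
"""Correlate ShellServiceObjectDelayLoad (SSODL) autorun values with the COM class
registrations that back them, from sandbox registry-event lines.

Input lines follow the 'description ioc Process' layout used in the report:
  Set value (str) <key>\\<value name> = "<data>" <process>
  Key created <key> <process>
"""
import re
from dataclasses import dataclass, field

SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\\S+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
# An SSODL value: the value name is the last path component, the data is a CLSID.
SSODL_RE = re.compile(
    r'\\CurrentVersion\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$', re.I)
# The default value of CLSID\{...}\InProcServer32 (the path ends in a bare backslash).
INPROC_DEFAULT_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[^}]+\})\\InProcServer32\\$', re.I)


@dataclass
class SsodlFinding:
    value_name: str                 # e.g. "Web Event Logger"
    clsid: str
    wow64_view: bool                # key lives under a WOW6432Node branch
    registered_by: list = field(default_factory=list)  # processes that wrote the SSODL value
    servers: list = field(default_factory=list)        # (dll path, process) in report order

    def loaded_by_64bit_explorer(self) -> bool:
        # A 64-bit Explorer reads the native view of the key; values a 32-bit
        # process wrote into WOW6432Node are not visible to it.
        return not self.wow64_view


def parse_events(lines):
    """Yield (op, path, data, proc) per recognised line; other lines are skipped."""
    for line in lines:
        line = line.strip()
        m = SET_VALUE_RE.match(line)
        if m:
            # The report escapes backslashes inside string data.
            yield "set", m["path"], m["data"].replace("\\\\", "\\"), m["proc"]
            continue
        m = KEY_CREATED_RE.match(line)
        if m:
            yield "create", m["path"], None, m["proc"]


def find_ssodl_persistence(lines):
    ssodl = {}    # clsid -> SsodlFinding, in first-seen order
    servers = {}  # clsid -> [(dll, proc), ...]
    for op, path, data, proc in parse_events(lines):
        if op != "set":
            continue
        m = SSODL_RE.search(path)
        if m and CLSID_RE.match(data):
            clsid = data.upper()
            f = ssodl.setdefault(
                clsid, SsodlFinding(m["name"], clsid, "WOW6432NODE" in path.upper()))
            if proc not in f.registered_by:
                f.registered_by.append(proc)
            continue
        m = INPROC_DEFAULT_RE.search(path)
        if m:
            servers.setdefault(m["clsid"].upper(), []).append((data, proc))
    for clsid, f in ssodl.items():
        f.servers = servers.get(clsid, [])
    return list(ssodl.values())


# Sample input: six lines copied from the report's registry signatures (a subset,
# not the full event list); string data keeps the report's doubled backslashes.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfmpo32.dll" Eacelapl.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foceqceh.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abngmihi.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcijhnld.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjbid32.dll" Cfmamdkm.exe',
]

if __name__ == "__main__":
    for f in find_ssodl_persistence(SAMPLE_EVENTS):
        print(f"{f.value_name!r} -> {f.clsid} (WOW64 view: {f.wow64_view}, "
              f"effective for 64-bit shell: {f.loaded_by_64bit_explorer()})")
        for dll, proc in f.servers:
            print(f"  InProcServer32 = {dll}  [{proc}]")
```

The server list is kept in report order rather than collapsed to one DLL because the last write is the one that matters for triage: on a live host the earlier DLLs may already be gone, while the registry still names the final one.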
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2844 wrote to memory of 3504 2844 ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe 82
PID 2844 wrote to memory of 3504 2844 ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe 82
PID 2844 wrote to memory of 3504 2844 ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe 82
PID 3504 wrote to memory of 3980 3504 Ahffjq32.exe 83
PID 3504 wrote to memory of 3980 3504 Ahffjq32.exe 83
PID 3504 wrote to memory of 3980 3504 Ahffjq32.exe 83
PID 3980 wrote to memory of 1968 3980 Ajdbfl32.exe 84
PID 3980 wrote to memory of 1968 3980 Ajdbfl32.exe 84
PID 3980 wrote to memory of 1968 3980 Ajdbfl32.exe 84
PID 1968 wrote to memory of 644 1968 Aanjcfqf.exe 85
PID 1968 wrote to memory of 644 1968 Aanjcfqf.exe 85
PID 1968 wrote to memory of 644 1968 Aanjcfqf.exe 85
PID 644 wrote to memory of 3948 644 Adlfoapj.exe 86
PID 644 wrote to memory of 3948 644 Adlfoapj.exe 86
PID 644 wrote to memory of 3948 644 Adlfoapj.exe 86
PID 3948 wrote to memory of 1988 3948 Alcnpopl.exe 87
PID 3948 wrote to memory of 1988 3948 Alcnpopl.exe 87
PID 3948 wrote to memory of 1988 3948 Alcnpopl.exe 87
PID 1988 wrote to memory of 2920 1988 Abngmihi.exe 89
PID 1988 wrote to memory of 2920 1988 Abngmihi.exe 89
PID 1988 wrote to memory of 2920 1988 Abngmihi.exe 89
PID 2920 wrote to memory of 2520 2920 Belcidgm.exe 90
PID 2920 wrote to memory of 2520 2920 Belcidgm.exe 90
PID 2920 wrote to memory of 2520 2920 Belcidgm.exe 90
PID 2520 wrote to memory of 2524 2520 Bhjoepfq.exe 91
PID 2520 wrote to memory of 2524 2520 Bhjoepfq.exe 91
PID 2520 wrote to memory of 2524 2520 Bhjoepfq.exe 91
PID 2524 wrote to memory of 3264 2524 Bjikaked.exe 92
PID 2524 wrote to memory of 3264 2524 Bjikaked.exe 92
PID 2524 wrote to memory of 3264 2524 Bjikaked.exe 92
PID 3264 wrote to memory of 2932 3264 Bbpcbiff.exe 93
PID 3264 wrote to memory of 2932 3264 Bbpcbiff.exe 93
PID 3264 wrote to memory of 2932 3264 Bbpcbiff.exe 93
PID 2932 wrote to memory of 4012 2932 Bdapja32.exe 95
PID 2932 wrote to memory of 4012 2932 Bdapja32.exe 95
PID 2932 wrote to memory of 4012 2932 Bdapja32.exe 95
PID 4012 wrote to memory of 3952 4012 Bjkhgkca.exe 96
PID 4012 wrote to memory of 3952 4012 Bjkhgkca.exe 96
PID 4012 wrote to memory of 3952 4012 Bjkhgkca.exe 96
PID 3952 wrote to memory of 208 3952 Bngdgj32.exe 97
PID 3952 wrote to memory of 208 3952 Bngdgj32.exe 97
PID 3952 wrote to memory of 208 3952 Bngdgj32.exe 97
PID 208 wrote to memory of 656 208 Beqldd32.exe 98
PID 208 wrote to memory of 656 208 Beqldd32.exe 98
PID 208 wrote to memory of 656 208 Beqldd32.exe 98
PID 656 wrote to memory of 1680 656 Bjnelk32.exe 100
PID 656 wrote to memory of 1680 656 Bjnelk32.exe 100
PID 656 wrote to memory of 1680 656 Bjnelk32.exe 100
PID 1680 wrote to memory of 2252 1680 Bagmiehl.exe 101
PID 1680 wrote to memory of 2252 1680 Bagmiehl.exe 101
PID 1680 wrote to memory of 2252 1680 Bagmiehl.exe 101
PID 2252 wrote to memory of 784 2252 Bdfiephp.exe 102
PID 2252 wrote to memory of 784 2252 Bdfiephp.exe 102
PID 2252 wrote to memory of 784 2252 Bdfiephp.exe 102
PID 784 wrote to memory of 2544 784 Bjpabj32.exe 103
PID 784 wrote to memory of 2544 784 Bjpabj32.exe 103
PID 784 wrote to memory of 2544 784 Bjpabj32.exe 103
PID 2544 wrote to memory of 5052 2544 Bbgich32.exe 104
PID 2544 wrote to memory of 5052 2544 Bbgich32.exe 104
PID 2544 wrote to memory of 5052 2544 Bbgich32.exe 104
PID 5052 wrote to memory of 2624 5052 Bdhfkp32.exe 105
PID 5052 wrote to memory of 2624 5052 Bdhfkp32.exe 105
PID 5052 wrote to memory of 2624 5052 Bdhfkp32.exe 105
PID 2624 wrote to memory of 4048 2624 Blonlm32.exe 106
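Added example (not part of the report and not the sandbox's own code): a Python routine that rebuilds the launch chain from "wrote to memory of" events like the ones above, counting how many writes each parent made into each child and refusing anything that is not a single linear chain. The sample log is constructed from the first four parent-child pairs in the report, each repeated three times exactly as the sandbox recorded them.

```python
"""Rebuild the parent->child launch chain from WriteProcessMemory events.
Added example; the sample lines are copied from the report's signature above."""
import re
from collections import Counter, defaultdict

# Constructed sample: the first events of the signature, three writes per child.
SAMPLE_LOG = """\
PID 2844 wrote to memory of 3504 2844 ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe 82
PID 2844 wrote to memory of 3504 2844 ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe 82
PID 2844 wrote to memory of 3504 2844 ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe 82
PID 3504 wrote to memory of 3980 3504 Ahffjq32.exe 83
PID 3504 wrote to memory of 3980 3504 Ahffjq32.exe 83
PID 3504 wrote to memory of 3980 3504 Ahffjq32.exe 83
PID 3980 wrote to memory of 1968 3980 Ajdbfl32.exe 84
PID 3980 wrote to memory of 1968 3980 Ajdbfl32.exe 84
PID 3980 wrote to memory of 1968 3980 Ajdbfl32.exe 84
PID 1968 wrote to memory of 644 1968 Aanjcfqf.exe 85
PID 1968 wrote to memory of 644 1968 Aanjcfqf.exe 85
PID 1968 wrote to memory of 644 1968 Aanjcfqf.exe 85
"""

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_events(text):
    """Yield (writer_pid, target_pid, writer_image, procid_target) for each log line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        writer, target, writer_again, image, procid = m.groups()
        if writer != writer_again:
            raise ValueError(f"inconsistent event line: {line!r}")
        yield int(writer), int(target), image, int(procid)


def build_chain(text):
    """Return (chain, writes): chain is the ordered list of (pid, image) from the root
    process downward, writes counts WriteProcessMemory events per (parent, child) edge.
    The last process in the chain never writes anywhere, so its image is None here;
    the report's process tree is where its name comes from."""
    children = defaultdict(set)
    image_of = {}
    writes = Counter()
    targets = set()
    for writer, target, image, _procid in parse_events(text):
        children[writer].add(target)
        image_of[writer] = image
        writes[(writer, target)] += 1
        targets.add(target)
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, image_of.get(pid)))
        kids = children.get(pid, set())
        if len(kids) > 1:
            raise ValueError(f"PID {pid} launched several children {sorted(kids)}; not a linear chain")
        pid = next(iter(kids)) if kids else None
    return chain, writes


if __name__ == "__main__":
    chain, writes = build_chain(SAMPLE_LOG)
    for (parent, image), (child, _) in zip(chain, chain[1:]):
        print(f"{parent} {image} -> {child} ({writes[(parent, child)]} writes)")
```

A parent writing into a child it has just created is part of normal process start-up, so this signature on its own is weak evidence; what makes it worth following here is that every writer is itself a freshly dropped executable in SysWOW64 and each one launches exactly one successor, which `build_chain` enforces by rejecting any process with more than one child.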
Processes
-
Each process below is launched by the one above it (depth 1 is the submitted sample). Columns: depth, image on disk, command line, signatures, PID. Signature key: A = Adds autorun key to be loaded by Explorer.exe on startup; E = Executes dropped EXE; D = Drops file in System32 directory; R = Modifies registry class; L = System Location Discovery: System Language Discovery; W = Suspicious use of WriteProcessMemory.
1  C:\Users\Admin\AppData\Local\Temp\ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe  "C:\Users\Admin\AppData\Local\Temp\ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe"  D R W  PID:2844
2  C:\Windows\SysWOW64\Ahffjq32.exe  C:\Windows\system32\Ahffjq32.exe  E W  PID:3504
3  C:\Windows\SysWOW64\Ajdbfl32.exe  C:\Windows\system32\Ajdbfl32.exe  E W  PID:3980
4  C:\Windows\SysWOW64\Aanjcfqf.exe  C:\Windows\system32\Aanjcfqf.exe  E W  PID:1968
5  C:\Windows\SysWOW64\Adlfoapj.exe  C:\Windows\system32\Adlfoapj.exe  E D W  PID:644
6  C:\Windows\SysWOW64\Alcnpopl.exe  C:\Windows\system32\Alcnpopl.exe  E W  PID:3948
7  C:\Windows\SysWOW64\Abngmihi.exe  C:\Windows\system32\Abngmihi.exe  A E D W  PID:1988
8  C:\Windows\SysWOW64\Belcidgm.exe  C:\Windows\system32\Belcidgm.exe  E W  PID:2920
9  C:\Windows\SysWOW64\Bhjoepfq.exe  C:\Windows\system32\Bhjoepfq.exe  E W  PID:2520
10  C:\Windows\SysWOW64\Bjikaked.exe  C:\Windows\system32\Bjikaked.exe  E W  PID:2524
11  C:\Windows\SysWOW64\Bbpcbiff.exe  C:\Windows\system32\Bbpcbiff.exe  E R W  PID:3264
12  C:\Windows\SysWOW64\Bdapja32.exe  C:\Windows\system32\Bdapja32.exe  E L W  PID:2932
13  C:\Windows\SysWOW64\Bjkhgkca.exe  C:\Windows\system32\Bjkhgkca.exe  A E W  PID:4012
14  C:\Windows\SysWOW64\Bngdgj32.exe  C:\Windows\system32\Bngdgj32.exe  E W  PID:3952
15  C:\Windows\SysWOW64\Beqldd32.exe  C:\Windows\system32\Beqldd32.exe  E D W  PID:208
16  C:\Windows\SysWOW64\Bjnelk32.exe  C:\Windows\system32\Bjnelk32.exe  A E W  PID:656
17  C:\Windows\SysWOW64\Bagmiehl.exe  C:\Windows\system32\Bagmiehl.exe  E W  PID:1680
18  C:\Windows\SysWOW64\Bdfiephp.exe  C:\Windows\system32\Bdfiephp.exe  E W  PID:2252
19  C:\Windows\SysWOW64\Bjpabj32.exe  C:\Windows\system32\Bjpabj32.exe  A E D L W  PID:784
20  C:\Windows\SysWOW64\Bbgich32.exe  C:\Windows\system32\Bbgich32.exe  E L W  PID:2544
21  C:\Windows\SysWOW64\Bdhfkp32.exe  C:\Windows\system32\Bdhfkp32.exe  E W  PID:5052
22  C:\Windows\SysWOW64\Blonlm32.exe  C:\Windows\system32\Blonlm32.exe  E D L W  PID:2624
23  C:\Windows\SysWOW64\Cehbdcmp.exe  C:\Windows\system32\Cehbdcmp.exe  A E  PID:4048
24  C:\Windows\SysWOW64\Chfoqnlc.exe  C:\Windows\system32\Chfoqnlc.exe  E D  PID:4744
25  C:\Windows\SysWOW64\Copgnh32.exe  C:\Windows\system32\Copgnh32.exe  E  PID:4776
26  C:\Windows\SysWOW64\Caocjd32.exe  C:\Windows\system32\Caocjd32.exe  E  PID:3664
27  C:\Windows\SysWOW64\Cdmofoag.exe  C:\Windows\system32\Cdmofoag.exe  E  PID:4928
28  C:\Windows\SysWOW64\Cldggmbj.exe  C:\Windows\system32\Cldggmbj.exe  E R  PID:2488
29  C:\Windows\SysWOW64\Cobcchan.exe  C:\Windows\system32\Cobcchan.exe  E  PID:3020
30  C:\Windows\SysWOW64\Cbnpcg32.exe  C:\Windows\system32\Cbnpcg32.exe  E R  PID:4732
31  C:\Windows\SysWOW64\Cellpb32.exe  C:\Windows\system32\Cellpb32.exe  E R  PID:1660
32  C:\Windows\SysWOW64\Ckidhi32.exe  C:\Windows\system32\Ckidhi32.exe  E D L R  PID:1984
33  C:\Windows\SysWOW64\Cbplif32.exe  C:\Windows\system32\Cbplif32.exe  E D  PID:2976
34  C:\Windows\SysWOW64\Ceoheb32.exe  C:\Windows\system32\Ceoheb32.exe  E  PID:4328
35  C:\Windows\SysWOW64\Cliabl32.exe  C:\Windows\system32\Cliabl32.exe  E D  PID:516
36  C:\Windows\SysWOW64\Cklanieo.exe  C:\Windows\system32\Cklanieo.exe  E D  PID:3040
37  C:\Windows\SysWOW64\Cbbiofea.exe  C:\Windows\system32\Cbbiofea.exe  A E D  PID:2504
38  C:\Windows\SysWOW64\Caeijc32.exe  C:\Windows\system32\Caeijc32.exe  E  PID:4656
39  C:\Windows\SysWOW64\Cddefn32.exe  C:\Windows\system32\Cddefn32.exe  E R  PID:3328
40  C:\Windows\SysWOW64\Clkngl32.exe  C:\Windows\system32\Clkngl32.exe  E L  PID:2064
41  C:\Windows\SysWOW64\Cknnchcl.exe  C:\Windows\system32\Cknnchcl.exe  E R  PID:2440
42  C:\Windows\SysWOW64\Dbefdfco.exe  C:\Windows\system32\Dbefdfco.exe  E D R  PID:1224
43  C:\Windows\SysWOW64\Dahfpb32.exe  C:\Windows\system32\Dahfpb32.exe  E  PID:3364
44  C:\Windows\SysWOW64\Dlmjmkjo.exe  C:\Windows\system32\Dlmjmkjo.exe  E D  PID:1220
45  C:\Windows\SysWOW64\Dolfigic.exe  C:\Windows\system32\Dolfigic.exe  E  PID:2724
46  C:\Windows\SysWOW64\Dajbebhf.exe  C:\Windows\system32\Dajbebhf.exe  E D L R  PID:824
47  C:\Windows\SysWOW64\Defofa32.exe  C:\Windows\system32\Defofa32.exe  E  PID:4800
48  C:\Windows\SysWOW64\Dhdkbl32.exe  C:\Windows\system32\Dhdkbl32.exe  E L R  PID:4412
49  C:\Windows\SysWOW64\Dkbgnh32.exe  C:\Windows\system32\Dkbgnh32.exe  A E  PID:3600
50  C:\Windows\SysWOW64\Doncofgp.exe  C:\Windows\system32\Doncofgp.exe  E  PID:2448
51  C:\Windows\SysWOW64\Damokbfd.exe  C:\Windows\system32\Damokbfd.exe  A E L  PID:400
52  C:\Windows\SysWOW64\Dehkkq32.exe  C:\Windows\system32\Dehkkq32.exe  A E R  PID:2128
53  C:\Windows\SysWOW64\Dhfhhl32.exe  C:\Windows\system32\Dhfhhl32.exe  E  PID:4580
54  C:\Windows\SysWOW64\Dlbchkfj.exe  C:\Windows\system32\Dlbchkfj.exe  E  PID:4976
55  C:\Windows\SysWOW64\Dclleemf.exe  C:\Windows\system32\Dclleemf.exe  E  PID:512
56  C:\Windows\SysWOW64\Daolqa32.exe  C:\Windows\system32\Daolqa32.exe  E D  PID:1128
57  C:\Windows\SysWOW64\Ddmhmm32.exe  C:\Windows\system32\Ddmhmm32.exe  E  PID:1848
58  C:\Windows\SysWOW64\Dldpnj32.exe  C:\Windows\system32\Dldpnj32.exe  E L  PID:924
59  C:\Windows\SysWOW64\Dcnhjdkd.exe  C:\Windows\system32\Dcnhjdkd.exe  E  PID:1060
60  C:\Windows\SysWOW64\Demefpjh.exe  C:\Windows\system32\Demefpjh.exe  A E L  PID:1808
61  C:\Windows\SysWOW64\Ddpebm32.exe  C:\Windows\system32\Ddpebm32.exe  E  PID:3944
62  C:\Windows\SysWOW64\Dlgmcj32.exe  C:\Windows\system32\Dlgmcj32.exe  E  PID:764
63  C:\Windows\SysWOW64\Eoeipeah.exe  C:\Windows\system32\Eoeipeah.exe  E L  PID:2360
64  C:\Windows\SysWOW64\Eacelapl.exe  C:\Windows\system32\Eacelapl.exe  E R  PID:2596
65  C:\Windows\SysWOW64\Edbbhlop.exe  C:\Windows\system32\Edbbhlop.exe  E R  PID:3208
66  C:\Windows\SysWOW64\Elijijpb.exe  C:\Windows\system32\Elijijpb.exe  A R  PID:1132
67  C:\Windows\SysWOW64\Eogfeeoe.exe  C:\Windows\system32\Eogfeeoe.exe  A  PID:4576
68  C:\Windows\SysWOW64\Eccbed32.exe  C:\Windows\system32\Eccbed32.exe  L  PID:220
69  C:\Windows\SysWOW64\Eeanao32.exe  C:\Windows\system32\Eeanao32.exe  L  PID:4624
70  C:\Windows\SysWOW64\Eddomlmm.exe  C:\Windows\system32\Eddomlmm.exe  (none)  PID:4160
71  C:\Windows\SysWOW64\Ehpjnk32.exe  C:\Windows\system32\Ehpjnk32.exe  (none)  PID:4816
72  C:\Windows\SysWOW64\Eojbkemc.exe  C:\Windows\system32\Eojbkemc.exe  (none)  PID:3672
73  C:\Windows\SysWOW64\Ehbgcjcc.exe  C:\Windows\system32\Ehbgcjcc.exe  (none)  PID:2704
74  C:\Windows\SysWOW64\Ekqcpfbg.exe  C:\Windows\system32\Ekqcpfbg.exe  A  PID:3452
75  C:\Windows\SysWOW64\Ehddijaq.exe  C:\Windows\system32\Ehddijaq.exe  A L  PID:4652
76  C:\Windows\SysWOW64\Eamhbp32.exe  C:\Windows\system32\Eamhbp32.exe  A  PID:4932
77  C:\Windows\SysWOW64\Eehdbn32.exe  C:\Windows\system32\Eehdbn32.exe  L  PID:4060
78  C:\Windows\SysWOW64\Edkdnkge.exe  C:\Windows\system32\Edkdnkge.exe  R  PID:3868
79  C:\Windows\SysWOW64\Ekemke32.exe  C:\Windows\system32\Ekemke32.exe  (none)  PID:2860
80  C:\Windows\SysWOW64\Faoegofo.exe  C:\Windows\system32\Faoegofo.exe  (none)  PID:1656
81  C:\Windows\SysWOW64\Fhimdi32.exe  C:\Windows\system32\Fhimdi32.exe  L  PID:4428
82  C:\Windows\SysWOW64\Fleidhfd.exe  C:\Windows\system32\Fleidhfd.exe  L  PID:4192
83  C:\Windows\SysWOW64\Foceqceh.exe  C:\Windows\system32\Foceqceh.exe  L R  PID:2820
84  C:\Windows\SysWOW64\Fhljjiki.exe  C:\Windows\system32\Fhljjiki.exe  D  PID:2788
85  C:\Windows\SysWOW64\Foebfc32.exe  C:\Windows\system32\Foebfc32.exe  D  PID:4088
86  C:\Windows\SysWOW64\Fadobo32.exe  C:\Windows\system32\Fadobo32.exe  (none)  PID:1748
87  C:\Windows\SysWOW64\Foholc32.exe  C:\Windows\system32\Foholc32.exe  L  PID:3700
88  C:\Windows\SysWOW64\Fdegdj32.exe  C:\Windows\system32\Fdegdj32.exe  L  PID:2324
89  C:\Windows\SysWOW64\Fdgdjimg.exe  C:\Windows\system32\Fdgdjimg.exe  A  PID:2944
90  C:\Windows\SysWOW64\Flnlkgnj.exe  C:\Windows\system32\Flnlkgnj.exe  A  PID:2392
91  C:\Windows\SysWOW64\Gkalfc32.exe  C:\Windows\system32\Gkalfc32.exe  (none)  PID:2988
92  C:\Windows\SysWOW64\Gchdga32.exe  C:\Windows\system32\Gchdga32.exe  A R  PID:116
93  C:\Windows\SysWOW64\Gdiaoike.exe  C:\Windows\system32\Gdiaoike.exe  (none)  PID:1240
94  C:\Windows\SysWOW64\Gfimilbh.exe  C:\Windows\system32\Gfimilbh.exe  (none)  PID:332
95  C:\Windows\SysWOW64\Gkffacpo.exe  C:\Windows\system32\Gkffacpo.exe  A  PID:2928
96  C:\Windows\SysWOW64\Gcmnbpaa.exe  C:\Windows\system32\Gcmnbpaa.exe  D  PID:2784
97  C:\Windows\SysWOW64\Gmebkf32.exe  C:\Windows\system32\Gmebkf32.exe  R  PID:4312
98  C:\Windows\SysWOW64\Gdqgphem.exe  C:\Windows\system32\Gdqgphem.exe  R  PID:1256
99  C:\Windows\SysWOW64\Gmgoaeeo.exe  C:\Windows\system32\Gmgoaeeo.exe  A  PID:5140
100  C:\Windows\SysWOW64\Gcagnp32.exe  C:\Windows\system32\Gcagnp32.exe  R  PID:5184
101  C:\Windows\SysWOW64\Gfpcjk32.exe  C:\Windows\system32\Gfpcjk32.exe  (none)  PID:5236
102  C:\Windows\SysWOW64\Hmjlfecl.exe  C:\Windows\system32\Hmjlfecl.exe  A R  PID:5288
103  C:\Windows\SysWOW64\Hkmlbb32.exe  C:\Windows\system32\Hkmlbb32.exe  (none)  PID:5328
104  C:\Windows\SysWOW64\Hcddcoki.exe  C:\Windows\system32\Hcddcoki.exe  A L  PID:5380
105  C:\Windows\SysWOW64\Hbgdol32.exe  C:\Windows\system32\Hbgdol32.exe  (none)  PID:5444
106  C:\Windows\SysWOW64\Hfbppkjm.exe  C:\Windows\system32\Hfbppkjm.exe  D  PID:5496
107  C:\Windows\SysWOW64\Hiqllfiq.exe  C:\Windows\system32\Hiqllfiq.exe  R  PID:5552
108  C:\Windows\SysWOW64\Hmlhle32.exe  C:\Windows\system32\Hmlhle32.exe  L  PID:5600
109  C:\Windows\SysWOW64\Hcfqioif.exe  C:\Windows\system32\Hcfqioif.exe  A R  PID:5648
110  C:\Windows\SysWOW64\Hbiadl32.exe  C:\Windows\system32\Hbiadl32.exe  (none)  PID:5704
111  C:\Windows\SysWOW64\Hegmqg32.exe  C:\Windows\system32\Hegmqg32.exe  (none)  PID:5756
112  C:\Windows\SysWOW64\Hmoead32.exe  C:\Windows\system32\Hmoead32.exe  (none)  PID:5836
113  C:\Windows\SysWOW64\Hkaemafa.exe  C:\Windows\system32\Hkaemafa.exe  A R  PID:5884
114  C:\Windows\SysWOW64\Hchmno32.exe  C:\Windows\system32\Hchmno32.exe  (none)  PID:5940
115  C:\Windows\SysWOW64\Hfgjjj32.exe  C:\Windows\system32\Hfgjjj32.exe  (none)  PID:5984
116  C:\Windows\SysWOW64\Hejjfgmb.exe  C:\Windows\system32\Hejjfgmb.exe  D R  PID:6028
117  C:\Windows\SysWOW64\Hmabgdmd.exe  C:\Windows\system32\Hmabgdmd.exe  (none)  PID:6076
118  C:\Windows\SysWOW64\Hkdbca32.exe  C:\Windows\system32\Hkdbca32.exe  R  PID:6128
119  C:\Windows\SysWOW64\Hckjdn32.exe  C:\Windows\system32\Hckjdn32.exe  A  PID:5180
120  C:\Windows\SysWOW64\Hfifpj32.exe  C:\Windows\system32\Hfifpj32.exe  L  PID:5252
121  C:\Windows\SysWOW64\Hmcomdkb.exe  C:\Windows\system32\Hmcomdkb.exe  L  PID:5316
122  C:\Windows\SysWOW64\Hbpgekii.exe  C:\Windows\system32\Hbpgekii.exe  (none)  PID:5412
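Added example (not part of the report and not the sandbox's own code): a Python routine that turns process-tree rows like the ones above into a host hunting list. The point it makes is visible in every row of the tree: the command line names C:\Windows\system32\X.exe, but the image the sandbox saw on disk is C:\Windows\SysWOW64\X.exe, because these are 32-bit processes and WOW64 file-system redirection rewrites System32 for them. The resolver goes beyond the page's single case and also handles Sysnative, lastgood\System32, regedit.exe and the System32 subtrees that are exempt from redirection; those extra rules are taken from Microsoft's file-system-redirector documentation as I remember it, not from anything on this page. The sample rows are constructed by copying four entries from the tree.

```python
"""Resolve 32-bit command-line paths to on-disk paths and build a hunting list from
sandbox process-tree rows. Added example; sample rows are copied from the report."""
from collections import Counter

# Constructed sample rows copied from the tree: (depth, image on disk, command line,
# signatures, PID). Depth 1 is the submitted sample; deeper rows are dropped EXEs.
SAMPLE_TREE = [
    (1, "C:\\Users\\Admin\\AppData\\Local\\Temp\\ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe",
        "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ba11778507dc9ee12b6147ad0ccc1e2601157e0435d21994edf8d7898fcf0dda.exe\"",
        ["Drops file in System32 directory", "Modifies registry class",
         "Suspicious use of WriteProcessMemory"], 2844),
    (2, "C:\\Windows\\SysWOW64\\Ahffjq32.exe", "C:\\Windows\\system32\\Ahffjq32.exe",
        ["Executes dropped EXE", "Suspicious use of WriteProcessMemory"], 3504),
    (7, "C:\\Windows\\SysWOW64\\Abngmihi.exe", "C:\\Windows\\system32\\Abngmihi.exe",
        ["Adds autorun key to be loaded by Explorer.exe on startup", "Executes dropped EXE",
         "Drops file in System32 directory", "Suspicious use of WriteProcessMemory"], 1988),
    (41, "C:\\Windows\\SysWOW64\\Cknnchcl.exe", "C:\\Windows\\system32\\Cknnchcl.exe",
        ["Executes dropped EXE", "Modifies registry class"], 2440),
]

WINDIR = "C:\\Windows"
SYSTEM32 = WINDIR.lower() + "\\system32\\"
SYSNATIVE = WINDIR.lower() + "\\sysnative\\"
LASTGOOD = WINDIR.lower() + "\\lastgood\\system32\\"
# System32 subtrees WOW64 does not redirect (from Microsoft's redirector docs, from memory).
NOT_REDIRECTED = ("catroot\\", "catroot2\\", "driverstore\\", "drivers\\etc\\",
                  "logfiles\\", "spool\\")

# Signatures that touched autorun / COM registration keys.
PERSISTENCE = {"Adds autorun key to be loaded by Explorer.exe on startup",
               "Modifies registry class"}


def wow64_redirect(path):
    """Resolve a path as a 32-bit (WOW64) process sees it to the path on disk.
    Generalises the page's system32 -> SysWOW64 case to the other redirected names."""
    p = path.strip('"')
    low = p.lower()
    if low.startswith(SYSNATIVE):            # virtual alias for the real System32
        return WINDIR + "\\System32\\" + p[len(SYSNATIVE):]
    if low.startswith(SYSTEM32):
        rest = p[len(SYSTEM32):]
        if rest.lower().startswith(NOT_REDIRECTED):
            return p                         # exempt subtree stays in the real System32
        return WINDIR + "\\SysWOW64\\" + rest
    if low.startswith(LASTGOOD):
        return WINDIR + "\\lastgood\\SysWOW64\\" + p[len(LASTGOOD):]
    if low == WINDIR.lower() + "\\regedit.exe":
        return WINDIR + "\\SysWOW64\\regedit.exe"
    return p


def hunting_list(rows):
    """Return (dropped_paths, persistence_paths, signature_counts) for tree rows.
    dropped_paths are the on-disk paths of every launched dropped file (depth > 1);
    persistence_paths are the images of processes that touched autorun/COM keys."""
    dropped, persistence, counts = [], [], Counter()
    for depth, image, cmdline, sigs, pid in rows:
        resolved = wow64_redirect(cmdline)
        if resolved.lower() != image.lower():
            raise ValueError(f"PID {pid}: command line resolves to {resolved}, sandbox saw {image}")
        counts.update(sigs)
        if depth > 1 and resolved not in dropped:
            dropped.append(resolved)
        if PERSISTENCE & set(sigs):
            persistence.append(resolved)
    return dropped, persistence, counts


if __name__ == "__main__":
    dropped, persistence, counts = hunting_list(SAMPLE_TREE)
    print("hunt for:", *dropped, sep="\n  ")
    print("touched persistence:", *persistence, sep="\n  ")
    print(dict(counts))
```

The hunting list deliberately carries SysWOW64 paths: a 64-bit EDR query or a native PowerShell session that looks for Ahffjq32.exe under C:\Windows\System32 will not find it, while a 32-bit tool run on the same host would see the redirected copy and report the path the command line shows.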