Analysis
-
max time kernel
96s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 03:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d.exe
-
Size
96KB
-
MD5
17b62f3813a41ae183b7cf72ff942fe2
-
SHA1
8fd66600dbe6942d6c5e2796cecad968c9f1ea3b
-
SHA256
eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d
-
SHA512
e2c00104828036d9a953d6148d93322e71eb93263ebd98b780d3c6799775322400c78e65fa2e6a968b49c136e35935159be2310f7d382e8e63fe8944855d3ee4
-
SSDEEP
1536:yd9wWVCnJlxjEY0Js4kIMYV+Ugs4kw8I0AMYEQcoUgs4kw8I0AMYEQcoUgs4kw8c:CdVCnJf4s4kIMYUUgs4kw8I0AMYEQcon
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkicaahi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiokinbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hehkajig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpqnneo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Panhbfep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pemomqcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiipmhmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfaapbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcepkfld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piijno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjeomld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piijno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackbmcjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmmaeap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdepgkgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oocmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oloahhki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjgfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokkahlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaalblgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjmba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehkajig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coknoaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqndhcdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjiipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqdaadln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebommi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jngbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobkhb32.exe -
Executes dropped EXE 64 IoCs
pid Process 3896 Nimbkc32.exe 2584 Nlkngo32.exe 2388 Nojjcj32.exe 3268 Nahgoe32.exe 3796 Nlnkmnah.exe 5108 Nolgijpk.exe 1824 Najceeoo.exe 4216 Nhdlao32.exe 2264 Okchnk32.exe 1876 Objpoh32.exe 780 Oehlkc32.exe 3496 Olbdhn32.exe 4852 Oblmdhdo.exe 3320 Oekiqccc.exe 3272 Oldamm32.exe 1448 Oocmii32.exe 2464 Oemefcap.exe 1748 Ohkbbn32.exe 3764 Okjnnj32.exe 3724 Oadfkdgd.exe 1892 Oiknlagg.exe 3064 Oklkdi32.exe 2744 Obcceg32.exe 1496 Oeaoab32.exe 2468 Ohpkmn32.exe 3412 Pcepkfld.exe 4440 Pedlgbkh.exe 3176 Plndcl32.exe 2552 Polppg32.exe 4504 Pefhlaie.exe 4108 Phedhmhi.exe 2888 Pkcadhgm.exe 4480 Poomegpf.exe 4144 Pamiaboj.exe 3976 Peieba32.exe 3676 Plbmokop.exe 4892 Poajkgnc.exe 2752 Papfgbmg.exe 3276 Pekbga32.exe 1908 Phincl32.exe 8 Pkhjph32.exe 1344 Pcobaedj.exe 2728 Pemomqcn.exe 4720 Piijno32.exe 3944 Qhlkilba.exe 3172 Qkjgegae.exe 4664 Qcaofebg.exe 3476 Qadoba32.exe 1320 Qhngolpo.exe 5016 Qljcoj32.exe 3736 Qohpkf32.exe 1328 Qaflgago.exe 4456 Ajndioga.exe 4056 Ahqddk32.exe 4336 Aojlaeei.exe 4004 Aaiimadl.exe 3740 Ajpqnneo.exe 2480 Alnmjjdb.exe 912 Aomifecf.exe 4388 Afgacokc.exe 212 Ahenokjf.exe 4728 Aoofle32.exe 3076 Ackbmcjl.exe 3000 Ajdjin32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppadmq32.dll Oogpjbbb.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Eehicoel.exe File created C:\Windows\SysWOW64\Kfcfimfi.dll Pnkbkk32.exe File created C:\Windows\SysWOW64\Qdoacabq.exe Qpcecb32.exe File created C:\Windows\SysWOW64\Fccfqqkf.dll Bhoqeibl.exe File opened for modification C:\Windows\SysWOW64\Omqmop32.exe Oloahhki.exe File created C:\Windows\SysWOW64\Epmmqheb.exe Eehicoel.exe File created C:\Windows\SysWOW64\Bgbpaipl.exe Bphgeo32.exe File opened for modification C:\Windows\SysWOW64\Dbicpfdk.exe Dokgdkeh.exe File created C:\Windows\SysWOW64\Ofpnmakg.dll Epmmqheb.exe File created C:\Windows\SysWOW64\Dcpmen32.exe Dlieda32.exe File created C:\Windows\SysWOW64\Ckjbhmad.exe Clgbmp32.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Dmcain32.exe File opened for modification C:\Windows\SysWOW64\Fealin32.exe Fbbpmb32.exe File opened for modification C:\Windows\SysWOW64\Afgacokc.exe Aomifecf.exe File created C:\Windows\SysWOW64\Pbjnik32.dll Flinkojm.exe File opened for modification C:\Windows\SysWOW64\Mjokgg32.exe Mgaokl32.exe File created C:\Windows\SysWOW64\Omqmop32.exe Oloahhki.exe File created C:\Windows\SysWOW64\Cbfgkffn.exe Cohkokgj.exe File opened for modification C:\Windows\SysWOW64\Kegpifod.exe Komhll32.exe File created C:\Windows\SysWOW64\Ebhglj32.exe Elnoopdj.exe File opened for modification C:\Windows\SysWOW64\Nmgjia32.exe Nlfnaicd.exe File created C:\Windows\SysWOW64\Kbmimp32.dll Lmaamn32.exe File created C:\Windows\SysWOW64\Pplobcpp.exe Paiogf32.exe File created C:\Windows\SysWOW64\Oenqhaga.dll Emkndc32.exe File opened for modification C:\Windows\SysWOW64\Dmlkhofd.exe Cdecgbfa.exe File created C:\Windows\SysWOW64\Kkbfan32.dll Nmipdk32.exe File created C:\Windows\SysWOW64\Qljcoj32.exe Qhngolpo.exe File opened for modification C:\Windows\SysWOW64\Dfjpfj32.exe Dckdjomg.exe File created C:\Windows\SysWOW64\Cohkokgj.exe Ckmonl32.exe File opened for modification C:\Windows\SysWOW64\Kcpjnjii.exe Kodnmkap.exe File created C:\Windows\SysWOW64\Pbhafkok.dll Nqbpojnp.exe File opened for modification C:\Windows\SysWOW64\Boldhf32.exe Bhblllfo.exe File opened for modification C:\Windows\SysWOW64\Ackbmcjl.exe Aoofle32.exe File created C:\Windows\SysWOW64\Blhpqhlh.exe Bfngdn32.exe File created C:\Windows\SysWOW64\Dkbocbog.exe Diccgfpd.exe File created C:\Windows\SysWOW64\Glengm32.exe Gbmingjo.exe File created C:\Windows\SysWOW64\Qfohjf32.dll Qaalblgi.exe File created C:\Windows\SysWOW64\Jhijep32.dll Cpfcfmlp.exe File created C:\Windows\SysWOW64\Oblmdhdo.exe Olbdhn32.exe File created C:\Windows\SysWOW64\Oflpld32.dll Oekiqccc.exe File created C:\Windows\SysWOW64\Dfefkkqp.exe Dbjkkl32.exe File created C:\Windows\SysWOW64\Hplicjok.exe Hkpqkcpd.exe File created C:\Windows\SysWOW64\Dmennnni.exe Dbpjaeoc.exe File opened for modification C:\Windows\SysWOW64\Cammjakm.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Nolgijpk.exe Nlnkmnah.exe File opened for modification C:\Windows\SysWOW64\Phincl32.exe Pekbga32.exe File opened for modification C:\Windows\SysWOW64\Iojbpo32.exe Ipgbdbqb.exe File created C:\Windows\SysWOW64\Qmfqknfm.dll Lfjfecno.exe File created C:\Windows\SysWOW64\Bdmmeo32.exe Aaoaic32.exe File created C:\Windows\SysWOW64\Nmigoagp.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Qcaofebg.exe Qkjgegae.exe File created C:\Windows\SysWOW64\Ehcplf32.dll Dnpdegjp.exe File created C:\Windows\SysWOW64\Hmmfmhll.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Edqnimdf.dll Kjgeedch.exe File created C:\Windows\SysWOW64\Cgqlcg32.exe Cpfcfmlp.exe File opened for modification C:\Windows\SysWOW64\Paeelgnj.exe Pfoann32.exe File created C:\Windows\SysWOW64\Qhlkilba.exe Piijno32.exe File created C:\Windows\SysWOW64\Klobfk32.dll Ahqddk32.exe File created C:\Windows\SysWOW64\Jgbjbp32.exe Jddnfd32.exe File created C:\Windows\SysWOW64\Chmbeqne.dll Mjmoag32.exe File created C:\Windows\SysWOW64\Pjldplpd.dll Baadiiif.exe File created C:\Windows\SysWOW64\Igdgglfl.exe Ipjoja32.exe File created C:\Windows\SysWOW64\Gjmgfljg.dll Lekmnajj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13652 13572 WerFault.exe 693 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoclopne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peieba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkconn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdaadln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mminhceb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamiaboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilqoobdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplfkeob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaldccip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najceeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpjnjii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojlaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlhgaqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhdbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqikmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbfab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nolgijpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahjgjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbmokop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djelgied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdpelnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qohpkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleepoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oloahhki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiglnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phonha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdickcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmmqheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplbickp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofecami.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epndknin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coiaiakf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfbhfmf.dll" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njiekege.dll" Bfngdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Belqaa32.dll" Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqpakfgb.dll" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfefkkqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadenp32.dll" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofill32.dll" Gpnmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifona32.dll" Pemomqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjkfjbc.dll" Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ignlbcmf.dll" Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqnimdf.dll" Kjgeedch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmgfljg.dll" Lekmnajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll" Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clgbmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdocoe.dll" Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akepfpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknkchkd.dll" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahjgjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgaeolp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfjfecno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knknhqjn.dll" Dbcmakpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aogiap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbcmakpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckmonl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll" Iojbpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mknjbg32.dll" Higjaoci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjaabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll" Flpmagqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgdfb32.dll" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfhllkp.dll" Holfoqcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbibld32.dll" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncchae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipmbjgpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmjmjnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3148 wrote to memory of 3896 3148 eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d.exe 83 PID 3148 wrote to memory of 3896 3148 eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d.exe 83 PID 3148 wrote to memory of 3896 3148 eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d.exe 83 PID 3896 wrote to memory of 2584 3896 Nimbkc32.exe 84 PID 3896 wrote to memory of 2584 3896 Nimbkc32.exe 84 PID 3896 wrote to memory of 2584 3896 Nimbkc32.exe 84 PID 2584 wrote to memory of 2388 2584 Nlkngo32.exe 85 PID 2584 wrote to memory of 2388 2584 Nlkngo32.exe 85 PID 2584 wrote to memory of 2388 2584 Nlkngo32.exe 85 PID 2388 wrote to memory of 3268 2388 Nojjcj32.exe 86 PID 2388 wrote to memory of 3268 2388 Nojjcj32.exe 86 PID 2388 wrote to memory of 3268 2388 Nojjcj32.exe 86 PID 3268 wrote to memory of 3796 3268 Nahgoe32.exe 87 PID 3268 wrote to memory of 3796 3268 Nahgoe32.exe 87 PID 3268 wrote to memory of 3796 3268 Nahgoe32.exe 87 PID 3796 wrote to memory of 5108 3796 Nlnkmnah.exe 88 PID 3796 wrote to memory of 5108 3796 Nlnkmnah.exe 88 PID 3796 wrote to memory of 5108 3796 Nlnkmnah.exe 88 PID 5108 wrote to memory of 1824 5108 Nolgijpk.exe 89 PID 5108 wrote to memory of 1824 5108 Nolgijpk.exe 89 PID 5108 wrote to memory of 1824 5108 Nolgijpk.exe 89 PID 1824 wrote to memory of 4216 1824 Najceeoo.exe 90 PID 1824 wrote to memory of 4216 1824 Najceeoo.exe 90 PID 1824 wrote to memory of 4216 1824 Najceeoo.exe 90 PID 4216 wrote to memory of 2264 4216 Nhdlao32.exe 91 PID 4216 wrote to memory of 2264 4216 Nhdlao32.exe 91 PID 4216 wrote to memory of 2264 4216 Nhdlao32.exe 91 PID 2264 wrote to memory of 1876 2264 Okchnk32.exe 92 PID 2264 wrote to memory of 1876 2264 Okchnk32.exe 92 PID 2264 wrote to memory of 1876 2264 Okchnk32.exe 92 PID 1876 wrote to memory of 780 1876 Objpoh32.exe 94 PID 1876 wrote to memory of 780 1876 Objpoh32.exe 94 PID 1876 wrote to memory of 780 1876 Objpoh32.exe 94 PID 780 wrote to memory of 3496 780 Oehlkc32.exe 95 PID 780 wrote to memory of 3496 780 Oehlkc32.exe 95 PID 780 wrote to memory of 3496 780 Oehlkc32.exe 95 PID 3496 wrote to memory of 4852 3496 Olbdhn32.exe 96 PID 3496 wrote to memory of 4852 3496 Olbdhn32.exe 96 PID 3496 wrote to memory of 4852 3496 Olbdhn32.exe 96 PID 4852 wrote to memory of 3320 4852 Oblmdhdo.exe 97 PID 4852 wrote to memory of 3320 4852 Oblmdhdo.exe 97 PID 4852 wrote to memory of 3320 4852 Oblmdhdo.exe 97 PID 3320 wrote to memory of 3272 3320 Oekiqccc.exe 99 PID 3320 wrote to memory of 3272 3320 Oekiqccc.exe 99 PID 3320 wrote to memory of 3272 3320 Oekiqccc.exe 99 PID 3272 wrote to memory of 1448 3272 Oldamm32.exe 100 PID 3272 wrote to memory of 1448 3272 Oldamm32.exe 100 PID 3272 wrote to memory of 1448 3272 Oldamm32.exe 100 PID 1448 wrote to memory of 2464 1448 Oocmii32.exe 101 PID 1448 wrote to memory of 2464 1448 Oocmii32.exe 101 PID 1448 wrote to memory of 2464 1448 Oocmii32.exe 101 PID 2464 wrote to memory of 1748 2464 Oemefcap.exe 103 PID 2464 wrote to memory of 1748 2464 Oemefcap.exe 103 PID 2464 wrote to memory of 1748 2464 Oemefcap.exe 103 PID 1748 wrote to memory of 3764 1748 Ohkbbn32.exe 104 PID 1748 wrote to memory of 3764 1748 Ohkbbn32.exe 104 PID 1748 wrote to memory of 3764 1748 Ohkbbn32.exe 104 PID 3764 wrote to memory of 3724 3764 Okjnnj32.exe 105 PID 3764 wrote to memory of 3724 3764 Okjnnj32.exe 105 PID 3764 wrote to memory of 3724 3764 Okjnnj32.exe 105 PID 3724 wrote to memory of 1892 3724 Oadfkdgd.exe 106 PID 3724 wrote to memory of 1892 3724 Oadfkdgd.exe 106 PID 3724 wrote to memory of 1892 3724 Oadfkdgd.exe 106 PID 1892 wrote to memory of 3064 1892 Oiknlagg.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d.exe"C:\Users\Admin\AppData\Local\Temp\eb37f6011d473263187380470de35f7b0aca9ba355ccf298e5ee18527dd2ae5d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe23⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe24⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe25⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe26⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe28⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3176 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe30⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe31⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe32⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe33⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4480 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4144 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3976 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3676 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe38⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe39⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3276 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe41⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe42⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe43⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4720 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe46⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3172 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe48⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe49⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe51⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3736 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe54⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4056 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4004 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe59⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe62⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4728 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe65⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe66⤵PID:2876
-
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe67⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe68⤵PID:3372
-
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe70⤵PID:1400
-
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:4612 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe72⤵PID:3648
-
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe73⤵PID:4624
-
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe74⤵PID:3500
-
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe75⤵
- Drops file in System32 directory
PID:3708 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2320 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe77⤵PID:736
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe79⤵PID:4376
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe80⤵PID:2064
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe81⤵PID:2072
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe82⤵PID:3240
-
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe83⤵PID:3984
-
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe84⤵PID:2692
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1760 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe86⤵PID:4472
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe87⤵PID:1916
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe89⤵PID:4136
-
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe90⤵PID:1540
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe91⤵PID:4232
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe92⤵PID:3340
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe93⤵PID:992
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe94⤵PID:2316
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe95⤵PID:5056
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe96⤵
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe97⤵
- System Location Discovery: System Language Discovery
PID:4060 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe98⤵PID:3964
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe99⤵PID:5128
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe100⤵PID:5172
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe101⤵
- System Location Discovery: System Language Discovery
PID:5216 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe102⤵PID:5260
-
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe103⤵PID:5304
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe104⤵PID:5348
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe105⤵
- System Location Discovery: System Language Discovery
PID:5408 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe107⤵
- Drops file in System32 directory
PID:5516 -
C:\Windows\SysWOW64\Dfefkkqp.exeC:\Windows\system32\Dfefkkqp.exe108⤵
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe109⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe110⤵PID:5684
-
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe112⤵PID:5792
-
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe113⤵PID:5844
-
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe114⤵PID:5892
-
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe115⤵
- Drops file in System32 directory
PID:5944 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe116⤵PID:6016
-
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe117⤵
- System Location Discovery: System Language Discovery
PID:6060 -
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe118⤵PID:6116
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe119⤵PID:5136
-
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe120⤵PID:5196
-
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe121⤵PID:5276
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-