Analysis
max time kernel: 110s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/09/2024, 03:52

Static task: static1
Behavioral task: behavioral1
  Sample: adc9a6325e3637bef54d770ad849a030N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: adc9a6325e3637bef54d770ad849a030N.exe
  Resource: win10v2004-20240802-en

General
Target: adc9a6325e3637bef54d770ad849a030N.exe
Size: 84KB
MD5: adc9a6325e3637bef54d770ad849a030
SHA1: 39ec0b917fc4c646a74ee7049c9c0ad99407e45c
SHA256: f221569e412f4ea96aafe9a7ec3199f8645b708ea147de42e19a10296146c742
SHA512: ae024c0c7e3e89e7376db61d37602696b003dfe1b25f7d68f7190a9d247a5fce0891cee7a209415aceac8c6baaeb7d85173b0cf553ab40bde6363ea6e4110b01
SSDEEP: 1536:dVFxVpuynYkD3ihNIk9qQNY1jytrH9wJd867uIWWyWWWWWWWWWWWWWWLWWWWWWWQ:dlVppnPDmNd9I1jYrdwT8Xc75wzTK6CU
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid    pid_target  Process       procid_target
12088  11924       WerFault.exe  597
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2560 wrote to memory of 6128 | 2560 | adc9a6325e3637bef54d770ad849a030N.exe | 85
PID 2560 wrote to memory of 6128 | 2560 | adc9a6325e3637bef54d770ad849a030N.exe | 85
PID 2560 wrote to memory of 6128 | 2560 | adc9a6325e3637bef54d770ad849a030N.exe | 85
PID 6128 wrote to memory of 5200 | 6128 | Kdqbacdl.exe | 86
PID 6128 wrote to memory of 5200 | 6128 | Kdqbacdl.exe | 86
PID 6128 wrote to memory of 5200 | 6128 | Kdqbacdl.exe | 86
PID 5200 wrote to memory of 5532 | 5200 | Kfonmncp.exe | 87
PID 5200 wrote to memory of 5532 | 5200 | Kfonmncp.exe | 87
PID 5200 wrote to memory of 5532 | 5200 | Kfonmncp.exe | 87
PID 5532 wrote to memory of 3880 | 5532 | Kinkijcc.exe | 88
PID 5532 wrote to memory of 3880 | 5532 | Kinkijcc.exe | 88
PID 5532 wrote to memory of 3880 | 5532 | Kinkijcc.exe | 88
PID 3880 wrote to memory of 4760 | 3880 | Kadbjgcf.exe | 90
PID 3880 wrote to memory of 4760 | 3880 | Kadbjgcf.exe | 90
PID 3880 wrote to memory of 4760 | 3880 | Kadbjgcf.exe | 90
PID 4760 wrote to memory of 5416 | 4760 | Kbfobo32.exe | 91
PID 4760 wrote to memory of 5416 | 4760 | Kbfobo32.exe | 91
PID 4760 wrote to memory of 5416 | 4760 | Kbfobo32.exe | 91
PID 5416 wrote to memory of 5964 | 5416 | Kfakbnam.exe | 92
PID 5416 wrote to memory of 5964 | 5416 | Kfakbnam.exe | 92
PID 5416 wrote to memory of 5964 | 5416 | Kfakbnam.exe | 92
PID 5964 wrote to memory of 2288 | 5964 | Kipgoiqa.exe | 93
PID 5964 wrote to memory of 2288 | 5964 | Kipgoiqa.exe | 93
PID 5964 wrote to memory of 2288 | 5964 | Kipgoiqa.exe | 93
PID 2288 wrote to memory of 1980 | 2288 | Kpjpkchn.exe | 94
PID 2288 wrote to memory of 1980 | 2288 | Kpjpkchn.exe | 94
PID 2288 wrote to memory of 1980 | 2288 | Kpjpkchn.exe | 94
PID 1980 wrote to memory of 6096 | 1980 | Kdellb32.exe | 95
PID 1980 wrote to memory of 6096 | 1980 | Kdellb32.exe | 95
PID 1980 wrote to memory of 6096 | 1980 | Kdellb32.exe | 95
PID 6096 wrote to memory of 6056 | 6096 | Kfdhhn32.exe | 96
PID 6096 wrote to memory of 6056 | 6096 | Kfdhhn32.exe | 96
PID 6096 wrote to memory of 6056 | 6096 | Kfdhhn32.exe | 96
PID 6056 wrote to memory of 2960 | 6056 | Kibddi32.exe | 97
PID 6056 wrote to memory of 2960 | 6056 | Kibddi32.exe | 97
PID 6056 wrote to memory of 2960 | 6056 | Kibddi32.exe | 97
PID 2960 wrote to memory of 5852 | 2960 | Kailef32.exe | 98
PID 2960 wrote to memory of 5852 | 2960 | Kailef32.exe | 98
PID 2960 wrote to memory of 5852 | 2960 | Kailef32.exe | 98
PID 5852 wrote to memory of 5148 | 5852 | Kpllacfk.exe | 99
PID 5852 wrote to memory of 5148 | 5852 | Kpllacfk.exe | 99
PID 5852 wrote to memory of 5148 | 5852 | Kpllacfk.exe | 99
PID 5148 wrote to memory of 5844 | 5148 | Kbjhmoeo.exe | 100
PID 5148 wrote to memory of 5844 | 5148 | Kbjhmoeo.exe | 100
PID 5148 wrote to memory of 5844 | 5148 | Kbjhmoeo.exe | 100
PID 5844 wrote to memory of 2324 | 5844 | Lkaqnlfa.exe | 101
PID 5844 wrote to memory of 2324 | 5844 | Lkaqnlfa.exe | 101
PID 5844 wrote to memory of 2324 | 5844 | Lkaqnlfa.exe | 101
PID 2324 wrote to memory of 3908 | 2324 | Lalikfmn.exe | 102
PID 2324 wrote to memory of 3908 | 2324 | Lalikfmn.exe | 102
PID 2324 wrote to memory of 3908 | 2324 | Lalikfmn.exe | 102
PID 3908 wrote to memory of 2792 | 3908 | Lbmebn32.exe | 103
PID 3908 wrote to memory of 2792 | 3908 | Lbmebn32.exe | 103
PID 3908 wrote to memory of 2792 | 3908 | Lbmebn32.exe | 103
PID 2792 wrote to memory of 4880 | 2792 | Ligmohki.exe | 104
PID 2792 wrote to memory of 4880 | 2792 | Ligmohki.exe | 104
PID 2792 wrote to memory of 4880 | 2792 | Ligmohki.exe | 104
PID 4880 wrote to memory of 432 | 4880 | Lmbipg32.exe | 105
PID 4880 wrote to memory of 432 | 4880 | Lmbipg32.exe | 105
PID 4880 wrote to memory of 432 | 4880 | Lmbipg32.exe | 105
PID 432 wrote to memory of 1904 | 432 | Ldlamajo.exe | 106
PID 432 wrote to memory of 1904 | 432 | Ldlamajo.exe | 106
PID 432 wrote to memory of 1904 | 432 | Ldlamajo.exe | 106
PID 1904 wrote to memory of 1180 | 1904 | Lkfjik32.exe | 107
Processes
C:\Users\Admin\AppData\Local\Temp\adc9a6325e3637bef54d770ad849a030N.exe  "C:\Users\Admin\AppData\Local\Temp\adc9a6325e3637bef54d770ad849a030N.exe"  (depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2560
C:\Windows\SysWOW64\Kdqbacdl.exe  C:\Windows\system32\Kdqbacdl.exe  (depth 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6128
C:\Windows\SysWOW64\Kfonmncp.exe  C:\Windows\system32\Kfonmncp.exe  (depth 3)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5200
C:\Windows\SysWOW64\Kinkijcc.exe  C:\Windows\system32\Kinkijcc.exe  (depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5532
C:\Windows\SysWOW64\Kadbjgcf.exe  C:\Windows\system32\Kadbjgcf.exe  (depth 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880
C:\Windows\SysWOW64\Kbfobo32.exe  C:\Windows\system32\Kbfobo32.exe  (depth 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760
C:\Windows\SysWOW64\Kfakbnam.exe  C:\Windows\system32\Kfakbnam.exe  (depth 7)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5416
C:\Windows\SysWOW64\Kipgoiqa.exe  C:\Windows\system32\Kipgoiqa.exe  (depth 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5964
C:\Windows\SysWOW64\Kpjpkchn.exe  C:\Windows\system32\Kpjpkchn.exe  (depth 9)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
C:\Windows\SysWOW64\Kdellb32.exe  C:\Windows\system32\Kdellb32.exe  (depth 10)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980
C:\Windows\SysWOW64\Kfdhhn32.exe  C:\Windows\system32\Kfdhhn32.exe  (depth 11)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6096
C:\Windows\SysWOW64\Kibddi32.exe  C:\Windows\system32\Kibddi32.exe  (depth 12)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6056
C:\Windows\SysWOW64\Kailef32.exe  C:\Windows\system32\Kailef32.exe  (depth 13)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960
C:\Windows\SysWOW64\Kpllacfk.exe  C:\Windows\system32\Kpllacfk.exe  (depth 14)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5852
C:\Windows\SysWOW64\Kbjhmoeo.exe  C:\Windows\system32\Kbjhmoeo.exe  (depth 15)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5148
C:\Windows\SysWOW64\Lkaqnlfa.exe  C:\Windows\system32\Lkaqnlfa.exe  (depth 16)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5844
C:\Windows\SysWOW64\Lalikfmn.exe  C:\Windows\system32\Lalikfmn.exe  (depth 17)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324
C:\Windows\SysWOW64\Lbmebn32.exe  C:\Windows\system32\Lbmebn32.exe  (depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908
C:\Windows\SysWOW64\Ligmohki.exe  C:\Windows\system32\Ligmohki.exe  (depth 19)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792
C:\Windows\SysWOW64\Lmbipg32.exe  C:\Windows\system32\Lmbipg32.exe  (depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880
C:\Windows\SysWOW64\Ldlamajo.exe  C:\Windows\system32\Ldlamajo.exe  (depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432
C:\Windows\SysWOW64\Lkfjik32.exe  C:\Windows\system32\Lkfjik32.exe  (depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904
C:\Windows\SysWOW64\Liijehif.exe  C:\Windows\system32\Liijehif.exe  (depth 23)
- Executes dropped EXE
- Modifies registry class
PID:1180
C:\Windows\SysWOW64\Lapbfeih.exe  C:\Windows\system32\Lapbfeih.exe  (depth 24)
- Executes dropped EXE
PID:4004
C:\Windows\SysWOW64\Ldonbq32.exe  C:\Windows\system32\Ldonbq32.exe  (depth 25)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4456
C:\Windows\SysWOW64\Lgmknl32.exe  C:\Windows\system32\Lgmknl32.exe  (depth 26)
- Executes dropped EXE
PID:960
C:\Windows\SysWOW64\Lilgjh32.exe  C:\Windows\system32\Lilgjh32.exe  (depth 27)
- Executes dropped EXE
- Drops file in System32 directory
PID:5608
C:\Windows\SysWOW64\Labole32.exe  C:\Windows\system32\Labole32.exe  (depth 28)
- Executes dropped EXE
PID:5360
C:\Windows\SysWOW64\Ldakhq32.exe  C:\Windows\system32\Ldakhq32.exe  (depth 29)
- Executes dropped EXE
PID:5204
C:\Windows\SysWOW64\Lgpgdl32.exe  C:\Windows\system32\Lgpgdl32.exe  (depth 30)
- Executes dropped EXE
PID:5652
C:\Windows\SysWOW64\Lincpg32.exe  C:\Windows\system32\Lincpg32.exe  (depth 31)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5004
C:\Windows\SysWOW64\Laelad32.exe  C:\Windows\system32\Laelad32.exe  (depth 32)
- Executes dropped EXE
PID:5424
C:\Windows\SysWOW64\Ldchmpdg.exe  C:\Windows\system32\Ldchmpdg.exe  (depth 33)
- Executes dropped EXE
PID:4608
C:\Windows\SysWOW64\Mgbdilck.exe  C:\Windows\system32\Mgbdilck.exe  (depth 34)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040
C:\Windows\SysWOW64\Mkmpjj32.exe  C:\Windows\system32\Mkmpjj32.exe  (depth 35)
- Executes dropped EXE
PID:5436
C:\Windows\SysWOW64\Mmllfe32.exe  C:\Windows\system32\Mmllfe32.exe  (depth 36)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532
C:\Windows\SysWOW64\Mpjhba32.exe  C:\Windows\system32\Mpjhba32.exe  (depth 37)
- Executes dropped EXE
PID:5604
C:\Windows\SysWOW64\Mcienm32.exe  C:\Windows\system32\Mcienm32.exe  (depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5456
C:\Windows\SysWOW64\Mgdqokah.exe  C:\Windows\system32\Mgdqokah.exe  (depth 39)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976
C:\Windows\SysWOW64\Mibmkfql.exe  C:\Windows\system32\Mibmkfql.exe  (depth 40)
- Executes dropped EXE
PID:4592
C:\Windows\SysWOW64\Majeldan.exe  C:\Windows\system32\Majeldan.exe  (depth 41)
- Executes dropped EXE
PID:4972
C:\Windows\SysWOW64\Mpmehq32.exe  C:\Windows\system32\Mpmehq32.exe  (depth 42)
- Executes dropped EXE
PID:4804
C:\Windows\SysWOW64\Mgfmdk32.exe  C:\Windows\system32\Mgfmdk32.exe  (depth 43)
- Executes dropped EXE
- Modifies registry class
PID:3604
C:\Windows\SysWOW64\Miejqf32.exe  C:\Windows\system32\Miejqf32.exe  (depth 44)
- Executes dropped EXE
PID:1116
C:\Windows\SysWOW64\Mnqfaegb.exe  C:\Windows\system32\Mnqfaegb.exe  (depth 45)
- Executes dropped EXE
PID:412
C:\Windows\SysWOW64\Mpobmqff.exe  C:\Windows\system32\Mpobmqff.exe  (depth 46)
- Executes dropped EXE
PID:1672
C:\Windows\SysWOW64\Mcmnilei.exe  C:\Windows\system32\Mcmnilei.exe  (depth 47)
- Executes dropped EXE
PID:1540
C:\Windows\SysWOW64\Mkdfkiel.exe  C:\Windows\system32\Mkdfkiel.exe  (depth 48)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1880
C:\Windows\SysWOW64\Manngc32.exe  C:\Windows\system32\Manngc32.exe  (depth 49)
- Executes dropped EXE
PID:4308
C:\Windows\SysWOW64\Mpaocpdc.exe  C:\Windows\system32\Mpaocpdc.exe  (depth 50)
- Executes dropped EXE
PID:5572
C:\Windows\SysWOW64\Mcpkolcg.exe  C:\Windows\system32\Mcpkolcg.exe  (depth 51)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396
C:\Windows\SysWOW64\Mkgcpi32.exe  C:\Windows\system32\Mkgcpi32.exe  (depth 52)
- Executes dropped EXE
PID:5476
C:\Windows\SysWOW64\Mneold32.exe  C:\Windows\system32\Mneold32.exe  (depth 53)
- Executes dropped EXE
- Modifies registry class
PID:3452
C:\Windows\SysWOW64\Mpckhp32.exe  C:\Windows\system32\Mpckhp32.exe  (depth 54)
- Executes dropped EXE
PID:3516
C:\Windows\SysWOW64\Ncbgdk32.exe  C:\Windows\system32\Ncbgdk32.exe  (depth 55)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3064
C:\Windows\SysWOW64\Ngncejim.exe  C:\Windows\system32\Ngncejim.exe  (depth 56)
- Executes dropped EXE
PID:4204
C:\Windows\SysWOW64\Nnglbd32.exe  C:\Windows\system32\Nnglbd32.exe  (depth 57)
- Executes dropped EXE
- Drops file in System32 directory
PID:4992
C:\Windows\SysWOW64\Nachbbic.exe  C:\Windows\system32\Nachbbic.exe  (depth 58)
- Executes dropped EXE
PID:452
C:\Windows\SysWOW64\Ncddjk32.exe  C:\Windows\system32\Ncddjk32.exe  (depth 59)
- Executes dropped EXE
PID:4376
C:\Windows\SysWOW64\Nkklkhpc.exe  C:\Windows\system32\Nkklkhpc.exe  (depth 60)
- Executes dropped EXE
PID:6124
C:\Windows\SysWOW64\Nnjhgcog.exe  C:\Windows\system32\Nnjhgcog.exe  (depth 61)
- Executes dropped EXE
- Modifies registry class
PID:5552
C:\Windows\SysWOW64\Npheconk.exe  C:\Windows\system32\Npheconk.exe  (depth 62)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5440
C:\Windows\SysWOW64\Ncgapjmo.exe  C:\Windows\system32\Ncgapjmo.exe  (depth 63)
- Executes dropped EXE
PID:4572
C:\Windows\SysWOW64\Nkniahna.exe  C:\Windows\system32\Nkniahna.exe  (depth 64)
- Executes dropped EXE
PID:3944
C:\Windows\SysWOW64\Njqild32.exe  C:\Windows\system32\Njqild32.exe  (depth 65)
- Executes dropped EXE
PID:4400
C:\Windows\SysWOW64\Nahanb32.exe  C:\Windows\system32\Nahanb32.exe  (depth 66)
- Modifies registry class
PID:1584
C:\Windows\SysWOW64\Npkaiolh.exe  C:\Windows\system32\Npkaiolh.exe  (depth 67)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6004
C:\Windows\SysWOW64\Ncinejkl.exe  C:\Windows\system32\Ncinejkl.exe  (depth 68)
PID:2300
C:\Windows\SysWOW64\Nkpffgkn.exe  C:\Windows\system32\Nkpffgkn.exe  (depth 69)
PID:1604
C:\Windows\SysWOW64\Njcfbd32.exe  C:\Windows\system32\Njcfbd32.exe  (depth 70)
PID:3884
C:\Windows\SysWOW64\Nqmnon32.exe  C:\Windows\system32\Nqmnon32.exe  (depth 71)
PID:2924
C:\Windows\SysWOW64\Nckjkj32.exe  C:\Windows\system32\Nckjkj32.exe  (depth 72)
PID:4872
C:\Windows\SysWOW64\Nkbblg32.exe  C:\Windows\system32\Nkbblg32.exe  (depth 73)
- System Location Discovery: System Language Discovery
PID:1652
C:\Windows\SysWOW64\Njebgdpf.exe  C:\Windows\system32\Njebgdpf.exe  (depth 74)
PID:3496
C:\Windows\SysWOW64\Nalkiaah.exe  C:\Windows\system32\Nalkiaah.exe  (depth 75)
PID:1952
C:\Windows\SysWOW64\Okeoag32.exe  C:\Windows\system32\Okeoag32.exe  (depth 76)
PID:3748
C:\Windows\SysWOW64\Oncknb32.exe  C:\Windows\system32\Oncknb32.exe  (depth 77)
- Modifies registry class
PID:4560
C:\Windows\SysWOW64\Oqagjneq.exe  C:\Windows\system32\Oqagjneq.exe  (depth 78)
PID:5232
C:\Windows\SysWOW64\Odmcjl32.exe  C:\Windows\system32\Odmcjl32.exe  (depth 79)
PID:1292
C:\Windows\SysWOW64\Oglpfh32.exe  C:\Windows\system32\Oglpfh32.exe  (depth 80)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5276
C:\Windows\SysWOW64\Ojjlbc32.exe  C:\Windows\system32\Ojjlbc32.exe  (depth 81)
PID:656
C:\Windows\SysWOW64\Oqddomcn.exe  C:\Windows\system32\Oqddomcn.exe  (depth 82)
PID:1568
C:\Windows\SysWOW64\Odpppl32.exe  C:\Windows\system32\Odpppl32.exe  (depth 83)
PID:5252
C:\Windows\SysWOW64\Ognmlg32.exe  C:\Windows\system32\Ognmlg32.exe  (depth 84)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4896
C:\Windows\SysWOW64\Ojlihc32.exe  C:\Windows\system32\Ojlihc32.exe  (depth 85)
- Drops file in System32 directory
- Modifies registry class
PID:836
C:\Windows\SysWOW64\Oqfaem32.exe  C:\Windows\system32\Oqfaem32.exe  (depth 86)
PID:5448
C:\Windows\SysWOW64\Ocemah32.exe  C:\Windows\system32\Ocemah32.exe  (depth 87)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3584
C:\Windows\SysWOW64\Oklebf32.exe  C:\Windows\system32\Oklebf32.exe  (depth 88)
- Modifies registry class
PID:5384
C:\Windows\SysWOW64\Oqinjm32.exe  C:\Windows\system32\Oqinjm32.exe  (depth 89)
- Modifies registry class
PID:5024
C:\Windows\SysWOW64\Ocgjfh32.exe  C:\Windows\system32\Ocgjfh32.exe  (depth 90)
- Modifies registry class
PID:5236
C:\Windows\SysWOW64\Oknbhe32.exe  C:\Windows\system32\Oknbhe32.exe  (depth 91)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1908
C:\Windows\SysWOW64\Onmnda32.exe  C:\Windows\system32\Onmnda32.exe  (depth 92)
- Drops file in System32 directory
PID:3216
C:\Windows\SysWOW64\Pbhjdpgk.exe  C:\Windows\system32\Pbhjdpgk.exe  (depth 93)
PID:4140
C:\Windows\SysWOW64\Pqkjpl32.exe  C:\Windows\system32\Pqkjpl32.exe  (depth 94)
PID:5700
C:\Windows\SysWOW64\Pciglhmi.exe  C:\Windows\system32\Pciglhmi.exe  (depth 95)
PID:1688
C:\Windows\SysWOW64\Pgebmf32.exe  C:\Windows\system32\Pgebmf32.exe  (depth 96)
- Modifies registry class
PID:4952
C:\Windows\SysWOW64\Pkqomeml.exe  C:\Windows\system32\Pkqomeml.exe  (depth 97)
PID:2260
C:\Windows\SysWOW64\Pnokiqlo.exe  C:\Windows\system32\Pnokiqlo.exe  (depth 98)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5128
C:\Windows\SysWOW64\Pbjgjo32.exe  C:\Windows\system32\Pbjgjo32.exe  (depth 99)
PID:2096
C:\Windows\SysWOW64\Pdicfk32.exe  C:\Windows\system32\Pdicfk32.exe  (depth 100)
PID:5588
C:\Windows\SysWOW64\Pclcagkg.exe  C:\Windows\system32\Pclcagkg.exe  (depth 101)
- Modifies registry class
PID:5860
C:\Windows\SysWOW64\Pggobf32.exe  C:\Windows\system32\Pggobf32.exe  (depth 102)
PID:5904
C:\Windows\SysWOW64\Pjflna32.exe  C:\Windows\system32\Pjflna32.exe  (depth 103)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3916
C:\Windows\SysWOW64\Pnahopjm.exe  C:\Windows\system32\Pnahopjm.exe  (depth 104)
PID:3640
C:\Windows\SysWOW64\Pqpdkliq.exe  C:\Windows\system32\Pqpdkliq.exe  (depth 105)
PID:2516
C:\Windows\SysWOW64\Pdkplj32.exe  C:\Windows\system32\Pdkplj32.exe  (depth 106)
PID:3972
C:\Windows\SysWOW64\Pcnpgghd.exe  C:\Windows\system32\Pcnpgghd.exe  (depth 107)
PID:556
C:\Windows\SysWOW64\Pgjlhfam.exe  C:\Windows\system32\Pgjlhfam.exe  (depth 108)
PID:5988
C:\Windows\SysWOW64\Pjhhdapa.exe  C:\Windows\system32\Pjhhdapa.exe  (depth 109)
- Modifies registry class
PID:2828
C:\Windows\SysWOW64\Pncddp32.exe  C:\Windows\system32\Pncddp32.exe  (depth 110)
PID:3984
C:\Windows\SysWOW64\Pbopeoqc.exe  C:\Windows\system32\Pbopeoqc.exe  (depth 111)
- System Location Discovery: System Language Discovery
PID:6100
C:\Windows\SysWOW64\Pdnmajpg.exe  C:\Windows\system32\Pdnmajpg.exe  (depth 112)
PID:4016
C:\Windows\SysWOW64\Pglimeok.exe  C:\Windows\system32\Pglimeok.exe  (depth 113)
PID:4268
C:\Windows\SysWOW64\Pkgend32.exe  C:\Windows\system32\Pkgend32.exe  (depth 114)
- Modifies registry class
PID:4984
C:\Windows\SysWOW64\Pjjeiann.exe  C:\Windows\system32\Pjjeiann.exe  (depth 115)
PID:3404
C:\Windows\SysWOW64\Pbamknoq.exe  C:\Windows\system32\Pbamknoq.exe  (depth 116)
PID:3224
C:\Windows\SysWOW64\Pqdmfk32.exe  C:\Windows\system32\Pqdmfk32.exe  (depth 117)
PID:4708
C:\Windows\SysWOW64\Pepigjnd.exe  C:\Windows\system32\Pepigjnd.exe  (depth 118)
PID:5156
C:\Windows\SysWOW64\Pccibf32.exe  C:\Windows\system32\Pccibf32.exe  (depth 119)
- System Location Discovery: System Language Discovery
PID:2916
C:\Windows\SysWOW64\Pgnecemh.exe  C:\Windows\system32\Pgnecemh.exe  (depth 120)
PID:2744
C:\Windows\SysWOW64\Pjmaoq32.exe  C:\Windows\system32\Pjmaoq32.exe  (depth 121)
PID:5848
C:\Windows\SysWOW64\Pnhnpode.exe  C:\Windows\system32\Pnhnpode.exe  (depth 122)
PID:2952