Analysis
max time kernel: 128s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2024 19:50
Static task: static1
Behavioral task: behavioral1
Sample: 24fa951fe3b2985acf2c6896170c7d0eca83acd253619501c4de831c2201b088.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 24fa951fe3b2985acf2c6896170c7d0eca83acd253619501c4de831c2201b088.exe
Resource: win10v2004-20240802-en
General
Target: 24fa951fe3b2985acf2c6896170c7d0eca83acd253619501c4de831c2201b088.exe
Size: 77KB
MD5: 4818275ccdbd54ed07f4745e7b28f53b
SHA1: 81077d5277b34efc71155a3287c3bdb226a6e71d
SHA256: 24fa951fe3b2985acf2c6896170c7d0eca83acd253619501c4de831c2201b088
SHA512: 5d2434ac5244c173c8799316f96f5dde246dc797cc9d226eaea4fadd1769d9750f9ac87345c974dccca6f8450c7943581e97c8fb9cd20de26c8d34caadd94955
SSDEEP: 1536:7UIrNmRokatiG9Q2uU770uzbzHBHHUUU3KTx2LtTwfi+TjRC/D:Bhti7CHBHHUUU6TKRwf1TjYD
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 8344, pid_target: 9040, Process: WerFault.exe, procid_target: 1076
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
One entry per process. The list number is the process's level in the chain (each process spawned the next one). The first entry is the submitted sample, launched as "C:\Users\Admin\AppData\Local\Temp\24fa951fe3b2985acf2c6896170c7d0eca83acd253619501c4de831c2201b088.exe"; every later entry is a dropped executable recorded at the C:\Windows\SysWOW64 path shown and launched with the command line C:\Windows\system32\<same file name>. Flagged behaviours follow the PID.
1. C:\Users\Admin\AppData\Local\Temp\24fa951fe3b2985acf2c6896170c7d0eca83acd253619501c4de831c2201b088.exe (PID 1604): Modifies registry class; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kfeolkab.exe (PID 1488): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Klbgdb32.exe (PID 1700): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Kfhkak32.exe (PID 2128): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Klddjb32.exe (PID 1148): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kdllko32.exe (PID 220): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kemhcgdg.exe (PID 996): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Llgqpakd.exe (PID 3868): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lflemjkj.exe (PID 3720): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lmfmid32.exe (PID 4968): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lfoabjih.exe (PID 4728): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Llkjka32.exe (PID 3948): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lbebgkol.exe (PID 3424): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ledocfnp.exe (PID 5024): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Llngpq32.exe (PID 2568): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Lgckni32.exe (PID 1216): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lmmcjclo.exe (PID 1824): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Lbjlbj32.exe (PID 3124): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Lmpppc32.exe (PID 2588): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Mdjhlmai.exe (PID 3544): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Mekdde32.exe (PID 1376): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Mpqian32.exe (PID 4036): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Mgjanh32.exe (PID 4436): Executes dropped EXE; Modifies registry class
24. C:\Windows\SysWOW64\Mmdikbfg.exe (PID 2996): Executes dropped EXE
25. C:\Windows\SysWOW64\Mdnagm32.exe (PID 436): Executes dropped EXE
26. C:\Windows\SysWOW64\Mepnoecb.exe (PID 4476): Executes dropped EXE
27. C:\Windows\SysWOW64\Mmgfqbdd.exe (PID 228): Executes dropped EXE
28. C:\Windows\SysWOW64\Mgokihke.exe (PID 3532): Executes dropped EXE
29. C:\Windows\SysWOW64\Mmicfb32.exe (PID 5040): Executes dropped EXE
30. C:\Windows\SysWOW64\Mpgobm32.exe (PID 4016): Executes dropped EXE; Drops file in System32 directory
31. C:\Windows\SysWOW64\Mcfkni32.exe (PID 3540): Executes dropped EXE
32. C:\Windows\SysWOW64\Nlnpgngj.exe (PID 4568): Executes dropped EXE
33. C:\Windows\SysWOW64\Nchhdh32.exe (PID 1504): Executes dropped EXE
34. C:\Windows\SysWOW64\Nibpqb32.exe (PID 396): Executes dropped EXE
35. C:\Windows\SysWOW64\Nplhmmmp.exe (PID 4216): Executes dropped EXE; Drops file in System32 directory
36. C:\Windows\SysWOW64\Ngfqjg32.exe (PID 4984): Executes dropped EXE
37. C:\Windows\SysWOW64\Nnpifalj.exe (PID 4184): Executes dropped EXE; Modifies registry class
38. C:\Windows\SysWOW64\Ndjack32.exe (PID 4352): Executes dropped EXE
39. C:\Windows\SysWOW64\Neknkcie.exe (PID 1744): Executes dropped EXE; System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Nnbelq32.exe (PID 2060): Executes dropped EXE
41. C:\Windows\SysWOW64\Nlefhmaa.exe (PID 1988): Executes dropped EXE
42. C:\Windows\SysWOW64\Ncondg32.exe (PID 4940): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43. C:\Windows\SysWOW64\Nfnjqc32.exe (PID 1144): Executes dropped EXE
44. C:\Windows\SysWOW64\Nnebap32.exe (PID 1776): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
45. C:\Windows\SysWOW64\Npconl32.exe (PID 1684): Executes dropped EXE
46. C:\Windows\SysWOW64\Ngmgkfoe.exe (PID 4776): Executes dropped EXE
47. C:\Windows\SysWOW64\Ongogpfb.exe (PID 3624): Executes dropped EXE
48. C:\Windows\SysWOW64\Ocdgpgdi.exe (PID 3472): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
49. C:\Windows\SysWOW64\Ojnpla32.exe (PID 2832): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50. C:\Windows\SysWOW64\Olllhl32.exe (PID 2764): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
51. C:\Windows\SysWOW64\Ocfdefbf.exe (PID 4708): Executes dropped EXE; System Location Discovery: System Language Discovery
52. C:\Windows\SysWOW64\Ojplbq32.exe (PID 760): Executes dropped EXE
53. C:\Windows\SysWOW64\Oqjeok32.exe (PID 3248): Executes dropped EXE
54. C:\Windows\SysWOW64\Ogdmkdhm.exe (PID 4884): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
55. C:\Windows\SysWOW64\Ojbigpgq.exe (PID 216): Executes dropped EXE
56. C:\Windows\SysWOW64\Olaeclgd.exe (PID 1620): Executes dropped EXE; System Location Discovery: System Language Discovery
57. C:\Windows\SysWOW64\Ogfjadfj.exe (PID 2532): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58. C:\Windows\SysWOW64\Omcbikda.exe (PID 4280): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
59. C:\Windows\SysWOW64\Odjjjh32.exe (PID 5096): Executes dropped EXE
60. C:\Windows\SysWOW64\Pflfbqkb.exe (PID 4756): Executes dropped EXE; System Location Discovery: System Language Discovery
61. C:\Windows\SysWOW64\Pjgbbp32.exe (PID 4440): Executes dropped EXE
62. C:\Windows\SysWOW64\Pmeook32.exe (PID 1652): Executes dropped EXE; System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Pgkclc32.exe (PID 1884): Executes dropped EXE; Drops file in System32 directory
64. C:\Windows\SysWOW64\Pnekinjb.exe (PID 2228): Executes dropped EXE
65. C:\Windows\SysWOW64\Pqcgeiie.exe (PID 1448): Executes dropped EXE
66. C:\Windows\SysWOW64\Pcbdad32.exe (PID 1920): Modifies registry class
67. C:\Windows\SysWOW64\Pmjhjjoj.exe (PID 3188): no flagged behaviour
68. C:\Windows\SysWOW64\Pdapkgol.exe (PID 4380): no flagged behaviour
69. C:\Windows\SysWOW64\Pfbmbp32.exe (PID 1952): no flagged behaviour
70. C:\Windows\SysWOW64\Pmmeojmg.exe (PID 788): no flagged behaviour
71. C:\Windows\SysWOW64\Pcgmld32.exe (PID 5136): no flagged behaviour
72. C:\Windows\SysWOW64\Pjqein32.exe (PID 5180): no flagged behaviour
73. C:\Windows\SysWOW64\Pdfjfg32.exe (PID 5220): no flagged behaviour
74. C:\Windows\SysWOW64\Qgdfbb32.exe (PID 5264): no flagged behaviour
75. C:\Windows\SysWOW64\Qmanji32.exe (PID 5304): no flagged behaviour
76. C:\Windows\SysWOW64\Qckfgcpo.exe (PID 5344): no flagged behaviour
77. C:\Windows\SysWOW64\Qfjcco32.exe (PID 5384): Modifies registry class
78. C:\Windows\SysWOW64\Qmckpifo.exe (PID 5424): no flagged behaviour
79. C:\Windows\SysWOW64\Aflpio32.exe (PID 5464): no flagged behaviour
80. C:\Windows\SysWOW64\Aempffeo.exe (PID 5504): no flagged behaviour
81. C:\Windows\SysWOW64\Agllcadb.exe (PID 5548): no flagged behaviour
82. C:\Windows\SysWOW64\Anedpklo.exe (PID 5588): Drops file in System32 directory
83. C:\Windows\SysWOW64\Aqdqlgkc.exe (PID 5632): no flagged behaviour
84. C:\Windows\SysWOW64\Amkaqh32.exe (PID 5680): Modifies registry class
85. C:\Windows\SysWOW64\Aceimbhd.exe (PID 5724): Drops file in System32 directory
86. C:\Windows\SysWOW64\Ammnfgnd.exe (PID 5792): no flagged behaviour
87. C:\Windows\SysWOW64\Agbbcpnj.exe (PID 5856): no flagged behaviour
88. C:\Windows\SysWOW64\Amoklgla.exe (PID 5900): no flagged behaviour
89. C:\Windows\SysWOW64\Aakflf32.exe (PID 5944): no flagged behaviour
90. C:\Windows\SysWOW64\Bgeoiplh.exe (PID 5988): no flagged behaviour
91. C:\Windows\SysWOW64\Bjckekkk.exe (PID 6032): Drops file in System32 directory
92. C:\Windows\SysWOW64\Bmagag32.exe (PID 6076): no flagged behaviour
93. C:\Windows\SysWOW64\Bamcbebh.exe (PID 6120): Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Beiobd32.exe (PID 5152): no flagged behaviour
95. C:\Windows\SysWOW64\Bgglop32.exe (PID 5228): no flagged behaviour
96. C:\Windows\SysWOW64\Bfjljlap.exe (PID 5296): Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Bnadkjab.exe (PID 5376): no flagged behaviour
98. C:\Windows\SysWOW64\Bcnlcqpi.exe (PID 5456): no flagged behaviour
99. C:\Windows\SysWOW64\Bflhplom.exe (PID 5536): no flagged behaviour
100. C:\Windows\SysWOW64\Bmfqlf32.exe (PID 5596): no flagged behaviour
101. C:\Windows\SysWOW64\Bcqiip32.exe (PID 5664): no flagged behaviour
102. C:\Windows\SysWOW64\Bnfmfi32.exe (PID 5756): no flagged behaviour
103. C:\Windows\SysWOW64\Bepeccei.exe (PID 5844): Drops file in System32 directory
104. C:\Windows\SysWOW64\Bjmnkjcq.exe (PID 5912): Adds autorun key to be loaded by Explorer.exe on startup
105. C:\Windows\SysWOW64\Cjokaj32.exe (PID 5984): System Location Discovery: System Language Discovery
106. C:\Windows\SysWOW64\Caicndhk.exe (PID 6060): no flagged behaviour
107. C:\Windows\SysWOW64\Cffkfkfb.exe (PID 6128): no flagged behaviour
108. C:\Windows\SysWOW64\Cnmcghgd.exe (PID 5260): no flagged behaviour
109. C:\Windows\SysWOW64\Ceglcb32.exe (PID 5440): Drops file in System32 directory
110. C:\Windows\SysWOW64\Chehpnne.exe (PID 5572): Drops file in System32 directory
111. C:\Windows\SysWOW64\Cjddlimi.exe (PID 5692): no flagged behaviour
112. C:\Windows\SysWOW64\Cmbphdll.exe (PID 5920): Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Ceihibmo.exe (PID 6008): no flagged behaviour
114. C:\Windows\SysWOW64\Chhdemlb.exe (PID 5124): no flagged behaviour
115. C:\Windows\SysWOW64\Cfjeaj32.exe (PID 5420): no flagged behaviour
116. C:\Windows\SysWOW64\Cnambg32.exe (PID 5732): no flagged behaviour
117. C:\Windows\SysWOW64\Capinc32.exe (PID 5964): System Location Discovery: System Language Discovery
118. C:\Windows\SysWOW64\Celeoakl.exe (PID 5608): no flagged behaviour
119. C:\Windows\SysWOW64\Chjakm32.exe (PID 2592): Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Cjhmgh32.exe (PID 4556): no flagged behaviour
121. C:\Windows\SysWOW64\Cndihgal.exe (PID 6172): no flagged behaviour
122. C:\Windows\SysWOW64\Dabfdbpp.exe (PID 6212): no flagged behaviour