Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2024, 04:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63N.exe
-
Size
89KB
-
MD5
329695d24e9f38a41b8afeba2b523160
-
SHA1
53f11dd60c603322a25d23bc54d0e5f71dee36e2
-
SHA256
49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63
-
SHA512
23d74cec50759cb099ffe7b5eb0e891a74b2692676c6a44d0df6209a7ec8b4a21f20e8abf01af168b6f5e956d21ecdb0434c6992940eaa333fe08a2e713b4a35
-
SSDEEP
1536:lY7QA1vzWc2tyI/x6ssG1tNIj64cklExkg8Fk:lY7Q4vzWcGH/x6ssRcklakgwk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnnllhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlqpaafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iglhob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpklql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhceh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilfldoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elilmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnapgjdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbnbhfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgfmeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jclljaei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dolinf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fghcqq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oileakbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgijkgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgijkgeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mejnlpai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghjhofjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmmnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnimbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbpolb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljncnhhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onhhmpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogjpld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqghcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddekmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhgcbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhddgofo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhobjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afnefieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Foakpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljjpnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggjog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pacfjfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Decdeama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbonm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcipcnac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdjpcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfmekm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeglbeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnhlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imknli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aijeme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpejlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfilkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgagjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chinkndp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elgohj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaifbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fempbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agqhik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjhbbob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kppbejka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhllni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcmpgpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpilekqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Googaaej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnenchoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnoiqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dicbfhni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddekmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokcjngj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anncek32.exe -
Executes dropped EXE 64 IoCs
pid Process 4832 Cemeoh32.exe 748 Cpcila32.exe 3356 Cepadh32.exe 1388 Ddqbbo32.exe 3328 Dinjjf32.exe 4424 Dpgbgpbe.exe 5020 Dfakcj32.exe 1236 Dlncla32.exe 4404 Ddekmo32.exe 2920 Dibdeegc.exe 708 Dlqpaafg.exe 8 Ddhhbngi.exe 1004 Deidjf32.exe 1172 Dpoiho32.exe 2732 Dghadidj.exe 3588 Eleimp32.exe 4820 Egknji32.exe 980 Elhfbp32.exe 4372 Egmjpi32.exe 4760 Eilfldoi.exe 2028 Emgblc32.exe 4108 Ecdkdj32.exe 2564 Eebgqe32.exe 4616 Emioab32.exe 3656 Ephlnn32.exe 2828 Edcgnmml.exe 4412 Eeddfe32.exe 3344 Elolco32.exe 3168 Fnnimbaj.exe 2388 Fgfmeg32.exe 3140 Fgijkgeh.exe 3236 Ffnglc32.exe 3544 Fcbgfhii.exe 4528 Ffpcbchm.exe 1092 Fcddkggf.exe 2308 Gphddlfp.exe 1232 Gnlenp32.exe 2060 Gdfmkjlg.exe 3556 Glabolja.exe 2312 Gckjlf32.exe 4968 Gggfme32.exe 3612 Gjebiq32.exe 5056 Ggicbe32.exe 2016 Gnckooob.exe 3552 Gglpgd32.exe 4912 Hqddqj32.exe 3152 Hqfqfj32.exe 4744 Hnmnengg.exe 2132 Hcifmdeo.exe 3780 Inagpm32.exe 1672 Iqpclh32.exe 3500 Ifmldo32.exe 3180 Ienlbf32.exe 1732 Iglhob32.exe 3772 Imiagi32.exe 1144 Icciccmd.exe 2404 Ifaepolg.exe 3268 Imknli32.exe 3856 Iebfmfdg.exe 3196 Ifcben32.exe 2880 Inkjfk32.exe 4640 Iaifbg32.exe 2592 Jgcooaah.exe 4428 Jnmglk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ohcigb32.dll Edcgnmml.exe File created C:\Windows\SysWOW64\Fgijkgeh.exe Fgfmeg32.exe File opened for modification C:\Windows\SysWOW64\Kfkamk32.exe Kejeebpl.exe File created C:\Windows\SysWOW64\Nagngjmj.exe Njmejp32.exe File created C:\Windows\SysWOW64\Bopfdc32.dll Pddokabk.exe File created C:\Windows\SysWOW64\Bhbahm32.exe Anmmkd32.exe File opened for modification C:\Windows\SysWOW64\Omlkmign.exe Oknnanhj.exe File created C:\Windows\SysWOW64\Ppffec32.exe Pacfjfej.exe File opened for modification C:\Windows\SysWOW64\Agqhik32.exe Ahngmnnd.exe File created C:\Windows\SysWOW64\Mhfmbl32.exe Lfgahikm.exe File opened for modification C:\Windows\SysWOW64\Mdddhlbl.exe Mmjlkb32.exe File created C:\Windows\SysWOW64\Bghddp32.exe Bejhhd32.exe File opened for modification C:\Windows\SysWOW64\Elgohj32.exe Eemgkpef.exe File opened for modification C:\Windows\SysWOW64\Flpbnh32.exe Fibfbm32.exe File opened for modification C:\Windows\SysWOW64\Igieoleg.exe Iqombb32.exe File opened for modification C:\Windows\SysWOW64\Deidjf32.exe Ddhhbngi.exe File created C:\Windows\SysWOW64\Fjmaii32.dll Gcmpgpkp.exe File opened for modification C:\Windows\SysWOW64\Mjfoja32.exe Mhhcne32.exe File opened for modification C:\Windows\SysWOW64\Mmiealgc.exe Mdaqhf32.exe File created C:\Windows\SysWOW64\Fkgkle32.dll Phkaqqoi.exe File created C:\Windows\SysWOW64\Ffnglc32.exe Fgijkgeh.exe File created C:\Windows\SysWOW64\Jgobcb32.dll Kjfmminc.exe File created C:\Windows\SysWOW64\Okpkgm32.exe Ohaokbfd.exe File created C:\Windows\SysWOW64\Opopdd32.exe Oalpigkb.exe File opened for modification C:\Windows\SysWOW64\Deejpjgc.exe Dbgndoho.exe File created C:\Windows\SysWOW64\Cbjeeion.dll Eblgon32.exe File created C:\Windows\SysWOW64\Fpopekeb.dll Ephlnn32.exe File created C:\Windows\SysWOW64\Fgmeobin.dll Ignnjk32.exe File created C:\Windows\SysWOW64\Dpbmfghh.dll Mmiealgc.exe File created C:\Windows\SysWOW64\Jjlmcilb.dll Dendok32.exe File created C:\Windows\SysWOW64\Qfckpa32.dll Bkjpkg32.exe File created C:\Windows\SysWOW64\Idqogkic.dll Ckoifgmb.exe File created C:\Windows\SysWOW64\Ddqbbo32.exe Cepadh32.exe File opened for modification C:\Windows\SysWOW64\Eleimp32.exe Dghadidj.exe File created C:\Windows\SysWOW64\Bmmcco32.dll Iglhob32.exe File created C:\Windows\SysWOW64\Jokpcmmj.exe Igpkok32.exe File opened for modification C:\Windows\SysWOW64\Nffceq32.exe Najjmjkg.exe File opened for modification C:\Windows\SysWOW64\Oileakbj.exe Ohkijc32.exe File created C:\Windows\SysWOW64\Gdfmkjlg.exe Gnlenp32.exe File created C:\Windows\SysWOW64\Nhdicjfp.exe Nefmgogl.exe File opened for modification C:\Windows\SysWOW64\Agckiqgg.exe Afboah32.exe File created C:\Windows\SysWOW64\Cejaobel.exe Cblebgfh.exe File created C:\Windows\SysWOW64\Pgpobmca.exe Ppffec32.exe File created C:\Windows\SysWOW64\Pndhhnda.exe Ogjpld32.exe File created C:\Windows\SysWOW64\Jncemmid.dll Fidbgm32.exe File opened for modification C:\Windows\SysWOW64\Fhllni32.exe Fiilblom.exe File opened for modification C:\Windows\SysWOW64\Hlhaee32.exe Hjieii32.exe File created C:\Windows\SysWOW64\Mhhcne32.exe Mpqklh32.exe File created C:\Windows\SysWOW64\Bflajb32.dll Gphddlfp.exe File opened for modification C:\Windows\SysWOW64\Kejeebpl.exe Kanidd32.exe File created C:\Windows\SysWOW64\Mhkcpd32.dll Lfgahikm.exe File opened for modification C:\Windows\SysWOW64\Dojlhg32.exe Dpglmjoj.exe File created C:\Windows\SysWOW64\Dfjood32.dll Naqqmieo.exe File created C:\Windows\SysWOW64\Edcgnmml.exe Ephlnn32.exe File created C:\Windows\SysWOW64\Pfkpiled.exe Pndhhnda.exe File created C:\Windows\SysWOW64\Aijeme32.exe Abpmpkoh.exe File created C:\Windows\SysWOW64\Fcdpakhk.dll Beobcdoi.exe File created C:\Windows\SysWOW64\Mnedig32.dll Hjpkjh32.exe File created C:\Windows\SysWOW64\Edmleg32.dll Ppdjpcng.exe File opened for modification C:\Windows\SysWOW64\Djklgb32.exe Dendok32.exe File created C:\Windows\SysWOW64\Hnmnengg.exe Hqfqfj32.exe File opened for modification C:\Windows\SysWOW64\Bbpeghpe.exe Bpaikm32.exe File created C:\Windows\SysWOW64\Mkjpnc32.dll Jfgefg32.exe File created C:\Windows\SysWOW64\Nfndbnlp.dll Kfeagefd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10620 10500 WerFault.exe 511 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abflfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqklh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaobdmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgbgpbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgoolbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcike32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpibh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceoppmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkjfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmglk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebgqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngipjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejnlpai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpeaeedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Namnmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemeoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffnglc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khonkogj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngifef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnimbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebimmco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naaghoik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kciaqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfmkjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malnklgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlenp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afboah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eedmlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcfjfqah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcdaehf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogdfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmahojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggbfdog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqdlmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejjdlap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicbfhni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agobna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjjkble.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfaqcclf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlpgibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijeme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoiqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciqmjkno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkqdnkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklpof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpmpkoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpbnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljmmcbdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphamg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqpbboeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dioiki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghadidj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnbg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifhac32.dll" Ngklppei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplceabf.dll" Mhmcck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bejhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hphfac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjbhph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihmnldib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfhgcbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfihoghm.dll" Abdoqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmjlkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmneemaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Diopep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Namnmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeglbeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdpakhk.dll" Beobcdoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oolnabal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klgnnd32.dll" Bbpeghpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoekde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcdfho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bechccgd.dll" Ddhhbngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deidjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffnglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnfkp32.dll" Lndfchdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Malnklgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agnkck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahngmnnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkmohka.dll" Lhadgmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihbeo32.dll" Onmahojj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnjgog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcbgfhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfniikha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fepade32.dll" Kpilekqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehkefih.dll" Kfcdaehf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehpmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldgnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgpobmca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abflfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nieoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnnimbaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbfjjlgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfpenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlogfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oknnanhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabmnd32.dll" Ciqmjkno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ephlnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ephlnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Googaaej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqfbo32.dll" Mmbopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioaegj32.dll" Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfafpcai.dll" Njmejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjpai32.dll" Qkqdnkge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqpbboeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elomej32.dll" Kceoppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacofh32.dll" Pfkpiled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbkbj32.dll" Hgbonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cngjjm32.dll" Igieoleg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkofdlq.dll" Adpogp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djmima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjffpb32.dll" Cejaobel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gebimmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igghilhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllfihmi.dll" Jmopmalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnkilbni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inefak32.dll" Jnocakfb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 516 wrote to memory of 4832 516 49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63N.exe 89 PID 516 wrote to memory of 4832 516 49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63N.exe 89 PID 516 wrote to memory of 4832 516 49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63N.exe 89 PID 4832 wrote to memory of 748 4832 Cemeoh32.exe 90 PID 4832 wrote to memory of 748 4832 Cemeoh32.exe 90 PID 4832 wrote to memory of 748 4832 Cemeoh32.exe 90 PID 748 wrote to memory of 3356 748 Cpcila32.exe 91 PID 748 wrote to memory of 3356 748 Cpcila32.exe 91 PID 748 wrote to memory of 3356 748 Cpcila32.exe 91 PID 3356 wrote to memory of 1388 3356 Cepadh32.exe 92 PID 3356 wrote to memory of 1388 3356 Cepadh32.exe 92 PID 3356 wrote to memory of 1388 3356 Cepadh32.exe 92 PID 1388 wrote to memory of 3328 1388 Ddqbbo32.exe 93 PID 1388 wrote to memory of 3328 1388 Ddqbbo32.exe 93 PID 1388 wrote to memory of 3328 1388 Ddqbbo32.exe 93 PID 3328 wrote to memory of 4424 3328 Dinjjf32.exe 94 PID 3328 wrote to memory of 4424 3328 Dinjjf32.exe 94 PID 3328 wrote to memory of 4424 3328 Dinjjf32.exe 94 PID 4424 wrote to memory of 5020 4424 Dpgbgpbe.exe 95 PID 4424 wrote to memory of 5020 4424 Dpgbgpbe.exe 95 PID 4424 wrote to memory of 5020 4424 Dpgbgpbe.exe 95 PID 5020 wrote to memory of 1236 5020 Dfakcj32.exe 96 PID 5020 wrote to memory of 1236 5020 Dfakcj32.exe 96 PID 5020 wrote to memory of 1236 5020 Dfakcj32.exe 96 PID 1236 wrote to memory of 4404 1236 Dlncla32.exe 97 PID 1236 wrote to memory of 4404 1236 Dlncla32.exe 97 PID 1236 wrote to memory of 4404 1236 Dlncla32.exe 97 PID 4404 wrote to memory of 2920 4404 Ddekmo32.exe 98 PID 4404 wrote to memory of 2920 4404 Ddekmo32.exe 98 PID 4404 wrote to memory of 2920 4404 Ddekmo32.exe 98 PID 2920 wrote to memory of 708 2920 Dibdeegc.exe 99 PID 2920 wrote to memory of 708 2920 Dibdeegc.exe 99 PID 2920 wrote to memory of 708 2920 Dibdeegc.exe 99 PID 708 wrote to memory of 8 708 Dlqpaafg.exe 100 PID 708 wrote to memory of 8 708 Dlqpaafg.exe 100 PID 708 wrote to memory of 8 708 Dlqpaafg.exe 100 PID 8 wrote to memory of 1004 8 Ddhhbngi.exe 101 PID 8 wrote to memory of 1004 8 Ddhhbngi.exe 101 PID 8 wrote to memory of 1004 8 Ddhhbngi.exe 101 PID 1004 wrote to memory of 1172 1004 Deidjf32.exe 102 PID 1004 wrote to memory of 1172 1004 Deidjf32.exe 102 PID 1004 wrote to memory of 1172 1004 Deidjf32.exe 102 PID 1172 wrote to memory of 2732 1172 Dpoiho32.exe 103 PID 1172 wrote to memory of 2732 1172 Dpoiho32.exe 103 PID 1172 wrote to memory of 2732 1172 Dpoiho32.exe 103 PID 2732 wrote to memory of 3588 2732 Dghadidj.exe 104 PID 2732 wrote to memory of 3588 2732 Dghadidj.exe 104 PID 2732 wrote to memory of 3588 2732 Dghadidj.exe 104 PID 3588 wrote to memory of 4820 3588 Eleimp32.exe 105 PID 3588 wrote to memory of 4820 3588 Eleimp32.exe 105 PID 3588 wrote to memory of 4820 3588 Eleimp32.exe 105 PID 4820 wrote to memory of 980 4820 Egknji32.exe 106 PID 4820 wrote to memory of 980 4820 Egknji32.exe 106 PID 4820 wrote to memory of 980 4820 Egknji32.exe 106 PID 980 wrote to memory of 4372 980 Elhfbp32.exe 107 PID 980 wrote to memory of 4372 980 Elhfbp32.exe 107 PID 980 wrote to memory of 4372 980 Elhfbp32.exe 107 PID 4372 wrote to memory of 4760 4372 Egmjpi32.exe 108 PID 4372 wrote to memory of 4760 4372 Egmjpi32.exe 108 PID 4372 wrote to memory of 4760 4372 Egmjpi32.exe 108 PID 4760 wrote to memory of 2028 4760 Eilfldoi.exe 109 PID 4760 wrote to memory of 2028 4760 Eilfldoi.exe 109 PID 4760 wrote to memory of 2028 4760 Eilfldoi.exe 109 PID 2028 wrote to memory of 4108 2028 Emgblc32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63N.exe"C:\Users\Admin\AppData\Local\Temp\49dcabad790df9fdb35977e0170d6b5a71e38f3a9035173b2afb5d4572e81d63N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Dinjjf32.exeC:\Windows\system32\Dinjjf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Dlncla32.exeC:\Windows\system32\Dlncla32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Ddekmo32.exeC:\Windows\system32\Ddekmo32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Egknji32.exeC:\Windows\system32\Egknji32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Egmjpi32.exeC:\Windows\system32\Egmjpi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe23⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe25⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Eeddfe32.exeC:\Windows\system32\Eeddfe32.exe28⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe29⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Fgijkgeh.exeC:\Windows\system32\Fgijkgeh.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3140 -
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3236 -
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3544 -
C:\Windows\SysWOW64\Ffpcbchm.exeC:\Windows\system32\Ffpcbchm.exe35⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe36⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe40⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Gckjlf32.exeC:\Windows\system32\Gckjlf32.exe41⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Gggfme32.exeC:\Windows\system32\Gggfme32.exe42⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe43⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe44⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Gnckooob.exeC:\Windows\system32\Gnckooob.exe45⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3552 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe47⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\Hnmnengg.exeC:\Windows\system32\Hnmnengg.exe49⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Hcifmdeo.exeC:\Windows\system32\Hcifmdeo.exe50⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe51⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe52⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ifmldo32.exeC:\Windows\system32\Ifmldo32.exe53⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Ienlbf32.exeC:\Windows\system32\Ienlbf32.exe54⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Imiagi32.exeC:\Windows\system32\Imiagi32.exe56⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe57⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe58⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Imknli32.exeC:\Windows\system32\Imknli32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe60⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Ifcben32.exeC:\Windows\system32\Ifcben32.exe61⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe64⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jnmglk32.exeC:\Windows\system32\Jnmglk32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4428 -
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe66⤵PID:2272
-
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe67⤵PID:4180
-
C:\Windows\SysWOW64\Jnocakfb.exeC:\Windows\system32\Jnocakfb.exe68⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3252 -
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844 -
C:\Windows\SysWOW64\Jfmekm32.exeC:\Windows\system32\Jfmekm32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5160 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe72⤵
- System Location Discovery: System Language Discovery
PID:5200 -
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe73⤵PID:5240
-
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Kjpgmj32.exeC:\Windows\system32\Kjpgmj32.exe75⤵PID:5324
-
C:\Windows\SysWOW64\Kallod32.exeC:\Windows\system32\Kallod32.exe76⤵PID:5364
-
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe77⤵PID:5404
-
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe78⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe79⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe80⤵PID:5564
-
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe81⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe82⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe83⤵PID:5692
-
C:\Windows\SysWOW64\Ljncnhhk.exeC:\Windows\system32\Ljncnhhk.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5736 -
C:\Windows\SysWOW64\Lmlpjdgo.exeC:\Windows\system32\Lmlpjdgo.exe85⤵PID:5780
-
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe86⤵
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Lhdqml32.exeC:\Windows\system32\Lhdqml32.exe87⤵PID:5872
-
C:\Windows\SysWOW64\Lfgahikm.exeC:\Windows\system32\Lfgahikm.exe88⤵
- Drops file in System32 directory
PID:5912 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe89⤵PID:5964
-
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe90⤵PID:6008
-
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6052 -
C:\Windows\SysWOW64\Mdmngm32.exeC:\Windows\system32\Mdmngm32.exe92⤵PID:6092
-
C:\Windows\SysWOW64\Mobbdf32.exeC:\Windows\system32\Mobbdf32.exe93⤵PID:6140
-
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe94⤵PID:5156
-
C:\Windows\SysWOW64\Meljappg.exeC:\Windows\system32\Meljappg.exe95⤵PID:5236
-
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe96⤵PID:5320
-
C:\Windows\SysWOW64\Mhmcck32.exeC:\Windows\system32\Mhmcck32.exe97⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe98⤵
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Mdddhlbl.exeC:\Windows\system32\Mdddhlbl.exe100⤵PID:5636
-
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe101⤵PID:5704
-
C:\Windows\SysWOW64\Nahdapae.exeC:\Windows\system32\Nahdapae.exe102⤵PID:5772
-
C:\Windows\SysWOW64\Ndfanlpi.exeC:\Windows\system32\Ndfanlpi.exe103⤵PID:5844
-
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe104⤵PID:5904
-
C:\Windows\SysWOW64\Nefmgogl.exeC:\Windows\system32\Nefmgogl.exe105⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe106⤵PID:6048
-
C:\Windows\SysWOW64\Nggjog32.exeC:\Windows\system32\Nggjog32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6108 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe109⤵PID:5292
-
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe110⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\SysWOW64\Nkebee32.exeC:\Windows\system32\Nkebee32.exe111⤵PID:5572
-
C:\Windows\SysWOW64\Nejgbn32.exeC:\Windows\system32\Nejgbn32.exe112⤵PID:5720
-
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe113⤵PID:5864
-
C:\Windows\SysWOW64\Naaghoik.exeC:\Windows\system32\Naaghoik.exe114⤵
- System Location Discovery: System Language Discovery
PID:5992 -
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe115⤵PID:6100
-
C:\Windows\SysWOW64\Noehac32.exeC:\Windows\system32\Noehac32.exe116⤵PID:5224
-
C:\Windows\SysWOW64\Onhhmpoo.exeC:\Windows\system32\Onhhmpoo.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5356 -
C:\Windows\SysWOW64\Ohnljine.exeC:\Windows\system32\Ohnljine.exe118⤵PID:5688
-
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5792 -
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe120⤵PID:6080
-
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5268
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-