Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2024 06:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9N.exe
-
Size
96KB
-
MD5
bfe2c41481663a94c12dbbeb6163be80
-
SHA1
a785e472545c7c034753f8f87d0290df6da4af48
-
SHA256
e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9
-
SHA512
30d7bf4cb44521bc7d4f5074da2d171003f36c863ebc729543e73376048bdf0eb14188b73c4582c7aa708f517d1c17072cb8a14443c6d69eb9cc60961baf562e
-
SSDEEP
1536:lQOcpTztYCnt7r6cMeCItYrB7sCbQeRMocXtduV9jojTIvjr:lQO2TztYCtv9/4d/QeRiXtd69jc0v
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbhdkml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmepbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odhppclh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpkhjae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmjcdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmqiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clffalkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gplged32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafcofcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklciimh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aklciimh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkfmjnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfeagefd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okkalnjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oajccgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ainnhdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjemle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpghfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpkakak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naqqmieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbkbbkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khhaanop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aofjoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcpojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmpkakak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppffec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnkli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkalnjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqqek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdbkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clffalkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkamdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clmckmcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naqqmieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opopdd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffjnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maaoaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aiqkmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldbbjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeodqocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icminm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfmlok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegchl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Minipm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddokabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpkppbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdlncn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihancje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fekclnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mffjnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onngci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiqomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfmlok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeglbeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efampahd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icpecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhmmieil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjemle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnopjfgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnbapjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdcmnfop.exe -
Executes dropped EXE 64 IoCs
pid Process 5044 Kjdqhjpf.exe 1036 Kmbmdeoj.exe 948 Khhaanop.exe 2364 Kmeiie32.exe 2852 Ldoafodd.exe 4796 Lndfchdj.exe 3352 Lacbpccn.exe 3448 Lfpkhjae.exe 2676 Lmjcdd32.exe 3184 Lhogamih.exe 856 Lmlpjdgo.exe 3100 Lechkaga.exe 1676 Lkppchfi.exe 1540 Lajhpbme.exe 5900 Lhdqml32.exe 1888 Lmqiec32.exe 784 Mhfmbl32.exe 1568 Mginniij.exe 4272 Mopeofjl.exe 3676 Mgkjch32.exe 3436 Mkgfdgpq.exe 3680 Maaoaa32.exe 2924 Mhkgnkoj.exe 3336 Mdagbl32.exe 1964 Moglpedd.exe 4592 Mknlef32.exe 1548 Necqbo32.exe 5692 Nkpijfgf.exe 3372 Nggjog32.exe 220 Namnmp32.exe 820 Nejgbn32.exe 1372 Nkgoke32.exe 5868 Nkjlqd32.exe 3056 Oeopnmoa.exe 5724 Oklifdmi.exe 5840 Oafacn32.exe 1004 Ohpiphlb.exe 1140 Onmahojj.exe 5740 Oolnabal.exe 3408 Oakjnnap.exe 5696 Ohdbkh32.exe 4184 Oamgcm32.exe 1064 Ohgopgfj.exe 2640 Pndhhnda.exe 2356 Pgllad32.exe 4884 Pfmlok32.exe 3812 Pnknim32.exe 4364 Phpbffnp.exe 3924 Pfdbpjmi.exe 5368 Pdgckg32.exe 2116 Qdipag32.exe 2872 Akfdcq32.exe 5168 Andqol32.exe 4080 Afkipi32.exe 1040 Aijeme32.exe 5304 Akhaipei.exe 440 Abbiej32.exe 5804 Adqeaf32.exe 1624 Agobna32.exe 5400 Aofjoo32.exe 3140 Abdfkj32.exe 1880 Ainnhdbp.exe 432 Akmjdpac.exe 876 Ankgpk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eimlgnij.exe Ebcdjc32.exe File created C:\Windows\SysWOW64\Jcpojk32.exe Jqbbno32.exe File created C:\Windows\SysWOW64\Fcpnhp32.dll Libido32.exe File opened for modification C:\Windows\SysWOW64\Pgbkgmao.exe Phpklp32.exe File created C:\Windows\SysWOW64\Akhaipei.exe Aijeme32.exe File created C:\Windows\SysWOW64\Alcolgqi.dll Epbkhhel.exe File created C:\Windows\SysWOW64\Bfoopb32.dll Goadfa32.exe File opened for modification C:\Windows\SysWOW64\Ohobebig.exe Ophjdehd.exe File created C:\Windows\SysWOW64\Khhaanop.exe Kmbmdeoj.exe File opened for modification C:\Windows\SysWOW64\Bkfmjnii.exe Bihancje.exe File opened for modification C:\Windows\SysWOW64\Kqdodo32.exe Jjjggede.exe File opened for modification C:\Windows\SysWOW64\Ophjdehd.exe Oaejhh32.exe File opened for modification C:\Windows\SysWOW64\Bndblcdq.exe Bkefphem.exe File created C:\Windows\SysWOW64\Epiaig32.exe Eipilmgh.exe File created C:\Windows\SysWOW64\Fefjanml.exe Epiaig32.exe File created C:\Windows\SysWOW64\Nmkgdlkh.dll Pncanhaf.exe File created C:\Windows\SysWOW64\Abflab32.dll Ckfofe32.exe File opened for modification C:\Windows\SysWOW64\Lfpkhjae.exe Lacbpccn.exe File opened for modification C:\Windows\SysWOW64\Iqombb32.exe Imcqacfq.exe File created C:\Windows\SysWOW64\Jcacqeaf.dll Nejgbn32.exe File created C:\Windows\SysWOW64\Jebdkl32.dll Blkgen32.exe File created C:\Windows\SysWOW64\Jjjggede.exe Jcpojk32.exe File created C:\Windows\SysWOW64\Ohobebig.exe Ophjdehd.exe File created C:\Windows\SysWOW64\Pbfepjng.dll Pjahchpb.exe File created C:\Windows\SysWOW64\Lpljgpbj.dll Kjdqhjpf.exe File created C:\Windows\SysWOW64\Hgbonm32.exe Hphfac32.exe File opened for modification C:\Windows\SysWOW64\Imcqacfq.exe Icklhnop.exe File opened for modification C:\Windows\SysWOW64\Mpedgghj.exe Miklkm32.exe File opened for modification C:\Windows\SysWOW64\Abgcqjhp.exe Ankgpk32.exe File opened for modification C:\Windows\SysWOW64\Odhppclh.exe Oajccgmd.exe File opened for modification C:\Windows\SysWOW64\Pgihanii.exe Opopdd32.exe File opened for modification C:\Windows\SysWOW64\Pjahchpb.exe Pgbkgmao.exe File created C:\Windows\SysWOW64\Igjhce32.dll Jmmcgbnf.exe File created C:\Windows\SysWOW64\Mdmgdjbb.dll Kfjjbd32.exe File created C:\Windows\SysWOW64\Cjbnqa32.dll Ppffec32.exe File created C:\Windows\SysWOW64\Bfdelf32.dll Onmahojj.exe File created C:\Windows\SysWOW64\Nbddah32.dll Fljedg32.exe File created C:\Windows\SysWOW64\Oknnanhj.exe Ohobebig.exe File created C:\Windows\SysWOW64\Bkamdi32.exe Agcdnjcl.exe File opened for modification C:\Windows\SysWOW64\Ejdonq32.exe Dalkek32.exe File opened for modification C:\Windows\SysWOW64\Ghjhofjg.exe Ggilgn32.exe File created C:\Windows\SysWOW64\Bilflj32.dll Dhcfleff.exe File created C:\Windows\SysWOW64\Kcjael32.dll Qkqdnkge.exe File created C:\Windows\SysWOW64\Nkgoke32.exe Nejgbn32.exe File created C:\Windows\SysWOW64\Qdipag32.exe Pdgckg32.exe File created C:\Windows\SysWOW64\Dlpigk32.exe Dbgdnelk.exe File opened for modification C:\Windows\SysWOW64\Hjpkjh32.exe Hgbonm32.exe File opened for modification C:\Windows\SysWOW64\Hjbhph32.exe Hcipcnac.exe File created C:\Windows\SysWOW64\Onmahojj.exe Ohpiphlb.exe File created C:\Windows\SysWOW64\Fnkbbiqp.dll Akogio32.exe File created C:\Windows\SysWOW64\Fekclnif.exe Flboch32.exe File opened for modification C:\Windows\SysWOW64\Cnnllhpa.exe Clpppmqn.exe File opened for modification C:\Windows\SysWOW64\Cigcjj32.exe Cjfclcpg.exe File opened for modification C:\Windows\SysWOW64\Mkgfdgpq.exe Mgkjch32.exe File created C:\Windows\SysWOW64\Nkjlqd32.exe Nkgoke32.exe File created C:\Windows\SysWOW64\Lfjkngdo.dll Jjemle32.exe File opened for modification C:\Windows\SysWOW64\Jginej32.exe Jmdjha32.exe File created C:\Windows\SysWOW64\Lagepl32.exe Lfaqcclf.exe File opened for modification C:\Windows\SysWOW64\Bkefphem.exe Bdlncn32.exe File created C:\Windows\SysWOW64\Dnjhjpin.dll Kanbjn32.exe File created C:\Windows\SysWOW64\Jmlbab32.dll Lechkaga.exe File opened for modification C:\Windows\SysWOW64\Pndhhnda.exe Ohgopgfj.exe File created C:\Windows\SysWOW64\Bnbmqjjo.exe Bejhhd32.exe File opened for modification C:\Windows\SysWOW64\Eejcki32.exe Eangjkkd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8596 3212 WerFault.exe 411 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggilgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffjnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmjdpac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbmqjjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clmckmcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flekihpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikihlmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eangjkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mapgfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpchbhjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophjdehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhppclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjeaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcpojk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfjee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfnnmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljedg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgljg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icklhnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlpjdgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohgopgfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjemle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciefek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjgemi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oklifdmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokpcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdbooik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbhlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimlgnij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najjmjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnenchoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnlcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhpge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkgen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpibh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didjqoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eekjep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebdcmhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdqhjpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcdjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgdch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgemahmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oinbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deqqek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhaipei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adqeaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiqkmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fempbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpedgghj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbkgmao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkefphem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeglbeea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgffka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaflio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdlgmgdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phkaqqoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goadfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpghfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpbpp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohdlpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phiekaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacbag32.dll" Deejpjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oklifdmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abgcqjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eekjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kanbjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ophjdehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldphm32.dll" Adpogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fempbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggilgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppnnac.dll" Jqklnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkdbl32.dll" Oileakbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fljedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfoopb32.dll" Goadfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhhcne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfomda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnpibh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cebdcmhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjael32.dll" Qkqdnkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmlpjdgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkmohka.dll" Lajhpbme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckfjnkb.dll" Icdoolge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oajccgmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iiokacgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Namnmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcdfho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gginjc32.dll" Hjbhph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imfmgcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgihanii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkamdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqdodo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopfdc32.dll" Pddokabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgejkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lechkaga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnbmqjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gebimmco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggafgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agcdnjcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gegchl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgbhdkml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpchbhjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Najjmjkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dngobghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gplged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onngci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mknlef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Necqbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epiflfbm.dll" Phpbffnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onighcgh.dll" Abgcqjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamiaq32.dll" Jokpcmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oknnanhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbiicqa.dll" Okbhlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjomldfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqfcbahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epiaig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hphfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Migcpneb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfomda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaehfp32.dll" Lpghfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akhaipei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqbbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjcjmclj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 5044 1700 e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9N.exe 89 PID 1700 wrote to memory of 5044 1700 e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9N.exe 89 PID 1700 wrote to memory of 5044 1700 e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9N.exe 89 PID 5044 wrote to memory of 1036 5044 Kjdqhjpf.exe 90 PID 5044 wrote to memory of 1036 5044 Kjdqhjpf.exe 90 PID 5044 wrote to memory of 1036 5044 Kjdqhjpf.exe 90 PID 1036 wrote to memory of 948 1036 Kmbmdeoj.exe 91 PID 1036 wrote to memory of 948 1036 Kmbmdeoj.exe 91 PID 1036 wrote to memory of 948 1036 Kmbmdeoj.exe 91 PID 948 wrote to memory of 2364 948 Khhaanop.exe 92 PID 948 wrote to memory of 2364 948 Khhaanop.exe 92 PID 948 wrote to memory of 2364 948 Khhaanop.exe 92 PID 2364 wrote to memory of 2852 2364 Kmeiie32.exe 93 PID 2364 wrote to memory of 2852 2364 Kmeiie32.exe 93 PID 2364 wrote to memory of 2852 2364 Kmeiie32.exe 93 PID 2852 wrote to memory of 4796 2852 Ldoafodd.exe 94 PID 2852 wrote to memory of 4796 2852 Ldoafodd.exe 94 PID 2852 wrote to memory of 4796 2852 Ldoafodd.exe 94 PID 4796 wrote to memory of 3352 4796 Lndfchdj.exe 95 PID 4796 wrote to memory of 3352 4796 Lndfchdj.exe 95 PID 4796 wrote to memory of 3352 4796 Lndfchdj.exe 95 PID 3352 wrote to memory of 3448 3352 Lacbpccn.exe 96 PID 3352 wrote to memory of 3448 3352 Lacbpccn.exe 96 PID 3352 wrote to memory of 3448 3352 Lacbpccn.exe 96 PID 3448 wrote to memory of 2676 3448 Lfpkhjae.exe 97 PID 3448 wrote to memory of 2676 3448 Lfpkhjae.exe 97 PID 3448 wrote to memory of 2676 3448 Lfpkhjae.exe 97 PID 2676 wrote to memory of 3184 2676 Lmjcdd32.exe 98 PID 2676 wrote to memory of 3184 2676 Lmjcdd32.exe 98 PID 2676 wrote to memory of 3184 2676 Lmjcdd32.exe 98 PID 3184 wrote to memory of 856 3184 Lhogamih.exe 99 PID 3184 wrote to memory of 856 3184 Lhogamih.exe 99 PID 3184 wrote to memory of 856 3184 Lhogamih.exe 99 PID 856 wrote to memory of 3100 856 Lmlpjdgo.exe 100 PID 856 wrote to memory of 3100 856 Lmlpjdgo.exe 100 PID 856 wrote to memory of 3100 856 Lmlpjdgo.exe 100 PID 3100 wrote to memory of 1676 3100 Lechkaga.exe 101 PID 3100 wrote to memory of 1676 3100 Lechkaga.exe 101 PID 3100 wrote to memory of 1676 3100 Lechkaga.exe 101 PID 1676 wrote to memory of 1540 1676 Lkppchfi.exe 102 PID 1676 wrote to memory of 1540 1676 Lkppchfi.exe 102 PID 1676 wrote to memory of 1540 1676 Lkppchfi.exe 102 PID 1540 wrote to memory of 5900 1540 Lajhpbme.exe 103 PID 1540 wrote to memory of 5900 1540 Lajhpbme.exe 103 PID 1540 wrote to memory of 5900 1540 Lajhpbme.exe 103 PID 5900 wrote to memory of 1888 5900 Lhdqml32.exe 104 PID 5900 wrote to memory of 1888 5900 Lhdqml32.exe 104 PID 5900 wrote to memory of 1888 5900 Lhdqml32.exe 104 PID 1888 wrote to memory of 784 1888 Lmqiec32.exe 105 PID 1888 wrote to memory of 784 1888 Lmqiec32.exe 105 PID 1888 wrote to memory of 784 1888 Lmqiec32.exe 105 PID 784 wrote to memory of 1568 784 Mhfmbl32.exe 106 PID 784 wrote to memory of 1568 784 Mhfmbl32.exe 106 PID 784 wrote to memory of 1568 784 Mhfmbl32.exe 106 PID 1568 wrote to memory of 4272 1568 Mginniij.exe 107 PID 1568 wrote to memory of 4272 1568 Mginniij.exe 107 PID 1568 wrote to memory of 4272 1568 Mginniij.exe 107 PID 4272 wrote to memory of 3676 4272 Mopeofjl.exe 108 PID 4272 wrote to memory of 3676 4272 Mopeofjl.exe 108 PID 4272 wrote to memory of 3676 4272 Mopeofjl.exe 108 PID 3676 wrote to memory of 3436 3676 Mgkjch32.exe 109 PID 3676 wrote to memory of 3436 3676 Mgkjch32.exe 109 PID 3676 wrote to memory of 3436 3676 Mgkjch32.exe 109 PID 3436 wrote to memory of 3680 3436 Mkgfdgpq.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9N.exe"C:\Users\Admin\AppData\Local\Temp\e910b387d4f7be7b11029d85d42076da3127b878b70b57d45236943bdf1deae9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Kjdqhjpf.exeC:\Windows\system32\Kjdqhjpf.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Lhogamih.exeC:\Windows\system32\Lhogamih.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Lmlpjdgo.exeC:\Windows\system32\Lmlpjdgo.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Lkppchfi.exeC:\Windows\system32\Lkppchfi.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Lhdqml32.exeC:\Windows\system32\Lhdqml32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5900 -
C:\Windows\SysWOW64\Lmqiec32.exeC:\Windows\system32\Lmqiec32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Mginniij.exeC:\Windows\system32\Mginniij.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Mgkjch32.exeC:\Windows\system32\Mgkjch32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe24⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Mdagbl32.exeC:\Windows\system32\Mdagbl32.exe25⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Moglpedd.exeC:\Windows\system32\Moglpedd.exe26⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Mknlef32.exeC:\Windows\system32\Mknlef32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4592 -
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe29⤵
- Executes dropped EXE
PID:5692 -
C:\Windows\SysWOW64\Nggjog32.exeC:\Windows\system32\Nggjog32.exe30⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Nejgbn32.exeC:\Windows\system32\Nejgbn32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe34⤵
- Executes dropped EXE
PID:5868 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe35⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Oklifdmi.exeC:\Windows\system32\Oklifdmi.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe37⤵
- Executes dropped EXE
PID:5840 -
C:\Windows\SysWOW64\Ohpiphlb.exeC:\Windows\system32\Ohpiphlb.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Onmahojj.exeC:\Windows\system32\Onmahojj.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Oolnabal.exeC:\Windows\system32\Oolnabal.exe40⤵
- Executes dropped EXE
PID:5740 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe41⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5696 -
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe43⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Pndhhnda.exeC:\Windows\system32\Pndhhnda.exe45⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Pgllad32.exeC:\Windows\system32\Pgllad32.exe46⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Pfmlok32.exeC:\Windows\system32\Pfmlok32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe48⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Phpbffnp.exeC:\Windows\system32\Phpbffnp.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Pfdbpjmi.exeC:\Windows\system32\Pfdbpjmi.exe50⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Pdgckg32.exeC:\Windows\system32\Pdgckg32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5368 -
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe52⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe53⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe54⤵
- Executes dropped EXE
PID:5168 -
C:\Windows\SysWOW64\Afkipi32.exeC:\Windows\system32\Afkipi32.exe55⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Akhaipei.exeC:\Windows\system32\Akhaipei.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe58⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5804 -
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe60⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Aofjoo32.exeC:\Windows\system32\Aofjoo32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5400 -
C:\Windows\SysWOW64\Abdfkj32.exeC:\Windows\system32\Abdfkj32.exe62⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Ainnhdbp.exeC:\Windows\system32\Ainnhdbp.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:432 -
C:\Windows\SysWOW64\Ankgpk32.exeC:\Windows\system32\Ankgpk32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Abgcqjhp.exeC:\Windows\system32\Abgcqjhp.exe66⤵
- Modifies registry class
PID:4532 -
C:\Windows\SysWOW64\Aiqkmd32.exeC:\Windows\system32\Aiqkmd32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Windows\SysWOW64\Akogio32.exeC:\Windows\system32\Akogio32.exe68⤵
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe69⤵
- System Location Discovery: System Language Discovery
PID:3176 -
C:\Windows\SysWOW64\Aeglbeea.exeC:\Windows\system32\Aeglbeea.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1804 -
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Bihancje.exeC:\Windows\system32\Bihancje.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3596 -
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5852 -
C:\Windows\SysWOW64\Bpdfpmoo.exeC:\Windows\system32\Bpdfpmoo.exe75⤵PID:4736
-
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3736 -
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe78⤵PID:5628
-
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe79⤵PID:4476
-
C:\Windows\SysWOW64\Clmckmcq.exeC:\Windows\system32\Clmckmcq.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe81⤵
- Drops file in System32 directory
PID:5296 -
C:\Windows\SysWOW64\Cnnllhpa.exeC:\Windows\system32\Cnnllhpa.exe82⤵PID:556
-
C:\Windows\SysWOW64\Cnpibh32.exeC:\Windows\system32\Cnpibh32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4892 -
C:\Windows\SysWOW64\Cfgace32.exeC:\Windows\system32\Cfgace32.exe84⤵PID:3888
-
C:\Windows\SysWOW64\Clffalkf.exeC:\Windows\system32\Clffalkf.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe86⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe87⤵PID:5656
-
C:\Windows\SysWOW64\Dbgdnelk.exeC:\Windows\system32\Dbgdnelk.exe88⤵
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Dlpigk32.exeC:\Windows\system32\Dlpigk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1444 -
C:\Windows\SysWOW64\Dbjade32.exeC:\Windows\system32\Dbjade32.exe90⤵PID:4352
-
C:\Windows\SysWOW64\Didjqoae.exeC:\Windows\system32\Didjqoae.exe91⤵
- System Location Discovery: System Language Discovery
PID:5708 -
C:\Windows\SysWOW64\Dpnbmi32.exeC:\Windows\system32\Dpnbmi32.exe92⤵PID:1696
-
C:\Windows\SysWOW64\Eekjep32.exeC:\Windows\system32\Eekjep32.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Eldbbjof.exeC:\Windows\system32\Eldbbjof.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4632 -
C:\Windows\SysWOW64\Efjgpc32.exeC:\Windows\system32\Efjgpc32.exe95⤵PID:4220
-
C:\Windows\SysWOW64\Ehkcgkdj.exeC:\Windows\system32\Ehkcgkdj.exe96⤵PID:1940
-
C:\Windows\SysWOW64\Epbkhhel.exeC:\Windows\system32\Epbkhhel.exe97⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Ebagdddp.exeC:\Windows\system32\Ebagdddp.exe98⤵PID:2096
-
C:\Windows\SysWOW64\Eeodqocd.exeC:\Windows\system32\Eeodqocd.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Ebcdjc32.exeC:\Windows\system32\Ebcdjc32.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Eimlgnij.exeC:\Windows\system32\Eimlgnij.exe101⤵
- System Location Discovery: System Language Discovery
PID:5096 -
C:\Windows\SysWOW64\Epgdch32.exeC:\Windows\system32\Epgdch32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Efampahd.exeC:\Windows\system32\Efampahd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3852 -
C:\Windows\SysWOW64\Eipilmgh.exeC:\Windows\system32\Eipilmgh.exe104⤵
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Epiaig32.exeC:\Windows\system32\Epiaig32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Fefjanml.exeC:\Windows\system32\Fefjanml.exe106⤵PID:3528
-
C:\Windows\SysWOW64\Fplnogmb.exeC:\Windows\system32\Fplnogmb.exe107⤵PID:3144
-
C:\Windows\SysWOW64\Fgffka32.exeC:\Windows\system32\Fgffka32.exe108⤵
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Fhgccijm.exeC:\Windows\system32\Fhgccijm.exe109⤵PID:3592
-
C:\Windows\SysWOW64\Flboch32.exeC:\Windows\system32\Flboch32.exe110⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Fekclnif.exeC:\Windows\system32\Fekclnif.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4880 -
C:\Windows\SysWOW64\Flekihpc.exeC:\Windows\system32\Flekihpc.exe112⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Fcodfa32.exeC:\Windows\system32\Fcodfa32.exe113⤵PID:2084
-
C:\Windows\SysWOW64\Fempbm32.exeC:\Windows\system32\Fempbm32.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6132 -
C:\Windows\SysWOW64\Flghognq.exeC:\Windows\system32\Flghognq.exe115⤵PID:2760
-
C:\Windows\SysWOW64\Fgmllpng.exeC:\Windows\system32\Fgmllpng.exe116⤵PID:2272
-
C:\Windows\SysWOW64\Fikihlmj.exeC:\Windows\system32\Fikihlmj.exe117⤵
- System Location Discovery: System Language Discovery
PID:5688 -
C:\Windows\SysWOW64\Fljedg32.exeC:\Windows\system32\Fljedg32.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3668 -
C:\Windows\SysWOW64\Gccmaack.exeC:\Windows\system32\Gccmaack.exe119⤵PID:1768
-
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe120⤵
- Modifies registry class
PID:4140 -
C:\Windows\SysWOW64\Gojnfb32.exeC:\Windows\system32\Gojnfb32.exe121⤵PID:1828
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-