Analysis
-
max time kernel
94s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2024 23:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe
-
Size
108KB
-
MD5
ef8bedb124c93dec72f2feef24f930b9
-
SHA1
d1075fca6d49b9ea48240df5a39d88191ebde95b
-
SHA256
f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56
-
SHA512
e1dd9f826007beec22298bd6285fe7337b57161f5153bc43dc6701f3c3937ba022c100cc6c319a66c309f684492bcca16e002d5021ec864c9c508edd9b486bf4
-
SSDEEP
1536:QLIJZp68/bwiHUpwINb5iPNiHN0mMwB+rjm8NiIqhn3HQ8BawTj2wQ3K:V7p78CINliPN30UjmOiBn3w8BdTj2h3K
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbolp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhdjpjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqlfhjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeddnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnnmhfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojajin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klggli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkpmdbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgkan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poimpapp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opeiadfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnehj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padnaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocgbend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akamff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijqcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kefiopki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipkjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcimdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnbgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmflbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnindhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngjff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolhkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnfpcag.exe -
Executes dropped EXE 64 IoCs
pid Process 2560 Llhikacp.exe 4356 Mbbagk32.exe 5032 Meamcg32.exe 636 Mhoipb32.exe 3448 Mbenmk32.exe 3016 Mahnhhod.exe 1416 Mlmbfqoj.exe 4536 Mbgjbkfg.exe 4516 Maodigil.exe 5092 Mifljdjo.exe 3592 Njghbl32.exe 4820 Naaqofgj.exe 244 Nhkikq32.exe 4716 Neoieenp.exe 3480 Nliaao32.exe 4664 Nognnj32.exe 512 Neafjdkn.exe 2232 Nlkngo32.exe 744 Nbefdijg.exe 4176 Nahgoe32.exe 4856 Nhbolp32.exe 1716 Nolgijpk.exe 5024 Niakfbpa.exe 4064 Nhdlao32.exe 4960 Nlphbnoe.exe 1356 Ohghgodi.exe 2656 Olbdhn32.exe 3704 Oaompd32.exe 4204 Oaajed32.exe 5036 Okjnnj32.exe 4604 Ohnohn32.exe 1040 Oafcqcea.exe 4828 Pojcjh32.exe 3792 Pedlgbkh.exe 3332 Pakllc32.exe 216 Phedhmhi.exe 3952 Poomegpf.exe 2280 Peieba32.exe 3300 Pkenjh32.exe 32 Pifnhpmi.exe 4272 Pocfpf32.exe 1984 Pabblb32.exe 4088 Piijno32.exe 2228 Qofcff32.exe 4956 Qepkbpak.exe 1484 Qljcoj32.exe 384 Qaflgago.exe 3084 Ajndioga.exe 3244 Acfhad32.exe 3648 Aeddnp32.exe 1168 Akamff32.exe 628 Afgacokc.exe 1940 Ahenokjf.exe 3112 Akcjkfij.exe 3276 Ackbmcjl.exe 4832 Ajdjin32.exe 4364 Akffafgg.exe 2016 Afkknogn.exe 3796 Aleckinj.exe 3688 Akhcfe32.exe 2140 Abbkcpma.exe 3340 Blhpqhlh.exe 2080 Bfpdin32.exe 4492 Bljlfh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pbmmao32.dll Gdcliikj.exe File created C:\Windows\SysWOW64\Ekamnhne.dll Kcbfcigf.exe File created C:\Windows\SysWOW64\Eoepebho.exe Ekjded32.exe File opened for modification C:\Windows\SysWOW64\Ofegni32.exe Ocgkan32.exe File opened for modification C:\Windows\SysWOW64\Oqklkbbi.exe Oiccje32.exe File created C:\Windows\SysWOW64\Bfendmoc.exe Bhamkipi.exe File created C:\Windows\SysWOW64\Joicekop.dll Lgjijmin.exe File opened for modification C:\Windows\SysWOW64\Eifaim32.exe Efgemb32.exe File opened for modification C:\Windows\SysWOW64\Hekgfj32.exe Hblkjo32.exe File created C:\Windows\SysWOW64\Fnbcgn32.exe Eghkjdoa.exe File created C:\Windows\SysWOW64\Jfpqiega.dll Mcdeeq32.exe File created C:\Windows\SysWOW64\Ecgflaec.dll Gfheof32.exe File created C:\Windows\SysWOW64\Gingkqkd.exe Gkkgpc32.exe File created C:\Windows\SysWOW64\Ongbqjjf.dll Dmadco32.exe File created C:\Windows\SysWOW64\Eifaim32.exe Efgemb32.exe File opened for modification C:\Windows\SysWOW64\Agdcpkll.exe Apjkcadp.exe File created C:\Windows\SysWOW64\Bkfmmb32.dll Nqmojd32.exe File created C:\Windows\SysWOW64\Ddfbhfmf.dll Akcjkfij.exe File opened for modification C:\Windows\SysWOW64\Jjjpnlbd.exe Jgkdbacp.exe File opened for modification C:\Windows\SysWOW64\Mccfdmmo.exe Mnfnlf32.exe File created C:\Windows\SysWOW64\Fbiipkjk.dll Mjmoag32.exe File opened for modification C:\Windows\SysWOW64\Nenbjo32.exe Ngjbaj32.exe File opened for modification C:\Windows\SysWOW64\Iamamcop.exe Ibjqaf32.exe File created C:\Windows\SysWOW64\Maodigil.exe Mbgjbkfg.exe File created C:\Windows\SysWOW64\Mhckcgpj.exe Mbibfm32.exe File created C:\Windows\SysWOW64\Hhfjcdon.dll Afkknogn.exe File created C:\Windows\SysWOW64\Mbibld32.dll Cofnik32.exe File created C:\Windows\SysWOW64\Hiipmhmk.exe Hemdlj32.exe File created C:\Windows\SysWOW64\Ggmkff32.dll Jljbeali.exe File created C:\Windows\SysWOW64\Ldpnmg32.dll Mqkiok32.exe File created C:\Windows\SysWOW64\Eqdpgk32.exe Doccpcja.exe File opened for modification C:\Windows\SysWOW64\Fohfbpgi.exe Fganqbgg.exe File created C:\Windows\SysWOW64\Ejlgio32.dll Lmbhgd32.exe File opened for modification C:\Windows\SysWOW64\Pfepdg32.exe Paihlpfi.exe File created C:\Windows\SysWOW64\Fnebjidl.dll Lpepbgbd.exe File created C:\Windows\SysWOW64\Oibqpk32.dll Nhahaiec.exe File opened for modification C:\Windows\SysWOW64\Ddjmba32.exe Dnpdegjp.exe File created C:\Windows\SysWOW64\Oajgdm32.dll Pjlcjf32.exe File created C:\Windows\SysWOW64\Kqmkae32.exe Kjccdkki.exe File created C:\Windows\SysWOW64\Hblkjo32.exe Hmpcbhji.exe File created C:\Windows\SysWOW64\Dggbcf32.exe Dqnjgl32.exe File created C:\Windows\SysWOW64\Hmokmkpo.dll Kkeldnpi.exe File created C:\Windows\SysWOW64\Fogmlp32.dll Hmbphg32.exe File opened for modification C:\Windows\SysWOW64\Koaagkcb.exe Kpoalo32.exe File opened for modification C:\Windows\SysWOW64\Nfohgqlg.exe Nqbpojnp.exe File opened for modification C:\Windows\SysWOW64\Damfao32.exe Doojec32.exe File opened for modification C:\Windows\SysWOW64\Ggkqgaol.exe Gaqhjggp.exe File created C:\Windows\SysWOW64\Iogopi32.exe Ilibdmgp.exe File created C:\Windows\SysWOW64\Nnkpnclp.exe Nhahaiec.exe File created C:\Windows\SysWOW64\Ackbmcjl.exe Akcjkfij.exe File created C:\Windows\SysWOW64\Cbphdn32.exe Cmcolgbj.exe File created C:\Windows\SysWOW64\Khacqh32.dll Diccgfpd.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hgkkkcbc.exe File opened for modification C:\Windows\SysWOW64\Phigif32.exe Pejkmk32.exe File opened for modification C:\Windows\SysWOW64\Mhckcgpj.exe Mbibfm32.exe File created C:\Windows\SysWOW64\Akcjkfij.exe Ahenokjf.exe File created C:\Windows\SysWOW64\Eiobceef.exe Dmhand32.exe File created C:\Windows\SysWOW64\Mdeodj32.dll Ljhefhha.exe File created C:\Windows\SysWOW64\Iikmbh32.exe Ibaeen32.exe File opened for modification C:\Windows\SysWOW64\Npbceggm.exe Njfkmphe.exe File opened for modification C:\Windows\SysWOW64\Nlkngo32.exe Neafjdkn.exe File created C:\Windows\SysWOW64\Ncgjlnfh.dll Kmfhkf32.exe File created C:\Windows\SysWOW64\Nmbjcljl.exe Mjcngpjh.exe File opened for modification C:\Windows\SysWOW64\Ofhknodl.exe Opnbae32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15880 15656 WerFault.exe 897 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkknogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbaonae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcifkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahdob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloqml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldiinke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfojdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmpqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnlmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaplqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhmbdle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgdcipq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgacokc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkfkmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbnfleo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkipkani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnfpcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adhdjpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahnhhod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofdhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfodeohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qljcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdcmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlegnjbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbfcigf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjlkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngkqbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjidgkog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolmodpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahokfag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbihjifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doccpcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqgedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjoppf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmqhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhgjaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njghbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinboekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfkmphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmdaljn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdbcaok.dll" Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elgaeolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekkfckg.dll" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnhqepf.dll" Efgemb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpmdfonj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolgijpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leabba32.dll" Iloidijb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll" Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gingkqkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onkidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haaaaeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjlalkmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paplcg32.dll" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll" Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idefqiag.dll" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackhdo32.dll" Gkkgpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohmhmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opnbae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akffafgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iogkekkb.dll" Cfnjpfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll" Ibcaknbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlolpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hicpgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbjmd32.dll" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahofoogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehndnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dngjff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpclce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjnik32.dll" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Imnocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll" Inebjihf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maodigil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnobcjlg.dll" Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjpekc32.dll" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnjpfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll" Jpegkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll" Nqbpojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egcaod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqppci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hihibbjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmflbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnindhpg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4580 wrote to memory of 2560 4580 f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe 82 PID 4580 wrote to memory of 2560 4580 f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe 82 PID 4580 wrote to memory of 2560 4580 f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe 82 PID 2560 wrote to memory of 4356 2560 Llhikacp.exe 83 PID 2560 wrote to memory of 4356 2560 Llhikacp.exe 83 PID 2560 wrote to memory of 4356 2560 Llhikacp.exe 83 PID 4356 wrote to memory of 5032 4356 Mbbagk32.exe 84 PID 4356 wrote to memory of 5032 4356 Mbbagk32.exe 84 PID 4356 wrote to memory of 5032 4356 Mbbagk32.exe 84 PID 5032 wrote to memory of 636 5032 Meamcg32.exe 85 PID 5032 wrote to memory of 636 5032 Meamcg32.exe 85 PID 5032 wrote to memory of 636 5032 Meamcg32.exe 85 PID 636 wrote to memory of 3448 636 Mhoipb32.exe 86 PID 636 wrote to memory of 3448 636 Mhoipb32.exe 86 PID 636 wrote to memory of 3448 636 Mhoipb32.exe 86 PID 3448 wrote to memory of 3016 3448 Mbenmk32.exe 87 PID 3448 wrote to memory of 3016 3448 Mbenmk32.exe 87 PID 3448 wrote to memory of 3016 3448 Mbenmk32.exe 87 PID 3016 wrote to memory of 1416 3016 Mahnhhod.exe 88 PID 3016 wrote to memory of 1416 3016 Mahnhhod.exe 88 PID 3016 wrote to memory of 1416 3016 Mahnhhod.exe 88 PID 1416 wrote to memory of 4536 1416 Mlmbfqoj.exe 89 PID 1416 wrote to memory of 4536 1416 Mlmbfqoj.exe 89 PID 1416 wrote to memory of 4536 1416 Mlmbfqoj.exe 89 PID 4536 wrote to memory of 4516 4536 Mbgjbkfg.exe 90 PID 4536 wrote to memory of 4516 4536 Mbgjbkfg.exe 90 PID 4536 wrote to memory of 4516 4536 Mbgjbkfg.exe 90 PID 4516 wrote to memory of 5092 4516 Maodigil.exe 91 PID 4516 wrote to memory of 5092 4516 Maodigil.exe 91 PID 4516 wrote to memory of 5092 4516 Maodigil.exe 91 PID 5092 wrote to memory of 3592 5092 Mifljdjo.exe 92 PID 5092 wrote to memory of 3592 5092 Mifljdjo.exe 92 PID 5092 wrote to memory of 3592 5092 Mifljdjo.exe 92 PID 3592 wrote to memory of 4820 3592 Njghbl32.exe 93 PID 3592 wrote to memory of 4820 3592 Njghbl32.exe 93 PID 3592 wrote to memory of 4820 3592 Njghbl32.exe 93 PID 4820 wrote to memory of 244 4820 Naaqofgj.exe 94 PID 4820 wrote to memory of 244 4820 Naaqofgj.exe 94 PID 4820 wrote to memory of 244 4820 Naaqofgj.exe 94 PID 244 wrote to memory of 4716 244 Nhkikq32.exe 95 PID 244 wrote to memory of 4716 244 Nhkikq32.exe 95 PID 244 wrote to memory of 4716 244 Nhkikq32.exe 95 PID 4716 wrote to memory of 3480 4716 Neoieenp.exe 96 PID 4716 wrote to memory of 3480 4716 Neoieenp.exe 96 PID 4716 wrote to memory of 3480 4716 Neoieenp.exe 96 PID 3480 wrote to memory of 4664 3480 Nliaao32.exe 97 PID 3480 wrote to memory of 4664 3480 Nliaao32.exe 97 PID 3480 wrote to memory of 4664 3480 Nliaao32.exe 97 PID 4664 wrote to memory of 512 4664 Nognnj32.exe 98 PID 4664 wrote to memory of 512 4664 Nognnj32.exe 98 PID 4664 wrote to memory of 512 4664 Nognnj32.exe 98 PID 512 wrote to memory of 2232 512 Neafjdkn.exe 99 PID 512 wrote to memory of 2232 512 Neafjdkn.exe 99 PID 512 wrote to memory of 2232 512 Neafjdkn.exe 99 PID 2232 wrote to memory of 744 2232 Nlkngo32.exe 100 PID 2232 wrote to memory of 744 2232 Nlkngo32.exe 100 PID 2232 wrote to memory of 744 2232 Nlkngo32.exe 100 PID 744 wrote to memory of 4176 744 Nbefdijg.exe 101 PID 744 wrote to memory of 4176 744 Nbefdijg.exe 101 PID 744 wrote to memory of 4176 744 Nbefdijg.exe 101 PID 4176 wrote to memory of 4856 4176 Nahgoe32.exe 102 PID 4176 wrote to memory of 4856 4176 Nahgoe32.exe 102 PID 4176 wrote to memory of 4856 4176 Nahgoe32.exe 102 PID 4856 wrote to memory of 1716 4856 Nhbolp32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe"C:\Users\Admin\AppData\Local\Temp\f21dd94b9df1cb7246024cd63735c271396317e1d616acabecbb7a62f8486e56.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe24⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe26⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe27⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe28⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe29⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe30⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe31⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe32⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe33⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe34⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe35⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe36⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe37⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3952 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe39⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe40⤵PID:4400
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe41⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe42⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe43⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe44⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe45⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe46⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe47⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:384 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe50⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe51⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe57⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4364 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe61⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe62⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe63⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe64⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe65⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe66⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe67⤵
- System Location Discovery: System Language Discovery
PID:4300 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe68⤵
- Drops file in System32 directory
PID:3320 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe69⤵PID:3348
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe70⤵PID:5072
-
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe71⤵PID:1428
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe72⤵PID:4740
-
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe73⤵PID:4032
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe74⤵PID:2652
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe75⤵PID:4584
-
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe76⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe79⤵PID:2320
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe80⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe81⤵PID:2208
-
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe82⤵PID:752
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe83⤵PID:2296
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe84⤵PID:3624
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe85⤵PID:4440
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe86⤵PID:2336
-
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe87⤵PID:2508
-
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe88⤵PID:3288
-
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe89⤵
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe90⤵PID:3520
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe91⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe92⤵PID:4688
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe93⤵PID:3912
-
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe94⤵PID:4312
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe95⤵PID:4848
-
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe96⤵PID:1328
-
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe97⤵PID:4320
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe98⤵PID:1844
-
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe99⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe101⤵PID:2816
-
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe102⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe103⤵PID:5128
-
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe104⤵PID:5176
-
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe105⤵PID:5216
-
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe106⤵PID:5256
-
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe108⤵PID:5344
-
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe109⤵PID:5388
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe110⤵PID:5432
-
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe111⤵PID:5468
-
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe112⤵PID:5520
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe113⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe114⤵PID:5612
-
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe115⤵PID:5656
-
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe116⤵
- Modifies registry class
PID:5700 -
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe117⤵PID:5744
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5788 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe119⤵PID:5832
-
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe120⤵PID:5876
-
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5920
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-