Analysis

max time kernel: 93s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2024, 16:51
Static task: static1

Behavioral task: behavioral1
  Sample: de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3.exe
  Resource: win10v2004-20241007-en
General

Target: de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3.exe
Size: 428KB
MD5: 1158f88f62ef37314db933547e7eca7e
SHA1: 57ffd7af69a83f88d242488a765638ac931e5cf6
SHA256: de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3
SHA512: c95680d1e724d00ff4b9892b253e12b565d5c255ec1495266a3caca01e41f8a1619f2e01e3957711b122682fe0bc9f82dbc921bf4cd93fd2e71ce0a1cf96d7cf
SSDEEP: 12288:sode5hjtFrNF5h0EJtws15tPWu5Ls15tw:sl5hjLZF5h0E/Tg+
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)

pid   pid_target  Process       procid_target
9344  10204       WerFault.exe  470
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3088 wrote to memory of 2068 | 3088 | de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3.exe | 83
PID 3088 wrote to memory of 2068 | 3088 | de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3.exe | 83
PID 3088 wrote to memory of 2068 | 3088 | de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3.exe | 83
PID 2068 wrote to memory of 2544 | 2068 | Ddqbicea.exe | 84
PID 2068 wrote to memory of 2544 | 2068 | Ddqbicea.exe | 84
PID 2068 wrote to memory of 2544 | 2068 | Ddqbicea.exe | 84
PID 2544 wrote to memory of 3716 | 2544 | Doffgmdg.exe | 85
PID 2544 wrote to memory of 3716 | 2544 | Doffgmdg.exe | 85
PID 2544 wrote to memory of 3716 | 2544 | Doffgmdg.exe | 85
PID 3716 wrote to memory of 4092 | 3716 | Dkocamhi.exe | 86
PID 3716 wrote to memory of 4092 | 3716 | Dkocamhi.exe | 86
PID 3716 wrote to memory of 4092 | 3716 | Dkocamhi.exe | 86
PID 4092 wrote to memory of 3804 | 4092 | Ekapgmff.exe | 88
PID 4092 wrote to memory of 3804 | 4092 | Ekapgmff.exe | 88
PID 4092 wrote to memory of 3804 | 4092 | Ekapgmff.exe | 88
PID 3804 wrote to memory of 2212 | 3804 | Eegddefl.exe | 90
PID 3804 wrote to memory of 2212 | 3804 | Eegddefl.exe | 90
PID 3804 wrote to memory of 2212 | 3804 | Eegddefl.exe | 90
PID 2212 wrote to memory of 4640 | 2212 | Edonkaia.exe | 91
PID 2212 wrote to memory of 4640 | 2212 | Edonkaia.exe | 91
PID 2212 wrote to memory of 4640 | 2212 | Edonkaia.exe | 91
PID 4640 wrote to memory of 1104 | 4640 | Ekkcmknk.exe | 92
PID 4640 wrote to memory of 1104 | 4640 | Ekkcmknk.exe | 92
PID 4640 wrote to memory of 1104 | 4640 | Ekkcmknk.exe | 92
PID 1104 wrote to memory of 2336 | 1104 | Eeqgjdna.exe | 94
PID 1104 wrote to memory of 2336 | 1104 | Eeqgjdna.exe | 94
PID 1104 wrote to memory of 2336 | 1104 | Eeqgjdna.exe | 94
PID 2336 wrote to memory of 2252 | 2336 | Fajeeeac.exe | 95
PID 2336 wrote to memory of 2252 | 2336 | Fajeeeac.exe | 95
PID 2336 wrote to memory of 2252 | 2336 | Fajeeeac.exe | 95
PID 2252 wrote to memory of 2328 | 2252 | Fopbdi32.exe | 96
PID 2252 wrote to memory of 2328 | 2252 | Fopbdi32.exe | 96
PID 2252 wrote to memory of 2328 | 2252 | Fopbdi32.exe | 96
PID 2328 wrote to memory of 1144 | 2328 | Fdmjlp32.exe | 97
PID 2328 wrote to memory of 1144 | 2328 | Fdmjlp32.exe | 97
PID 2328 wrote to memory of 1144 | 2328 | Fdmjlp32.exe | 97
PID 1144 wrote to memory of 3740 | 1144 | Fkgbijdn.exe | 98
PID 1144 wrote to memory of 3740 | 1144 | Fkgbijdn.exe | 98
PID 1144 wrote to memory of 3740 | 1144 | Fkgbijdn.exe | 98
PID 3740 wrote to memory of 1996 | 3740 | Faqkedkk.exe | 99
PID 3740 wrote to memory of 1996 | 3740 | Faqkedkk.exe | 99
PID 3740 wrote to memory of 1996 | 3740 | Faqkedkk.exe | 99
PID 1996 wrote to memory of 3128 | 1996 | Ghkcbn32.exe | 100
PID 1996 wrote to memory of 3128 | 1996 | Ghkcbn32.exe | 100
PID 1996 wrote to memory of 3128 | 1996 | Ghkcbn32.exe | 100
PID 3128 wrote to memory of 4668 | 3128 | Gacgkcih.exe | 101
PID 3128 wrote to memory of 4668 | 3128 | Gacgkcih.exe | 101
PID 3128 wrote to memory of 4668 | 3128 | Gacgkcih.exe | 101
PID 4668 wrote to memory of 740 | 4668 | Ghdfhm32.exe | 102
PID 4668 wrote to memory of 740 | 4668 | Ghdfhm32.exe | 102
PID 4668 wrote to memory of 740 | 4668 | Ghdfhm32.exe | 102
PID 740 wrote to memory of 4536 | 740 | Galjabam.exe | 103
PID 740 wrote to memory of 4536 | 740 | Galjabam.exe | 103
PID 740 wrote to memory of 4536 | 740 | Galjabam.exe | 103
PID 4536 wrote to memory of 4564 | 4536 | Hdmccmno.exe | 104
PID 4536 wrote to memory of 4564 | 4536 | Hdmccmno.exe | 104
PID 4536 wrote to memory of 4564 | 4536 | Hdmccmno.exe | 104
PID 4564 wrote to memory of 1920 | 4564 | Hdpphm32.exe | 105
PID 4564 wrote to memory of 1920 | 4564 | Hdpphm32.exe | 105
PID 4564 wrote to memory of 1920 | 4564 | Hdpphm32.exe | 105
PID 1920 wrote to memory of 1400 | 1920 | Hkihegdi.exe | 106
PID 1920 wrote to memory of 1400 | 1920 | Hkihegdi.exe | 106
PID 1920 wrote to memory of 1400 | 1920 | Hkihegdi.exe | 106
PID 1400 wrote to memory of 2928 | 1400 | Hddiclhf.exe | 107
Processes
-
depth | PID | image path | command line | signatures
Each row is the child of the row above it (the depth column is the nesting level of the original tree). The image lives under C:\Windows\SysWOW64 while the command line names C:\Windows\system32 because the parent is a 32-bit process and the WOW64 file-system redirector maps its system32 to SysWOW64.
1 | 3088 | C:\Users\Admin\AppData\Local\Temp\de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3.exe | "C:\Users\Admin\AppData\Local\Temp\de8f44a224555d04a25dc1d0f24c41396ff57defd8727001b58d88201777f6b3.exe" | Drops file in System32 directory; Suspicious use of WriteProcessMemory
2 | 2068 | C:\Windows\SysWOW64\Ddqbicea.exe | C:\Windows\system32\Ddqbicea.exe | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
3 | 2544 | C:\Windows\SysWOW64\Doffgmdg.exe | C:\Windows\system32\Doffgmdg.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
4 | 3716 | C:\Windows\SysWOW64\Dkocamhi.exe | C:\Windows\system32\Dkocamhi.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
5 | 4092 | C:\Windows\SysWOW64\Ekapgmff.exe | C:\Windows\system32\Ekapgmff.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
6 | 3804 | C:\Windows\SysWOW64\Eegddefl.exe | C:\Windows\system32\Eegddefl.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | 2212 | C:\Windows\SysWOW64\Edonkaia.exe | C:\Windows\system32\Edonkaia.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | 4640 | C:\Windows\SysWOW64\Ekkcmknk.exe | C:\Windows\system32\Ekkcmknk.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
9 | 1104 | C:\Windows\SysWOW64\Eeqgjdna.exe | C:\Windows\system32\Eeqgjdna.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | 2336 | C:\Windows\SysWOW64\Fajeeeac.exe | C:\Windows\system32\Fajeeeac.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | 2252 | C:\Windows\SysWOW64\Fopbdi32.exe | C:\Windows\system32\Fopbdi32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | 2328 | C:\Windows\SysWOW64\Fdmjlp32.exe | C:\Windows\system32\Fdmjlp32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
13 | 1144 | C:\Windows\SysWOW64\Fkgbijdn.exe | C:\Windows\system32\Fkgbijdn.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | 3740 | C:\Windows\SysWOW64\Faqkedkk.exe | C:\Windows\system32\Faqkedkk.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | 1996 | C:\Windows\SysWOW64\Ghkcbn32.exe | C:\Windows\system32\Ghkcbn32.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16 | 3128 | C:\Windows\SysWOW64\Gacgkcih.exe | C:\Windows\system32\Gacgkcih.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
17 | 4668 | C:\Windows\SysWOW64\Ghdfhm32.exe | C:\Windows\system32\Ghdfhm32.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
18 | 740 | C:\Windows\SysWOW64\Galjabam.exe | C:\Windows\system32\Galjabam.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | 4536 | C:\Windows\SysWOW64\Hdmccmno.exe | C:\Windows\system32\Hdmccmno.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
20 | 4564 | C:\Windows\SysWOW64\Hdpphm32.exe | C:\Windows\system32\Hdpphm32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
21 | 1920 | C:\Windows\SysWOW64\Hkihegdi.exe | C:\Windows\system32\Hkihegdi.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | 1400 | C:\Windows\SysWOW64\Hddiclhf.exe | C:\Windows\system32\Hddiclhf.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
23 | 2928 | C:\Windows\SysWOW64\Ihbbjk32.exe | C:\Windows\system32\Ihbbjk32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
24 | 2044 | C:\Windows\SysWOW64\Iggokg32.exe | C:\Windows\system32\Iggokg32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
25 | 3032 | C:\Windows\SysWOW64\Ibmchp32.exe | C:\Windows\system32\Ibmchp32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
26 | 2232 | C:\Windows\SysWOW64\Ikehaejk.exe | C:\Windows\system32\Ikehaejk.exe | Executes dropped EXE
27 | 2680 | C:\Windows\SysWOW64\Ikjale32.exe | C:\Windows\system32\Ikjale32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
28 | 5040 | C:\Windows\SysWOW64\Jbdiio32.exe | C:\Windows\system32\Jbdiio32.exe | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
29 | 4132 | C:\Windows\SysWOW64\Jinaeidp.exe | C:\Windows\system32\Jinaeidp.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
30 | 3840 | C:\Windows\SysWOW64\Jedbjj32.exe | C:\Windows\system32\Jedbjj32.exe | Executes dropped EXE
31 | 1620 | C:\Windows\SysWOW64\Jegopjha.exe | C:\Windows\system32\Jegopjha.exe | Executes dropped EXE
32 | 2220 | C:\Windows\SysWOW64\Jgeklege.exe | C:\Windows\system32\Jgeklege.exe | (none)
33 | 2916 | C:\Windows\SysWOW64\Jkcdbc32.exe | C:\Windows\system32\Jkcdbc32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
34 | 644 | C:\Windows\SysWOW64\Jgjegd32.exe | C:\Windows\system32\Jgjegd32.exe | Executes dropped EXE
35 | 4072 | C:\Windows\SysWOW64\Knfjinhj.exe | C:\Windows\system32\Knfjinhj.exe | Executes dropped EXE
36 | 3884 | C:\Windows\SysWOW64\Kfnaklil.exe | C:\Windows\system32\Kfnaklil.exe | Executes dropped EXE; Drops file in System32 directory
37 | 2104 | C:\Windows\SysWOW64\Knifon32.exe | C:\Windows\system32\Knifon32.exe | Executes dropped EXE
38 | 3604 | C:\Windows\SysWOW64\Kinklg32.exe | C:\Windows\system32\Kinklg32.exe | Executes dropped EXE
39 | 3852 | C:\Windows\SysWOW64\Knkcdn32.exe | C:\Windows\system32\Knkcdn32.exe | Executes dropped EXE
40 | 2192 | C:\Windows\SysWOW64\Kiqgbf32.exe | C:\Windows\system32\Kiqgbf32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
41 | 2796 | C:\Windows\SysWOW64\Klocnbcn.exe | C:\Windows\system32\Klocnbcn.exe | Executes dropped EXE
42 | 3496 | C:\Windows\SysWOW64\Keghgg32.exe | C:\Windows\system32\Keghgg32.exe | Executes dropped EXE; Modifies registry class
43 | 2704 | C:\Windows\SysWOW64\Lnpmpmpo.exe | C:\Windows\system32\Lnpmpmpo.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
44 | 3948 | C:\Windows\SysWOW64\Lejelg32.exe | C:\Windows\system32\Lejelg32.exe | Executes dropped EXE
45 | 4064 | C:\Windows\SysWOW64\Llcmia32.exe | C:\Windows\system32\Llcmia32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
46 | 2932 | C:\Windows\SysWOW64\Lelabgfi.exe | C:\Windows\system32\Lelabgfi.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
47 | 1288 | C:\Windows\SysWOW64\Lpafopeo.exe | C:\Windows\system32\Lpafopeo.exe | Executes dropped EXE
48 | 2920 | C:\Windows\SysWOW64\Lijjhe32.exe | C:\Windows\system32\Lijjhe32.exe | Executes dropped EXE
49 | 4716 | C:\Windows\SysWOW64\Logbpljg.exe | C:\Windows\system32\Logbpljg.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
50 | 5036 | C:\Windows\SysWOW64\Llkcjpiq.exe | C:\Windows\system32\Llkcjpiq.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
51 | 4364 | C:\Windows\SysWOW64\Lfpggiif.exe | C:\Windows\system32\Lfpggiif.exe | Executes dropped EXE
52 | 2768 | C:\Windows\SysWOW64\Mpilpo32.exe | C:\Windows\system32\Mpilpo32.exe | Executes dropped EXE; Drops file in System32 directory
53 | 5016 | C:\Windows\SysWOW64\Mlomep32.exe | C:\Windows\system32\Mlomep32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
54 | 1564 | C:\Windows\SysWOW64\Mlaijo32.exe | C:\Windows\system32\Mlaijo32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
55 | 1552 | C:\Windows\SysWOW64\Mejnce32.exe | C:\Windows\system32\Mejnce32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
56 | 3708 | C:\Windows\SysWOW64\Mppbqn32.exe | C:\Windows\system32\Mppbqn32.exe | Executes dropped EXE
57 | 1764 | C:\Windows\SysWOW64\Mpbofm32.exe | C:\Windows\system32\Mpbofm32.exe | Executes dropped EXE; Drops file in System32 directory
58 | 1496 | C:\Windows\SysWOW64\Mflgcg32.exe | C:\Windows\system32\Mflgcg32.exe | Executes dropped EXE
59 | 3792 | C:\Windows\SysWOW64\Noihmi32.exe | C:\Windows\system32\Noihmi32.exe | Executes dropped EXE
60 | 4616 | C:\Windows\SysWOW64\Nhbmeo32.exe | C:\Windows\system32\Nhbmeo32.exe | Executes dropped EXE
61 | 404 | C:\Windows\SysWOW64\Nefmoc32.exe | C:\Windows\system32\Nefmoc32.exe | Executes dropped EXE; Modifies registry class
62 | 2340 | C:\Windows\SysWOW64\Nlpelmgi.exe | C:\Windows\system32\Nlpelmgi.exe | Executes dropped EXE
63 | 4908 | C:\Windows\SysWOW64\Nghfof32.exe | C:\Windows\system32\Nghfof32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
64 | 1072 | C:\Windows\SysWOW64\Ogjcde32.exe | C:\Windows\system32\Ogjcde32.exe | Executes dropped EXE
65 | 2304 | C:\Windows\SysWOW64\Opbhmk32.exe | C:\Windows\system32\Opbhmk32.exe | Executes dropped EXE
66 | 3920 | C:\Windows\SysWOW64\Oiklfqpj.exe | C:\Windows\system32\Oiklfqpj.exe | Executes dropped EXE
67 | 4924 | C:\Windows\SysWOW64\Opgahjed.exe | C:\Windows\system32\Opgahjed.exe | (none)
68 | 4860 | C:\Windows\SysWOW64\Ohbflmbp.exe | C:\Windows\system32\Ohbflmbp.exe | System Location Discovery: System Language Discovery
69 | 3156 | C:\Windows\SysWOW64\Ochjjebe.exe | C:\Windows\system32\Ochjjebe.exe | System Location Discovery: System Language Discovery; Modifies registry class
70 | 532 | C:\Windows\SysWOW64\Ppljcjao.exe | C:\Windows\system32\Ppljcjao.exe | Drops file in System32 directory
71 | 1968 | C:\Windows\SysWOW64\Pghpecfi.exe | C:\Windows\system32\Pghpecfi.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
72 | 1504 | C:\Windows\SysWOW64\Pgjlkc32.exe | C:\Windows\system32\Pgjlkc32.exe | System Location Discovery: System Language Discovery
73 | 4336 | C:\Windows\SysWOW64\Phnehkhb.exe | C:\Windows\system32\Phnehkhb.exe | Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
74 | 4172 | C:\Windows\SysWOW64\Ppemihid.exe | C:\Windows\system32\Ppemihid.exe | (none)
75 | 4124 | C:\Windows\SysWOW64\Pgoefbpa.exe | C:\Windows\system32\Pgoefbpa.exe | Drops file in System32 directory; Modifies registry class
76 | 2580 | C:\Windows\SysWOW64\Qhpbnk32.exe | C:\Windows\system32\Qhpbnk32.exe | Modifies registry class
77 | 1100 | C:\Windows\SysWOW64\Qgablbno.exe | C:\Windows\system32\Qgablbno.exe | Adds autorun key to be loaded by Explorer.exe on startup
78 | 2160 | C:\Windows\SysWOW64\Qlnkdilf.exe | C:\Windows\system32\Qlnkdilf.exe | (none)
79 | 4292 | C:\Windows\SysWOW64\Affomo32.exe | C:\Windows\system32\Affomo32.exe | (none)
80 | 1004 | C:\Windows\SysWOW64\Aqlcjgbl.exe | C:\Windows\system32\Aqlcjgbl.exe | (none)
81 | 3276 | C:\Windows\SysWOW64\Agflga32.exe | C:\Windows\system32\Agflga32.exe | Adds autorun key to be loaded by Explorer.exe on startup
82 | 5048 | C:\Windows\SysWOW64\Agkebqfd.exe | C:\Windows\system32\Agkebqfd.exe | Drops file in System32 directory; System Location Discovery: System Language Discovery
83 | 2216 | C:\Windows\SysWOW64\Aofjfcco.exe | C:\Windows\system32\Aofjfcco.exe | (none)
84 | 3636 | C:\Windows\SysWOW64\Aohflb32.exe | C:\Windows\system32\Aohflb32.exe | Adds autorun key to be loaded by Explorer.exe on startup
85 | 4696 | C:\Windows\SysWOW64\Biqkdhhm.exe | C:\Windows\system32\Biqkdhhm.exe | (none)
86 | 5096 | C:\Windows\SysWOW64\Bgdhhoni.exe | C:\Windows\system32\Bgdhhoni.exe | (none)
87 | 4312 | C:\Windows\SysWOW64\Bgfdnolf.exe | C:\Windows\system32\Bgfdnolf.exe | (none)
88 | 3236 | C:\Windows\SysWOW64\Bcmebpak.exe | C:\Windows\system32\Bcmebpak.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; System Location Discovery: System Language Discovery
89 | 3980 | C:\Windows\SysWOW64\Cjjjej32.exe | C:\Windows\system32\Cjjjej32.exe | Adds autorun key to be loaded by Explorer.exe on startup
90 | 880 | C:\Windows\SysWOW64\Cpipbpcj.exe | C:\Windows\system32\Cpipbpcj.exe | (none)
91 | 5148 | C:\Windows\SysWOW64\Ccghio32.exe | C:\Windows\system32\Ccghio32.exe | Adds autorun key to be loaded by Explorer.exe on startup
92 | 5188 | C:\Windows\SysWOW64\Cakibchj.exe | C:\Windows\system32\Cakibchj.exe | (none)
93 | 5232 | C:\Windows\SysWOW64\Cmaigd32.exe | C:\Windows\system32\Cmaigd32.exe | (none)
94 | 5280 | C:\Windows\SysWOW64\Dckadnek.exe | C:\Windows\system32\Dckadnek.exe | Modifies registry class
95 | 5324 | C:\Windows\SysWOW64\Djhffhke.exe | C:\Windows\system32\Djhffhke.exe | (none)
96 | 5368 | C:\Windows\SysWOW64\Dhlgpljo.exe | C:\Windows\system32\Dhlgpljo.exe | (none)
97 | 5408 | C:\Windows\SysWOW64\Dadkhapo.exe | C:\Windows\system32\Dadkhapo.exe | (none)
98 | 5456 | C:\Windows\SysWOW64\Dhpqkk32.exe | C:\Windows\system32\Dhpqkk32.exe | (none)
99 | 5504 | C:\Windows\SysWOW64\Djomgg32.exe | C:\Windows\system32\Djomgg32.exe | (none)
100 | 5544 | C:\Windows\SysWOW64\Eaieca32.exe | C:\Windows\system32\Eaieca32.exe | Modifies registry class
101 | 5592 | C:\Windows\SysWOW64\Ehbmpkcf.exe | C:\Windows\system32\Ehbmpkcf.exe | (none)
102 | 5640 | C:\Windows\SysWOW64\Efhjag32.exe | C:\Windows\system32\Efhjag32.exe | (none)
103 | 5688 | C:\Windows\SysWOW64\Eiffmc32.exe | C:\Windows\system32\Eiffmc32.exe | (none)
104 | 5744 | C:\Windows\SysWOW64\Eppojm32.exe | C:\Windows\system32\Eppojm32.exe | System Location Discovery: System Language Discovery
105 | 5804 | C:\Windows\SysWOW64\Efjgggfl.exe | C:\Windows\system32\Efjgggfl.exe | (none)
106 | 5864 | C:\Windows\SysWOW64\Eihccbep.exe | C:\Windows\system32\Eihccbep.exe | (none)
107 | 5904 | C:\Windows\SysWOW64\Eapkdpfb.exe | C:\Windows\system32\Eapkdpfb.exe | Drops file in System32 directory
108 | 5976 | C:\Windows\SysWOW64\Ehjcaj32.exe | C:\Windows\system32\Ehjcaj32.exe | (none)
109 | 6024 | C:\Windows\SysWOW64\Ejhpme32.exe | C:\Windows\system32\Ejhpme32.exe | Modifies registry class
110 | 6096 | C:\Windows\SysWOW64\Eabhjpdo.exe | C:\Windows\system32\Eabhjpdo.exe | System Location Discovery: System Language Discovery
111 | 228 | C:\Windows\SysWOW64\Ehlpfjkl.exe | C:\Windows\system32\Ehlpfjkl.exe | Adds autorun key to be loaded by Explorer.exe on startup
112 | 5168 | C:\Windows\SysWOW64\Ekjlbejp.exe | C:\Windows\system32\Ekjlbejp.exe | Drops file in System32 directory
113 | 5268 | C:\Windows\SysWOW64\Fmihoqjc.exe | C:\Windows\system32\Fmihoqjc.exe | Modifies registry class
114 | 5320 | C:\Windows\SysWOW64\Fpgeklig.exe | C:\Windows\system32\Fpgeklig.exe | (none)
115 | 5404 | C:\Windows\SysWOW64\Fhnmliii.exe | C:\Windows\system32\Fhnmliii.exe | Adds autorun key to be loaded by Explorer.exe on startup
116 | 5496 | C:\Windows\SysWOW64\Fipica32.exe | C:\Windows\system32\Fipica32.exe | (none)
117 | 5556 | C:\Windows\SysWOW64\Fpjaplgd.exe | C:\Windows\system32\Fpjaplgd.exe | System Location Discovery: System Language Discovery; Modifies registry class
118 | 5624 | C:\Windows\SysWOW64\Fhqiai32.exe | C:\Windows\system32\Fhqiai32.exe | (none)
119 | 5684 | C:\Windows\SysWOW64\Fibfiame.exe | C:\Windows\system32\Fibfiame.exe | (none)
120 | 5796 | C:\Windows\SysWOW64\Fainjong.exe | C:\Windows\system32\Fainjong.exe | Adds autorun key to be loaded by Explorer.exe on startup
121 | 5892 | C:\Windows\SysWOW64\Fdgjfjmk.exe | C:\Windows\system32\Fdgjfjmk.exe | (none)
122 | 5752 | C:\Windows\SysWOW64\Fidboakb.exe | C:\Windows\system32\Fidboakb.exe | (none)