Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07/08/2024, 18:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe
-
Size
1.1MB
-
MD5
0f6d35913af8eb1ac411b81763f0ba4e
-
SHA1
b7c15213850ed43b279d408422a3dd215a089b50
-
SHA256
03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9
-
SHA512
d7dcbd89a5c1b089ddcf6875a3243deb9e8565584a8e8b54659f42b2a1c3d73d8489bb579b7b04667852669132de3f5d6b2b6085407411ff69c7aa0b36869bbe
-
SSDEEP
12288:gZbvVm05XEvG6IveDVqvQ6IvYvc6IveDVqvQ6IvIn+v7vc6IveDVqvQ6Iv5d5v7k:X6X1q5h3q5hkntq5hU6X1q5h3B
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgbdcgld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbpojnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbchba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfihkqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajhndkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dannij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpolgoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioambknl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekdnei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npiiffqe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpeiioac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdfgiid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgejpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojnko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfqmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlpfgbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phodcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabhdinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khbdikip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moobbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkicaahi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djdmffnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjginjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kilpmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjgpfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfcipoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbdikip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpleig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llcpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcgffqei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmlnjco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llflea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbqmiinl.exe -
Executes dropped EXE 64 IoCs
pid Process 4916 Ipnjab32.exe 1868 Ifjodl32.exe 2272 Iikhfg32.exe 2636 Ibcmom32.exe 4152 Jlkagbej.exe 2692 Jmknaell.exe 2456 Jehokgge.exe 4024 Jpnchp32.exe 3524 Jlednamo.exe 4492 Kpbmco32.exe 3636 Kpeiioac.exe 2868 Kpgfooop.exe 3296 Kfankifm.exe 1660 Kdeoemeg.exe 760 Lbjlfi32.exe 1860 Llcpoo32.exe 3996 Ldleel32.exe 2512 Likjcbkc.exe 1084 Lebkhc32.exe 216 Mbfkbhpa.exe 1004 Megdccmb.exe 4860 Mlampmdo.exe 2496 Migjoaaf.exe 2136 Mlhbal32.exe 232 Ncdgcf32.exe 976 Ncfdie32.exe 3204 Nloiakho.exe 3464 Nfjjppmm.exe 3004 Oncofm32.exe 1408 Olhlhjpd.exe 2024 Oqfdnhfk.exe 5020 Ogbipa32.exe 3564 Pdfjifjo.exe 2752 Pjcbbmif.exe 1808 Pclgkb32.exe 4876 Pjeoglgc.exe 4472 Pqpgdfnp.exe 3776 Pqbdjfln.exe 1680 Pgllfp32.exe 2872 Pjjhbl32.exe 3764 Pdpmpdbd.exe 3364 Pfaigm32.exe 1300 Qqfmde32.exe 2404 Qnjnnj32.exe 1276 Qcgffqei.exe 4928 Ampkof32.exe 516 Acjclpcf.exe 4680 Ajckij32.exe 1812 Ambgef32.exe 4736 Afjlnk32.exe 3424 Amddjegd.exe 3904 Acnlgp32.exe 736 Amgapeea.exe 2576 Afoeiklb.exe 3112 Aminee32.exe 5100 Accfbokl.exe 2776 Bjmnoi32.exe 4532 Bagflcje.exe 2424 Bganhm32.exe 1952 Bjokdipf.exe 2380 Bchomn32.exe 1064 Bjagjhnc.exe 1316 Balpgb32.exe 3428 Bfhhoi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bganhm32.exe Bagflcje.exe File opened for modification C:\Windows\SysWOW64\Fnaokmco.exe Fhdfbfdh.exe File created C:\Windows\SysWOW64\Kaijleme.dll Nbcqiope.exe File created C:\Windows\SysWOW64\Dabhdinj.exe Dikpbl32.exe File created C:\Windows\SysWOW64\Kaedkn32.dll Lndham32.exe File created C:\Windows\SysWOW64\Feaabknn.dll Pcjiff32.exe File opened for modification C:\Windows\SysWOW64\Pefabkej.exe Pkpmdbfd.exe File created C:\Windows\SysWOW64\Accfbokl.exe Aminee32.exe File opened for modification C:\Windows\SysWOW64\Banllbdn.exe Bfhhoi32.exe File created C:\Windows\SysWOW64\Dipidh32.dll Gekcaj32.exe File created C:\Windows\SysWOW64\Mockmala.exe Mhicpg32.exe File created C:\Windows\SysWOW64\Alfgikbb.dll Daediilg.exe File created C:\Windows\SysWOW64\Hjjnae32.exe Hdmein32.exe File created C:\Windows\SysWOW64\Lbekag32.dll Bkkple32.exe File created C:\Windows\SysWOW64\Akcaoeoo.dll Eoideh32.exe File opened for modification C:\Windows\SysWOW64\Ogbipa32.exe Oqfdnhfk.exe File created C:\Windows\SysWOW64\Pagpdj32.dll Edjgfcec.exe File created C:\Windows\SysWOW64\Fkbkdkpp.exe Fdhcgaic.exe File created C:\Windows\SysWOW64\Chalkm32.dll Olijhmgj.exe File created C:\Windows\SysWOW64\Kglmio32.exe Kqbdldnq.exe File opened for modification C:\Windows\SysWOW64\Olhlhjpd.exe Oncofm32.exe File created C:\Windows\SysWOW64\Ohlimd32.exe Ogklelna.exe File created C:\Windows\SysWOW64\Hpdfnolo.exe Hjjnae32.exe File created C:\Windows\SysWOW64\Ncgjgp32.dll Dfoiaj32.exe File created C:\Windows\SysWOW64\Ibfnqmpf.exe Ipgbdbqb.exe File created C:\Windows\SysWOW64\Bjlgdc32.exe Bgnkhg32.exe File created C:\Windows\SysWOW64\Fphppfgi.dll Kjhcjq32.exe File created C:\Windows\SysWOW64\Ieneofbo.dll Cmcolgbj.exe File created C:\Windows\SysWOW64\Nhahaiec.exe Nagpeo32.exe File created C:\Windows\SysWOW64\Kbqceofn.dll Amcehdod.exe File created C:\Windows\SysWOW64\Bcoenmao.exe Bnbmefbg.exe File created C:\Windows\SysWOW64\Leckbi32.dll Qqhcpo32.exe File created C:\Windows\SysWOW64\Jajpge32.dll Cmklglpn.exe File created C:\Windows\SysWOW64\Jgbjbp32.exe Jddnfd32.exe File opened for modification C:\Windows\SysWOW64\Loighj32.exe Kngkqbgl.exe File created C:\Windows\SysWOW64\Cnhgjaml.exe Chkobkod.exe File created C:\Windows\SysWOW64\Qoqbfpfe.dll Acjclpcf.exe File created C:\Windows\SysWOW64\Mmgdfa32.dll Qfpbmfdf.exe File opened for modification C:\Windows\SysWOW64\Afghneoo.exe Acilajpk.exe File created C:\Windows\SysWOW64\Ccemjbpf.dll Gahcmd32.exe File opened for modification C:\Windows\SysWOW64\Nbnpcj32.exe Njghbl32.exe File opened for modification C:\Windows\SysWOW64\Fpggamqc.exe Ffobhg32.exe File opened for modification C:\Windows\SysWOW64\Lgdidgjg.exe Llodgnja.exe File created C:\Windows\SysWOW64\Ealadnik.exe Ekbihd32.exe File opened for modification C:\Windows\SysWOW64\Fmgejhgn.exe Fkihnmhj.exe File created C:\Windows\SysWOW64\Qoelkp32.exe Qlgpod32.exe File created C:\Windows\SysWOW64\Ebnfbcbc.exe Ekdnei32.exe File opened for modification C:\Windows\SysWOW64\Gblbca32.exe Gmojkj32.exe File created C:\Windows\SysWOW64\Phfcipoo.exe Ppolhcnm.exe File created C:\Windows\SysWOW64\Gjjpbg32.dll Ekgbccni.exe File opened for modification C:\Windows\SysWOW64\Cgcmjd32.exe Cpleig32.exe File created C:\Windows\SysWOW64\Moqeaphi.dll Fpeafcfa.exe File created C:\Windows\SysWOW64\Emmoafdl.dll Iddljmpc.exe File created C:\Windows\SysWOW64\Mbighjdd.exe Miaboe32.exe File created C:\Windows\SysWOW64\Onlche32.dll Nabfjpak.exe File opened for modification C:\Windows\SysWOW64\Adcjop32.exe Aogbfi32.exe File created C:\Windows\SysWOW64\Lblaabdp.exe Lehaho32.exe File opened for modification C:\Windows\SysWOW64\Mhppji32.exe Lbchba32.exe File created C:\Windows\SysWOW64\Hmhkgijk.dll Mjdebfnd.exe File created C:\Windows\SysWOW64\Jjgobjmp.dll Nndjndbh.exe File created C:\Windows\SysWOW64\Ponfka32.exe Pefabkej.exe File opened for modification C:\Windows\SysWOW64\Dmennnni.exe Dndnpf32.exe File opened for modification C:\Windows\SysWOW64\Mfhbga32.exe Mcifkf32.exe File created C:\Windows\SysWOW64\Elkadb32.dll Daekdooc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8096 8060 WerFault.exe 1021 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoopgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folaiqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlbhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofalmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnebd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlpqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njiegl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnddgjbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbcplpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idjlpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egnchd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglnbhal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akamff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgicgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdabcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhhdlid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfqgab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejnmncd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdafkdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmmepfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiaoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnocf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkomneim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agiamhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccchof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfklhhcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqdegaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhcgaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acilajpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbkfkal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pibdmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloqml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjodl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ennqfenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcpoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojanpej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelolmnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paeelgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhdil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjeanmj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppopjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkohq32.dll" Icnklbmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojenek32.dll" Opqofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aminee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmnagpbq.dll" Jgdhgmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpmlnjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll" Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhqgik32.dll" Jjgchm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojhpimhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll" Mlampmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdfjifjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnckk32.dll" Gglpibgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokhgc32.dll" Hhihdcbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oocddono.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idkbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnlkedai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afjlnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chighhee.dll" Folaiqng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcnqpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccchof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddalgo32.dll" Pahilmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpbpbecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnoaaaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknbkjfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgbhl32.dll" Ckmonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnojho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgfooop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haedpe32.dll" Hjlkge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll" Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmmhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dogkme32.dll" Hheoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoaad32.dll" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neafjdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieneofbo.dll" Cmcolgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll" Ipeeobbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aimkjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfpjcbmh.dll" Lpekef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moobbb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 4916 2052 03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe 83 PID 2052 wrote to memory of 4916 2052 03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe 83 PID 2052 wrote to memory of 4916 2052 03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe 83 PID 4916 wrote to memory of 1868 4916 Ipnjab32.exe 86 PID 4916 wrote to memory of 1868 4916 Ipnjab32.exe 86 PID 4916 wrote to memory of 1868 4916 Ipnjab32.exe 86 PID 1868 wrote to memory of 2272 1868 Ifjodl32.exe 87 PID 1868 wrote to memory of 2272 1868 Ifjodl32.exe 87 PID 1868 wrote to memory of 2272 1868 Ifjodl32.exe 87 PID 2272 wrote to memory of 2636 2272 Iikhfg32.exe 89 PID 2272 wrote to memory of 2636 2272 Iikhfg32.exe 89 PID 2272 wrote to memory of 2636 2272 Iikhfg32.exe 89 PID 2636 wrote to memory of 4152 2636 Ibcmom32.exe 90 PID 2636 wrote to memory of 4152 2636 Ibcmom32.exe 90 PID 2636 wrote to memory of 4152 2636 Ibcmom32.exe 90 PID 4152 wrote to memory of 2692 4152 Jlkagbej.exe 91 PID 4152 wrote to memory of 2692 4152 Jlkagbej.exe 91 PID 4152 wrote to memory of 2692 4152 Jlkagbej.exe 91 PID 2692 wrote to memory of 2456 2692 Jmknaell.exe 92 PID 2692 wrote to memory of 2456 2692 Jmknaell.exe 92 PID 2692 wrote to memory of 2456 2692 Jmknaell.exe 92 PID 2456 wrote to memory of 4024 2456 Jehokgge.exe 93 PID 2456 wrote to memory of 4024 2456 Jehokgge.exe 93 PID 2456 wrote to memory of 4024 2456 Jehokgge.exe 93 PID 4024 wrote to memory of 3524 4024 Jpnchp32.exe 94 PID 4024 wrote to memory of 3524 4024 Jpnchp32.exe 94 PID 4024 wrote to memory of 3524 4024 Jpnchp32.exe 94 PID 3524 wrote to memory of 4492 3524 Jlednamo.exe 95 PID 3524 wrote to memory of 4492 3524 Jlednamo.exe 95 PID 3524 wrote to memory of 4492 3524 Jlednamo.exe 95 PID 4492 wrote to memory of 3636 4492 Kpbmco32.exe 96 PID 4492 wrote to memory of 3636 4492 Kpbmco32.exe 96 PID 4492 wrote to memory of 3636 4492 Kpbmco32.exe 96 PID 3636 wrote to memory of 2868 3636 Kpeiioac.exe 97 PID 3636 wrote to memory of 2868 3636 Kpeiioac.exe 97 PID 3636 wrote to memory of 2868 3636 Kpeiioac.exe 97 PID 2868 wrote to memory of 3296 2868 Kpgfooop.exe 98 PID 2868 wrote to memory of 3296 2868 Kpgfooop.exe 98 PID 2868 wrote to memory of 3296 2868 Kpgfooop.exe 98 PID 3296 wrote to memory of 1660 3296 Kfankifm.exe 99 PID 3296 wrote to memory of 1660 3296 Kfankifm.exe 99 PID 3296 wrote to memory of 1660 3296 Kfankifm.exe 99 PID 1660 wrote to memory of 760 1660 Kdeoemeg.exe 100 PID 1660 wrote to memory of 760 1660 Kdeoemeg.exe 100 PID 1660 wrote to memory of 760 1660 Kdeoemeg.exe 100 PID 760 wrote to memory of 1860 760 Lbjlfi32.exe 101 PID 760 wrote to memory of 1860 760 Lbjlfi32.exe 101 PID 760 wrote to memory of 1860 760 Lbjlfi32.exe 101 PID 1860 wrote to memory of 3996 1860 Llcpoo32.exe 102 PID 1860 wrote to memory of 3996 1860 Llcpoo32.exe 102 PID 1860 wrote to memory of 3996 1860 Llcpoo32.exe 102 PID 3996 wrote to memory of 2512 3996 Ldleel32.exe 103 PID 3996 wrote to memory of 2512 3996 Ldleel32.exe 103 PID 3996 wrote to memory of 2512 3996 Ldleel32.exe 103 PID 2512 wrote to memory of 1084 2512 Likjcbkc.exe 104 PID 2512 wrote to memory of 1084 2512 Likjcbkc.exe 104 PID 2512 wrote to memory of 1084 2512 Likjcbkc.exe 104 PID 1084 wrote to memory of 216 1084 Lebkhc32.exe 105 PID 1084 wrote to memory of 216 1084 Lebkhc32.exe 105 PID 1084 wrote to memory of 216 1084 Lebkhc32.exe 105 PID 216 wrote to memory of 1004 216 Mbfkbhpa.exe 106 PID 216 wrote to memory of 1004 216 Mbfkbhpa.exe 106 PID 216 wrote to memory of 1004 216 Mbfkbhpa.exe 106 PID 1004 wrote to memory of 4860 1004 Megdccmb.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe"C:\Users\Admin\AppData\Local\Temp\03d937cd72c7169eb66255ab4d059fb9f15069caf5462d3ef9f775d270fdabe9.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Kdeoemeg.exeC:\Windows\system32\Kdeoemeg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe24⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe26⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe27⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe28⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe29⤵PID:964
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe30⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe32⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe34⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3564 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe36⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe37⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe38⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe39⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe41⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe42⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3764 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:3364 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe46⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe48⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:516 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe50⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe51⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe53⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe54⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe55⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe56⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe59⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4532 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe62⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe63⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe64⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe65⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe67⤵PID:3392
-
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe68⤵
- System Location Discovery: System Language Discovery
PID:452 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe69⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe70⤵PID:2904
-
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe71⤵PID:3492
-
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe73⤵PID:1592
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe74⤵PID:1924
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe75⤵PID:1320
-
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe76⤵PID:2524
-
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe77⤵PID:4728
-
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe78⤵PID:4824
-
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe79⤵
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe80⤵PID:2468
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe81⤵PID:4344
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe82⤵PID:3040
-
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe84⤵PID:4700
-
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe85⤵PID:1744
-
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe86⤵PID:1788
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe87⤵PID:924
-
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe88⤵PID:4220
-
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe89⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe90⤵PID:4952
-
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe91⤵PID:3184
-
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe92⤵PID:544
-
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe93⤵PID:3416
-
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe94⤵PID:3496
-
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe95⤵PID:4132
-
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe96⤵
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe97⤵PID:1684
-
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe98⤵PID:4980
-
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe99⤵PID:5148
-
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe100⤵PID:5188
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe101⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe102⤵PID:5276
-
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe103⤵
- System Location Discovery: System Language Discovery
PID:5324 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe104⤵PID:5368
-
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe105⤵PID:5412
-
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe106⤵PID:5456
-
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe107⤵PID:5500
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe108⤵PID:5544
-
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe109⤵PID:5588
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe110⤵PID:5632
-
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe111⤵PID:5680
-
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe112⤵PID:5724
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe114⤵PID:5808
-
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe115⤵
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe116⤵PID:5900
-
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5940 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe118⤵PID:5988
-
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe119⤵
- Drops file in System32 directory
PID:6032 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe120⤵
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe121⤵PID:6112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-