Analysis

max time kernel: 117s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17/08/2024, 22:23

Static task: static1

Behavioral task: behavioral1
  Sample: 95285196e9e0bdf490e95c72b83722d0N.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 95285196e9e0bdf490e95c72b83722d0N.exe
  Resource: win10v2004-20240802-en

The signatures and IoCs below are from behavioral1 (the Windows 7 x64 guest).
General

Target: 95285196e9e0bdf490e95c72b83722d0N.exe
Size: 96KB
MD5: 95285196e9e0bdf490e95c72b83722d0
SHA1: 59815447d15bcc9156731091f9f38bf050a2f6d7
SHA256: fdf78d68646652e73163291e6165f8ea1ebee828c73e8005c400191755af4bd2
SHA512: d99ca5394741e55f507dbfbbc8c5ed0088347513b586e5ad372c559f62bfd3498ae7e51e56bb29a5bc7a0cdfeab07e54af5acc2f265f41ecbcdd47b17af4f6ab
SSDEEP: 1536:SEF+lXXky59nqjqDcbdn7Svs2LVsBMu/HCmiDcg3MZRP3cEW3AE:S0+JXjDcbd2NVa6miEo
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

The dropped stages register a COM object named "Web Event Logger" under ShellServiceObjectDelayLoad (SSODL), a key whose CLSIDs explorer.exe instantiates every time the shell starts. The CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} is identical in every entry; its InProcServer32 is pointed at a dropped DLL (see "Modifies registry class" below), so the value here is the hook and the CLSID registration is the payload. The key sits under Wow6432Node because the 32-bit sample runs under WOW64 on the x64 guest. When cleaning a host, remove both the SSODL value and the CLSID registration; either one left behind re-establishes the load on the next logon.

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeofcpjj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccbojk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Loicnemp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlnlcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjcnoe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjgpqjqa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iiflgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mafoal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fknido32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdipnedn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkpgdc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mihngj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cplfcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chgkgmoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhbcaa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbnajcig.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkflii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fobodn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omaepoml.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inkgdjqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kchhholk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkkmoo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndlanf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekcpdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipcjlaqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbbodk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acfpilmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjglpncm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joijpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkdmneoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfgadbcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmeaaboe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jphcgq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcdlpklh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnqolikm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkpkepnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbomdjoo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlodma32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jndjoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eopbooqb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjpipkgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Giafmfad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnogakma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odiagj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olpiig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bccihj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elgmbnfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jiphpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhjjle32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glkinb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgkncfdc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfaedeme.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffbjpfmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlcmhann.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgahcn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koafcppm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpnchjpa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbkgjgqi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgahcn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apjdin32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mboekp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilohnopg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piaiko32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Haggkf32.exe
Executes dropped EXE (64 IoCs)

The dropped stages carry pseudo-random eight-letter names, most ending in "32", and are started in alphabetical order (A..., B..., C..., D...), each stage launching the next. The list is capped at 64 entries; the crash entry below shows the chain ran far longer.

pid | Process
2288 | Agkfil32.exe
2192 | Akfbjkdj.exe
2016 | Aeofcpjj.exe
2760 | Akhopj32.exe
1208 | Angklf32.exe
2596 | Agoodkgk.exe
2884 | Ajnlqgfo.exe
2528 | Apjdin32.exe
1364 | Acfpilmp.exe
2152 | Bmndbb32.exe
2960 | Bajqcqli.exe
2252 | Bfgikgjq.exe
2964 | Bieegcid.exe
832 | Bpomdmqa.exe
2844 | Bckidl32.exe
1464 | Bfifqg32.exe
2444 | Bigbmb32.exe
796 | Blfnin32.exe
1556 | Bndjei32.exe
2344 | Bbpffhnb.exe
2400 | Benbbcmf.exe
1736 | Bijobb32.exe
892 | Blhkon32.exe
1928 | Boggkicf.exe
2100 | Baecgdbj.exe
2200 | Coidpiac.exe
3052 | Cbdpag32.exe
2872 | Cdflhppk.exe
2116 | Clmdjmpm.exe
2736 | Cokqfhpa.exe
2604 | Cdhino32.exe
2720 | Ckbakiee.exe
2052 | Conmkh32.exe
1244 | Caligc32.exe
1100 | Cpojcpcm.exe
2188 | Cdkfco32.exe
664 | Cgibpj32.exe
2284 | Cignlf32.exe
2488 | Caofmc32.exe
1296 | Cdmbiojc.exe
2084 | Cgkoejig.exe
820 | Cijkaehj.exe
2260 | Cmegbd32.exe
2468 | Ccbojk32.exe
1492 | Cgnkkjgd.exe
2360 | Dilggefh.exe
2668 | Dljdcqek.exe
1772 | Dpfpco32.exe
2900 | Dcdlpklh.exe
3048 | Dgphpi32.exe
2832 | Dindme32.exe
1532 | Dhadhakp.exe
2772 | Dphmiokb.exe
2632 | Dcgiejje.exe
2548 | Dajiag32.exe
2576 | Deeeafii.exe
2952 | Dhcanahm.exe
2300 | Dlomnp32.exe
2316 | Donijk32.exe
1704 | Dciekjhc.exe
2000 | Degage32.exe
2236 | Ddjbbbna.exe
1264 | Dhfnca32.exe
932 | Dkdjol32.exe
Loads dropped DLL (64 IoCs)

Each process appears twice in the source list (two dropped-DLL loads per process, 32 processes, 64 IoCs); each is listed once below. The original sample (pid 2072) is the first loader, consistent with every stage dropping a DLL alongside the next executable.

pid | Process
2072 | 95285196e9e0bdf490e95c72b83722d0N.exe
2288 | Agkfil32.exe
2192 | Akfbjkdj.exe
2016 | Aeofcpjj.exe
2760 | Akhopj32.exe
1208 | Angklf32.exe
2596 | Agoodkgk.exe
2884 | Ajnlqgfo.exe
2528 | Apjdin32.exe
1364 | Acfpilmp.exe
2152 | Bmndbb32.exe
2960 | Bajqcqli.exe
2252 | Bfgikgjq.exe
2964 | Bieegcid.exe
832 | Bpomdmqa.exe
2844 | Bckidl32.exe
1464 | Bfifqg32.exe
2444 | Bigbmb32.exe
796 | Blfnin32.exe
1556 | Bndjei32.exe
2344 | Bbpffhnb.exe
2400 | Benbbcmf.exe
1736 | Bijobb32.exe
892 | Blhkon32.exe
1928 | Boggkicf.exe
2100 | Baecgdbj.exe
2200 | Coidpiac.exe
3052 | Cbdpag32.exe
2872 | Cdflhppk.exe
2116 | Clmdjmpm.exe
2736 | Cokqfhpa.exe
2604 | Cdhino32.exe
Drops file in System32 directory (64 IoCs)

All drops land in C:\Windows\SysWOW64 (the 32-bit view of System32), which needs administrative rights; the sandbox runs the sample elevated, so on a real host this behaviour depends on the user's privilege level. The writer/file pairs show the stage pattern directly: a stage drops the next stage's .exe and a .dll (for example Gepjgaid.exe creates both Gccjbo32.exe and Hppjland.dll, and Hhaogp32.exe creates Idmqai32.dll, the DLL it then registers as the COM server under "Modifies registry class").

description | ioc | Process
File created | C:\Windows\SysWOW64\Hhaogp32.exe | Hebckd32.exe
File created | C:\Windows\SysWOW64\Idmqai32.dll | Hhaogp32.exe
File created | C:\Windows\SysWOW64\Lpnhmi32.dll | Fojnhlch.exe
File created | C:\Windows\SysWOW64\Ifkecl32.exe | Idligq32.exe
File created | C:\Windows\SysWOW64\Jcnloa32.exe | Jdklcebk.exe
File opened for modification | C:\Windows\SysWOW64\Ainhln32.exe | Aebllocg.exe
File created | C:\Windows\SysWOW64\Gccjbo32.exe | Gepjgaid.exe
File opened for modification | C:\Windows\SysWOW64\Ijddokdo.exe | Ihehbpel.exe
File created | C:\Windows\SysWOW64\Caofmc32.exe | Cignlf32.exe
File created | C:\Windows\SysWOW64\Fgfemm32.dll | Pkgonf32.exe
File created | C:\Windows\SysWOW64\Hppjland.dll | Gepjgaid.exe
File created | C:\Windows\SysWOW64\Hpjlca32.dll | Idligq32.exe
File created | C:\Windows\SysWOW64\Ipcjlaqd.exe | Iapjad32.exe
File created | C:\Windows\SysWOW64\Cijkaehj.exe | Cgkoejig.exe
File opened for modification | C:\Windows\SysWOW64\Lkhfhaea.exe | Lhjjle32.exe
File opened for modification | C:\Windows\SysWOW64\Phdiglap.exe | Piaiko32.exe
File created | C:\Windows\SysWOW64\Njeikpij.exe | Nbnajcig.exe
File created | C:\Windows\SysWOW64\Gjjlfjoo.exe | Gfnpek32.exe
File created | C:\Windows\SysWOW64\Ppanehoa.dll | Nlgfbh32.exe
File created | C:\Windows\SysWOW64\Digipn32.dll | Eained32.exe
File created | C:\Windows\SysWOW64\Eghcckld.exe | Ediggoma.exe
File opened for modification | C:\Windows\SysWOW64\Madbll32.exe | Mbabpodi.exe
File created | C:\Windows\SysWOW64\Johdlh32.dll | Jpbmhf32.exe
File created | C:\Windows\SysWOW64\Lmphlhmc.dll | Fjpbeecn.exe
File created | C:\Windows\SysWOW64\Gbmdpg32.exe | Gnahoh32.exe
File created | C:\Windows\SysWOW64\Pekolc32.dll | Jeafgiai.exe
File created | C:\Windows\SysWOW64\Bkbbnb32.dll | Ihhlbegd.exe
File opened for modification | C:\Windows\SysWOW64\Fkkmoo32.exe | Fgpqnpjh.exe
File created | C:\Windows\SysWOW64\Bqfcci32.dll | Jhboidoj.exe
File opened for modification | C:\Windows\SysWOW64\Kpdjnefm.exe | Klinmg32.exe
File created | C:\Windows\SysWOW64\Nibola32.dll | Kpdjnefm.exe
File created | C:\Windows\SysWOW64\Ibghnjnm.dll | Ddgnbl32.exe
File created | C:\Windows\SysWOW64\Bndjei32.exe | Blfnin32.exe
File created | C:\Windows\SysWOW64\Phdiglap.exe | Piaiko32.exe
File created | C:\Windows\SysWOW64\Anegij32.dll | Iaicpepa.exe
File opened for modification | C:\Windows\SysWOW64\Kooimpao.exe | Kpliac32.exe
File created | C:\Windows\SysWOW64\Ogjjie32.exe | Odknmi32.exe
File opened for modification | C:\Windows\SysWOW64\Pgcmoc32.exe | Poldnf32.exe
File created | C:\Windows\SysWOW64\Ebbkhp32.dll | Ddeammok.exe
File created | C:\Windows\SysWOW64\Nnpbejpb.dll | Gebflaga.exe
File opened for modification | C:\Windows\SysWOW64\Jflikm32.exe | Jcnloa32.exe
File opened for modification | C:\Windows\SysWOW64\Clqjblij.exe | Cibnfpjg.exe
File opened for modification | C:\Windows\SysWOW64\Hffpiikm.exe | Hgconl32.exe
File opened for modification | C:\Windows\SysWOW64\Haoggh32.exe | Hlbooaoe.exe
File created | C:\Windows\SysWOW64\Hkahhl32.dll | Bojmogak.exe
File created | C:\Windows\SysWOW64\Eained32.exe | Enmbeehg.exe
File opened for modification | C:\Windows\SysWOW64\Fdicfbpl.exe | Fbkgjgqi.exe
File opened for modification | C:\Windows\SysWOW64\Jllggbde.exe | Jinkkgeb.exe
File created | C:\Windows\SysWOW64\Kgoknohj.exe | Khlkba32.exe
File opened for modification | C:\Windows\SysWOW64\Aediaoae.exe | Afaieb32.exe
File opened for modification | C:\Windows\SysWOW64\Ikiedq32.exe | Ihkihe32.exe
File opened for modification | C:\Windows\SysWOW64\Fojnhlch.exe | Fmlblq32.exe
File opened for modification | C:\Windows\SysWOW64\Jegheghc.exe | Jbhlilip.exe
File created | C:\Windows\SysWOW64\Gongob32.dll | Khlkba32.exe
File opened for modification | C:\Windows\SysWOW64\Caofmc32.exe | Cignlf32.exe
File opened for modification | C:\Windows\SysWOW64\Hcmmhmhd.exe | Hpaaho32.exe
File created | C:\Windows\SysWOW64\Iapjad32.exe | Iiiapg32.exe
File created | C:\Windows\SysWOW64\Beogneel.dll | Hbgjoo32.exe
File created | C:\Windows\SysWOW64\Ieepad32.exe | Iaicpepa.exe
File created | C:\Windows\SysWOW64\Gkgnmi32.dll | Onhkan32.exe
File created | C:\Windows\SysWOW64\Oecpeqdo.exe | Odbcnh32.exe
File created | C:\Windows\SysWOW64\Qmpafnld.exe | Qjaejbmq.exe
File created | C:\Windows\SysWOW64\Qaibiqdo.dll | Hmphfc32.exe
File opened for modification | C:\Windows\SysWOW64\Kpliac32.exe | Knnmeh32.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
7740 | 7716 | WerFault.exe | 727

WerFault.exe (pid 7740) handled a crash of pid 7716. The crashed process has sandbox process index 727, while the first dropped stage has index 29 (see the procid_target column under "Suspicious use of WriteProcessMemory"), so several hundred stages were spawned before one of them crashed.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading NLS\Language is also routine for benign, locale-aware software, so on its own this is a low-fidelity indicator; here it matters mainly because every dropped stage repeats it.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the following 64 processes:
Akfbjkdj.exe, Qbfqfppe.exe, Kabbehjb.exe, Bknani32.exe, Fcaankpf.exe, Joajdmma.exe, Eddeia32.exe, Gbeakllj.exe, Hiccbfoa.exe, Poegde32.exe, Ifecen32.exe, Bojmogak.exe, Eained32.exe, Epflbbpp.exe, Fkkmoo32.exe, Gefjlg32.exe,
Fkflii32.exe, Ebnokjpf.exe, Fcnkemgi.exe, Amdkam32.exe, Niopgljl.exe, Nolhoc32.exe, Okciddnh.exe, Pcljjd32.exe, Jggljqcb.exe, Jgleep32.exe, Ljljenoi.exe, Mgkncfdc.exe, Fhbcaa32.exe, Hhobbqkc.exe, Jdklcebk.exe, Bekobn32.exe,
Cijkaehj.exe, Ccbojk32.exe, Ekkppkpf.exe, Jnogakma.exe, Fcfjik32.exe, Gbpaef32.exe, Hffpiikm.exe, Hpodbo32.exe, Eloimcca.exe, Gjeckk32.exe, Jgbboa32.exe, Cffnpdip.exe, Jbfpcl32.exe, Nbckeb32.exe, Padcqp32.exe, Qjoheb32.exe,
Ajhkka32.exe, Cgnkkjgd.exe, Fgpqnpjh.exe, Fehjcc32.exe, Jjheklqc.exe, Acqpdgni.exe, Gndedhdj.exe, Gepjgaid.exe, Egpdom32.exe, Idaimfjf.exe, Qmpafnld.exe, Gigllafc.exe, Cgkoejig.exe, Dcdlpklh.exe, Dphmiokb.exe, Bbkfpb32.exe
Modifies registry class (64 IoCs)

Every entry is under the single CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} that the SSODL value above points to. The InProcServer32 default value names the dropped DLL explorer.exe will load (Hhaogp32.exe, for instance, drops C:\Windows\SysWOW64\Idmqai32.dll and registers it here), and ThreadingModel = "Apartment" completes an ordinary in-process COM server registration. Because each stage overwrites the same CLSID, only the most recently registered DLL survives on disk as the persistent payload; the doubled backslashes are the report's escaping of the stored path.

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacacmdn.dll" | Cmkmao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gnahoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kqomai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Madbll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oocqan32.dll" | Phibbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpijl32.dll" | Badlln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eccadhkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjapi32.dll" | Fhpflblk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoglkk32.dll" | Ggofcmih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjmbohhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efjklh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fobodn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bglhcihn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpnogmbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmqai32.dll" | Hhaogp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbdfoiki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fgbmdphe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkeqobld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gndedhdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcaqggik.dll" | Gglimm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgphpi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbgjoo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oiolfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knlpphnd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Khakhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmlqg32.dll" | Bnagecdp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmfblk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijpll32.dll" | Gccjbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cokqfhpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmiimabd.dll" | Abfmecba.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jajcaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgleep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjocja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fliefa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclbnhmo.dll" | Cpojcpcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Caofmc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gckknqkg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihkihe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhfgnc32.dll" | Iognjojl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmbdm32.dll" | Epnkfq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefffo32.dll" | Knnmeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpejcnlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jeiekgfq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Liddljan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alqljjam.dll" | Ainhln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eemded32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffomjgoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmaialjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddgnbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjpbeecn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcnkemgi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjiiemaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjehem32.dll" | Jkdanngk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpfamd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pqfdlmic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmabaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aakepd32.dll" | Cijkaehj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmlca32.dll" | Gfippego.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhfnca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pnhhpaio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbgjj32.dll" | Afolpb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnglkj32.dll" | Bjcnoe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkmmdg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamnjpji.dll" | Kdaoacif.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (list number = nesting depth; each process is the parent of the one below it):

1. C:\Users\Admin\AppData\Local\Temp\95285196e9e0bdf490e95c72b83722d0N.exe (PID 2072; command line "C:\Users\Admin\AppData\Local\Temp\95285196e9e0bdf490e95c72b83722d0N.exe")
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Agkfil32.exe (PID 2288; command line C:\Windows\system32\Agkfil32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Akfbjkdj.exe (PID 2192; command line C:\Windows\system32\Akfbjkdj.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Aeofcpjj.exe (PID 2016; command line C:\Windows\system32\Aeofcpjj.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Akhopj32.exe (PID 2760; command line C:\Windows\system32\Akhopj32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Angklf32.exe (PID 1208; command line C:\Windows\system32\Angklf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Agoodkgk.exe (PID 2596; command line C:\Windows\system32\Agoodkgk.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ajnlqgfo.exe (PID 2884; command line C:\Windows\system32\Ajnlqgfo.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Apjdin32.exe (PID 2528; command line C:\Windows\system32\Apjdin32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Acfpilmp.exe (PID 1364; command line C:\Windows\system32\Acfpilmp.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Bmndbb32.exe (PID 2152; command line C:\Windows\system32\Bmndbb32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Bajqcqli.exe (PID 2960; command line C:\Windows\system32\Bajqcqli.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Bfgikgjq.exe (PID 2252; command line C:\Windows\system32\Bfgikgjq.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Bieegcid.exe (PID 2964; command line C:\Windows\system32\Bieegcid.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bpomdmqa.exe (PID 832; command line C:\Windows\system32\Bpomdmqa.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bckidl32.exe (PID 2844; command line C:\Windows\system32\Bckidl32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Bfifqg32.exe (PID 1464; command line C:\Windows\system32\Bfifqg32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Bigbmb32.exe (PID 2444; command line C:\Windows\system32\Bigbmb32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Blfnin32.exe (PID 796; command line C:\Windows\system32\Blfnin32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
20. C:\Windows\SysWOW64\Bndjei32.exe (PID 1556; command line C:\Windows\system32\Bndjei32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Bbpffhnb.exe (PID 2344; command line C:\Windows\system32\Bbpffhnb.exe)
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Benbbcmf.exe (PID 2400; command line C:\Windows\system32\Benbbcmf.exe)
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Bijobb32.exe (PID 1736; command line C:\Windows\system32\Bijobb32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Blhkon32.exe (PID 892; command line C:\Windows\system32\Blhkon32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Boggkicf.exe (PID 1928; command line C:\Windows\system32\Boggkicf.exe)
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Baecgdbj.exe (PID 2100; command line C:\Windows\system32\Baecgdbj.exe)
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Coidpiac.exe (PID 2200; command line C:\Windows\system32\Coidpiac.exe)
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Cbdpag32.exe (PID 3052; command line C:\Windows\system32\Cbdpag32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Cdflhppk.exe (PID 2872; command line C:\Windows\system32\Cdflhppk.exe)
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Clmdjmpm.exe (PID 2116; command line C:\Windows\system32\Clmdjmpm.exe)
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Cokqfhpa.exe (PID 2736; command line C:\Windows\system32\Cokqfhpa.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
32. C:\Windows\SysWOW64\Cdhino32.exe (PID 2604; command line C:\Windows\system32\Cdhino32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Ckbakiee.exe (PID 2720; command line C:\Windows\system32\Ckbakiee.exe)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Conmkh32.exe (PID 2052; command line C:\Windows\system32\Conmkh32.exe)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Caligc32.exe (PID 1244; command line C:\Windows\system32\Caligc32.exe)
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Cpojcpcm.exe (PID 1100; command line C:\Windows\system32\Cpojcpcm.exe)
   - Executes dropped EXE
   - Modifies registry class
37. C:\Windows\SysWOW64\Cdkfco32.exe (PID 2188; command line C:\Windows\system32\Cdkfco32.exe)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Cgibpj32.exe (PID 664; command line C:\Windows\system32\Cgibpj32.exe)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Cignlf32.exe (PID 2284; command line C:\Windows\system32\Cignlf32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\Windows\SysWOW64\Caofmc32.exe (PID 2488; command line C:\Windows\system32\Caofmc32.exe)
   - Executes dropped EXE
   - Modifies registry class
41. C:\Windows\SysWOW64\Cdmbiojc.exe (PID 1296; command line C:\Windows\system32\Cdmbiojc.exe)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Cgkoejig.exe (PID 2084; command line C:\Windows\system32\Cgkoejig.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
43. C:\Windows\SysWOW64\Cijkaehj.exe (PID 820; command line C:\Windows\system32\Cijkaehj.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Modifies registry class
44. C:\Windows\SysWOW64\Cmegbd32.exe (PID 2260; command line C:\Windows\system32\Cmegbd32.exe)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Ccbojk32.exe (PID 2468; command line C:\Windows\system32\Ccbojk32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Cgnkkjgd.exe (PID 1492; command line C:\Windows\system32\Cgnkkjgd.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
47. C:\Windows\SysWOW64\Dilggefh.exe (PID 2360; command line C:\Windows\system32\Dilggefh.exe)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Dljdcqek.exe (PID 2668; command line C:\Windows\system32\Dljdcqek.exe)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Dpfpco32.exe (PID 1772; command line C:\Windows\system32\Dpfpco32.exe)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Dcdlpklh.exe (PID 2900; command line C:\Windows\system32\Dcdlpklh.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
51. C:\Windows\SysWOW64\Dgphpi32.exe (PID 3048; command line C:\Windows\system32\Dgphpi32.exe)
   - Executes dropped EXE
   - Modifies registry class
52. C:\Windows\SysWOW64\Dindme32.exe (PID 2832; command line C:\Windows\system32\Dindme32.exe)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Dhadhakp.exe (PID 1532; command line C:\Windows\system32\Dhadhakp.exe)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Dphmiokb.exe (PID 2772; command line C:\Windows\system32\Dphmiokb.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
55. C:\Windows\SysWOW64\Dcgiejje.exe (PID 2632; command line C:\Windows\system32\Dcgiejje.exe)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Dajiag32.exe (PID 2548; command line C:\Windows\system32\Dajiag32.exe)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Deeeafii.exe (PID 2576; command line C:\Windows\system32\Deeeafii.exe)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Dhcanahm.exe (PID 2952; command line C:\Windows\system32\Dhcanahm.exe)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Dlomnp32.exe (PID 2300; command line C:\Windows\system32\Dlomnp32.exe)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Donijk32.exe (PID 2316; command line C:\Windows\system32\Donijk32.exe)
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Dciekjhc.exe (PID 1704; command line C:\Windows\system32\Dciekjhc.exe)
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Degage32.exe (PID 2000; command line C:\Windows\system32\Degage32.exe)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Ddjbbbna.exe (PID 2236; command line C:\Windows\system32\Ddjbbbna.exe)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Dhfnca32.exe (PID 1264; command line C:\Windows\system32\Dhfnca32.exe)
   - Executes dropped EXE
   - Modifies registry class
65. C:\Windows\SysWOW64\Dkdjol32.exe (PID 932; command line C:\Windows\system32\Dkdjol32.exe)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Dopfpkng.exe (PID 1332; command line C:\Windows\system32\Dopfpkng.exe)
67. C:\Windows\SysWOW64\Dnbfkh32.exe (PID 2204; command line C:\Windows\system32\Dnbfkh32.exe)
68. C:\Windows\SysWOW64\Dejnme32.exe (PID 700; command line C:\Windows\system32\Dejnme32.exe)
69. C:\Windows\SysWOW64\Dhhkiq32.exe (PID 1968; command line C:\Windows\system32\Dhhkiq32.exe)
70. C:\Windows\SysWOW64\Dgkkdnkb.exe (PID 2516; command line C:\Windows\system32\Dgkkdnkb.exe)
71. C:\Windows\SysWOW64\Dobcekld.exe (PID 2732; command line C:\Windows\system32\Dobcekld.exe)
72. C:\Windows\SysWOW64\Daqoafkh.exe (PID 2624; command line C:\Windows\system32\Daqoafkh.exe)
73. C:\Windows\SysWOW64\Epcomc32.exe (PID 2664; command line C:\Windows\system32\Epcomc32.exe)
74. C:\Windows\SysWOW64\Ehkgnpbe.exe (PID 1816; command line C:\Windows\system32\Ehkgnpbe.exe)
75. C:\Windows\SysWOW64\Egmhjm32.exe (PID 1768; command line C:\Windows\system32\Egmhjm32.exe)
76. C:\Windows\SysWOW64\Ejldfh32.exe (PID 2944; command line C:\Windows\system32\Ejldfh32.exe)
77. C:\Windows\SysWOW64\Engpfgql.exe (PID 2392; command line C:\Windows\system32\Engpfgql.exe)
78. C:\Windows\SysWOW64\Epflbbpp.exe (PID 2464; command line C:\Windows\system32\Epflbbpp.exe)
   - System Location Discovery: System Language Discovery
79. C:\Windows\SysWOW64\Edahca32.exe (PID 952; command line C:\Windows\system32\Edahca32.exe)
80. C:\Windows\SysWOW64\Egpdom32.exe (PID 2176; command line C:\Windows\system32\Egpdom32.exe)
   - System Location Discovery: System Language Discovery
81. C:\Windows\SysWOW64\Ekkppkpf.exe (PID 2440; command line C:\Windows\system32\Ekkppkpf.exe)
   - System Location Discovery: System Language Discovery
82. C:\Windows\SysWOW64\Enjmlgoj.exe (PID 1840; command line C:\Windows\system32\Enjmlgoj.exe)
83. C:\Windows\SysWOW64\Elmmhc32.exe (PID 1732; command line C:\Windows\system32\Elmmhc32.exe)
84. C:\Windows\SysWOW64\Ephihbnm.exe (PID 1652; command line C:\Windows\system32\Ephihbnm.exe)
85. C:\Windows\SysWOW64\Eddeia32.exe (PID 2692; command line C:\Windows\system32\Eddeia32.exe)
   - System Location Discovery: System Language Discovery
86. C:\Windows\SysWOW64\Egbaelej.exe (PID 2744; command line C:\Windows\system32\Egbaelej.exe)
87. C:\Windows\SysWOW64\Ejqmahdn.exe (PID 2764; command line C:\Windows\system32\Ejqmahdn.exe)
88. C:\Windows\SysWOW64\Eloimcca.exe (PID 2672; command line C:\Windows\system32\Eloimcca.exe)
   - System Location Discovery: System Language Discovery
89. C:\Windows\SysWOW64\Ehfjbd32.exe (PID 2616; command line C:\Windows\system32\Ehfjbd32.exe)
90. C:\Windows\SysWOW64\Elafbcao.exe (PID 1272; command line C:\Windows\system32\Elafbcao.exe)
91. C:\Windows\SysWOW64\Eopbooqb.exe (PID 2508; command line C:\Windows\system32\Eopbooqb.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
92. C:\Windows\SysWOW64\Ebnokjpf.exe (PID 1676; command line C:\Windows\system32\Ebnokjpf.exe)
   - System Location Discovery: System Language Discovery
93. C:\Windows\SysWOW64\Efjklh32.exe (PID 1632; command line C:\Windows\system32\Efjklh32.exe)
   - Modifies registry class
94. C:\Windows\SysWOW64\Ehhghdgc.exe (PID 1092; command line C:\Windows\system32\Ehhghdgc.exe)
95. C:\Windows\SysWOW64\Fmcchb32.exe (PID 2172; command line C:\Windows\system32\Fmcchb32.exe)
96. C:\Windows\SysWOW64\Fobodn32.exe (PID 568; command line C:\Windows\system32\Fobodn32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
97. C:\Windows\SysWOW64\Fcnkemgi.exe (PID 1516; command line C:\Windows\system32\Fcnkemgi.exe)
   - System Location Discovery: System Language Discovery
   - Modifies registry class
98. C:\Windows\SysWOW64\Fflgahfm.exe (PID 2128; command line C:\Windows\system32\Fflgahfm.exe)
99. C:\Windows\SysWOW64\Fdohme32.exe (PID 604; command line C:\Windows\system32\Fdohme32.exe)
100. C:\Windows\SysWOW64\Fhjcmcep.exe (PID 2752; command line C:\Windows\system32\Fhjcmcep.exe)
101. C:\Windows\SysWOW64\Fkipiodd.exe (PID 2808; command line C:\Windows\system32\Fkipiodd.exe)
102. C:\Windows\SysWOW64\Fnglekch.exe (PID 1552; command line C:\Windows\system32\Fnglekch.exe)
103. C:\Windows\SysWOW64\Fbchfi32.exe (PID 2348; command line C:\Windows\system32\Fbchfi32.exe)
104. C:\Windows\SysWOW64\Fdadbd32.exe (PID 2968; command line C:\Windows\system32\Fdadbd32.exe)
105. C:\Windows\SysWOW64\Fgpqnpjh.exe (PID 1904; command line C:\Windows\system32\Fgpqnpjh.exe)
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
106. C:\Windows\SysWOW64\Fkkmoo32.exe (PID 784; command line C:\Windows\system32\Fkkmoo32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
107. C:\Windows\SysWOW64\Fniikj32.exe (PID 2788; command line C:\Windows\system32\Fniikj32.exe)
108. C:\Windows\SysWOW64\Fbeeliin.exe (PID 912; command line C:\Windows\system32\Fbeeliin.exe)
109. C:\Windows\SysWOW64\Fdcahdib.exe (PID 1232; command line C:\Windows\system32\Fdcahdib.exe)
110. C:\Windows\SysWOW64\Fgbmdphe.exe (PID 1828; command line C:\Windows\system32\Fgbmdphe.exe)
   - Modifies registry class
111. C:\Windows\SysWOW64\Fknido32.exe (PID 2728; command line C:\Windows\system32\Fknido32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
112. C:\Windows\SysWOW64\Fjpipkgi.exe (PID 2888; command line C:\Windows\system32\Fjpipkgi.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Fnleqj32.exe (PID 2676; command line C:\Windows\system32\Fnleqj32.exe)
114. C:\Windows\SysWOW64\Fqjbme32.exe (PID 2092; command line C:\Windows\system32\Fqjbme32.exe)
115. C:\Windows\SysWOW64\Fcinia32.exe (PID 2292; command line C:\Windows\system32\Fcinia32.exe)
116. C:\Windows\SysWOW64\Fkpfjnnl.exe (PID 2980; command line C:\Windows\system32\Fkpfjnnl.exe)
117. C:\Windows\SysWOW64\Fjbfek32.exe (PID 2076; command line C:\Windows\system32\Fjbfek32.exe)
118. C:\Windows\SysWOW64\Fmabaf32.exe (PID 924; command line C:\Windows\system32\Fmabaf32.exe)
   - Modifies registry class
119. C:\Windows\SysWOW64\Fehjcc32.exe (PID 1648; command line C:\Windows\system32\Fehjcc32.exe)
   - System Location Discovery: System Language Discovery
120. C:\Windows\SysWOW64\Gckknqkg.exe (PID 2836; command line C:\Windows\system32\Gckknqkg.exe)
   - Modifies registry class
121. C:\Windows\SysWOW64\Ggfgoo32.exe (PID 2708; command line C:\Windows\system32\Ggfgoo32.exe)
122. C:\Windows\SysWOW64\Gjeckk32.exe (PID 2620; command line C:\Windows\system32\Gjeckk32.exe)
   - System Location Discovery: System Language Discovery