Analysis
max time kernel: 113s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2024, 09:24
Static task: static1
Behavioral task: behavioral1 (Sample: 79f10b31ba2ab58cf31a6166495deb60N.exe, Resource: win7-20240729-en)
Behavioral task: behavioral2 (Sample: 79f10b31ba2ab58cf31a6166495deb60N.exe, Resource: win10v2004-20240802-en)
General
Target: 79f10b31ba2ab58cf31a6166495deb60N.exe
Size: 406KB
MD5: 79f10b31ba2ab58cf31a6166495deb60
SHA1: b8ef32bf0e8bb969ddadbc39405244c88f0423c6
SHA256: e8f240a53d3a7701b1066b73432e6df6b04abdaeb64318ae28160ba3f2a113f1
SHA512: 380473f70cce01b30e19092f71d6cdfad1e78eb94068378642126ef3f483b1de6bc18a6a39ce3552cc996b8c00b1376f3ea622d8796ce6810e00452f7a549ef6
SSDEEP: 6144:YpnryVy1fU5U5Xj1XH5U5Xj83XH5U1XH5U5Xj8s5DXH5U5qXH5XXH5U5oXH:sCMp3Ma3M3MvD3Mq3B3Mo3
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Caafop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daobpnoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkecjajp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipcmpc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbqfld32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nilimgci.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epglgjbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oomkpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpfbpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gplnigpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbqfld32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efnpcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dameknaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pijene32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejgpom32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmomdpkk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdmebp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhmknn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgpkikbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Negjfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efqdcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhgfnfjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pagfhgba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpnmknlk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iglobgoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ciljcbij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnpgiipc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lapojmeo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oegcmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emooag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfglqjak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffipol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfghfgpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccpbkk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efqdcd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibgcef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oielcfko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckhcpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djbfcnfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiokcdhd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmoqobmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgakek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfgame32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmdofmic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Faddbkmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnmbipln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkencj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcfhlj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dajien32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jiogcn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daobpnoo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llnmfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjhcbb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oloodb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdmpiq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkcahfla.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmejnacf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dajien32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ephabclf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmchlfeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdipdobg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdglfmfg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhgfnfjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llnmfg32.exe
Executes dropped EXE 64 IoCs
pid | Process
4612 | Bgakek32.exe
2352 | Bichmcae.exe
4596 | Bqjpnqag.exe
3664 | Cgdhkk32.exe
1144 | Cfghfgpo.exe
1520 | Ciedbcob.exe
2620 | Calldppd.exe
3992 | Cgfdqjga.exe
4104 | Cjeamffe.exe
4188 | Cmcmiaei.exe
3088 | Cpaiemdl.exe
5092 | Cgiafjeo.exe
3916 | Cflaag32.exe
4916 | Cjgnbedb.exe
1908 | Cmejnacf.exe
2276 | Caafop32.exe
4336 | Cpdfjlbj.exe
5000 | Ccpbkk32.exe
4856 | Cgknlj32.exe
2644 | Cfnngfjf.exe
2988 | Ciljcbij.exe
2072 | Cacbdoil.exe
1136 | Cpfbpl32.exe
932 | Ccboqkhp.exe
2284 | Cgmkai32.exe
1524 | Cjlgme32.exe
4972 | Cmjcip32.exe
3040 | Cafojogj.exe
1624 | Dcdkfjfm.exe
232 | Dgpggiof.exe
4368 | Dfbhbf32.exe
224 | Djnccdnj.exe
744 | Diadna32.exe
452 | Dmmpopmn.exe
2528 | Dpklkkla.exe
4492 | Dcfhlj32.exe
1196 | Dgbdlimd.exe
3240 | Dfedhe32.exe
2700 | Dicqda32.exe
2080 | Dmomdpkk.exe
4376 | Dajien32.exe
2996 | Dpmiqkjo.exe
560 | Dcieaj32.exe
1664 | Dfgame32.exe
4176 | Dfgame32.exe
4984 | Djcmnd32.exe
4580 | Diemiqqp.exe
1852 | Dameknaa.exe
4440 | Dppefk32.exe
3744 | Dckagiqe.exe
4024 | Dhgngh32.exe
2192 | Djejcc32.exe
3692 | Dihjopom.exe
5024 | Dmcfpo32.exe
2904 | Daobpnoo.exe
1984 | Dpbblj32.exe
1700 | Ddnnlinc.exe
3972 | Dfljhdnf.exe
4044 | Djgfic32.exe
804 | Dijgdpmj.exe
4520 | Dmfceoec.exe
3032 | Epdoajdg.exe
4588 | Edpkbi32.exe
2212 | Efngnd32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Mhqnog32.dll | Dijgdpmj.exe
File created | C:\Windows\SysWOW64\Npojbnma.dll | Epdoajdg.exe
File created | C:\Windows\SysWOW64\Naealjbg.exe | Nofepocc.exe
File created | C:\Windows\SysWOW64\Nbdmfmjj.exe | Nkmedp32.exe
File created | C:\Windows\SysWOW64\Pkpkam32.exe | Pagfhgba.exe
File opened for modification | C:\Windows\SysWOW64\Gdfcoo32.exe | Gmmkbemm.exe
File created | C:\Windows\SysWOW64\Gfglqjak.exe | Gdipdobg.exe
File opened for modification | C:\Windows\SysWOW64\Cacbdoil.exe | Ciljcbij.exe
File opened for modification | C:\Windows\SysWOW64\Lnhpgcnf.exe | Lkickgob.exe
File created | C:\Windows\SysWOW64\Ocblhj32.dll | Mjhcbb32.exe
File created | C:\Windows\SysWOW64\Nogena32.dll | Nbmgenpa.exe
File created | C:\Windows\SysWOW64\Bffmhlhe.dll | Dpakad32.exe
File created | C:\Windows\SysWOW64\Koghon32.dll | Elobgdbj.exe
File created | C:\Windows\SysWOW64\Mfohdamk.dll | Ffnijlje.exe
File created | C:\Windows\SysWOW64\Ciljcbij.exe | Cfnngfjf.exe
File created | C:\Windows\SysWOW64\Onioknhb.dll | Nabdfjdj.exe
File created | C:\Windows\SysWOW64\Hppipnji.exe | Hmamdbke.exe
File created | C:\Windows\SysWOW64\Fkmikpcg.exe | Fhnmoedd.exe
File created | C:\Windows\SysWOW64\Eimcjp32.exe | Efngnd32.exe
File opened for modification | C:\Windows\SysWOW64\Edbhgh32.exe | Epglgjbd.exe
File created | C:\Windows\SysWOW64\Dlcehe32.dll | Igpbbm32.exe
File created | C:\Windows\SysWOW64\Ibjpkeml.exe | Ijbhjhlj.exe
File created | C:\Windows\SysWOW64\Nilpgk32.dll | Dfbhbf32.exe
File opened for modification | C:\Windows\SysWOW64\Mnmbipln.exe | Mipiaimf.exe
File created | C:\Windows\SysWOW64\Dmomdpkk.exe | Dicqda32.exe
File created | C:\Windows\SysWOW64\Niipebej.dll | Bcledg32.exe
File opened for modification | C:\Windows\SysWOW64\Dhgngh32.exe | Dckagiqe.exe
File created | C:\Windows\SysWOW64\Jiogcn32.exe | Jqhpbq32.exe
File created | C:\Windows\SysWOW64\Ggjapi32.dll | Kifndm32.exe
File created | C:\Windows\SysWOW64\Icofliil.exe | Hppipnji.exe
File created | C:\Windows\SysWOW64\Pchfbd32.dll | Djnccdnj.exe
File opened for modification | C:\Windows\SysWOW64\Oloodb32.exe | Oiqbhg32.exe
File opened for modification | C:\Windows\SysWOW64\Alpqbnbb.exe | Acglih32.exe
File created | C:\Windows\SysWOW64\Hgafaoml.exe | Hpgnde32.exe
File created | C:\Windows\SysWOW64\Oobdkmif.exe | Olchoajb.exe
File opened for modification | C:\Windows\SysWOW64\Kkejph32.exe | Kifndm32.exe
File created | C:\Windows\SysWOW64\Emklpn32.exe | Efqdcd32.exe
File opened for modification | C:\Windows\SysWOW64\Dpklkkla.exe | Dmmpopmn.exe
File created | C:\Windows\SysWOW64\Iikink32.dll | Jbqfld32.exe
File created | C:\Windows\SysWOW64\Ldojggpb.dll | Dfgame32.exe
File created | C:\Windows\SysWOW64\Ikjgie32.exe | Ipeckm32.exe
File created | C:\Windows\SysWOW64\Kepjpn32.dll | Fpehhh32.exe
File created | C:\Windows\SysWOW64\Nbkkpnbd.exe | Noooop32.exe
File created | C:\Windows\SysWOW64\Gglelj32.exe | Gdnipn32.exe
File created | C:\Windows\SysWOW64\Djnccdnj.exe | Dfbhbf32.exe
File created | C:\Windows\SysWOW64\Bkqngbid.dll | Laihinkg.exe
File created | C:\Windows\SysWOW64\Klobmc32.dll | Gmmkbemm.exe
File created | C:\Windows\SysWOW64\Kkgffh32.exe | Kbobmbjd.exe
File opened for modification | C:\Windows\SysWOW64\Dmqbpiem.exe | Djbfcnfi.exe
File created | C:\Windows\SysWOW64\Ohafndha.exe | Oinfbg32.exe
File created | C:\Windows\SysWOW64\Mpcanc32.dll | Mhjgfg32.exe
File opened for modification | C:\Windows\SysWOW64\Naealjbg.exe | Nofepocc.exe
File opened for modification | C:\Windows\SysWOW64\Ejgpom32.exe | Dpakad32.exe
File opened for modification | C:\Windows\SysWOW64\Hgqogiip.exe | Hpggjobc.exe
File created | C:\Windows\SysWOW64\Cjeamffe.exe | Cgfdqjga.exe
File created | C:\Windows\SysWOW64\Lipqjk32.exe | Laihinkg.exe
File created | C:\Windows\SysWOW64\Nofepocc.exe | Nkkiop32.exe
File created | C:\Windows\SysWOW64\Acpfhi32.exe | Qeleoe32.exe
File opened for modification | C:\Windows\SysWOW64\Igdknmmf.exe | Ibgcef32.exe
File opened for modification | C:\Windows\SysWOW64\Ecfjhabl.exe | Elobgdbj.exe
File created | C:\Windows\SysWOW64\Oclpomkh.dll | Hpnmknlk.exe
File created | C:\Windows\SysWOW64\Ifpjpjlc.dll | Ikfnnf32.exe
File created | C:\Windows\SysWOW64\Opgmijml.dll | Jhknhona.exe
File opened for modification | C:\Windows\SysWOW64\Dmcoei32.exe | Djdcim32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
9400 | 10224 | WerFault.exe | 467
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbabed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emghphoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcieaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epglgjbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efqdcd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neigljah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbpdkn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmamdbke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edbhgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmmbmkqi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idaffb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boecoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpohbbfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiokcdhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhicde32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gikibk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhhacopd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llnmfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Migfkjea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmcoei32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emelkh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmhagf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Calldppd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnhhnq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acpfhi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfokkbbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmnmcl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkflaokm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbdmfmjj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Negjfj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkkiop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ephabclf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfedhe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfgame32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibgcef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjjnjg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbaobb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejpbel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epfelcni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efbjom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkcahfla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpaiemdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Laflcomj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjhcbb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dibjik32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djbfcnfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Infgoa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Niilghel.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pichdd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nljeicbm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgakek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dppefk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgcjpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbddoohl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbhnjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjgnbedb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbmgenpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nilimgci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cacbdoil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdmebp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkejph32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okbopoeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emlbkg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejnfol32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ggjpqpcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jiogcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lojaaciq.dll" | Ckcjdhjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmchlfeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klobmc32.dll" | Gmmkbemm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Epihli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnhhnq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fajaehpa.dll" | Mbhnjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhicep32.dll" | Fflmel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijiecide.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ipcmpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldojggpb.dll" | Dfgame32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfekc32.dll" | Okbopoeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmopn32.dll" | Hkadbgnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcpkcmmg.dll" | Icofliil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djejcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iqhfkcgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppndq32.dll" | Pciphjga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckcjdhjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjaa32.dll" | Cgmkai32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnjlmblc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Okpbjoge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okflll32.dll" | Hiokcdhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikink32.dll" | Jbqfld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llnmfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbafo32.dll" | Ejgpom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gifhmfqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikfnnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpniea32.dll" | Dihjopom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hplgpdaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnmibb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdfcoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pijene32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbehfa32.dll" | Dkafef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpoolddq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjdnnfn.dll" | Gdfcoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emoekm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcpaomp.dll" | Knaigd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lgngki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Okdleo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npacpejf.dll" | Einiei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbggelmg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gppqip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknohmop.dll" | Dckagiqe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igpbbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lambdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ooknkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgakek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ingnjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmopljd.dll" | Nbkkpnbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpnmknlk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjgnbedb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hiokcdhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hanpoggj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbobppbf.dll" | Cmjcip32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Keheno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efnpcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgqogiip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfkhdhc.dll" | Ggjpqpcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjghnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjcodl32.dll" | Okpbjoge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oobdkmif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epfelcni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fmjnme32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2244 wrote to memory of 4612 | 2244 | 79f10b31ba2ab58cf31a6166495deb60N.exe | 84
PID 2244 wrote to memory of 4612 | 2244 | 79f10b31ba2ab58cf31a6166495deb60N.exe | 84
PID 2244 wrote to memory of 4612 | 2244 | 79f10b31ba2ab58cf31a6166495deb60N.exe | 84
PID 4612 wrote to memory of 2352 | 4612 | Bgakek32.exe | 86
PID 4612 wrote to memory of 2352 | 4612 | Bgakek32.exe | 86
PID 4612 wrote to memory of 2352 | 4612 | Bgakek32.exe | 86
PID 2352 wrote to memory of 4596 | 2352 | Bichmcae.exe | 87
PID 2352 wrote to memory of 4596 | 2352 | Bichmcae.exe | 87
PID 2352 wrote to memory of 4596 | 2352 | Bichmcae.exe | 87
PID 4596 wrote to memory of 3664 | 4596 | Bqjpnqag.exe | 88
PID 4596 wrote to memory of 3664 | 4596 | Bqjpnqag.exe | 88
PID 4596 wrote to memory of 3664 | 4596 | Bqjpnqag.exe | 88
PID 3664 wrote to memory of 1144 | 3664 | Cgdhkk32.exe | 89
PID 3664 wrote to memory of 1144 | 3664 | Cgdhkk32.exe | 89
PID 3664 wrote to memory of 1144 | 3664 | Cgdhkk32.exe | 89
PID 1144 wrote to memory of 1520 | 1144 | Cfghfgpo.exe | 90
PID 1144 wrote to memory of 1520 | 1144 | Cfghfgpo.exe | 90
PID 1144 wrote to memory of 1520 | 1144 | Cfghfgpo.exe | 90
PID 1520 wrote to memory of 2620 | 1520 | Ciedbcob.exe | 91
PID 1520 wrote to memory of 2620 | 1520 | Ciedbcob.exe | 91
PID 1520 wrote to memory of 2620 | 1520 | Ciedbcob.exe | 91
PID 2620 wrote to memory of 3992 | 2620 | Calldppd.exe | 92
PID 2620 wrote to memory of 3992 | 2620 | Calldppd.exe | 92
PID 2620 wrote to memory of 3992 | 2620 | Calldppd.exe | 92
PID 3992 wrote to memory of 4104 | 3992 | Cgfdqjga.exe | 93
PID 3992 wrote to memory of 4104 | 3992 | Cgfdqjga.exe | 93
PID 3992 wrote to memory of 4104 | 3992 | Cgfdqjga.exe | 93
PID 4104 wrote to memory of 4188 | 4104 | Cjeamffe.exe | 94
PID 4104 wrote to memory of 4188 | 4104 | Cjeamffe.exe | 94
PID 4104 wrote to memory of 4188 | 4104 | Cjeamffe.exe | 94
PID 4188 wrote to memory of 3088 | 4188 | Cmcmiaei.exe | 95
PID 4188 wrote to memory of 3088 | 4188 | Cmcmiaei.exe | 95
PID 4188 wrote to memory of 3088 | 4188 | Cmcmiaei.exe | 95
PID 3088 wrote to memory of 5092 | 3088 | Cpaiemdl.exe | 96
PID 3088 wrote to memory of 5092 | 3088 | Cpaiemdl.exe | 96
PID 3088 wrote to memory of 5092 | 3088 | Cpaiemdl.exe | 96
PID 5092 wrote to memory of 3916 | 5092 | Cgiafjeo.exe | 97
PID 5092 wrote to memory of 3916 | 5092 | Cgiafjeo.exe | 97
PID 5092 wrote to memory of 3916 | 5092 | Cgiafjeo.exe | 97
PID 3916 wrote to memory of 4916 | 3916 | Cflaag32.exe | 98
PID 3916 wrote to memory of 4916 | 3916 | Cflaag32.exe | 98
PID 3916 wrote to memory of 4916 | 3916 | Cflaag32.exe | 98
PID 4916 wrote to memory of 1908 | 4916 | Cjgnbedb.exe | 99
PID 4916 wrote to memory of 1908 | 4916 | Cjgnbedb.exe | 99
PID 4916 wrote to memory of 1908 | 4916 | Cjgnbedb.exe | 99
PID 1908 wrote to memory of 2276 | 1908 | Cmejnacf.exe | 100
PID 1908 wrote to memory of 2276 | 1908 | Cmejnacf.exe | 100
PID 1908 wrote to memory of 2276 | 1908 | Cmejnacf.exe | 100
PID 2276 wrote to memory of 4336 | 2276 | Caafop32.exe | 101
PID 2276 wrote to memory of 4336 | 2276 | Caafop32.exe | 101
PID 2276 wrote to memory of 4336 | 2276 | Caafop32.exe | 101
PID 4336 wrote to memory of 5000 | 4336 | Cpdfjlbj.exe | 102
PID 4336 wrote to memory of 5000 | 4336 | Cpdfjlbj.exe | 102
PID 4336 wrote to memory of 5000 | 4336 | Cpdfjlbj.exe | 102
PID 5000 wrote to memory of 4856 | 5000 | Ccpbkk32.exe | 103
PID 5000 wrote to memory of 4856 | 5000 | Ccpbkk32.exe | 103
PID 5000 wrote to memory of 4856 | 5000 | Ccpbkk32.exe | 103
PID 4856 wrote to memory of 2644 | 4856 | Cgknlj32.exe | 104
PID 4856 wrote to memory of 2644 | 4856 | Cgknlj32.exe | 104
PID 4856 wrote to memory of 2644 | 4856 | Cgknlj32.exe | 104
PID 2644 wrote to memory of 2988 | 2644 | Cfnngfjf.exe | 105
PID 2644 wrote to memory of 2988 | 2644 | Cfnngfjf.exe | 105
PID 2644 wrote to memory of 2988 | 2644 | Cfnngfjf.exe | 105
PID 2988 wrote to memory of 2072 | 2988 | Ciljcbij.exe | 106
Processes
level 1: C:\Users\Admin\AppData\Local\Temp\79f10b31ba2ab58cf31a6166495deb60N.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\79f10b31ba2ab58cf31a6166495deb60N.exe" | PID:2244
  - Suspicious use of WriteProcessMemory
level 2: C:\Windows\SysWOW64\Bgakek32.exe | cmdline: C:\Windows\system32\Bgakek32.exe | PID:4612
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
level 3: C:\Windows\SysWOW64\Bichmcae.exe | cmdline: C:\Windows\system32\Bichmcae.exe | PID:2352
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 4: C:\Windows\SysWOW64\Bqjpnqag.exe | cmdline: C:\Windows\system32\Bqjpnqag.exe | PID:4596
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 5: C:\Windows\SysWOW64\Cgdhkk32.exe | cmdline: C:\Windows\system32\Cgdhkk32.exe | PID:3664
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 6: C:\Windows\SysWOW64\Cfghfgpo.exe | cmdline: C:\Windows\system32\Cfghfgpo.exe | PID:1144
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 7: C:\Windows\SysWOW64\Ciedbcob.exe | cmdline: C:\Windows\system32\Ciedbcob.exe | PID:1520
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 8: C:\Windows\SysWOW64\Calldppd.exe | cmdline: C:\Windows\system32\Calldppd.exe | PID:2620
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 9: C:\Windows\SysWOW64\Cgfdqjga.exe | cmdline: C:\Windows\system32\Cgfdqjga.exe | PID:3992
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
level 10: C:\Windows\SysWOW64\Cjeamffe.exe | cmdline: C:\Windows\system32\Cjeamffe.exe | PID:4104
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 11: C:\Windows\SysWOW64\Cmcmiaei.exe | cmdline: C:\Windows\system32\Cmcmiaei.exe | PID:4188
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 12: C:\Windows\SysWOW64\Cpaiemdl.exe | cmdline: C:\Windows\system32\Cpaiemdl.exe | PID:3088
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 13: C:\Windows\SysWOW64\Cgiafjeo.exe | cmdline: C:\Windows\system32\Cgiafjeo.exe | PID:5092
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 14: C:\Windows\SysWOW64\Cflaag32.exe | cmdline: C:\Windows\system32\Cflaag32.exe | PID:3916
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 15: C:\Windows\SysWOW64\Cjgnbedb.exe | cmdline: C:\Windows\system32\Cjgnbedb.exe | PID:4916
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
level 16: C:\Windows\SysWOW64\Cmejnacf.exe | cmdline: C:\Windows\system32\Cmejnacf.exe | PID:1908
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 17: C:\Windows\SysWOW64\Caafop32.exe | cmdline: C:\Windows\system32\Caafop32.exe | PID:2276
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 18: C:\Windows\SysWOW64\Cpdfjlbj.exe | cmdline: C:\Windows\system32\Cpdfjlbj.exe | PID:4336
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 19: C:\Windows\SysWOW64\Ccpbkk32.exe | cmdline: C:\Windows\system32\Ccpbkk32.exe | PID:5000
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 20: C:\Windows\SysWOW64\Cgknlj32.exe | cmdline: C:\Windows\system32\Cgknlj32.exe | PID:4856
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 21: C:\Windows\SysWOW64\Cfnngfjf.exe | cmdline: C:\Windows\system32\Cfnngfjf.exe | PID:2644
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
level 22: C:\Windows\SysWOW64\Ciljcbij.exe | cmdline: C:\Windows\system32\Ciljcbij.exe | PID:2988
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
level 23: C:\Windows\SysWOW64\Cacbdoil.exe | cmdline: C:\Windows\system32\Cacbdoil.exe | PID:2072
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
level 24: C:\Windows\SysWOW64\Cpfbpl32.exe | cmdline: C:\Windows\system32\Cpfbpl32.exe | PID:1136
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 25: C:\Windows\SysWOW64\Ccboqkhp.exe | cmdline: C:\Windows\system32\Ccboqkhp.exe | PID:932
  - Executes dropped EXE
level 26: C:\Windows\SysWOW64\Cgmkai32.exe | cmdline: C:\Windows\system32\Cgmkai32.exe | PID:2284
  - Executes dropped EXE
  - Modifies registry class
level 27: C:\Windows\SysWOW64\Cjlgme32.exe | cmdline: C:\Windows\system32\Cjlgme32.exe | PID:1524
  - Executes dropped EXE
level 28: C:\Windows\SysWOW64\Cmjcip32.exe | cmdline: C:\Windows\system32\Cmjcip32.exe | PID:4972
  - Executes dropped EXE
  - Modifies registry class
level 29: C:\Windows\SysWOW64\Cafojogj.exe | cmdline: C:\Windows\system32\Cafojogj.exe | PID:3040
  - Executes dropped EXE
level 30: C:\Windows\SysWOW64\Dcdkfjfm.exe | cmdline: C:\Windows\system32\Dcdkfjfm.exe | PID:1624
  - Executes dropped EXE
level 31: C:\Windows\SysWOW64\Dgpggiof.exe | cmdline: C:\Windows\system32\Dgpggiof.exe | PID:232
  - Executes dropped EXE
level 32: C:\Windows\SysWOW64\Dfbhbf32.exe | cmdline: C:\Windows\system32\Dfbhbf32.exe | PID:4368
  - Executes dropped EXE
  - Drops file in System32 directory
level 33: C:\Windows\SysWOW64\Djnccdnj.exe | cmdline: C:\Windows\system32\Djnccdnj.exe | PID:224
  - Executes dropped EXE
  - Drops file in System32 directory
level 34: C:\Windows\SysWOW64\Diadna32.exe | cmdline: C:\Windows\system32\Diadna32.exe | PID:744
  - Executes dropped EXE
level 35: C:\Windows\SysWOW64\Dmmpopmn.exe | cmdline: C:\Windows\system32\Dmmpopmn.exe | PID:452
  - Executes dropped EXE
  - Drops file in System32 directory
level 36: C:\Windows\SysWOW64\Dpklkkla.exe | cmdline: C:\Windows\system32\Dpklkkla.exe | PID:2528
  - Executes dropped EXE
level 37: C:\Windows\SysWOW64\Dcfhlj32.exe | cmdline: C:\Windows\system32\Dcfhlj32.exe | PID:4492
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 38: C:\Windows\SysWOW64\Dgbdlimd.exe | cmdline: C:\Windows\system32\Dgbdlimd.exe | PID:1196
  - Executes dropped EXE
level 39: C:\Windows\SysWOW64\Dfedhe32.exe | cmdline: C:\Windows\system32\Dfedhe32.exe | PID:3240
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
level 40: C:\Windows\SysWOW64\Dicqda32.exe | cmdline: C:\Windows\system32\Dicqda32.exe | PID:2700
  - Executes dropped EXE
  - Drops file in System32 directory
level 41: C:\Windows\SysWOW64\Dmomdpkk.exe | cmdline: C:\Windows\system32\Dmomdpkk.exe | PID:2080
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 42: C:\Windows\SysWOW64\Dajien32.exe | cmdline: C:\Windows\system32\Dajien32.exe | PID:4376
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 43: C:\Windows\SysWOW64\Dpmiqkjo.exe | cmdline: C:\Windows\system32\Dpmiqkjo.exe | PID:2996
  - Executes dropped EXE
level 44: C:\Windows\SysWOW64\Dcieaj32.exe | cmdline: C:\Windows\system32\Dcieaj32.exe | PID:560
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
level 45: C:\Windows\SysWOW64\Dfgame32.exe | cmdline: C:\Windows\system32\Dfgame32.exe | PID:1664
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
level 46: C:\Windows\SysWOW64\Dfgame32.exe | cmdline: C:\Windows\system32\Dfgame32.exe | PID:4176
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
level 47: C:\Windows\SysWOW64\Djcmnd32.exe | cmdline: C:\Windows\system32\Djcmnd32.exe | PID:4984
  - Executes dropped EXE
level 48: C:\Windows\SysWOW64\Diemiqqp.exe | cmdline: C:\Windows\system32\Diemiqqp.exe | PID:4580
  - Executes dropped EXE
level 49: C:\Windows\SysWOW64\Dameknaa.exe | cmdline: C:\Windows\system32\Dameknaa.exe | PID:1852
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 50: C:\Windows\SysWOW64\Dppefk32.exe | cmdline: C:\Windows\system32\Dppefk32.exe | PID:4440
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
level 51: C:\Windows\SysWOW64\Dckagiqe.exe | cmdline: C:\Windows\system32\Dckagiqe.exe | PID:3744
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
level 52: C:\Windows\SysWOW64\Dhgngh32.exe | cmdline: C:\Windows\system32\Dhgngh32.exe | PID:4024
  - Executes dropped EXE
level 53: C:\Windows\SysWOW64\Djejcc32.exe | cmdline: C:\Windows\system32\Djejcc32.exe | PID:2192
  - Executes dropped EXE
  - Modifies registry class
level 54: C:\Windows\SysWOW64\Dihjopom.exe | cmdline: C:\Windows\system32\Dihjopom.exe | PID:3692
  - Executes dropped EXE
  - Modifies registry class
level 55: C:\Windows\SysWOW64\Dmcfpo32.exe | cmdline: C:\Windows\system32\Dmcfpo32.exe | PID:5024
  - Executes dropped EXE
level 56: C:\Windows\SysWOW64\Daobpnoo.exe | cmdline: C:\Windows\system32\Daobpnoo.exe | PID:2904
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 57: C:\Windows\SysWOW64\Dpbblj32.exe | cmdline: C:\Windows\system32\Dpbblj32.exe | PID:1984
  - Executes dropped EXE
level 58: C:\Windows\SysWOW64\Ddnnlinc.exe | cmdline: C:\Windows\system32\Ddnnlinc.exe | PID:1700
  - Executes dropped EXE
level 59: C:\Windows\SysWOW64\Dfljhdnf.exe | cmdline: C:\Windows\system32\Dfljhdnf.exe | PID:3972
  - Executes dropped EXE
level 60: C:\Windows\SysWOW64\Djgfic32.exe | cmdline: C:\Windows\system32\Djgfic32.exe | PID:4044
  - Executes dropped EXE
level 61: C:\Windows\SysWOW64\Dijgdpmj.exe | cmdline: C:\Windows\system32\Dijgdpmj.exe | PID:804
  - Executes dropped EXE
  - Drops file in System32 directory
level 62: C:\Windows\SysWOW64\Dmfceoec.exe | cmdline: C:\Windows\system32\Dmfceoec.exe | PID:4520
  - Executes dropped EXE
level 63: C:\Windows\SysWOW64\Epdoajdg.exe | cmdline: C:\Windows\system32\Epdoajdg.exe | PID:3032
  - Executes dropped EXE
  - Drops file in System32 directory
level 64: C:\Windows\SysWOW64\Edpkbi32.exe | cmdline: C:\Windows\system32\Edpkbi32.exe | PID:4588
  - Executes dropped EXE
level 65: C:\Windows\SysWOW64\Efngnd32.exe | cmdline: C:\Windows\system32\Efngnd32.exe | PID:2212
  - Executes dropped EXE
  - Drops file in System32 directory
level 66: C:\Windows\SysWOW64\Eimcjp32.exe | cmdline: C:\Windows\system32\Eimcjp32.exe | PID:1820
level 67: C:\Windows\SysWOW64\Emhpkncq.exe | cmdline: C:\Windows\system32\Emhpkncq.exe | PID:212
level 68: C:\Windows\SysWOW64\Epglgjbd.exe | cmdline: C:\Windows\system32\Epglgjbd.exe | PID:1072
  - System Location Discovery: System Language Discovery
level 69: C:\Windows\SysWOW64\Epglgjbd.exe | cmdline: C:\Windows\system32\Epglgjbd.exe | PID:4412
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
level 70: C:\Windows\SysWOW64\Edbhgh32.exe | cmdline: C:\Windows\system32\Edbhgh32.exe | PID:4172
  - System Location Discovery: System Language Discovery
level 71: C:\Windows\SysWOW64\Ehnchgbf.exe | cmdline: C:\Windows\system32\Ehnchgbf.exe | PID:4064
level 72: C:\Windows\SysWOW64\Efqdcd32.exe | cmdline: C:\Windows\system32\Efqdcd32.exe | PID:4364
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
level 73: C:\Windows\SysWOW64\Emklpn32.exe | cmdline: C:\Windows\system32\Emklpn32.exe | PID:2608
level 74: C:\Windows\SysWOW64\Epihli32.exe | cmdline: C:\Windows\system32\Epihli32.exe | PID:4308
  - Modifies registry class
level 75: C:\Windows\SysWOW64\Emoekm32.exe | cmdline: C:\Windows\system32\Emoekm32.exe | PID:2628
  - Modifies registry class
level 76: C:\Windows\SysWOW64\Fhgfnfjl.exe | cmdline: C:\Windows\system32\Fhgfnfjl.exe | PID:3400
  - Adds autorun key to be loaded by Explorer.exe on startup
level 77: C:\Windows\SysWOW64\Fkecjajp.exe | cmdline: C:\Windows\system32\Fkecjajp.exe | PID:748
  - Adds autorun key to be loaded by Explorer.exe on startup
level 78: C:\Windows\SysWOW64\Fmdofmic.exe | cmdline: C:\Windows\system32\Fmdofmic.exe | PID:2760
  - Adds autorun key to be loaded by Explorer.exe on startup
level 79: C:\Windows\SysWOW64\Fpbkbhhg.exe | cmdline: C:\Windows\system32\Fpbkbhhg.exe | PID:3672
level 80: C:\Windows\SysWOW64\Fhicde32.exe | cmdline: C:\Windows\system32\Fhicde32.exe | PID:1776
  - System Location Discovery: System Language Discovery
level 81: C:\Windows\SysWOW64\Fpehhh32.exe | cmdline: C:\Windows\system32\Fpehhh32.exe | PID:2828
  - Drops file in System32 directory
level 82: C:\Windows\SysWOW64\Fhlpie32.exe | cmdline: C:\Windows\system32\Fhlpie32.exe | PID:4576
level 83: C:\Windows\SysWOW64\Fkjleq32.exe | cmdline: C:\Windows\system32\Fkjleq32.exe | PID:336
level 84: C:\Windows\SysWOW64\Fimlamle.exe | cmdline: C:\Windows\system32\Fimlamle.exe | PID:1420
level 85: C:\Windows\SysWOW64\Faddbkmg.exe | cmdline: C:\Windows\system32\Faddbkmg.exe | PID:1828
  - Adds autorun key to be loaded by Explorer.exe on startup
level 86: C:\Windows\SysWOW64\Fhnmoedd.exe | cmdline: C:\Windows\system32\Fhnmoedd.exe | PID:4636
  - Drops file in System32 directory
level 87: C:\Windows\SysWOW64\Fkmikpcg.exe | cmdline: C:\Windows\system32\Fkmikpcg.exe | PID:4536
level 88: C:\Windows\SysWOW64\Fmkeglbk.exe | cmdline: C:\Windows\system32\Fmkeglbk.exe | PID:4548
level 89: C:\Windows\SysWOW64\Fpiacgbo.exe | cmdline: C:\Windows\system32\Fpiacgbo.exe | PID:1556
level 90: C:\Windows\SysWOW64\Fgcjpa32.exe | cmdline: C:\Windows\system32\Fgcjpa32.exe | PID:4284
  - System Location Discovery: System Language Discovery
level 91: C:\Windows\SysWOW64\Fmmbmkqi.exe | cmdline: C:\Windows\system32\Fmmbmkqi.exe | PID:696
  - System Location Discovery: System Language Discovery
level 92: C:\Windows\SysWOW64\Gplnigpl.exe | cmdline: C:\Windows\system32\Gplnigpl.exe | PID:4192
  - Adds autorun key to be loaded by Explorer.exe on startup
level 93: C:\Windows\SysWOW64\Gkabfp32.exe | cmdline: C:\Windows\system32\Gkabfp32.exe | PID:2520
level 94: C:\Windows\SysWOW64\Gmpobk32.exe | cmdline: C:\Windows\system32\Gmpobk32.exe | PID:2232
level 95: C:\Windows\SysWOW64\Gakjcjgo.exe | cmdline: C:\Windows\system32\Gakjcjgo.exe | PID:2160
level 96: C:\Windows\SysWOW64\Gifogldj.exe | cmdline: C:\Windows\system32\Gifogldj.exe | PID:1112
level 97: C:\Windows\SysWOW64\Gdlcdedp.exe | cmdline: C:\Windows\system32\Gdlcdedp.exe | PID:1252
level 98: C:\Windows\SysWOW64\Ggjpqpcd.exe | cmdline: C:\Windows\system32\Ggjpqpcd.exe | PID:5148
  - Modifies registry class
level 99: C:\Windows\SysWOW64\Gkflaokm.exe | cmdline: C:\Windows\system32\Gkflaokm.exe | PID:5188
  - System Location Discovery: System Language Discovery
level 100: C:\Windows\SysWOW64\Gpcdifjd.exe | cmdline: C:\Windows\system32\Gpcdifjd.exe | PID:5240
level 101: C:\Windows\SysWOW64\Gikibk32.exe | cmdline: C:\Windows\system32\Gikibk32.exe | PID:5280
  - System Location Discovery: System Language Discovery
level 102: C:\Windows\SysWOW64\Gabqci32.exe | cmdline: C:\Windows\system32\Gabqci32.exe | PID:5316
level 103: C:\Windows\SysWOW64\Gdqmpd32.exe | cmdline: C:\Windows\system32\Gdqmpd32.exe | PID:5360
level 104: C:\Windows\SysWOW64\Hpgnde32.exe | cmdline: C:\Windows\system32\Hpgnde32.exe | PID:5408
  - Drops file in System32 directory
level 105: C:\Windows\SysWOW64\Hgafaoml.exe | cmdline: C:\Windows\system32\Hgafaoml.exe | PID:5460
level 106: C:\Windows\SysWOW64\Hkmbbn32.exe | cmdline: C:\Windows\system32\Hkmbbn32.exe | PID:5500
level 107: C:\Windows\SysWOW64\Hpjjje32.exe | cmdline: C:\Windows\system32\Hpjjje32.exe | PID:5544
level 108: C:\Windows\SysWOW64\Hgdbgoki.exe | cmdline: C:\Windows\system32\Hgdbgoki.exe | PID:5584
level 109: C:\Windows\SysWOW64\Hjbocjjm.exe | cmdline: C:\Windows\system32\Hjbocjjm.exe | PID:5628
level 110: C:\Windows\SysWOW64\Hplgpdaj.exe | cmdline: C:\Windows\system32\Hplgpdaj.exe | PID:5668
  - Modifies registry class
level 111: C:\Windows\SysWOW64\Hkakmmap.exe | cmdline: C:\Windows\system32\Hkakmmap.exe | PID:5716
level 112: C:\Windows\SysWOW64\Hnpgiipc.exe | cmdline: C:\Windows\system32\Hnpgiipc.exe | PID:5756
  - Adds autorun key to be loaded by Explorer.exe on startup
level 113: C:\Windows\SysWOW64\Hhelfapi.exe | cmdline: C:\Windows\system32\Hhelfapi.exe | PID:5800
level 114: C:\Windows\SysWOW64\Hjghnj32.exe | cmdline: C:\Windows\system32\Hjghnj32.exe | PID:5840
  - Modifies registry class
level 115: C:\Windows\SysWOW64\Hanpoggj.exe | cmdline: C:\Windows\system32\Hanpoggj.exe | PID:5880
  - Modifies registry class
level 116: C:\Windows\SysWOW64\Ijiecide.exe | cmdline: C:\Windows\system32\Ijiecide.exe | PID:5920
  - Modifies registry class
level 117: C:\Windows\SysWOW64\Ipcmpc32.exe | cmdline: C:\Windows\system32\Ipcmpc32.exe | PID:5960
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
level 118: C:\Windows\SysWOW64\Igmemnco.exe | cmdline: C:\Windows\system32\Igmemnco.exe | PID:6008
level 119: C:\Windows\SysWOW64\Ingnjh32.exe | cmdline: C:\Windows\system32\Ingnjh32.exe | PID:6044
  - Modifies registry class
level 120: C:\Windows\SysWOW64\Iqejfc32.exe | cmdline: C:\Windows\system32\Iqejfc32.exe | PID:6080
level 121: C:\Windows\SysWOW64\Idaffb32.exe | cmdline: C:\Windows\system32\Idaffb32.exe | PID:6124
  - System Location Discovery: System Language Discovery
level 122: C:\Windows\SysWOW64\Igpbbm32.exe | cmdline: C:\Windows\system32\Igpbbm32.exe | PID:5156
  - Drops file in System32 directory
  - Modifies registry class