Analysis
-
max time kernel
110s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/08/2024, 20:13
Static task
static1
Behavioral task
behavioral1
Sample
ff0b1989d9113ccfc424c697e044d710N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ff0b1989d9113ccfc424c697e044d710N.exe
Resource
win10v2004-20240802-en
General
-
Target
ff0b1989d9113ccfc424c697e044d710N.exe
-
Size
768KB
-
MD5
ff0b1989d9113ccfc424c697e044d710
-
SHA1
7e02199568d8a72dd2a78707a206e47dca395ac8
-
SHA256
e79dcda6b5471af4ce49b067fd4e217f9c8d66e164f0177d384b61a9cd2f2d02
-
SHA512
8902ba6411b2d271e138ded571f9942d851bf2680303d3163e27d26ad6cae480d5f29ffe5e00c73a5824564278d8d4ebee5a291af5e314374f8ef3723d00e8ea
-
SSDEEP
12288:Z7UPNv86IvYvc6IveDVqvQ6IvTPh2kkkkK4kXkkkkkkkkl88888888888888888A:Z733q5hPPh2kkkkK4kXkkkkkkkkH
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqjcabej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcbadda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdkfjfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkgbgdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edbhgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhcoabbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdhbmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggjpqpcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfdhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keheno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjijhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmikpcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghecpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifogldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdlcdedp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnccdnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnkcibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqdkfpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlgme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmfceoec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehnchgbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgopebma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halcjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggmlfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikmkilgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inlgegff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diadna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpklkkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmbmkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcfjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiffpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfhlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkgbgdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgpkikbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdfhho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiogcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bichmcae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccboqkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgdng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdjimqjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgfnfjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmbmkqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidbalfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhfdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpklkkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfhlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfceoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edpkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplgpdaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqhfkcgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnjcfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfghfgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmdofmic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhhgoij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcfealb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlkpgdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhabkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkanl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkndpi32.exe -
Executes dropped EXE 64 IoCs
pid Process 704 Bichmcae.exe 696 Cfghfgpo.exe 4596 Cpomom32.exe 4544 Cfielg32.exe 4064 Ccmeek32.exe 1324 Cjgnbedb.exe 768 Cijnnb32.exe 532 Caafop32.exe 4216 Cpdfjlbj.exe 1896 Cgknlj32.exe 4560 Cjijhe32.exe 4212 Cmhfdq32.exe 1908 Cacbdoil.exe 2276 Ccboqkhp.exe 2312 Cgmkai32.exe 5000 Cjlgme32.exe 4540 Ciogiagg.exe 3568 Cmjcip32.exe 3784 Cpipel32.exe 4776 Dcdkfjfm.exe 988 Dfbhbf32.exe 4840 Djnccdnj.exe 3964 Diadna32.exe 2592 Dahlpo32.exe 904 Dpklkkla.exe 116 Dcfhlj32.exe 1776 Dfedhe32.exe 4780 Dicqda32.exe 4368 Dmomdpkk.exe 1152 Dpmiqkjo.exe 1880 Dcieaj32.exe 1596 Dfgame32.exe 1912 Dameknaa.exe 3860 Dppefk32.exe 3160 Dckagiqe.exe 4588 Dhgngh32.exe 2700 Djejcc32.exe 5004 Dihjopom.exe 2228 Daobpnoo.exe 3028 Dpbblj32.exe 1332 Dhijmh32.exe 3052 Dfljhdnf.exe 3396 Djgfic32.exe 3864 Dmfceoec.exe 2248 Daaofm32.exe 1212 Edpkbi32.exe 3992 Ehkgbgdi.exe 3408 Ejjcocdm.exe 4284 Emhpkncq.exe 560 Eadkkm32.exe 3536 Edbhgh32.exe 984 Ehnchgbf.exe 4860 Ejlpdbbj.exe 3248 Eioppo32.exe 3500 Eafhamig.exe 4492 Epihli32.exe 3688 Ehppng32.exe 2928 Efcqicgo.exe 2892 Eiameofb.exe 2596 Emmifn32.exe 1072 Epkebi32.exe 4468 Ehbmcf32.exe 4940 Efemocel.exe 3484 Eicjkodp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cpdfjlbj.exe Caafop32.exe File opened for modification C:\Windows\SysWOW64\Djejcc32.exe Dhgngh32.exe File created C:\Windows\SysWOW64\Mhqnog32.dll Djgfic32.exe File created C:\Windows\SysWOW64\Kiipbi32.dll Edpkbi32.exe File opened for modification C:\Windows\SysWOW64\Epihli32.exe Eafhamig.exe File opened for modification C:\Windows\SysWOW64\Ehbmcf32.exe Epkebi32.exe File created C:\Windows\SysWOW64\Eicjkodp.exe Efemocel.exe File opened for modification C:\Windows\SysWOW64\Kkndpi32.exe Jiogcn32.exe File created C:\Windows\SysWOW64\Dcdkfjfm.exe Cpipel32.exe File opened for modification C:\Windows\SysWOW64\Dmfceoec.exe Djgfic32.exe File opened for modification C:\Windows\SysWOW64\Dpklkkla.exe Dahlpo32.exe File created C:\Windows\SysWOW64\Ehkgbgdi.exe Edpkbi32.exe File opened for modification C:\Windows\SysWOW64\Ghcfjd32.exe Gdgjie32.exe File created C:\Windows\SysWOW64\Ggoilp32.exe Ghlipchd.exe File created C:\Windows\SysWOW64\Hpjjje32.exe Gkkelngg.exe File opened for modification C:\Windows\SysWOW64\Jdobhp32.exe Jbqfld32.exe File created C:\Windows\SysWOW64\Ddefihai.dll Ccmeek32.exe File opened for modification C:\Windows\SysWOW64\Djgfic32.exe Dfljhdnf.exe File created C:\Windows\SysWOW64\Hmphhook.dll Eadkkm32.exe File created C:\Windows\SysWOW64\Iknianao.dll Ehbmcf32.exe File opened for modification C:\Windows\SysWOW64\Fmmbmkqi.exe Fkoeqpae.exe File created C:\Windows\SysWOW64\Ineadh32.exe Hkfdhm32.exe File created C:\Windows\SysWOW64\Jjlkpgdp.exe Jgnndk32.exe File created C:\Windows\SysWOW64\Dcfhlj32.exe Dpklkkla.exe File created C:\Windows\SysWOW64\Dfljhdnf.exe Dhijmh32.exe File opened for modification C:\Windows\SysWOW64\Fppomhjj.exe Famnal32.exe File created C:\Windows\SysWOW64\Gghckqef.exe Ghecpd32.exe File created C:\Windows\SysWOW64\Ikemgf32.dll Gpeaoeha.exe File created C:\Windows\SysWOW64\Hgfolo32.exe Hhcoabbl.exe File opened for modification C:\Windows\SysWOW64\Dpmiqkjo.exe Dmomdpkk.exe File created C:\Windows\SysWOW64\Banlmoig.dll Faddbkmg.exe File opened for modification C:\Windows\SysWOW64\Hkdhbmom.exe Hpodedpg.exe File opened for modification C:\Windows\SysWOW64\Cpomom32.exe Cfghfgpo.exe File created C:\Windows\SysWOW64\Cjlgme32.exe Cgmkai32.exe File created C:\Windows\SysWOW64\Nilpgk32.dll Dfbhbf32.exe File created C:\Windows\SysWOW64\Dhiegpbn.dll Daobpnoo.exe File opened for modification C:\Windows\SysWOW64\Fabhmkoj.exe Fikpknng.exe File created C:\Windows\SysWOW64\Ojopjheb.dll Inndjg32.exe File created C:\Windows\SysWOW64\Kkndpi32.exe Jiogcn32.exe File opened for modification C:\Windows\SysWOW64\Cfghfgpo.exe Bichmcae.exe File opened for modification C:\Windows\SysWOW64\Ejjcocdm.exe Ehkgbgdi.exe File opened for modification C:\Windows\SysWOW64\Eadkkm32.exe Emhpkncq.exe File created C:\Windows\SysWOW64\Jjgaeg32.exe Jgieil32.exe File created C:\Windows\SysWOW64\Dnbegqje.dll Gidbalfm.exe File created C:\Windows\SysWOW64\Kiadimhi.exe Kdfhho32.exe File created C:\Windows\SysWOW64\Daneaj32.dll Kqoecp32.exe File opened for modification C:\Windows\SysWOW64\Fmdofmic.exe Fihcfn32.exe File created C:\Windows\SysWOW64\Jjedohjg.exe Igfhclkd.exe File created C:\Windows\SysWOW64\Dmhfpqnh.dll Bichmcae.exe File created C:\Windows\SysWOW64\Dppefk32.exe Dameknaa.exe File opened for modification C:\Windows\SysWOW64\Fmihal32.exe Fkjleq32.exe File opened for modification C:\Windows\SysWOW64\Gidbalfm.exe Gkabfp32.exe File created C:\Windows\SysWOW64\Cmhfdq32.exe Cjijhe32.exe File created C:\Windows\SysWOW64\Eakall32.exe Eicjkodp.exe File created C:\Windows\SysWOW64\Fgopebma.exe Fhlpie32.exe File created C:\Windows\SysWOW64\Bplfgeal.dll Gmbkhk32.exe File opened for modification C:\Windows\SysWOW64\Cpdfjlbj.exe Caafop32.exe File created C:\Windows\SysWOW64\Kaegijcf.dll Dmomdpkk.exe File created C:\Windows\SysWOW64\Apllncom.dll Fikpknng.exe File created C:\Windows\SysWOW64\Jiogcn32.exe Jqhpbq32.exe File opened for modification C:\Windows\SysWOW64\Kjemfe32.exe Keheno32.exe File opened for modification C:\Windows\SysWOW64\Epnbgill.exe Eakall32.exe File created C:\Windows\SysWOW64\Fhicde32.exe Fdngcgpp.exe File created C:\Windows\SysWOW64\Fkmikpcg.exe Fgamja32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6952 6820 WerFault.exe 261 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjcqqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgknlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpipel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkfjfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihjopom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eadkkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnchgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmbmkqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjijhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhfdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epihli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicjkodp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgfnfjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfdhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijnnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caafop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daobpnoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gainmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpgnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfljhdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdemdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghecpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmlfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihoompho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpkikbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kblegblg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggjpqpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bichmcae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcieaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dameknaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakall32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnbgill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fabhmkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbqnflk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhfkcgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikmkilgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmimped.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epkebi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keheno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfceoec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhppa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcfealb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcbadda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhpbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdfjlbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlpdbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efemocel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkabfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnknf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghckqef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcdifjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmikpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gakjcjgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gabqci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpeaoeha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihchhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhjlejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdkhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmiqkjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgame32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejjcocdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehppng32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gabqci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpjjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjgaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjopci32.dll" Jdaompce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daaofm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggjpqpcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gghckqef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkelngg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjemfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kifndm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godhhjgq.dll" Ccboqkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Banlmoig.dll" Faddbkmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolekl32.dll" Iqhfkcgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kidibiag.dll" Jbnifd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqhpbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkjleq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgfolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cacbdoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgkanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhlpie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgamja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djioefof.dll" Hjdkhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djnccdnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkhppa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epihli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inlgegff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjedohjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmecj32.dll" Jbllqejj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 ff0b1989d9113ccfc424c697e044d710N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dicqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkkelngg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhcoabbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmmbmkqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpqgdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbihqkdd.dll" Ghcfjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkndpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcieaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiffpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfielg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pchfbd32.dll" Djnccdnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpmiqkjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID ff0b1989d9113ccfc424c697e044d710N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmegdl32.dll" Cfghfgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkmikpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggmlfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkanl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcfhlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkhcmiii.dll" Eafhamig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggjpqpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdhoabe.dll" Jjjnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emhpkncq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fihcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapoie32.dll" Kjqdkfpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilpgk32.dll" Dfbhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbnifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpgek32.dll" Diadna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fppomhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjcki32.dll" Fkmikpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqhfkcgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edbhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qajchh32.dll" Efcqicgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fppomhjj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4016 wrote to memory of 704 4016 ff0b1989d9113ccfc424c697e044d710N.exe 84 PID 4016 wrote to memory of 704 4016 ff0b1989d9113ccfc424c697e044d710N.exe 84 PID 4016 wrote to memory of 704 4016 ff0b1989d9113ccfc424c697e044d710N.exe 84 PID 704 wrote to memory of 696 704 Bichmcae.exe 85 PID 704 wrote to memory of 696 704 Bichmcae.exe 85 PID 704 wrote to memory of 696 704 Bichmcae.exe 85 PID 696 wrote to memory of 4596 696 Cfghfgpo.exe 86 PID 696 wrote to memory of 4596 696 Cfghfgpo.exe 86 PID 696 wrote to memory of 4596 696 Cfghfgpo.exe 86 PID 4596 wrote to memory of 4544 4596 Cpomom32.exe 88 PID 4596 wrote to memory of 4544 4596 Cpomom32.exe 88 PID 4596 wrote to memory of 4544 4596 Cpomom32.exe 88 PID 4544 wrote to memory of 4064 4544 Cfielg32.exe 90 PID 4544 wrote to memory of 4064 4544 Cfielg32.exe 90 PID 4544 wrote to memory of 4064 4544 Cfielg32.exe 90 PID 4064 wrote to memory of 1324 4064 Ccmeek32.exe 91 PID 4064 wrote to memory of 1324 4064 Ccmeek32.exe 91 PID 4064 wrote to memory of 1324 4064 Ccmeek32.exe 91 PID 1324 wrote to memory of 768 1324 Cjgnbedb.exe 92 PID 1324 wrote to memory of 768 1324 Cjgnbedb.exe 92 PID 1324 wrote to memory of 768 1324 Cjgnbedb.exe 92 PID 768 wrote to memory of 532 768 Cijnnb32.exe 93 PID 768 wrote to memory of 532 768 Cijnnb32.exe 93 PID 768 wrote to memory of 532 768 Cijnnb32.exe 93 PID 532 wrote to memory of 4216 532 Caafop32.exe 94 PID 532 wrote to memory of 4216 532 Caafop32.exe 94 PID 532 wrote to memory of 4216 532 Caafop32.exe 94 PID 4216 wrote to memory of 1896 4216 Cpdfjlbj.exe 95 PID 4216 wrote to memory of 1896 4216 Cpdfjlbj.exe 95 PID 4216 wrote to memory of 1896 4216 Cpdfjlbj.exe 95 PID 1896 wrote to memory of 4560 1896 Cgknlj32.exe 96 PID 1896 wrote to memory of 4560 1896 Cgknlj32.exe 96 PID 1896 wrote to memory of 4560 1896 Cgknlj32.exe 96 PID 4560 wrote to memory of 4212 4560 Cjijhe32.exe 97 PID 4560 wrote to memory of 4212 4560 Cjijhe32.exe 97 PID 4560 wrote to memory of 4212 4560 Cjijhe32.exe 97 PID 4212 wrote to memory of 1908 4212 Cmhfdq32.exe 98 PID 4212 wrote to memory of 1908 4212 Cmhfdq32.exe 98 PID 4212 wrote to memory of 1908 4212 Cmhfdq32.exe 98 PID 1908 wrote to memory of 2276 1908 Cacbdoil.exe 99 PID 1908 wrote to memory of 2276 1908 Cacbdoil.exe 99 PID 1908 wrote to memory of 2276 1908 Cacbdoil.exe 99 PID 2276 wrote to memory of 2312 2276 Ccboqkhp.exe 100 PID 2276 wrote to memory of 2312 2276 Ccboqkhp.exe 100 PID 2276 wrote to memory of 2312 2276 Ccboqkhp.exe 100 PID 2312 wrote to memory of 5000 2312 Cgmkai32.exe 101 PID 2312 wrote to memory of 5000 2312 Cgmkai32.exe 101 PID 2312 wrote to memory of 5000 2312 Cgmkai32.exe 101 PID 5000 wrote to memory of 4540 5000 Cjlgme32.exe 102 PID 5000 wrote to memory of 4540 5000 Cjlgme32.exe 102 PID 5000 wrote to memory of 4540 5000 Cjlgme32.exe 102 PID 4540 wrote to memory of 3568 4540 Ciogiagg.exe 103 PID 4540 wrote to memory of 3568 4540 Ciogiagg.exe 103 PID 4540 wrote to memory of 3568 4540 Ciogiagg.exe 103 PID 3568 wrote to memory of 3784 3568 Cmjcip32.exe 104 PID 3568 wrote to memory of 3784 3568 Cmjcip32.exe 104 PID 3568 wrote to memory of 3784 3568 Cmjcip32.exe 104 PID 3784 wrote to memory of 4776 3784 Cpipel32.exe 105 PID 3784 wrote to memory of 4776 3784 Cpipel32.exe 105 PID 3784 wrote to memory of 4776 3784 Cpipel32.exe 105 PID 4776 wrote to memory of 988 4776 Dcdkfjfm.exe 106 PID 4776 wrote to memory of 988 4776 Dcdkfjfm.exe 106 PID 4776 wrote to memory of 988 4776 Dcdkfjfm.exe 106 PID 988 wrote to memory of 4840 988 Dfbhbf32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff0b1989d9113ccfc424c697e044d710N.exe"C:\Users\Admin\AppData\Local\Temp\ff0b1989d9113ccfc424c697e044d710N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Bichmcae.exeC:\Windows\system32\Bichmcae.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Cfghfgpo.exeC:\Windows\system32\Cfghfgpo.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Cpomom32.exeC:\Windows\system32\Cpomom32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Cfielg32.exeC:\Windows\system32\Cfielg32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Ccmeek32.exeC:\Windows\system32\Ccmeek32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Cjgnbedb.exeC:\Windows\system32\Cjgnbedb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Cijnnb32.exeC:\Windows\system32\Cijnnb32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Caafop32.exeC:\Windows\system32\Caafop32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Cpdfjlbj.exeC:\Windows\system32\Cpdfjlbj.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Cgknlj32.exeC:\Windows\system32\Cgknlj32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Cjijhe32.exeC:\Windows\system32\Cjijhe32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Cmhfdq32.exeC:\Windows\system32\Cmhfdq32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Cacbdoil.exeC:\Windows\system32\Cacbdoil.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Ccboqkhp.exeC:\Windows\system32\Ccboqkhp.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Cgmkai32.exeC:\Windows\system32\Cgmkai32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Cjlgme32.exeC:\Windows\system32\Cjlgme32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Ciogiagg.exeC:\Windows\system32\Ciogiagg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Cmjcip32.exeC:\Windows\system32\Cmjcip32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Cpipel32.exeC:\Windows\system32\Cpipel32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Dcdkfjfm.exeC:\Windows\system32\Dcdkfjfm.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Dfbhbf32.exeC:\Windows\system32\Dfbhbf32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Djnccdnj.exeC:\Windows\system32\Djnccdnj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4840 -
C:\Windows\SysWOW64\Diadna32.exeC:\Windows\system32\Diadna32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Dahlpo32.exeC:\Windows\system32\Dahlpo32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Dpklkkla.exeC:\Windows\system32\Dpklkkla.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Dcfhlj32.exeC:\Windows\system32\Dcfhlj32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:116 -
C:\Windows\SysWOW64\Dfedhe32.exeC:\Windows\system32\Dfedhe32.exe28⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Dicqda32.exeC:\Windows\system32\Dicqda32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4780 -
C:\Windows\SysWOW64\Dmomdpkk.exeC:\Windows\system32\Dmomdpkk.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Dpmiqkjo.exeC:\Windows\system32\Dpmiqkjo.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Dcieaj32.exeC:\Windows\system32\Dcieaj32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Dfgame32.exeC:\Windows\system32\Dfgame32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Dameknaa.exeC:\Windows\system32\Dameknaa.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Dppefk32.exeC:\Windows\system32\Dppefk32.exe35⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Dckagiqe.exeC:\Windows\system32\Dckagiqe.exe36⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Dhgngh32.exeC:\Windows\system32\Dhgngh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4588 -
C:\Windows\SysWOW64\Djejcc32.exeC:\Windows\system32\Djejcc32.exe38⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Dihjopom.exeC:\Windows\system32\Dihjopom.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Windows\SysWOW64\Daobpnoo.exeC:\Windows\system32\Daobpnoo.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Dpbblj32.exeC:\Windows\system32\Dpbblj32.exe41⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Dhijmh32.exeC:\Windows\system32\Dhijmh32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Dfljhdnf.exeC:\Windows\system32\Dfljhdnf.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Djgfic32.exeC:\Windows\system32\Djgfic32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\Dmfceoec.exeC:\Windows\system32\Dmfceoec.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3864 -
C:\Windows\SysWOW64\Daaofm32.exeC:\Windows\system32\Daaofm32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Edpkbi32.exeC:\Windows\system32\Edpkbi32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Ehkgbgdi.exeC:\Windows\system32\Ehkgbgdi.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3992 -
C:\Windows\SysWOW64\Ejjcocdm.exeC:\Windows\system32\Ejjcocdm.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3408 -
C:\Windows\SysWOW64\Emhpkncq.exeC:\Windows\system32\Emhpkncq.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Eadkkm32.exeC:\Windows\system32\Eadkkm32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\Edbhgh32.exeC:\Windows\system32\Edbhgh32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Ehnchgbf.exeC:\Windows\system32\Ehnchgbf.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Ejlpdbbj.exeC:\Windows\system32\Ejlpdbbj.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4860 -
C:\Windows\SysWOW64\Eioppo32.exeC:\Windows\system32\Eioppo32.exe55⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Eafhamig.exeC:\Windows\system32\Eafhamig.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\Epihli32.exeC:\Windows\system32\Epihli32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4492 -
C:\Windows\SysWOW64\Ehppng32.exeC:\Windows\system32\Ehppng32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3688 -
C:\Windows\SysWOW64\Efcqicgo.exeC:\Windows\system32\Efcqicgo.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Eiameofb.exeC:\Windows\system32\Eiameofb.exe60⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Emmifn32.exeC:\Windows\system32\Emmifn32.exe61⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Epkebi32.exeC:\Windows\system32\Epkebi32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Ehbmcf32.exeC:\Windows\system32\Ehbmcf32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4468 -
C:\Windows\SysWOW64\Efemocel.exeC:\Windows\system32\Efemocel.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Windows\SysWOW64\Eicjkodp.exeC:\Windows\system32\Eicjkodp.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\SysWOW64\Eakall32.exeC:\Windows\system32\Eakall32.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4116 -
C:\Windows\SysWOW64\Epnbgill.exeC:\Windows\system32\Epnbgill.exe67⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Ekcfealb.exeC:\Windows\system32\Ekcfealb.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4668 -
C:\Windows\SysWOW64\Eiffpn32.exeC:\Windows\system32\Eiffpn32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3436 -
C:\Windows\SysWOW64\Famnal32.exeC:\Windows\system32\Famnal32.exe70⤵
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Fppomhjj.exeC:\Windows\system32\Fppomhjj.exe71⤵
- Modifies registry class
PID:4612 -
C:\Windows\SysWOW64\Fhgfnfjl.exeC:\Windows\system32\Fhgfnfjl.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3212 -
C:\Windows\SysWOW64\Ffjgjb32.exeC:\Windows\system32\Ffjgjb32.exe73⤵PID:2100
-
C:\Windows\SysWOW64\Fihcfn32.exeC:\Windows\system32\Fihcfn32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Fmdofmic.exeC:\Windows\system32\Fmdofmic.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Fapkgk32.exeC:\Windows\system32\Fapkgk32.exe76⤵PID:1500
-
C:\Windows\SysWOW64\Fdngcgpp.exeC:\Windows\system32\Fdngcgpp.exe77⤵
- Drops file in System32 directory
PID:5144 -
C:\Windows\SysWOW64\Fhicde32.exeC:\Windows\system32\Fhicde32.exe78⤵PID:5180
-
C:\Windows\SysWOW64\Fkhppa32.exeC:\Windows\system32\Fkhppa32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Fikpknng.exeC:\Windows\system32\Fikpknng.exe80⤵
- Drops file in System32 directory
PID:5252 -
C:\Windows\SysWOW64\Fabhmkoj.exeC:\Windows\system32\Fabhmkoj.exe81⤵
- System Location Discovery: System Language Discovery
PID:5288 -
C:\Windows\SysWOW64\Fdpdifnm.exeC:\Windows\system32\Fdpdifnm.exe82⤵PID:5324
-
C:\Windows\SysWOW64\Fhlpie32.exeC:\Windows\system32\Fhlpie32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Fgopebma.exeC:\Windows\system32\Fgopebma.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396 -
C:\Windows\SysWOW64\Fkjleq32.exeC:\Windows\system32\Fkjleq32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Fmihal32.exeC:\Windows\system32\Fmihal32.exe86⤵PID:5468
-
C:\Windows\SysWOW64\Faddbkmg.exeC:\Windows\system32\Faddbkmg.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Fpgdng32.exeC:\Windows\system32\Fpgdng32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Fdbqnflk.exeC:\Windows\system32\Fdbqnflk.exe89⤵
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Windows\SysWOW64\Fgamja32.exeC:\Windows\system32\Fgamja32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\Fkmikpcg.exeC:\Windows\system32\Fkmikpcg.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Fdemdf32.exeC:\Windows\system32\Fdemdf32.exe92⤵
- System Location Discovery: System Language Discovery
PID:5900 -
C:\Windows\SysWOW64\Fkoeqpae.exeC:\Windows\system32\Fkoeqpae.exe93⤵
- Drops file in System32 directory
PID:5932 -
C:\Windows\SysWOW64\Fmmbmkqi.exeC:\Windows\system32\Fmmbmkqi.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5968 -
C:\Windows\SysWOW64\Gainmj32.exeC:\Windows\system32\Gainmj32.exe95⤵
- System Location Discovery: System Language Discovery
PID:6004 -
C:\Windows\SysWOW64\Gdgjie32.exeC:\Windows\system32\Gdgjie32.exe96⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Ghcfjd32.exeC:\Windows\system32\Ghcfjd32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Gkabfp32.exeC:\Windows\system32\Gkabfp32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6112 -
C:\Windows\SysWOW64\Gidbalfm.exeC:\Windows\system32\Gidbalfm.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Gakjcjgo.exeC:\Windows\system32\Gakjcjgo.exe100⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Gpnknf32.exeC:\Windows\system32\Gpnknf32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Ghecpd32.exeC:\Windows\system32\Ghecpd32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4048 -
C:\Windows\SysWOW64\Gghckqef.exeC:\Windows\system32\Gghckqef.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Gifogldj.exeC:\Windows\system32\Gifogldj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3740 -
C:\Windows\SysWOW64\Gmbkhk32.exeC:\Windows\system32\Gmbkhk32.exe105⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Gpqgdf32.exeC:\Windows\system32\Gpqgdf32.exe106⤵
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Gdlcdedp.exeC:\Windows\system32\Gdlcdedp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Ggjpqpcd.exeC:\Windows\system32\Ggjpqpcd.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Gapdni32.exeC:\Windows\system32\Gapdni32.exe109⤵PID:5492
-
C:\Windows\SysWOW64\Gpcdifjd.exeC:\Windows\system32\Gpcdifjd.exe110⤵
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Windows\SysWOW64\Gdnpjd32.exeC:\Windows\system32\Gdnpjd32.exe111⤵PID:5640
-
C:\Windows\SysWOW64\Ggmlfp32.exeC:\Windows\system32\Ggmlfp32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Gkhhgoij.exeC:\Windows\system32\Gkhhgoij.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5828 -
C:\Windows\SysWOW64\Gikibk32.exeC:\Windows\system32\Gikibk32.exe114⤵PID:3664
-
C:\Windows\SysWOW64\Gabqci32.exeC:\Windows\system32\Gabqci32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5876 -
C:\Windows\SysWOW64\Gpeaoeha.exeC:\Windows\system32\Gpeaoeha.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5952 -
C:\Windows\SysWOW64\Ghlipchd.exeC:\Windows\system32\Ghlipchd.exe117⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\SysWOW64\Ggoilp32.exeC:\Windows\system32\Ggoilp32.exe118⤵PID:6060
-
C:\Windows\SysWOW64\Gkkelngg.exeC:\Windows\system32\Gkkelngg.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Hpjjje32.exeC:\Windows\system32\Hpjjje32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Hhabkb32.exeC:\Windows\system32\Hhabkb32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5792 -
C:\Windows\SysWOW64\Hnnkcibf.exeC:\Windows\system32\Hnnkcibf.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5824
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-