Analysis
-
max time kernel
91s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
26-08-2024 02:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
57ef1c40391295e31291ef8f543266a0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
57ef1c40391295e31291ef8f543266a0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
57ef1c40391295e31291ef8f543266a0N.exe
-
Size
71KB
-
MD5
57ef1c40391295e31291ef8f543266a0
-
SHA1
1f7ed8f0368592685268649dd4afd2f0a0011957
-
SHA256
b5b30715a161dabeb20ff55cf3e3134ded59e009a1596491469fba2eb61f19e4
-
SHA512
f7d542f0325a5ba5b6e907ebb33ddd14ab1c13128eb179efc3653e113144c62080769f6ca99cc179feee6a631581c2a3ebe89e2df630ccb1513952a6e506242e
-
SSDEEP
1536:AYdo8Ek9G7nL0eo5QblzvTlgNRRQ2DbEyRCRRRoR4Rk:bd9FYkeo0zLlqReIEy032ya
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahhchk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghpkbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qonlhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naionh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cenmfbml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqhkcdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmoekf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmilmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hahljg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ionehnbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaoic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdblkoco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkgig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dckcnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajlac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inebpgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhehfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoomai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhkclc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmpplh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echlmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchokq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdipfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gapoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jofdll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apfici32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnkec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anhbdpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgobcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpodgocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmohjooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmghe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmgodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aejglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceickb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebnmpemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlkcbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oojfnakl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbppdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfoanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pipjpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhlcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afpapcnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahljg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkpac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijampgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdkhag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkcgapjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkfcjqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oipcnieb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hajhpgag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmnga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkoqmhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kheofahm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqamla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gphlgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bodhjdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjoiiffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flfnhnfm.exe -
Executes dropped EXE 64 IoCs
pid Process 2964 Pmqffonj.exe 2896 Qfikod32.exe 3032 Qmcclolh.exe 3012 Qpaohjkk.exe 2956 Qaqlbmbn.exe 840 Acohnhab.exe 696 Ajipkb32.exe 1064 Apfici32.exe 2248 Afpapcnc.exe 2984 Amjiln32.exe 1604 Ankedf32.exe 1884 Afbnec32.exe 2924 Ahcjmkbo.exe 768 Apkbnibq.exe 596 Abinjdad.exe 2140 Ajdcofop.exe 2160 Aankkqfl.exe 988 Aejglo32.exe 1536 Ahhchk32.exe 1640 Bobleeef.exe 1748 Baqhapdj.exe 1948 Bjiljf32.exe 660 Bodhjdcc.exe 1532 Bfpmog32.exe 1740 Bmjekahk.exe 2808 Bphaglgo.exe 2908 Bbfnchfb.exe 3028 Bgdfjfmi.exe 2832 Bmnofp32.exe 2224 Blaobmkq.exe 1796 Ceickb32.exe 304 Clclhmin.exe 1036 Ccnddg32.exe 2400 Ckiiiine.exe 2384 Ccpqjfnh.exe 2724 Cenmfbml.exe 1444 Clhecl32.exe 536 Cdcjgnbc.exe 1744 Ckmbdh32.exe 2364 Chabmm32.exe 1800 Cgdciiod.exe 884 Dnnkec32.exe 1792 Dckcnj32.exe 780 Dnqhkcdo.exe 1768 Dpodgocb.exe 800 Dcmpcjcf.exe 2324 Dflmpebj.exe 1224 Djghpd32.exe 2812 Dleelp32.exe 1688 Dcpmijqc.exe 3000 Dfniee32.exe 804 Dlhaaogd.exe 2996 Dofnnkfg.exe 1684 Dcbjni32.exe 2116 Dfpfke32.exe 3056 Dhobgp32.exe 2940 Dljngoea.exe 584 Doijcjde.exe 1244 Dbggpfci.exe 2072 Edeclabl.exe 756 Ekpkhkji.exe 2648 Eokgij32.exe 2256 Ebicee32.exe 2460 Edhpaa32.exe -
Loads dropped DLL 64 IoCs
pid Process 2748 57ef1c40391295e31291ef8f543266a0N.exe 2748 57ef1c40391295e31291ef8f543266a0N.exe 2964 Pmqffonj.exe 2964 Pmqffonj.exe 2896 Qfikod32.exe 2896 Qfikod32.exe 3032 Qmcclolh.exe 3032 Qmcclolh.exe 3012 Qpaohjkk.exe 3012 Qpaohjkk.exe 2956 Qaqlbmbn.exe 2956 Qaqlbmbn.exe 840 Acohnhab.exe 840 Acohnhab.exe 696 Ajipkb32.exe 696 Ajipkb32.exe 1064 Apfici32.exe 1064 Apfici32.exe 2248 Afpapcnc.exe 2248 Afpapcnc.exe 2984 Amjiln32.exe 2984 Amjiln32.exe 1604 Ankedf32.exe 1604 Ankedf32.exe 1884 Afbnec32.exe 1884 Afbnec32.exe 2924 Ahcjmkbo.exe 2924 Ahcjmkbo.exe 768 Apkbnibq.exe 768 Apkbnibq.exe 596 Abinjdad.exe 596 Abinjdad.exe 2140 Ajdcofop.exe 2140 Ajdcofop.exe 2160 Aankkqfl.exe 2160 Aankkqfl.exe 988 Aejglo32.exe 988 Aejglo32.exe 1536 Ahhchk32.exe 1536 Ahhchk32.exe 1640 Bobleeef.exe 1640 Bobleeef.exe 1748 Baqhapdj.exe 1748 Baqhapdj.exe 1948 Bjiljf32.exe 1948 Bjiljf32.exe 660 Bodhjdcc.exe 660 Bodhjdcc.exe 1532 Bfpmog32.exe 1532 Bfpmog32.exe 1740 Bmjekahk.exe 1740 Bmjekahk.exe 2808 Bphaglgo.exe 2808 Bphaglgo.exe 2908 Bbfnchfb.exe 2908 Bbfnchfb.exe 3028 Bgdfjfmi.exe 3028 Bgdfjfmi.exe 2832 Bmnofp32.exe 2832 Bmnofp32.exe 2224 Blaobmkq.exe 2224 Blaobmkq.exe 1796 Ceickb32.exe 1796 Ceickb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Chabmm32.exe Ckmbdh32.exe File created C:\Windows\SysWOW64\Ibadnhmb.exe Ikjlmjmp.exe File opened for modification C:\Windows\SysWOW64\Jgnchplb.exe Jhkclc32.exe File created C:\Windows\SysWOW64\Gdkniice.dll Geddoa32.exe File created C:\Windows\SysWOW64\Dflmpebj.exe Dcmpcjcf.exe File created C:\Windows\SysWOW64\Pkhnioha.dll Dchpnd32.exe File created C:\Windows\SysWOW64\Jafmngde.exe Johaalea.exe File opened for modification C:\Windows\SysWOW64\Bdipfi32.exe Befpkmph.exe File opened for modification C:\Windows\SysWOW64\Okkfmmqj.exe Ocdnloph.exe File created C:\Windows\SysWOW64\Gmadkcmq.dll Nogmin32.exe File created C:\Windows\SysWOW64\Bdggbp32.dll Ihcfan32.exe File created C:\Windows\SysWOW64\Nomphm32.exe Nlocka32.exe File created C:\Windows\SysWOW64\Ljecbkfm.dll Igpdnlgd.exe File opened for modification C:\Windows\SysWOW64\Biiiempl.exe Bfjmia32.exe File opened for modification C:\Windows\SysWOW64\Hnflnfbm.exe Hfodmhbk.exe File opened for modification C:\Windows\SysWOW64\Lckpbm32.exe Lkcgapjl.exe File created C:\Windows\SysWOW64\Knoaeimg.exe Kfgjdlme.exe File opened for modification C:\Windows\SysWOW64\Mpkjgckc.exe Mmmnkglp.exe File created C:\Windows\SysWOW64\Qgiplffm.exe Qekdpkgj.exe File opened for modification C:\Windows\SysWOW64\Aidpjm32.exe Afecna32.exe File created C:\Windows\SysWOW64\Idgjqook.exe Iplnpq32.exe File opened for modification C:\Windows\SysWOW64\Aankkqfl.exe Ajdcofop.exe File created C:\Windows\SysWOW64\Dmgbpm32.dll Dcpmijqc.exe File created C:\Windows\SysWOW64\Gjdhaj32.dll Bmohjooe.exe File created C:\Windows\SysWOW64\Olbfgj32.dll Hfodmhbk.exe File created C:\Windows\SysWOW64\Jofdll32.exe Jpcdqpqj.exe File created C:\Windows\SysWOW64\Jdlclo32.exe Jlekja32.exe File created C:\Windows\SysWOW64\Jbijcgbc.exe Jojnglco.exe File opened for modification C:\Windows\SysWOW64\Ninjjf32.exe Nebnigmp.exe File created C:\Windows\SysWOW64\Kljmfe32.dll Apfici32.exe File created C:\Windows\SysWOW64\Qbbbol32.dll Kcimhpma.exe File opened for modification C:\Windows\SysWOW64\Lhklha32.exe Lcppgbjd.exe File opened for modification C:\Windows\SysWOW64\Nfmahkhh.exe Nbbegl32.exe File created C:\Windows\SysWOW64\Jpbbmmhm.dll Hlmphp32.exe File created C:\Windows\SysWOW64\Jneoojeb.exe Jobocn32.exe File created C:\Windows\SysWOW64\Kobkbaac.exe Kjebjjck.exe File created C:\Windows\SysWOW64\Elookl32.dll Ceacoqfi.exe File opened for modification C:\Windows\SysWOW64\Glaiak32.exe Gibmep32.exe File opened for modification C:\Windows\SysWOW64\Mdmhfpkg.exe Manljd32.exe File created C:\Windows\SysWOW64\Cmfnjnin.exe Cglfndaa.exe File created C:\Windows\SysWOW64\Lcjcogfe.dll Enhcnd32.exe File opened for modification C:\Windows\SysWOW64\Feiaknmg.exe Fnoiocfj.exe File opened for modification C:\Windows\SysWOW64\Ahhchk32.exe Aejglo32.exe File created C:\Windows\SysWOW64\Cadmjo32.dll Pfoanp32.exe File created C:\Windows\SysWOW64\Nmlddd32.dll Fjhgidjk.exe File created C:\Windows\SysWOW64\Nnekggoo.dll Migdig32.exe File created C:\Windows\SysWOW64\Ghpkbn32.exe Gaebfdba.exe File opened for modification C:\Windows\SysWOW64\Lgbibb32.exe Kfaljjdj.exe File created C:\Windows\SysWOW64\Ohbjgg32.exe Oecnkk32.exe File created C:\Windows\SysWOW64\Hffjng32.exe Hdhnal32.exe File opened for modification C:\Windows\SysWOW64\Ikgfdlcb.exe Igkjcm32.exe File created C:\Windows\SysWOW64\Nhpabdqd.exe Npiiafpa.exe File created C:\Windows\SysWOW64\Mpnehd32.dll Fmgcepio.exe File created C:\Windows\SysWOW64\Kbppdfmk.exe Knddcg32.exe File opened for modification C:\Windows\SysWOW64\Lbbiii32.exe Lnfmhj32.exe File opened for modification C:\Windows\SysWOW64\Oibpdico.exe Ocihgo32.exe File created C:\Windows\SysWOW64\Olgpff32.exe Oihdjk32.exe File created C:\Windows\SysWOW64\Lhiqbpqm.dll Gipqpplq.exe File created C:\Windows\SysWOW64\Lfilnh32.exe Lckpbm32.exe File created C:\Windows\SysWOW64\Gnfmhdpb.dll Magfjebk.exe File created C:\Windows\SysWOW64\Oeoedmpg.dll Nfmahkhh.exe File opened for modification C:\Windows\SysWOW64\Mffkgl32.exe Mchokq32.exe File created C:\Windows\SysWOW64\Ejlnjg32.exe Efpbih32.exe File created C:\Windows\SysWOW64\Pqgbah32.exe Pipjpj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7032 6964 WerFault.exe 667 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlocka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaebfdba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgglifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdoocdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geddoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfihml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocihgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maapjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmpplh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadhjaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlhaaogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memlki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onocon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepnkjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpoibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpghfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfikod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckiiiine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhobgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfnhnfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmneebeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomlfpdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgdciiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijopjhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjqiok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddbqhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blibghmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkpcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibpdico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjqhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlckehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qonlhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiiempl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnkji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmngn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjebjjck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbmmbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dchpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjcieg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgeabi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Habkeacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaciom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhgoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfniee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooemcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oojfnakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiaogio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoqhncgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elejqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakhkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhjlioa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghcbjll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 57ef1c40391295e31291ef8f543266a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpfke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhdfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbmco32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafehn32.dll" Clhecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dakpiajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnaohff.dll" Hajhpgag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohpnag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ieppjclf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjilde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbppdfmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffiepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Heonpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdjceb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpghfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbggpfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libiii32.dll" Ejdaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlelkn32.dll" Iockhigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Apnhggln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dibhjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oecnkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dnhgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbfldc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlcbfnjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdkebolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jneoojeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdnjaibm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idbgbahq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajjinaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokpie32.dll" Hhlcal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmpbja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khglkqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccpqjfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcgkpie.dll" Enkdda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icijhlgk.dll" Idmnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nifgekbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmohjooe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chblqlcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjdnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbpfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gihnkejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglbcaph.dll" Cipleo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcoolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjgld32.dll" Iabhdefo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jofdll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgdad32.dll" Jbijcgbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahjkl32.dll" Dljngoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aglmbfdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cmfnjnin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcbociq.dll" Jnpoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnlpeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kggfnoch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpegp32.dll" Bhnffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcjmcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gindjqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehccb32.dll" Jgmlmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghpkbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgiobadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lehfafgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmdefk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eplmflde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhjgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inngpj32.dll" Ankedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfpkj32.dll" Ffghjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhonin32.dll" Fnkpcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anhbdpje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdgefn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2964 2748 57ef1c40391295e31291ef8f543266a0N.exe 30 PID 2748 wrote to memory of 2964 2748 57ef1c40391295e31291ef8f543266a0N.exe 30 PID 2748 wrote to memory of 2964 2748 57ef1c40391295e31291ef8f543266a0N.exe 30 PID 2748 wrote to memory of 2964 2748 57ef1c40391295e31291ef8f543266a0N.exe 30 PID 2964 wrote to memory of 2896 2964 Pmqffonj.exe 31 PID 2964 wrote to memory of 2896 2964 Pmqffonj.exe 31 PID 2964 wrote to memory of 2896 2964 Pmqffonj.exe 31 PID 2964 wrote to memory of 2896 2964 Pmqffonj.exe 31 PID 2896 wrote to memory of 3032 2896 Qfikod32.exe 32 PID 2896 wrote to memory of 3032 2896 Qfikod32.exe 32 PID 2896 wrote to memory of 3032 2896 Qfikod32.exe 32 PID 2896 wrote to memory of 3032 2896 Qfikod32.exe 32 PID 3032 wrote to memory of 3012 3032 Qmcclolh.exe 33 PID 3032 wrote to memory of 3012 3032 Qmcclolh.exe 33 PID 3032 wrote to memory of 3012 3032 Qmcclolh.exe 33 PID 3032 wrote to memory of 3012 3032 Qmcclolh.exe 33 PID 3012 wrote to memory of 2956 3012 Qpaohjkk.exe 34 PID 3012 wrote to memory of 2956 3012 Qpaohjkk.exe 34 PID 3012 wrote to memory of 2956 3012 Qpaohjkk.exe 34 PID 3012 wrote to memory of 2956 3012 Qpaohjkk.exe 34 PID 2956 wrote to memory of 840 2956 Qaqlbmbn.exe 35 PID 2956 wrote to memory of 840 2956 Qaqlbmbn.exe 35 PID 2956 wrote to memory of 840 2956 Qaqlbmbn.exe 35 PID 2956 wrote to memory of 840 2956 Qaqlbmbn.exe 35 PID 840 wrote to memory of 696 840 Acohnhab.exe 36 PID 840 wrote to memory of 696 840 Acohnhab.exe 36 PID 840 wrote to memory of 696 840 Acohnhab.exe 36 PID 840 wrote to memory of 696 840 Acohnhab.exe 36 PID 696 wrote to memory of 1064 696 Ajipkb32.exe 37 PID 696 wrote to memory of 1064 696 Ajipkb32.exe 37 PID 696 wrote to memory of 1064 696 Ajipkb32.exe 37 PID 696 wrote to memory of 1064 696 Ajipkb32.exe 37 PID 1064 wrote to memory of 2248 1064 Apfici32.exe 38 PID 1064 wrote to memory of 2248 1064 Apfici32.exe 38 PID 1064 wrote to memory of 2248 1064 Apfici32.exe 38 PID 1064 wrote to memory of 2248 1064 Apfici32.exe 38 PID 2248 wrote to memory of 2984 2248 Afpapcnc.exe 39 PID 2248 wrote to memory of 2984 2248 Afpapcnc.exe 39 PID 2248 wrote to memory of 2984 2248 Afpapcnc.exe 39 PID 2248 wrote to memory of 2984 2248 Afpapcnc.exe 39 PID 2984 wrote to memory of 1604 2984 Amjiln32.exe 40 PID 2984 wrote to memory of 1604 2984 Amjiln32.exe 40 PID 2984 wrote to memory of 1604 2984 Amjiln32.exe 40 PID 2984 wrote to memory of 1604 2984 Amjiln32.exe 40 PID 1604 wrote to memory of 1884 1604 Ankedf32.exe 41 PID 1604 wrote to memory of 1884 1604 Ankedf32.exe 41 PID 1604 wrote to memory of 1884 1604 Ankedf32.exe 41 PID 1604 wrote to memory of 1884 1604 Ankedf32.exe 41 PID 1884 wrote to memory of 2924 1884 Afbnec32.exe 42 PID 1884 wrote to memory of 2924 1884 Afbnec32.exe 42 PID 1884 wrote to memory of 2924 1884 Afbnec32.exe 42 PID 1884 wrote to memory of 2924 1884 Afbnec32.exe 42 PID 2924 wrote to memory of 768 2924 Ahcjmkbo.exe 43 PID 2924 wrote to memory of 768 2924 Ahcjmkbo.exe 43 PID 2924 wrote to memory of 768 2924 Ahcjmkbo.exe 43 PID 2924 wrote to memory of 768 2924 Ahcjmkbo.exe 43 PID 768 wrote to memory of 596 768 Apkbnibq.exe 44 PID 768 wrote to memory of 596 768 Apkbnibq.exe 44 PID 768 wrote to memory of 596 768 Apkbnibq.exe 44 PID 768 wrote to memory of 596 768 Apkbnibq.exe 44 PID 596 wrote to memory of 2140 596 Abinjdad.exe 45 PID 596 wrote to memory of 2140 596 Abinjdad.exe 45 PID 596 wrote to memory of 2140 596 Abinjdad.exe 45 PID 596 wrote to memory of 2140 596 Abinjdad.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\57ef1c40391295e31291ef8f543266a0N.exe"C:\Users\Admin\AppData\Local\Temp\57ef1c40391295e31291ef8f543266a0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Qfikod32.exeC:\Windows\system32\Qfikod32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Qmcclolh.exeC:\Windows\system32\Qmcclolh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Qaqlbmbn.exeC:\Windows\system32\Qaqlbmbn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Acohnhab.exeC:\Windows\system32\Acohnhab.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Ajipkb32.exeC:\Windows\system32\Ajipkb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Apfici32.exeC:\Windows\system32\Apfici32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Afpapcnc.exeC:\Windows\system32\Afpapcnc.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Amjiln32.exeC:\Windows\system32\Amjiln32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Ankedf32.exeC:\Windows\system32\Ankedf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Afbnec32.exeC:\Windows\system32\Afbnec32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Ahcjmkbo.exeC:\Windows\system32\Ahcjmkbo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Apkbnibq.exeC:\Windows\system32\Apkbnibq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Abinjdad.exeC:\Windows\system32\Abinjdad.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Ajdcofop.exeC:\Windows\system32\Ajdcofop.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Aankkqfl.exeC:\Windows\system32\Aankkqfl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Aejglo32.exeC:\Windows\system32\Aejglo32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Ahhchk32.exeC:\Windows\system32\Ahhchk32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Bobleeef.exeC:\Windows\system32\Bobleeef.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Baqhapdj.exeC:\Windows\system32\Baqhapdj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Bjiljf32.exeC:\Windows\system32\Bjiljf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:660 -
C:\Windows\SysWOW64\Bfpmog32.exeC:\Windows\system32\Bfpmog32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Bmjekahk.exeC:\Windows\system32\Bmjekahk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Bphaglgo.exeC:\Windows\system32\Bphaglgo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Bgdfjfmi.exeC:\Windows\system32\Bgdfjfmi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Bmnofp32.exeC:\Windows\system32\Bmnofp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Ceickb32.exeC:\Windows\system32\Ceickb32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe33⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Ccnddg32.exeC:\Windows\system32\Ccnddg32.exe34⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Ckiiiine.exeC:\Windows\system32\Ckiiiine.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Cenmfbml.exeC:\Windows\system32\Cenmfbml.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Clhecl32.exeC:\Windows\system32\Clhecl32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe39⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Ckmbdh32.exeC:\Windows\system32\Ckmbdh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe41⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Cgdciiod.exeC:\Windows\system32\Cgdciiod.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Dnnkec32.exeC:\Windows\system32\Dnnkec32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Dnqhkcdo.exeC:\Windows\system32\Dnqhkcdo.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Dpodgocb.exeC:\Windows\system32\Dpodgocb.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Dflmpebj.exeC:\Windows\system32\Dflmpebj.exe48⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Djghpd32.exeC:\Windows\system32\Djghpd32.exe49⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe50⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Dfniee32.exeC:\Windows\system32\Dfniee32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe54⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Dcbjni32.exeC:\Windows\system32\Dcbjni32.exe55⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Dfpfke32.exeC:\Windows\system32\Dfpfke32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Dhobgp32.exeC:\Windows\system32\Dhobgp32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Dljngoea.exeC:\Windows\system32\Dljngoea.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Doijcjde.exeC:\Windows\system32\Doijcjde.exe59⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Edeclabl.exeC:\Windows\system32\Edeclabl.exe61⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe62⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Eokgij32.exeC:\Windows\system32\Eokgij32.exe63⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ebicee32.exeC:\Windows\system32\Ebicee32.exe64⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Edhpaa32.exeC:\Windows\system32\Edhpaa32.exe65⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe66⤵PID:3064
-
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe67⤵PID:1664
-
C:\Windows\SysWOW64\Eqopfbfn.exeC:\Windows\system32\Eqopfbfn.exe68⤵PID:2768
-
C:\Windows\SysWOW64\Edjlgq32.exeC:\Windows\system32\Edjlgq32.exe69⤵PID:2860
-
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe70⤵PID:2784
-
C:\Windows\SysWOW64\Ekddck32.exeC:\Windows\system32\Ekddck32.exe71⤵PID:2704
-
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Eqamla32.exeC:\Windows\system32\Eqamla32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe74⤵PID:3052
-
C:\Windows\SysWOW64\Ekfaij32.exeC:\Windows\system32\Ekfaij32.exe75⤵PID:1176
-
C:\Windows\SysWOW64\Emhnqbjo.exeC:\Windows\system32\Emhnqbjo.exe76⤵PID:2380
-
C:\Windows\SysWOW64\Eqcjaa32.exeC:\Windows\system32\Eqcjaa32.exe77⤵PID:2352
-
C:\Windows\SysWOW64\Ecbfmm32.exeC:\Windows\system32\Ecbfmm32.exe78⤵PID:2196
-
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe79⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Ejlnjg32.exeC:\Windows\system32\Ejlnjg32.exe80⤵PID:1508
-
C:\Windows\SysWOW64\Engjkeab.exeC:\Windows\system32\Engjkeab.exe81⤵PID:2228
-
C:\Windows\SysWOW64\Fphgbn32.exeC:\Windows\system32\Fphgbn32.exe82⤵PID:2376
-
C:\Windows\SysWOW64\Ffboohnm.exeC:\Windows\system32\Ffboohnm.exe83⤵PID:672
-
C:\Windows\SysWOW64\Fiakkcma.exeC:\Windows\system32\Fiakkcma.exe84⤵PID:2788
-
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe85⤵PID:3044
-
C:\Windows\SysWOW64\Fcfohlmg.exeC:\Windows\system32\Fcfohlmg.exe86⤵PID:1912
-
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe87⤵PID:2272
-
C:\Windows\SysWOW64\Fjqhef32.exeC:\Windows\system32\Fjqhef32.exe88⤵
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Fmodaadg.exeC:\Windows\system32\Fmodaadg.exe89⤵PID:1004
-
C:\Windows\SysWOW64\Ffghjg32.exeC:\Windows\system32\Ffghjg32.exe90⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Fiedfb32.exeC:\Windows\system32\Fiedfb32.exe91⤵PID:272
-
C:\Windows\SysWOW64\Fmaqgaae.exeC:\Windows\system32\Fmaqgaae.exe92⤵PID:476
-
C:\Windows\SysWOW64\Fppmcmah.exeC:\Windows\system32\Fppmcmah.exe93⤵PID:896
-
C:\Windows\SysWOW64\Ffiepg32.exeC:\Windows\system32\Ffiepg32.exe94⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Fihalb32.exeC:\Windows\system32\Fihalb32.exe95⤵PID:3020
-
C:\Windows\SysWOW64\Flfnhnfm.exeC:\Windows\system32\Flfnhnfm.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Fpbihl32.exeC:\Windows\system32\Fpbihl32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe98⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Facfpddd.exeC:\Windows\system32\Facfpddd.exe99⤵PID:2760
-
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe100⤵PID:2208
-
C:\Windows\SysWOW64\Glijnmdj.exeC:\Windows\system32\Glijnmdj.exe101⤵PID:1376
-
C:\Windows\SysWOW64\Gngfjicn.exeC:\Windows\system32\Gngfjicn.exe102⤵PID:1020
-
C:\Windows\SysWOW64\Gaebfdba.exeC:\Windows\system32\Gaebfdba.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Gjngoj32.exeC:\Windows\system32\Gjngoj32.exe105⤵PID:2536
-
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe106⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Gdflgo32.exeC:\Windows\system32\Gdflgo32.exe107⤵PID:1852
-
C:\Windows\SysWOW64\Gfdhck32.exeC:\Windows\system32\Gfdhck32.exe108⤵PID:2032
-
C:\Windows\SysWOW64\Gnlpeh32.exeC:\Windows\system32\Gnlpeh32.exe109⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Gajlac32.exeC:\Windows\system32\Gajlac32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Gfgdij32.exeC:\Windows\system32\Gfgdij32.exe111⤵PID:2712
-
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe112⤵PID:2752
-
C:\Windows\SysWOW64\Gmamfddp.exeC:\Windows\system32\Gmamfddp.exe113⤵PID:2856
-
C:\Windows\SysWOW64\Gpoibp32.exeC:\Windows\system32\Gpoibp32.exe114⤵
- System Location Discovery: System Language Discovery
PID:588 -
C:\Windows\SysWOW64\Gdkebolm.exeC:\Windows\system32\Gdkebolm.exe115⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Gjemoi32.exeC:\Windows\system32\Gjemoi32.exe116⤵PID:2020
-
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe117⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Hbpbck32.exeC:\Windows\system32\Hbpbck32.exe118⤵PID:592
-
C:\Windows\SysWOW64\Heonpf32.exeC:\Windows\system32\Heonpf32.exe119⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Hmefad32.exeC:\Windows\system32\Hmefad32.exe120⤵PID:1132
-
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe121⤵PID:1164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-