Analysis
max time kernel: 135s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-08-2024 23:56

Static task: static1
Behavioral task: behavioral1
  Sample: 80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe
  Resource: win10v2004-20240802-en

General
Target: 80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe
Size: 94KB
MD5: 74f462de65176effd4f27da99a9b8046
SHA1: a20717cadad65e891178af417aa507bd59cb9c2a
SHA256: 80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d
SHA512: 31b55c18b6bbf2c1d0887faf71397e44c69621ca2ca5cc627ae62b16e907211ebf09923c49f29cc4f8d7b0a5e4f63025c5d087585ebb3d7f666e2fb287acdcd3
SSDEEP: 1536:gVLb6Xsj8LnhNqE2LwaIZTJ+7LhkiB0MPiKeEAgv:gVLb6Xsj8zhNiwaMU7uihJ5v
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
All 64 entries touch one key. Abbreviations used in the ioc column:
  SSODL = \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  CLSID = {79FEACFF-FFCE-815E-A900-316290B5B738}
"Set value (str)" rows write the REG_SZ value SSODL\Web Event Logger with the CLSID as its data.

description     | ioc                            | Process
Key created     | SSODL                          | Libgpooi.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Agniok32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Deckfkof.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Dhidmlln.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Fllpegpl.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Pddmga32.exe
Key created     | SSODL                          | Hkoihahd.exe
Key created     | SSODL                          | Pjlldiji.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Lbhocegl.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Llbpbjlj.exe
Key created     | SSODL                          | Ngfqqa32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Onekoh32.exe
Key created     | SSODL                          | Pgplnmib.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Pcgmbnnf.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Aejfce32.exe
Key created     | SSODL                          | Fdbkoj32.exe
Key created     | SSODL                          | Ajoaqfjc.exe
Key created     | SSODL                          | Ncdgfaol.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Bnkfhcdj.exe
Key created     | SSODL                          | Mllchico.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Mllchico.exe
Key created     | SSODL                          | Mdqncffd.exe
Key created     | SSODL                          | Pddmga32.exe
Key created     | SSODL                          | Abngmihi.exe
Key created     | SSODL                          | Daolqa32.exe
Key created     | SSODL                          | Docmjf32.exe
Key created     | SSODL                          | Ngkjlpkj.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Dopijpab.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Acjjibbm.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Cknnchcl.exe
Key created     | SSODL                          | Megdfnhm.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Qgllil32.exe
Key created     | SSODL                          | Bjjalepf.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Kfeobe32.exe
Key created     | SSODL                          | Lpnlbi32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Faoegofo.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Fadobo32.exe
Key created     | SSODL                          | Hfifpj32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Ifgbahhe.exe
Key created     | SSODL                          | Lffhjcmb.exe
Key created     | SSODL                          | Lekekp32.exe
Key created     | SSODL                          | Blkdqnjd.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Foaikdgk.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Anedfffb.exe
Key created     | SSODL                          | Baicdncn.exe
Key created     | SSODL                          | Cdoeaili.exe
Key created     | SSODL                          | Odfqecdl.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Ocpgbodo.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Ngmgap32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Ddhhggdo.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Bbbphh32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Cacmecno.exe
Key created     | SSODL                          | Faabmodl.exe
Key created     | SSODL                          | Gmgoaeeo.exe
Key created     | SSODL                          | Jmkndq32.exe
Key created     | SSODL                          | Lbhocegl.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Oqonpdgn.exe
Key created     | SSODL                          | Bfcogecg.exe
Key created     | SSODL                          | Eogfeeoe.exe
Key created     | SSODL                          | Echkqcci.exe
Key created     | SSODL                          | Pfjcji32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Cfonbdij.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Cdjbpp32.exe
Key created     | SSODL                          | Mpjlngje.exe
Executes dropped EXE 64 IoCs
pid  | Process
3768 | Abimaj32.exe
8    | Acjjibbm.exe
5112 | Alaajobo.exe
5016 | Anpnfkac.exe
4540 | Aejfce32.exe
1916 | Ahhbpp32.exe
1840 | Ajfoll32.exe
5080 | Abngmihi.exe
3264 | Belcidgm.exe
1516 | Blfkeo32.exe
2216 | Bbpcbiff.exe
3528 | Bhmlkpdn.exe
620  | Bbbphh32.exe
1500 | Beqldd32.exe
456  | Blkdqnjd.exe
628  | Bbdmmh32.exe
1352 | Beciic32.exe
3672 | Blmafnhb.exe
4592 | Bbgich32.exe
3160 | Bajjodfi.exe
4564 | Beefocob.exe
1520 | Bhdbkonf.exe
3452 | Bkbngjmj.exe
4448 | Bonjhi32.exe
2984 | Cehbdcmp.exe
4052 | Cdjbpp32.exe
4088 | Caocjd32.exe
3052 | Chhkfn32.exe
2616 | Ckghbi32.exe
4812 | Cellpb32.exe
1628 | Chkhln32.exe
1296 | Ckidhi32.exe
5116 | Coephhok.exe
1920 | Cacmecno.exe
2064 | Chmeamfk.exe
632  | Cogmng32.exe
5040 | Cbbiofea.exe
4576 | Ceaekade.exe
1220 | Chpagmdi.exe
3124 | Cknnchcl.exe
4484 | Dbefdfco.exe
1424 | Decbqabb.exe
3512 | Dlmjmkjo.exe
5024 | Dolfigic.exe
3604 | Dajbebhf.exe
2968 | Dhdkbl32.exe
3960 | Doncofgp.exe
2928 | Damokbfd.exe
1664 | Ddklgmeg.exe
4228 | Dlbchkfj.exe
3384 | Daolqa32.exe
1892 | Dhidmlln.exe
1660 | Dkgqigka.exe
1064 | Docmjf32.exe
3944 | Ddpebm32.exe
2236 | Dhkackjk.exe
4304 | Dkjmogio.exe
4556 | Ecqepd32.exe
4664 | Eacelapl.exe
408  | Eeoalp32.exe
4508 | Edbbhlop.exe
816  | Ehnnhk32.exe
2548 | Ekljdf32.exe
2020 | Eogfeeoe.exe
Drops file in System32 directory 64 IoCs
description                  | ioc                                | Process
File created                 | C:\Windows\SysWOW64\Belcidgm.exe   | Abngmihi.exe
File created                 | C:\Windows\SysWOW64\Odcdpd32.exe   | Nlllof32.exe
File opened for modification | C:\Windows\SysWOW64\Pmmefd32.exe   | Pjnijihf.exe
File created                 | C:\Windows\SysWOW64\Ddpebm32.exe   | Docmjf32.exe
File opened for modification | C:\Windows\SysWOW64\Hoakioje.exe   | Hmcomdkb.exe
File created                 | C:\Windows\SysWOW64\Kpeilj32.exe   | Klimllcd.exe
File created                 | C:\Windows\SysWOW64\Diikmo32.dll   | Mllchico.exe
File created                 | C:\Windows\SysWOW64\Cmegcdno.dll   | Nlllof32.exe
File opened for modification | C:\Windows\SysWOW64\Aefbcogf.exe   | Anmjfe32.exe
File opened for modification | C:\Windows\SysWOW64\Blmafnhb.exe   | Beciic32.exe
File opened for modification | C:\Windows\SysWOW64\Pcgmbnnf.exe   | Pddmga32.exe
File created                 | C:\Windows\SysWOW64\Dnbdfk32.dll   | Caebpm32.exe
File created                 | C:\Windows\SysWOW64\Cellpb32.exe   | Ckghbi32.exe
File created                 | C:\Windows\SysWOW64\Eafbaqni.exe   | Eogfeeoe.exe
File created                 | C:\Windows\SysWOW64\Idffifni.dll   | Hmcomdkb.exe
File opened for modification | C:\Windows\SysWOW64\Jbcmahid.exe   | Jmfdiakl.exe
File created                 | C:\Windows\SysWOW64\Blfkeo32.exe   | Belcidgm.exe
File created                 | C:\Windows\SysWOW64\Gpkdonbn.dll   | Dbefdfco.exe
File created                 | C:\Windows\SysWOW64\Deddgb32.dll   | Klimllcd.exe
File opened for modification | C:\Windows\SysWOW64\Djpcnbmn.exe   | Dhagbfnj.exe
File opened for modification | C:\Windows\SysWOW64\Mgokpbeh.exe   | Mdqncffd.exe
File created                 | C:\Windows\SysWOW64\Pqfdac32.exe   | Pmjhpdil.exe
File created                 | C:\Windows\SysWOW64\Jedhei32.dll   | Cfkegd32.exe
File created                 | C:\Windows\SysWOW64\Bmddma32.exe   | Bjfhae32.exe
File created                 | C:\Windows\SysWOW64\Akopddaj.dll   | Anpnfkac.exe
File opened for modification | C:\Windows\SysWOW64\Elppii32.exe   | Eefhmobm.exe
File opened for modification | C:\Windows\SysWOW64\Edkdnkge.exe   | Eamhbp32.exe
File opened for modification | C:\Windows\SysWOW64\Foaikdgk.exe   | Elbmohhg.exe
File created                 | C:\Windows\SysWOW64\Anplga32.dll   | Ffddnm32.exe
File opened for modification | C:\Windows\SysWOW64\Lbmhod32.exe   | Lpnlbi32.exe
File created                 | C:\Windows\SysWOW64\Fenfbena.dll   | Mmkpbl32.exe
File created                 | C:\Windows\SysWOW64\Konjho32.dll   | Ehgqoj32.exe
File opened for modification | C:\Windows\SysWOW64\Lffhjcmb.exe   | Ldgkmhno.exe
File created                 | C:\Windows\SysWOW64\Cnopcb32.exe   | Cjddbcgk.exe
File created                 | C:\Windows\SysWOW64\Dffdcccb.exe   | Ddhhggdo.exe
File opened for modification | C:\Windows\SysWOW64\Bjhdgeai.exe   | Bfmhff32.exe
File created                 | C:\Windows\SysWOW64\Eeoalp32.exe   | Eacelapl.exe
File created                 | C:\Windows\SysWOW64\Hfbppkjm.exe   | Hbgdol32.exe
File created                 | C:\Windows\SysWOW64\Mbijgo32.dll   | Hbgdol32.exe
File created                 | C:\Windows\SysWOW64\Hcmgin32.exe   | Hoakioje.exe
File created                 | C:\Windows\SysWOW64\Jmkndq32.exe   | Jimenb32.exe
File opened for modification | C:\Windows\SysWOW64\Minglmdk.exe   | Mgokpbeh.exe
File created                 | C:\Windows\SysWOW64\Mmkpbl32.exe   | Mgageace.exe
File created                 | C:\Windows\SysWOW64\Ookhnoce.dll   | Abimaj32.exe
File opened for modification | C:\Windows\SysWOW64\Ffddnm32.exe   | Fcfhba32.exe
File created                 | C:\Windows\SysWOW64\Ldlehg32.exe   | Lmbmlmbl.exe
File created                 | C:\Windows\SysWOW64\Pkpbmggk.dll   | Mgokpbeh.exe
File opened for modification | C:\Windows\SysWOW64\Aebihpkl.exe   | Amkagb32.exe
File created                 | C:\Windows\SysWOW64\Olheph32.dll   | Bappnpkh.exe
File created                 | C:\Windows\SysWOW64\Dailkl32.exe   | Djpcnbmn.exe
File created                 | C:\Windows\SysWOW64\Jdiaok32.dll   | Chkhln32.exe
File created                 | C:\Windows\SysWOW64\Hdjmggnq.dll   | Fbfkhn32.exe
File opened for modification | C:\Windows\SysWOW64\Jeainchg.exe   | Jbcmahid.exe
File created                 | C:\Windows\SysWOW64\Lmijenkg.exe   | Lfoaid32.exe
File created                 | C:\Windows\SysWOW64\Peodfhjp.dll   | Bjfhae32.exe
File created                 | C:\Windows\SysWOW64\Dkjmogio.exe   | Dhkackjk.exe
File opened for modification | C:\Windows\SysWOW64\Imekbc32.exe   | Heocaf32.exe
File created                 | C:\Windows\SysWOW64\Bieplakc.dll   | Kmadepao.exe
File created                 | C:\Windows\SysWOW64\Lfanod32.exe   | Ldbbbh32.exe
File created                 | C:\Windows\SysWOW64\Lpnlbi32.exe   | Llbpbjlj.exe
File created                 | C:\Windows\SysWOW64\Ekljdf32.exe   | Ehnnhk32.exe
File created                 | C:\Windows\SysWOW64\Afafca32.dll   | Pnoneglj.exe
File opened for modification | C:\Windows\SysWOW64\Cenakl32.exe   | Cabfjmkc.exe
File opened for modification | C:\Windows\SysWOW64\Hfgjjj32.exe   | Hbknjkno.exe
Program crash 1 IoCs
pid   | pid_target | Process      | procid_target
10092 | 10004      | WerFault.exe | 440
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

All 64 entries are reads of the same value:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Processes that opened it (one IoC each):
Hiqllfiq.exe, Qdkcgqad.exe, Qcnccm32.exe, Cffkleae.exe, Eafbaqni.exe, Heocaf32.exe, Kdiolj32.exe, Mllchico.exe,
Bcgopjba.exe, Fekahn32.exe, Jempbd32.exe, Mpcenhpn.exe, Mcabjcoa.exe, Cdoeaili.exe, Fdbkoj32.exe, Flibpg32.exe,
Mepnfone.exe, Pgplnmib.exe, Ammnmbig.exe, Bnkfhcdj.exe, Chehfhhh.exe, Ehbgcjcc.exe, Hoakioje.exe, Mdehof32.exe,
Ofgmml32.exe, Qflpoi32.exe, Bjfhae32.exe, Fhimdi32.exe, Kianiamk.exe, Mnnlgkho.exe, Ncdgfaol.exe, Oqakfdek.exe,
Onekoh32.exe, Bappnpkh.exe, Ekqcpfbg.exe, Fccklail.exe, Cnmcnb32.exe, Cakpjn32.exe, Dopijpab.exe, Ajfoll32.exe,
Lfanod32.exe, Oloidfcj.exe, Ffddnm32.exe, Jlfhon32.exe, Lmbmlmbl.exe, Miiman32.exe, Ocmjlpfa.exe, Kidkoa32.exe,
Decbqabb.exe, Dkjmogio.exe, Ehgqoj32.exe, Gbmaim32.exe, Gkffacpo.exe, Icdmjm32.exe, Icfjpm32.exe, Kikappdq.exe,
Ldbbbh32.exe, Mgageace.exe, Danefkqe.exe, Blfkeo32.exe, Cacmecno.exe, Cknnchcl.exe, Doncofgp.exe, Kemhia32.exe
Modifies registry class 64 IoCs
All 64 entries are under the InProcServer32 key of the CLSID registered above. Abbreviation used in the ioc column:
  INPROC = \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
A row of the form INPROC\ = "..." (empty value name after the trailing backslash) sets the key's default value, which for InProcServer32 is the path of the COM server DLL; the DLL paths are shown with the doubled backslashes exactly as the sandbox rendered them.

description     | ioc                                                         | Process
Key created     | INPROC                                                      | Gdnjjh32.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Bhfgganp.dll"              | Onekoh32.exe
Key created     | INPROC                                                      | Aefbcogf.exe
Key created     | INPROC                                                      | Bfmhff32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Bbdmmh32.exe
Key created     | INPROC                                                      | Foaikdgk.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Imajkn32.dll"              | Hfifpj32.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Iaccjp32.dll"              | Ipmjen32.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Fihfck32.dll"              | Bmddma32.exe
Key created     | INPROC                                                      | Elbmohhg.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Faabmodl.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Fcfhba32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Hegmqg32.exe
Key created     | INPROC                                                      | Kidkoa32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Ncakqaqo.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Eeoalp32.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Kikdno32.dll"              | Ehnnhk32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Eafbaqni.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Lhpqdkqf.dll"              | Edkdnkge.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Albhmd32.dll"              | Hegmqg32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Hkdbca32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Mpcenhpn.exe
Key created     | INPROC                                                      | Ndjajeni.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Mohioc32.dll"              | Dhidmlln.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Chehfhhh.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Pkgfhh32.dll"              | Bbgich32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Doncofgp.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Icfjpm32.exe
Key created     | INPROC                                                      | Aejfce32.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Hnaofijo.dll"              | Ehbgcjcc.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Hnhblqgk.dll"              | Gfngdk32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Ogkcbn32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Cfkegd32.exe
Key created     | INPROC                                                      | Dhidmlln.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Alaajobo.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Jmkndq32.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Ookhnoce.dll"              | Abimaj32.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Blapfkad.dll"              | Oqakfdek.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Jocfhnnd.dll"              | Aqdqbaee.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Allndpio.dll"              | Chehfhhh.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Hmkpbinn.dll"              | Cdoeaili.exe
Key created     | INPROC                                                      | Gofkmadc.exe
Key created     | INPROC                                                      | Dkgqigka.exe
Key created     | INPROC                                                      | Lbhocegl.exe
Key created     | INPROC                                                      | Bjjalepf.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Cphmigqk.dll"              | Cehbdcmp.exe
Key created     | INPROC                                                      | Hkoihahd.exe
Key created     | INPROC                                                      | Fccklail.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Foceqceh.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Helflfkp.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Ghnelogk.dll"              | Miiman32.exe
Key created     | INPROC                                                      | Pqcgkc32.exe
Key created     | INPROC                                                      | Qmfhlcoo.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Bonjhi32.exe
Key created     | INPROC                                                      | Amkagb32.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Lffhjcmb.exe
Key created     | INPROC                                                      | Elppii32.exe
Set value (str) | INPROC\ = "C:\\Windows\\SysWow64\\Jkkmldbd.dll"              | Lmijenkg.exe
Key created     | INPROC                                                      | Anpnfkac.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Eacelapl.exe
Key created     | INPROC                                                      | Fhljjiki.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Kpeilj32.exe
Key created     | INPROC                                                      | Nlefngkd.exe
Set value (str) | INPROC\ThreadingModel = "Apartment"                         | Bappnpkh.exe
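The "Adds autorun key", "Drops file in System32 directory" and "Modifies registry class" tables describe a single persistence mechanism: a value under ShellServiceObjectDelayLoad names a CLSID, that CLSID's InProcServer32 default value names a DLL in SysWow64, and the file-drop table shows the sample's own processes writing those DLLs. Explorer loads the objects listed under ShellServiceObjectDelayLoad in-process when the shell starts, so whichever DLL the CLSID last pointed at runs at every logon. The script below is an added example and is not part of the sandbox report or of any tool it uses. It parses a handful of records copied from the tables above, in the sandbox's flattened "description ioc Process" layout (the layout is inferred from this page, not from a documented schema), joins them on the CLSID, and flags SSODL value names that are not in an assumed clean-image baseline (BASELINE_SSODL, which here contains only WebCheck and should be captured from a known-good host of the same build).

```python
"""Correlate three signature tables from this report: the ShellServiceObjectDelayLoad (SSODL)
value that names a CLSID, the CLSID\InProcServer32 values that point it at a DLL, and the
"Drops file in System32 directory" records that show which process wrote that DLL.
Input is the flattened "description ioc Process" text as the sandbox renders it."""
import re
from collections import defaultdict

SSODL_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad")

# Assumption: the SSODL value names present on a clean image of this OS build. Capture it
# from a known-good host; it is not taken from the report and may differ on other builds.
BASELINE_SSODL = {"WebCheck"}

# Constructed sample: records copied from the report's tables, one per line, keeping the
# sandbox's doubled backslashes inside quoted REG_SZ data.
SAMPLE = r'''
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libgpooi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agniok32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deckfkof.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdnjjh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfgganp.dll" Onekoh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbdmmh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ookhnoce.dll" Abimaj32.exe
File created C:\Windows\SysWOW64\Ookhnoce.dll Abimaj32.exe
File created C:\Windows\SysWOW64\Belcidgm.exe Abngmihi.exe
'''

# "key" is everything up to the last backslash before ' = "'; "name" is the value name,
# which is empty for a key's default value.
SET_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\=]*?) = "(?P<data>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File (?P<action>created|opened for modification) (?P<path>[A-Za-z]:\\\S+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$')


def parse_records(text):
    """Return dicts with kind in {"set", "create", "file"}; lines in another shape are skipped."""
    recs = []
    for line in text.strip().splitlines():
        if m := SET_RE.match(line):
            recs.append({"kind": "set", "key": m["key"], "name": m["name"],
                         "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]})
        elif m := KEY_RE.match(line):
            recs.append({"kind": "create", "key": m["key"], "proc": m["proc"]})
        elif m := FILE_RE.match(line):
            recs.append({"kind": "file", "action": m["action"], "path": m["path"], "proc": m["proc"]})
    return recs


def correlate(recs):
    """Map (ssodl_value_name, clsid) -> what Explorer would load for it and which processes wrote it."""
    ssodl = {}                           # value name -> [clsid, set of writer processes]
    inproc = defaultdict(lambda: {"dlls": set(), "threading": set(), "writers": set()})
    dropped = {}                         # lower-cased path -> process that created it
    for r in recs:
        if r["kind"] == "file" and r["action"] == "created":
            dropped[r["path"].lower()] = r["proc"]
        elif r["kind"] == "set" and r["key"].lower() == SSODL_KEY.lower():
            ssodl.setdefault(r["name"], [r["data"].upper(), set()])[1].add(r["proc"])
        elif r["kind"] == "set" and (m := CLSID_RE.search(r["key"])):
            e = inproc[m[1].upper()]
            e["writers"].add(r["proc"])
            if r["name"] == "":          # default value of InProcServer32: the server DLL path
                e["dlls"].add(r["data"])
            elif r["name"].lower() == "threadingmodel":
                e["threading"].add(r["data"])
    out = {}
    for name, (clsid, writers) in ssodl.items():
        e = inproc.get(clsid, {"dlls": set(), "threading": set(), "writers": set()})
        out[(name, clsid)] = {
            "dlls": sorted(e["dlls"]),
            "threading": sorted(e["threading"]),
            "ssodl_writers": sorted(writers),
            "clsid_writers": sorted(e["writers"]),
            # DLLs that the file-drop table shows were written by the sample's own processes
            "dropped_by": {d: dropped[d.lower()] for d in sorted(e["dlls"]) if d.lower() in dropped},
        }
    return out


def flag_unexpected(correlated):
    """SSODL entries outside the baseline, as (value name, clsid, dll) triples to hunt for."""
    hits = []
    for (name, clsid), e in sorted(correlated.items()):
        if name in BASELINE_SSODL:
            continue
        for dll in e["dlls"] or [None]:
            hits.append((name, clsid, dll))
    return hits


if __name__ == "__main__":
    correlated = correlate(parse_records(SAMPLE))
    for (name, clsid), e in correlated.items():
        print(f'SSODL "{name}" -> {clsid} (set by {", ".join(e["ssodl_writers"])})')
        for dll in e["dlls"]:
            print(f"    InProcServer32 -> {dll} dropped by {e['dropped_by'].get(dll, 'unknown')}")
    for hit in flag_unexpected(correlated):
        print("FLAG", hit)
```

On a live host the same join can be done against the registry and the file system instead of report text: enumerate the value names under ShellServiceObjectDelayLoad (both the native and the WOW6432Node view), resolve each CLSID's InProcServer32 default value, and treat any DLL path that is not part of the baseline as the artifact to collect.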
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-child pair below appears three times in the original listing (three WriteProcessMemory calls from the parent into its newly created child, collapsed here into the Calls column); procid_target is the sandbox's internal identifier for the target process. The listing is capped at 64 IoCs, which is why it ends at Beefocob.exe with a single recorded call.
Parent PID  Parent process  Target PID  procid_target  Calls
1580  80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe  3768  83  3
3768  Abimaj32.exe  8  84  3
8  Acjjibbm.exe  5112  85  3
5112  Alaajobo.exe  5016  86  3
5016  Anpnfkac.exe  4540  87  3
4540  Aejfce32.exe  1916  88  3
1916  Ahhbpp32.exe  1840  89  3
1840  Ajfoll32.exe  5080  90  3
5080  Abngmihi.exe  3264  92  3
3264  Belcidgm.exe  1516  93  3
1516  Blfkeo32.exe  2216  94  3
2216  Bbpcbiff.exe  3528  96  3
3528  Bhmlkpdn.exe  620  97  3
620  Bbbphh32.exe  1500  98  3
1500  Beqldd32.exe  456  99  3
456  Blkdqnjd.exe  628  101  3
628  Bbdmmh32.exe  1352  102  3
1352  Beciic32.exe  3672  103  3
3672  Blmafnhb.exe  4592  104  3
4592  Bbgich32.exe  3160  105  3
3160  Bajjodfi.exe  4564  106  3
4564  Beefocob.exe  1520  107  1
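The two IoC listings above (the CLSID\InProcServer32 registry writes that back the ShellServiceObjectDelayLoad entry, and the WriteProcessMemory records that trace the spawn chain) are much easier to reason about once parsed. The following Python is an added example, not part of the sandbox report or of the analysed sample: it parses lines in the report's own flattened format (the sample lines inside it are constructed from entries in the report), joins the SSODL value name to its CLSID and to every DLL written as that CLSID's InProcServer32 default (the DLL Explorer.exe will load at logon), rebuilds the parent-to-child chain from the "wrote to memory" records, and flags SSODL names outside a baseline. The baseline (only "WebCheck" on a clean Windows 10) is an assumption of this example, not something the report states.

```python
"""Parse flattened sandbox IoC lines into structured records.

Added example; not part of the sandbox report or of the analysed sample.
Sample inputs below are constructed from entries in the report's own format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: "Adds autorun key" / "Modifies registry class" entries,
# one per line (the web page runs them together on a single line).
REGISTRY_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agniok32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqcgkc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Helflfkp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnelogk.dll" Miiman32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkmldbd.dll" Lmijenkg.exe
"""

# Constructed sample: the first three spawns of the "wrote to memory" table.
WPM_IOCS = """
PID 1580 wrote to memory of 3768 1580 80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe 83
PID 1580 wrote to memory of 3768 1580 80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe 83
PID 1580 wrote to memory of 3768 1580 80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe 83
PID 3768 wrote to memory of 8 3768 Abimaj32.exe 84
PID 3768 wrote to memory of 8 3768 Abimaj32.exe 84
PID 3768 wrote to memory of 8 3768 Abimaj32.exe 84
PID 8 wrote to memory of 5112 8 Acjjibbm.exe 85
PID 8 wrote to memory of 5112 8 Acjjibbm.exe 85
PID 8 wrote to memory of 5112 8 Acjjibbm.exe 85
"""

# The process image is always the last whitespace-free token on a registry line.
REG_LINE = re.compile(r"^(?P<op>Key created|Set value \(\w+\)) (?P<desc>.+?) (?P<proc>\S+\.exe)$")
WPM_LINE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) (?P<image>\S+) (?P<target>\d+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SSODL = "\\ShellServiceObjectDelayLoad\\"


@dataclass(frozen=True)
class RegEvent:
    op: str               # "Key created" or "Set value"
    path: str             # registry path; a trailing "\" denotes the key's default value
    value: Optional[str]  # data written, with the report's doubled backslashes collapsed
    process: str          # image name of the dropped stage that made the change


def parse_registry_iocs(text: str) -> List[RegEvent]:
    events = []
    for line in text.strip().splitlines():
        m = REG_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised registry IoC line: {line!r}")
        op, desc, value = m["op"], m["desc"], None
        if op.startswith("Set value"):
            desc, _, raw = desc.rpartition(" = ")
            value = raw.strip('"').replace("\\\\", "\\")
            op = "Set value"
        events.append(RegEvent(op, desc, value, m["proc"]))
    return events


def persistence_chain(events: List[RegEvent]) -> Dict[str, Tuple[str, List[str]]]:
    """SSODL value name -> (CLSID, DLLs written as that CLSID's InProcServer32 default).

    Explorer.exe instantiates every CLSID listed under ShellServiceObjectDelayLoad
    at logon, so the InProcServer32 default value is the DLL that actually loads.
    """
    dlls: Dict[str, set] = {}
    for e in events:
        if e.op == "Set value" and e.path.endswith("\\InProcServer32\\"):
            clsid = CLSID.search(e.path)
            if clsid and e.value:
                dlls.setdefault(clsid.group(0).upper(), set()).add(e.value)
    chain = {}
    for e in events:
        if e.op == "Set value" and SSODL in e.path and e.value:
            name = e.path.rsplit("\\", 1)[1]
            clsid = e.value.upper()
            chain[name] = (clsid, sorted(dlls.get(clsid, ())))
    return chain


# Assumption (not from the report): a clean Windows 10 carries a single SSODL
# entry, "WebCheck". Any other name is worth investigating.
BASELINE_SSODL = frozenset({"WebCheck"})


def triage_ssodl(chain, baseline=BASELINE_SSODL):
    return {name: entry for name, entry in chain.items() if name not in baseline}


def spawn_chain(text: str) -> List[Tuple[int, str, int, int]]:
    """Rebuild the linear parent->child chain from 'wrote to memory' records.

    Returns [(parent_pid, parent_image, child_pid, writeprocessmemory_calls), ...]
    from the root down. Follows one child per parent, which is all this report shows.
    """
    child_of: Dict[int, int] = {}
    image_of: Dict[int, str] = {}
    calls: Counter = Counter()
    for line in text.strip().splitlines():
        m = WPM_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory line: {line!r}")
        parent, child = int(m["parent"]), int(m["child"])
        child_of.setdefault(parent, child)
        image_of[parent] = m["image"]
        calls[(parent, child)] += 1
    roots = [p for p in child_of if p not in child_of.values()]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid = [], roots[0]
    while pid in child_of:
        child = child_of[pid]
        chain.append((pid, image_of[pid], child, calls[(pid, child)]))
        pid = child
    return chain


if __name__ == "__main__":
    for name, (clsid, dll_list) in triage_ssodl(persistence_chain(parse_registry_iocs(REGISTRY_IOCS))).items():
        print(f"SSODL {name!r} -> {clsid} -> {dll_list}")
    for parent, image, child, n in spawn_chain(WPM_IOCS):
        print(f"{image} (PID {parent}) -> PID {child}: {n} WriteProcessMemory calls")
```

Because different stages write different DLL names to the same CLSID default value, `persistence_chain` keeps every DLL seen rather than assuming the listing is chronological; on a live host the same join can be done against the registry itself (SSODL name, then HKCR\CLSID\{clsid}\InProcServer32) and any non-baseline name whose DLL sits in SysWOW64 under an unfamiliar name is the persistence artefact to pull.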
Processes
-
Process tree. Level is the nesting depth: each stage spawns the next, 122 levels deep. The root is the submitted sample; every later stage is launched with the command line C:\Windows\system32\<name>.exe and, because the process is 32-bit, WOW64 file system redirection resolves that to the image C:\Windows\SysWOW64\<name>.exe, which is where the dropped file actually lives. Signatures are the sandbox's own labels for each process.
Level  PID  Image  Signatures
1  1580  C:\Users\Admin\AppData\Local\Temp\80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe (command line "C:\Users\Admin\AppData\Local\Temp\80fb4a4836295ba8a6135b122f5e389bb5191638bc0dd540b5ec26bf3bfa784d.exe")  Suspicious use of WriteProcessMemory
2  3768  Abimaj32.exe  Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
3  8  Acjjibbm.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
4  5112  Alaajobo.exe  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
5  5016  Anpnfkac.exe  Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
6  4540  Aejfce32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
7  1916  Ahhbpp32.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  1840  Ajfoll32.exe  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9  5080  Abngmihi.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10  3264  Belcidgm.exe  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
11  1516  Blfkeo32.exe  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
12  2216  Bbpcbiff.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  3528  Bhmlkpdn.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  620  Bbbphh32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
15  1500  Beqldd32.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  456  Blkdqnjd.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
17  628  Bbdmmh32.exe  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
18  1352  Beciic32.exe  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
19  3672  Blmafnhb.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
20  4592  Bbgich32.exe  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
21  3160  Bajjodfi.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
22  4564  Beefocob.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
23  1520  Bhdbkonf.exe  Executes dropped EXE
24  3452  Bkbngjmj.exe  Executes dropped EXE
25  4448  Bonjhi32.exe  Executes dropped EXE; Modifies registry class
26  2984  Cehbdcmp.exe  Executes dropped EXE; Modifies registry class
27  4052  Cdjbpp32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
28  4088  Caocjd32.exe  Executes dropped EXE
29  3052  Chhkfn32.exe  Executes dropped EXE
30  2616  Ckghbi32.exe  Executes dropped EXE; Drops file in System32 directory
31  4812  Cellpb32.exe  Executes dropped EXE
32  1628  Chkhln32.exe  Executes dropped EXE; Drops file in System32 directory
33  1296  Ckidhi32.exe  Executes dropped EXE
34  5116  Coephhok.exe  Executes dropped EXE
35  1920  Cacmecno.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
36  2064  Chmeamfk.exe  Executes dropped EXE
37  632  Cogmng32.exe  Executes dropped EXE
38  5040  Cbbiofea.exe  Executes dropped EXE
39  4576  Ceaekade.exe  Executes dropped EXE
40  1220  Chpagmdi.exe  Executes dropped EXE
41  3124  Cknnchcl.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
42  4484  Dbefdfco.exe  Executes dropped EXE; Drops file in System32 directory
43  1424  Decbqabb.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
44  3512  Dlmjmkjo.exe  Executes dropped EXE
45  5024  Dolfigic.exe  Executes dropped EXE
46  3604  Dajbebhf.exe  Executes dropped EXE
47  2968  Dhdkbl32.exe  Executes dropped EXE
48  3960  Doncofgp.exe  Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
49  2928  Damokbfd.exe  Executes dropped EXE
50  1664  Ddklgmeg.exe  Executes dropped EXE
51  4228  Dlbchkfj.exe  Executes dropped EXE
52  3384  Daolqa32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
53  1892  Dhidmlln.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
54  1660  Dkgqigka.exe  Executes dropped EXE; Modifies registry class
55  1064  Docmjf32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
56  3944  Ddpebm32.exe  Executes dropped EXE
57  2236  Dhkackjk.exe  Executes dropped EXE; Drops file in System32 directory
58  4304  Dkjmogio.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
59  4556  Ecqepd32.exe  Executes dropped EXE
60  4664  Eacelapl.exe  Executes dropped EXE; Drops file in System32 directory; Modifies registry class
61  408  Eeoalp32.exe  Executes dropped EXE; Modifies registry class
62  4508  Edbbhlop.exe  Executes dropped EXE
63  816  Ehnnhk32.exe  Executes dropped EXE; Drops file in System32 directory; Modifies registry class
64  2548  Ekljdf32.exe  Executes dropped EXE
65  2020  Eogfeeoe.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
66  2624  Eafbaqni.exe  System Location Discovery: System Language Discovery; Modifies registry class
67  2856  Eeanao32.exe  (none recorded)
68  4288  Eddomlmm.exe  (none recorded)
69  1780  Elkfnino.exe  (none recorded)
70  4732  Ehbgcjcc.exe  System Location Discovery: System Language Discovery; Modifies registry class
71  4320  Ekqcpfbg.exe  System Location Discovery: System Language Discovery
72  4648  Echkqcci.exe  Adds autorun key to be loaded by Explorer.exe on startup
73  4140  Eefhmobm.exe  Drops file in System32 directory
74  5012  Elppii32.exe  Modifies registry class
75  4936  Ekcpeeqd.exe  (none recorded)
76  3064  Eamhbp32.exe  Drops file in System32 directory
77  2676  Edkdnkge.exe  Modifies registry class
78  4164  Ehgqoj32.exe  Drops file in System32 directory; System Location Discovery: System Language Discovery
79  3976  Elbmohhg.exe  Drops file in System32 directory; Modifies registry class
80  672  Foaikdgk.exe  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
81  4296  Faoegofo.exe  Adds autorun key to be loaded by Explorer.exe on startup
82  1940  Fekahn32.exe  System Location Discovery: System Language Discovery
83  4800  Fhimdi32.exe  System Location Discovery: System Language Discovery
84  1952  Foceqceh.exe  Modifies registry class
85  1092  Faabmodl.exe  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
86  1488  Fhljjiki.exe  Modifies registry class
87  2136  Fkjffdjl.exe  (none recorded)
88  1968  Foebfc32.exe  (none recorded)
89  4784  Fcangbko.exe  (none recorded)
90  3188  Fadobo32.exe  Adds autorun key to be loaded by Explorer.exe on startup
91  2056  Fdbkoj32.exe  Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
92  4740  Flibpg32.exe  System Location Discovery: System Language Discovery
93  2448  Fccklail.exe  System Location Discovery: System Language Discovery; Modifies registry class
94  1240  Fbfkhn32.exe  Drops file in System32 directory
95  5132  Fllpegpl.exe  Adds autorun key to be loaded by Explorer.exe on startup
96  5208  Fcfhba32.exe  Drops file in System32 directory; Modifies registry class
97  5268  Ffddnm32.exe  Drops file in System32 directory; System Location Discovery: System Language Discovery
98  5308  Fhbpjh32.exe  (none recorded)
99  5352  Gomhgbmn.exe  (none recorded)
100  5392  Gdiaoike.exe  (none recorded)
101  5436  Gcjamqcd.exe  (none recorded)
102  5484  Gbmaim32.exe  System Location Discovery: System Language Discovery
103  5528  Gkffacpo.exe  System Location Discovery: System Language Discovery
104  5580  Gdnjjh32.exe  Modifies registry class
105  5624  Gcojhp32.exe  (none recorded)
106  5668  Gfngdk32.exe  Modifies registry class
107  5712  Gmgoaeeo.exe  Adds autorun key to be loaded by Explorer.exe on startup
108  5756  Gkjomb32.exe  (none recorded)
109  5800  Gofkmadc.exe  Modifies registry class
110  5844  Gcagnp32.exe  (none recorded)
111  5888  Gfpcjk32.exe  (none recorded)
112  5932  Ginpff32.exe  (none recorded)
113  5976  Hohhbq32.exe  (none recorded)
114  6020  Hbgdol32.exe  Drops file in System32 directory
115  6064  Hfbppkjm.exe  (none recorded)
116  6108  Hiqllfiq.exe  System Location Discovery: System Language Discovery
117  4856  Hkoihahd.exe  Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
118  5228  Hokdhp32.exe  (none recorded)
119  5296  Hbiadl32.exe  (none recorded)
120  5380  Hegmqg32.exe  Modifies registry class
121  5448  Hiciafgn.exe  (none recorded)
122  5524  Hkaemafa.exe  (none recorded)