Analysis
-
max time kernel
116s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01-09-2024 09:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f113bda83df514ecfaed478a371a110N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8f113bda83df514ecfaed478a371a110N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
8f113bda83df514ecfaed478a371a110N.exe
-
Size
72KB
-
MD5
8f113bda83df514ecfaed478a371a110
-
SHA1
7aad380715b44c261e4a5a0a22f3f135685f56aa
-
SHA256
a2692faf9f8de9ae60e0eab59f4ec35f74df5c7116ed71ece19efdec9811ca30
-
SHA512
62dc499e7dfe5125434a07baff9574bf48dc547019ba11ec27dba49c286231907626ad68ea5e75c12f50c97f2afc282de71b272b989773467dca334aec706bef
-
SSDEEP
1536:e+0xuteAgJCOvAcT7kSo8JgsVipJ92LF6+lWCWQ+:enuteUyiHsKJOF6+bWQ+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keodflee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoamoefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbflqccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omekgakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijffhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhdfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldknmhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jemkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnknqpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojilqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombhgljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfgalcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eleliepj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfknjfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kommediq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfcik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbhibio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faimkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bineidcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkkeeikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahoamplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlnmjkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhblgim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhndcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khpaidpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiplecnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhmhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcljdpke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgpcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmbiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehopnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmojfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doocln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Popkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geeekf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnfjpib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pinnfonh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eponmmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adppdckh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljdlq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfppfcmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfamko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadhen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdnihiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efdmohmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbooen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabkla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aonjpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfalaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocbbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnelbdi.exe -
Executes dropped EXE 64 IoCs
pid Process 2364 Qhdfdb32.exe 2708 Qlpadaac.exe 2844 Qfifmghc.exe 1436 Aoakfl32.exe 1788 Afkccffq.exe 2616 Adncoc32.exe 756 Abachg32.exe 1504 Adppdckh.exe 2064 Agolpnjl.exe 3020 Ajmhljip.exe 2920 Aqgqid32.exe 2952 Agaifnhi.exe 2212 Ajoebigm.exe 1432 Adeiobgc.exe 1232 Afffgjma.exe 380 Ampncd32.exe 1076 Aonjpp32.exe 1864 Agebam32.exe 264 Bigohejb.exe 576 Bqngjcje.exe 2336 Bclcfnih.exe 1248 Bbocak32.exe 2472 Bjfkbhae.exe 2008 Biikne32.exe 2032 Bkghjq32.exe 2228 Bbapgknp.exe 1584 Bikhce32.exe 2812 Bnhqll32.exe 2728 Bfphmi32.exe 2344 Bineidcj.exe 2672 Bphmfo32.exe 2268 Bedene32.exe 2356 Bgcbja32.exe 1904 Bnmjgkpo.exe 3024 Cakfcfoc.exe 3052 Cgeopqfp.exe 2944 Cnogmk32.exe 2380 Cghkepdm.exe 1960 Cjfgalcq.exe 1968 Cmdcngbd.exe 2456 Cpcpjbah.exe 1908 Cmgpcg32.exe 2080 Cpemob32.exe 972 Cbcikn32.exe 2492 Cjkamk32.exe 2028 Cllmdcej.exe 1536 Ccceeqfl.exe 2276 Cbfeam32.exe 1708 Cedbmi32.exe 2188 Dlnjjc32.exe 2828 Dbhbfmkd.exe 2892 Degobhjg.exe 2152 Dhekodik.exe 2644 Dhekodik.exe 2808 Dplbpaim.exe 2972 Doocln32.exe 2052 Deikhhhe.exe 2872 Didgig32.exe 2848 Dlcceboa.exe 2960 Doapanne.exe 2148 Daplmimi.exe 2596 Dekhnh32.exe 2192 Dlepjbmo.exe 920 Dkhpfo32.exe -
Loads dropped DLL 64 IoCs
pid Process 1720 8f113bda83df514ecfaed478a371a110N.exe 1720 8f113bda83df514ecfaed478a371a110N.exe 2364 Qhdfdb32.exe 2364 Qhdfdb32.exe 2708 Qlpadaac.exe 2708 Qlpadaac.exe 2844 Qfifmghc.exe 2844 Qfifmghc.exe 1436 Aoakfl32.exe 1436 Aoakfl32.exe 1788 Afkccffq.exe 1788 Afkccffq.exe 2616 Adncoc32.exe 2616 Adncoc32.exe 756 Abachg32.exe 756 Abachg32.exe 1504 Adppdckh.exe 1504 Adppdckh.exe 2064 Agolpnjl.exe 2064 Agolpnjl.exe 3020 Ajmhljip.exe 3020 Ajmhljip.exe 2920 Aqgqid32.exe 2920 Aqgqid32.exe 2952 Agaifnhi.exe 2952 Agaifnhi.exe 2212 Ajoebigm.exe 2212 Ajoebigm.exe 1432 Adeiobgc.exe 1432 Adeiobgc.exe 1232 Afffgjma.exe 1232 Afffgjma.exe 380 Ampncd32.exe 380 Ampncd32.exe 1076 Aonjpp32.exe 1076 Aonjpp32.exe 1864 Agebam32.exe 1864 Agebam32.exe 264 Bigohejb.exe 264 Bigohejb.exe 576 Bqngjcje.exe 576 Bqngjcje.exe 2336 Bclcfnih.exe 2336 Bclcfnih.exe 1248 Bbocak32.exe 1248 Bbocak32.exe 2472 Bjfkbhae.exe 2472 Bjfkbhae.exe 2008 Biikne32.exe 2008 Biikne32.exe 2032 Bkghjq32.exe 2032 Bkghjq32.exe 2228 Bbapgknp.exe 2228 Bbapgknp.exe 1584 Bikhce32.exe 1584 Bikhce32.exe 2812 Bnhqll32.exe 2812 Bnhqll32.exe 2728 Bfphmi32.exe 2728 Bfphmi32.exe 2344 Bineidcj.exe 2344 Bineidcj.exe 2672 Bphmfo32.exe 2672 Bphmfo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kdjenkgh.exe Kegebn32.exe File created C:\Windows\SysWOW64\Dlfina32.exe Dihmae32.exe File created C:\Windows\SysWOW64\Ococgpfb.dll Eecgafkj.exe File opened for modification C:\Windows\SysWOW64\Eoqeekme.exe Ekeiel32.exe File opened for modification C:\Windows\SysWOW64\Iabcbg32.exe Imfgahao.exe File created C:\Windows\SysWOW64\Fkafkl32.dll Kblooa32.exe File opened for modification C:\Windows\SysWOW64\Kmbclj32.exe Kekkkm32.exe File created C:\Windows\SysWOW64\Omgdmenm.dll Kdjenkgh.exe File created C:\Windows\SysWOW64\Bkhppp32.dll Nmjicn32.exe File opened for modification C:\Windows\SysWOW64\Ojgokflc.exe Oldooi32.exe File created C:\Windows\SysWOW64\Hhhblgim.exe Hfjfpkji.exe File opened for modification C:\Windows\SysWOW64\Lnobfn32.exe Lkafib32.exe File created C:\Windows\SysWOW64\Ahgdbk32.exe Qdlialfb.exe File opened for modification C:\Windows\SysWOW64\Epmahmcm.exe Emnelbdi.exe File created C:\Windows\SysWOW64\Hobcok32.exe Hgkknm32.exe File created C:\Windows\SysWOW64\Afffgjma.exe Adeiobgc.exe File created C:\Windows\SysWOW64\Edenjc32.exe Epjbienl.exe File opened for modification C:\Windows\SysWOW64\Qbkljd32.exe Qlqdmj32.exe File created C:\Windows\SysWOW64\Hancef32.exe Hopgikop.exe File created C:\Windows\SysWOW64\Cloibnnc.dll Hcajjf32.exe File opened for modification C:\Windows\SysWOW64\Mbgela32.exe Mjpmkdpp.exe File opened for modification C:\Windows\SysWOW64\Mchadifq.exe Mdeaim32.exe File opened for modification C:\Windows\SysWOW64\Kkajkoml.exe Kfenjq32.exe File opened for modification C:\Windows\SysWOW64\Bfkakbpp.exe Boainhic.exe File created C:\Windows\SysWOW64\Jhcojn32.dll Cgjjdijo.exe File opened for modification C:\Windows\SysWOW64\Hdloab32.exe Hancef32.exe File opened for modification C:\Windows\SysWOW64\Bkghjq32.exe Biikne32.exe File created C:\Windows\SysWOW64\Goeoie32.dll Eiimci32.exe File created C:\Windows\SysWOW64\Hqbnnj32.exe Hbpmbndm.exe File created C:\Windows\SysWOW64\Hnjompcl.dll Jpcfih32.exe File created C:\Windows\SysWOW64\Bmmcnf32.dll Pdffcn32.exe File created C:\Windows\SysWOW64\Egmqcllm.dll Apdminod.exe File created C:\Windows\SysWOW64\Dfnleh32.dll Akbgdkgm.exe File created C:\Windows\SysWOW64\Bcgoolln.exe Bqhbcqmj.exe File opened for modification C:\Windows\SysWOW64\Cmbiap32.exe Cjdmee32.exe File created C:\Windows\SysWOW64\Aojngh32.dll Deljfqmf.exe File opened for modification C:\Windows\SysWOW64\Hkkaik32.exe Hcdihn32.exe File created C:\Windows\SysWOW64\Gielchpp.exe Gfgpgmql.exe File created C:\Windows\SysWOW64\Aenegl32.dll Cgkanomj.exe File created C:\Windows\SysWOW64\Obnnchia.dll Ipgpcc32.exe File opened for modification C:\Windows\SysWOW64\Oakcan32.exe Ojakdd32.exe File opened for modification C:\Windows\SysWOW64\Cilfka32.exe Cfmjoe32.exe File opened for modification C:\Windows\SysWOW64\Hmojfcdk.exe Hnljkf32.exe File created C:\Windows\SysWOW64\Jdaibo32.dll Cbcikn32.exe File opened for modification C:\Windows\SysWOW64\Gkaljdaf.exe Gmnlog32.exe File created C:\Windows\SysWOW64\Cggcja32.dll Jkdalb32.exe File opened for modification C:\Windows\SysWOW64\Odmgnl32.exe Naokbq32.exe File created C:\Windows\SysWOW64\Fondonbc.exe Fpkdca32.exe File opened for modification C:\Windows\SysWOW64\Nbodpo32.exe Nndhpqma.exe File created C:\Windows\SysWOW64\Hkdkhl32.exe Gheola32.exe File created C:\Windows\SysWOW64\Njobpa32.exe Nfcfob32.exe File created C:\Windows\SysWOW64\Eagdgaoe.exe Eiplecnc.exe File created C:\Windows\SysWOW64\Epmahmcm.exe Emnelbdi.exe File opened for modification C:\Windows\SysWOW64\Gheola32.exe Gegbpe32.exe File opened for modification C:\Windows\SysWOW64\Jalmcl32.exe Jjbdfbnl.exe File opened for modification C:\Windows\SysWOW64\Babbpc32.exe Bcobdgoj.exe File created C:\Windows\SysWOW64\Dcojbm32.exe Deljfqmf.exe File created C:\Windows\SysWOW64\Ahoamplo.exe Afqeaemk.exe File created C:\Windows\SysWOW64\Jligibpk.dll Obopobhe.exe File opened for modification C:\Windows\SysWOW64\Mcmkoi32.exe Mpaoojjb.exe File opened for modification C:\Windows\SysWOW64\Bblpae32.exe Bnqcaffa.exe File opened for modification C:\Windows\SysWOW64\Gpfggeai.exe Gacgli32.exe File opened for modification C:\Windows\SysWOW64\Ipgpcc32.exe Iadphghe.exe File created C:\Windows\SysWOW64\Imkqmh32.exe Iiodliep.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8764 8556 WerFault.exe 953 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doapanne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofpmegpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicmlpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfgpgmql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeold32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfookk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchpjddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llainlje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copljmpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggeiooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmfpnqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolpnjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deikhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgclcjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogddpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdcngbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaangfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijolbfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edenjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaljdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdbji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdincdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgchjhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccceeqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjbfhqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emailhfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfeep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpgee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdmohmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daplmimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kommediq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akjjifji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahlnmjkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8f113bda83df514ecfaed478a371a110N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbhbfmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcimop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqdaal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhpfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqeaemk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojeda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jemkai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnogmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elqcnfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naokbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agaifnhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpfbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmiknng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjikk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdolga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhopcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfijfdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdminod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkeol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kblooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdcebagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiinmnaa.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opkndldc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijhkembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caqpgp32.dll" Oikeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aednha32.dll" Boainhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhbncoj.dll" Hancef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhekodik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnffkn32.dll" Kpcbhlki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeqpjn32.dll" Hikobfgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefhpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjmolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoodlbd.dll" Cicggcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfenjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqlenpag.dll" Ljfckodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akhndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfbojek.dll" Gqcaoghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblpae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akmgoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgjjdijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feppqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbblpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeghb32.dll" Eplood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmiha32.dll" Cemebcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgbejj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcfioj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnlqemal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiledbch.dll" Ipimic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhgaan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqbnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plhfoe32.dll" Khkdmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbmd32.dll" Dkaihkih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdloab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gielchpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eojoelcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gielchpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnbldghq.dll" Jiinmnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnleh32.dll" Akbgdkgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojoelcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blgfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlpadaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgkpdifc.dll" Gbfklolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djffihmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leialh32.dll" Ijphqbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdcihfiq.dll" Kiqdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnagbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggbljogc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cincaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hngngo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilfadg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcgoolln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehdpcahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfhad32.dll" Qibhao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbapjpfp.dll" Ggmldj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikhce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbpmbndm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkiknb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpbhmiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adekhkng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqqdigko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjiibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhalelik.dll" Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchqamfp.dll" Iefeaj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1720 wrote to memory of 2364 1720 8f113bda83df514ecfaed478a371a110N.exe 30 PID 1720 wrote to memory of 2364 1720 8f113bda83df514ecfaed478a371a110N.exe 30 PID 1720 wrote to memory of 2364 1720 8f113bda83df514ecfaed478a371a110N.exe 30 PID 1720 wrote to memory of 2364 1720 8f113bda83df514ecfaed478a371a110N.exe 30 PID 2364 wrote to memory of 2708 2364 Qhdfdb32.exe 31 PID 2364 wrote to memory of 2708 2364 Qhdfdb32.exe 31 PID 2364 wrote to memory of 2708 2364 Qhdfdb32.exe 31 PID 2364 wrote to memory of 2708 2364 Qhdfdb32.exe 31 PID 2708 wrote to memory of 2844 2708 Qlpadaac.exe 32 PID 2708 wrote to memory of 2844 2708 Qlpadaac.exe 32 PID 2708 wrote to memory of 2844 2708 Qlpadaac.exe 32 PID 2708 wrote to memory of 2844 2708 Qlpadaac.exe 32 PID 2844 wrote to memory of 1436 2844 Qfifmghc.exe 33 PID 2844 wrote to memory of 1436 2844 Qfifmghc.exe 33 PID 2844 wrote to memory of 1436 2844 Qfifmghc.exe 33 PID 2844 wrote to memory of 1436 2844 Qfifmghc.exe 33 PID 1436 wrote to memory of 1788 1436 Aoakfl32.exe 34 PID 1436 wrote to memory of 1788 1436 Aoakfl32.exe 34 PID 1436 wrote to memory of 1788 1436 Aoakfl32.exe 34 PID 1436 wrote to memory of 1788 1436 Aoakfl32.exe 34 PID 1788 wrote to memory of 2616 1788 Afkccffq.exe 35 PID 1788 wrote to memory of 2616 1788 Afkccffq.exe 35 PID 1788 wrote to memory of 2616 1788 Afkccffq.exe 35 PID 1788 wrote to memory of 2616 1788 Afkccffq.exe 35 PID 2616 wrote to memory of 756 2616 Adncoc32.exe 36 PID 2616 wrote to memory of 756 2616 Adncoc32.exe 36 PID 2616 wrote to memory of 756 2616 Adncoc32.exe 36 PID 2616 wrote to memory of 756 2616 Adncoc32.exe 36 PID 756 wrote to memory of 1504 756 Abachg32.exe 37 PID 756 wrote to memory of 1504 756 Abachg32.exe 37 PID 756 wrote to memory of 1504 756 Abachg32.exe 37 PID 756 wrote to memory of 1504 756 Abachg32.exe 37 PID 1504 wrote to memory of 2064 1504 Adppdckh.exe 38 PID 1504 wrote to memory of 2064 1504 Adppdckh.exe 38 PID 1504 wrote to memory of 2064 1504 Adppdckh.exe 38 PID 1504 wrote to memory of 2064 1504 Adppdckh.exe 38 PID 2064 wrote to memory of 3020 2064 Agolpnjl.exe 39 PID 2064 wrote to memory of 3020 2064 Agolpnjl.exe 39 PID 2064 wrote to memory of 3020 2064 Agolpnjl.exe 39 PID 2064 wrote to memory of 3020 2064 Agolpnjl.exe 39 PID 3020 wrote to memory of 2920 3020 Ajmhljip.exe 40 PID 3020 wrote to memory of 2920 3020 Ajmhljip.exe 40 PID 3020 wrote to memory of 2920 3020 Ajmhljip.exe 40 PID 3020 wrote to memory of 2920 3020 Ajmhljip.exe 40 PID 2920 wrote to memory of 2952 2920 Aqgqid32.exe 41 PID 2920 wrote to memory of 2952 2920 Aqgqid32.exe 41 PID 2920 wrote to memory of 2952 2920 Aqgqid32.exe 41 PID 2920 wrote to memory of 2952 2920 Aqgqid32.exe 41 PID 2952 wrote to memory of 2212 2952 Agaifnhi.exe 42 PID 2952 wrote to memory of 2212 2952 Agaifnhi.exe 42 PID 2952 wrote to memory of 2212 2952 Agaifnhi.exe 42 PID 2952 wrote to memory of 2212 2952 Agaifnhi.exe 42 PID 2212 wrote to memory of 1432 2212 Ajoebigm.exe 43 PID 2212 wrote to memory of 1432 2212 Ajoebigm.exe 43 PID 2212 wrote to memory of 1432 2212 Ajoebigm.exe 43 PID 2212 wrote to memory of 1432 2212 Ajoebigm.exe 43 PID 1432 wrote to memory of 1232 1432 Adeiobgc.exe 44 PID 1432 wrote to memory of 1232 1432 Adeiobgc.exe 44 PID 1432 wrote to memory of 1232 1432 Adeiobgc.exe 44 PID 1432 wrote to memory of 1232 1432 Adeiobgc.exe 44 PID 1232 wrote to memory of 380 1232 Afffgjma.exe 45 PID 1232 wrote to memory of 380 1232 Afffgjma.exe 45 PID 1232 wrote to memory of 380 1232 Afffgjma.exe 45 PID 1232 wrote to memory of 380 1232 Afffgjma.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f113bda83df514ecfaed478a371a110N.exe"C:\Users\Admin\AppData\Local\Temp\8f113bda83df514ecfaed478a371a110N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Qfifmghc.exeC:\Windows\system32\Qfifmghc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Aoakfl32.exeC:\Windows\system32\Aoakfl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Afkccffq.exeC:\Windows\system32\Afkccffq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Adppdckh.exeC:\Windows\system32\Adppdckh.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:380 -
C:\Windows\SysWOW64\Aonjpp32.exeC:\Windows\system32\Aonjpp32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Agebam32.exeC:\Windows\system32\Agebam32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Bbocak32.exeC:\Windows\system32\Bbocak32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Bbapgknp.exeC:\Windows\system32\Bbapgknp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Bikhce32.exeC:\Windows\system32\Bikhce32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Bnhqll32.exeC:\Windows\system32\Bnhqll32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Bfphmi32.exeC:\Windows\system32\Bfphmi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Bineidcj.exeC:\Windows\system32\Bineidcj.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Bphmfo32.exeC:\Windows\system32\Bphmfo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Bedene32.exeC:\Windows\system32\Bedene32.exe33⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe34⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Bnmjgkpo.exeC:\Windows\system32\Bnmjgkpo.exe35⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Cakfcfoc.exeC:\Windows\system32\Cakfcfoc.exe36⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Cgeopqfp.exeC:\Windows\system32\Cgeopqfp.exe37⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Cnogmk32.exeC:\Windows\system32\Cnogmk32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe39⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Cjfgalcq.exeC:\Windows\system32\Cjfgalcq.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Cpcpjbah.exeC:\Windows\system32\Cpcpjbah.exe42⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe43⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe44⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Cbcikn32.exeC:\Windows\system32\Cbcikn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe46⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Cllmdcej.exeC:\Windows\system32\Cllmdcej.exe47⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Cbfeam32.exeC:\Windows\system32\Cbfeam32.exe49⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Cedbmi32.exeC:\Windows\system32\Cedbmi32.exe50⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe51⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Dbhbfmkd.exeC:\Windows\system32\Dbhbfmkd.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe53⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe55⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Dplbpaim.exeC:\Windows\system32\Dplbpaim.exe56⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Doocln32.exeC:\Windows\system32\Doocln32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe59⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Dlcceboa.exeC:\Windows\system32\Dlcceboa.exe60⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Doapanne.exeC:\Windows\system32\Doapanne.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Dekhnh32.exeC:\Windows\system32\Dekhnh32.exe63⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Dlepjbmo.exeC:\Windows\system32\Dlepjbmo.exe64⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Dkhpfo32.exeC:\Windows\system32\Dkhpfo32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe66⤵PID:2524
-
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe67⤵PID:2044
-
C:\Windows\SysWOW64\Ddqeodjj.exeC:\Windows\system32\Ddqeodjj.exe68⤵PID:1172
-
C:\Windows\SysWOW64\Dhlapc32.exeC:\Windows\system32\Dhlapc32.exe69⤵PID:1928
-
C:\Windows\SysWOW64\Dkkmln32.exeC:\Windows\system32\Dkkmln32.exe70⤵PID:1936
-
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe71⤵PID:2856
-
C:\Windows\SysWOW64\Dpgedepn.exeC:\Windows\system32\Dpgedepn.exe72⤵PID:2656
-
C:\Windows\SysWOW64\Ddcadd32.exeC:\Windows\system32\Ddcadd32.exe73⤵PID:2612
-
C:\Windows\SysWOW64\Ehonebqq.exeC:\Windows\system32\Ehonebqq.exe74⤵PID:2668
-
C:\Windows\SysWOW64\Eganqo32.exeC:\Windows\system32\Eganqo32.exe75⤵PID:308
-
C:\Windows\SysWOW64\Eipjmk32.exeC:\Windows\system32\Eipjmk32.exe76⤵PID:2716
-
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe77⤵PID:2936
-
C:\Windows\SysWOW64\Epjbienl.exeC:\Windows\system32\Epjbienl.exe78⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Edenjc32.exeC:\Windows\system32\Edenjc32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe80⤵PID:2096
-
C:\Windows\SysWOW64\Ekofgnna.exeC:\Windows\system32\Ekofgnna.exe81⤵PID:2156
-
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe82⤵PID:2176
-
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe83⤵
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Eplood32.exeC:\Windows\system32\Eplood32.exe84⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Ecjkkp32.exeC:\Windows\system32\Ecjkkp32.exe85⤵PID:1484
-
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe86⤵PID:1896
-
C:\Windows\SysWOW64\Eoalpaaa.exeC:\Windows\system32\Eoalpaaa.exe87⤵PID:2768
-
C:\Windows\SysWOW64\Eghdanac.exeC:\Windows\system32\Eghdanac.exe88⤵PID:3068
-
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe89⤵PID:2756
-
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe90⤵PID:2588
-
C:\Windows\SysWOW64\Eleliepj.exeC:\Windows\system32\Eleliepj.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Eocieq32.exeC:\Windows\system32\Eocieq32.exe92⤵PID:816
-
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe93⤵PID:1180
-
C:\Windows\SysWOW64\Eiimci32.exeC:\Windows\system32\Eiimci32.exe94⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe95⤵PID:2908
-
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe96⤵PID:560
-
C:\Windows\SysWOW64\Fcaaloed.exeC:\Windows\system32\Fcaaloed.exe97⤵PID:2428
-
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe98⤵PID:2312
-
C:\Windows\SysWOW64\Fljfdd32.exeC:\Windows\system32\Fljfdd32.exe99⤵PID:2804
-
C:\Windows\SysWOW64\Fkmfpabp.exeC:\Windows\system32\Fkmfpabp.exe100⤵PID:2900
-
C:\Windows\SysWOW64\Fnkblm32.exeC:\Windows\system32\Fnkblm32.exe101⤵PID:2800
-
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe102⤵PID:2888
-
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe103⤵PID:2664
-
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe104⤵PID:1420
-
C:\Windows\SysWOW64\Fnnobl32.exeC:\Windows\system32\Fnnobl32.exe105⤵PID:2332
-
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe106⤵PID:2956
-
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe107⤵PID:844
-
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe108⤵PID:1092
-
C:\Windows\SysWOW64\Fnplgl32.exeC:\Windows\system32\Fnplgl32.exe109⤵PID:2424
-
C:\Windows\SysWOW64\Fqnhcgma.exeC:\Windows\system32\Fqnhcgma.exe110⤵PID:1796
-
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe111⤵PID:2408
-
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe112⤵PID:2320
-
C:\Windows\SysWOW64\Fjfllm32.exeC:\Windows\system32\Fjfllm32.exe113⤵PID:2932
-
C:\Windows\SysWOW64\Fleihi32.exeC:\Windows\system32\Fleihi32.exe114⤵PID:2300
-
C:\Windows\SysWOW64\Fqqdigko.exeC:\Windows\system32\Fqqdigko.exe115⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Fcoaebjc.exeC:\Windows\system32\Fcoaebjc.exe116⤵PID:1268
-
C:\Windows\SysWOW64\Gjiibm32.exeC:\Windows\system32\Gjiibm32.exe117⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Gndebkii.exeC:\Windows\system32\Gndebkii.exe118⤵PID:2476
-
C:\Windows\SysWOW64\Gqcaoghl.exeC:\Windows\system32\Gqcaoghl.exe119⤵
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Gcankb32.exeC:\Windows\system32\Gcankb32.exe120⤵PID:2056
-
C:\Windows\SysWOW64\Ggmjkapi.exeC:\Windows\system32\Ggmjkapi.exe121⤵PID:1680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-