Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-09-2024 06:43
Behavioral task
behavioral1
Sample
f832c77f402e2d7ae3b06625c5a1a490N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
f832c77f402e2d7ae3b06625c5a1a490N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
f832c77f402e2d7ae3b06625c5a1a490N.exe
-
Size
337KB
-
MD5
f832c77f402e2d7ae3b06625c5a1a490
-
SHA1
14c2966f7f1a4073abe4899b4f35d650406acaae
-
SHA256
83b20199b613ed6550325545ee8143e17c9a30c9cd2f78d277e9f0bd0212cefc
-
SHA512
ac40d73f7751e3ff7e32d57bb06365ab66d5102343d3118b5e179e8016a5b4a3fb3ca833f0ebb551dc8111eb2b620617b2fb9e893eaea07b585357360c0ebd64
-
SSDEEP
3072:b08tQwBlCCPTpgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:bHtjBlCC7p1+fIyG5jZkCwi8r
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibjqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfiokmkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noppeaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcikejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndgfpbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nblolm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofefp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiccje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhifomdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmfnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmhqapg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpdnjple.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejhef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedlip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgbqkhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbphglbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajhndkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkifmjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqgaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooclapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnibokbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckgohf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhckcgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooibkpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objkmkjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpadhll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbgmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehmmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbojlfdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmmplad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaclqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeocna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loofnccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfegk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loacdc32.exe -
Executes dropped EXE 64 IoCs
pid Process 4016 Pmblagmf.exe 3776 Qhhpop32.exe 464 Qjfmkk32.exe 2772 Qaqegecm.exe 3016 Qdoacabq.exe 4148 Qfmmplad.exe 3992 Qodeajbg.exe 736 Qmgelf32.exe 3196 Qpeahb32.exe 1652 Ahmjjoig.exe 4056 Akkffkhk.exe 4288 Aknbkjfh.exe 4040 Aagkhd32.exe 1040 Ahaceo32.exe 2312 Aajhndkb.exe 1796 Ahdpjn32.exe 1048 Amqhbe32.exe 220 Adkqoohc.exe 4568 Aopemh32.exe 5004 Amcehdod.exe 384 Bkgeainn.exe 1056 Baannc32.exe 2492 Bpdnjple.exe 2916 Bkibgh32.exe 4756 Bmhocd32.exe 1800 Bdagpnbk.exe 3708 Bogkmgba.exe 2128 Bddcenpi.exe 4668 Boihcf32.exe 1676 Bdfpkm32.exe 3048 Bgelgi32.exe 3532 Bnoddcef.exe 1972 Chdialdl.exe 2416 Ckbemgcp.exe 4600 Conanfli.exe 5068 Cammjakm.exe 540 Cdkifmjq.exe 4876 Chfegk32.exe 4492 Ckebcg32.exe 1828 Cncnob32.exe 1884 Cpbjkn32.exe 1864 Cglbhhga.exe 4504 Ckgohf32.exe 4708 Caageq32.exe 1224 Cdpcal32.exe 4908 Cgnomg32.exe 436 Coegoe32.exe 3764 Cnhgjaml.exe 4612 Cpfcfmlp.exe 4936 Chnlgjlb.exe 3684 Cklhcfle.exe 976 Cnjdpaki.exe 4388 Dafppp32.exe 3952 Dhphmj32.exe 3932 Dgcihgaj.exe 3312 Dnmaea32.exe 1468 Dahmfpap.exe 1528 Dhbebj32.exe 2184 Dolmodpi.exe 1584 Dqnjgl32.exe 4804 Dggbcf32.exe 632 Doojec32.exe 1504 Damfao32.exe 4444 Dgjoif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eqgmmk32.exe Eoepebho.exe File created C:\Windows\SysWOW64\Bcoaln32.dll Eohmkb32.exe File created C:\Windows\SysWOW64\Ofblbapl.dll Fgmdec32.exe File created C:\Windows\SysWOW64\Glllagck.dll Ljbnfleo.exe File created C:\Windows\SysWOW64\Pblajhje.exe Ppnenlka.exe File created C:\Windows\SysWOW64\Ahaceo32.exe Aagkhd32.exe File created C:\Windows\SysWOW64\Foapaa32.exe Figgdg32.exe File created C:\Windows\SysWOW64\Ipamlopb.dll Llnnmhfe.exe File opened for modification C:\Windows\SysWOW64\Momcpa32.exe Mhckcgpj.exe File opened for modification C:\Windows\SysWOW64\Qhhpop32.exe Pmblagmf.exe File opened for modification C:\Windows\SysWOW64\Eohmkb32.exe Eklajcmc.exe File opened for modification C:\Windows\SysWOW64\Mpeiie32.exe Mhoahh32.exe File created C:\Windows\SysWOW64\Qjfmkk32.exe Qhhpop32.exe File created C:\Windows\SysWOW64\Mlcdqdie.dll Qmgelf32.exe File opened for modification C:\Windows\SysWOW64\Iefphb32.exe Iajdgcab.exe File opened for modification C:\Windows\SysWOW64\Enmjlojd.exe Ekonpckp.exe File created C:\Windows\SysWOW64\Ffeifdjo.dll Fajbjh32.exe File created C:\Windows\SysWOW64\Gokbgpeg.exe Fkofga32.exe File created C:\Windows\SysWOW64\Ceknlgnl.dll Glhimp32.exe File created C:\Windows\SysWOW64\Deocpk32.dll Iijfhbhl.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Chdialdl.exe File created C:\Windows\SysWOW64\Damfao32.exe Doojec32.exe File opened for modification C:\Windows\SysWOW64\Fnkfmm32.exe Fohfbpgi.exe File opened for modification C:\Windows\SysWOW64\Klbnajqc.exe Khgbqkhj.exe File created C:\Windows\SysWOW64\Aoibcl32.dll Dqbcbkab.exe File created C:\Windows\SysWOW64\Ojehbail.dll Fiqjke32.exe File created C:\Windows\SysWOW64\Ehfomc32.dll Klndfj32.exe File created C:\Windows\SysWOW64\Qfmmplad.exe Qdoacabq.exe File created C:\Windows\SysWOW64\Adkqoohc.exe Amqhbe32.exe File created C:\Windows\SysWOW64\Pekihfdc.dll Jhplpl32.exe File created C:\Windows\SysWOW64\Kpjbdk32.dll Dgjoif32.exe File created C:\Windows\SysWOW64\Jhkbdmbg.exe Jihbip32.exe File created C:\Windows\SysWOW64\Kcjjhdjb.exe Kplmliko.exe File created C:\Windows\SysWOW64\Qpeahb32.exe Qmgelf32.exe File opened for modification C:\Windows\SysWOW64\Ahmjjoig.exe Qpeahb32.exe File created C:\Windows\SysWOW64\Cgkeml32.dll Fqeioiam.exe File created C:\Windows\SysWOW64\Bpemfc32.dll Lcfidb32.exe File opened for modification C:\Windows\SysWOW64\Pfccogfc.exe Pcegclgp.exe File created C:\Windows\SysWOW64\Cnhgjaml.exe Coegoe32.exe File created C:\Windows\SysWOW64\Mjhjimfo.dll Dggbcf32.exe File created C:\Windows\SysWOW64\Gbiockdj.exe Gokbgpeg.exe File created C:\Windows\SysWOW64\Kplmliko.exe Klpakj32.exe File created C:\Windows\SysWOW64\Kofdhd32.exe Khlklj32.exe File created C:\Windows\SysWOW64\Imffkelf.dll Eqgmmk32.exe File created C:\Windows\SysWOW64\Gedhfp32.dll Gicgpelg.exe File created C:\Windows\SysWOW64\Pfgbakef.dll Pfccogfc.exe File created C:\Windows\SysWOW64\Ekiapmnp.dll Cpfcfmlp.exe File created C:\Windows\SysWOW64\Ghaeocdd.dll Ocgkan32.exe File created C:\Windows\SysWOW64\Hlkbkddd.dll Pakdbp32.exe File created C:\Windows\SysWOW64\Ckebcg32.exe Chfegk32.exe File created C:\Windows\SysWOW64\Doccpcja.exe Dkhgod32.exe File opened for modification C:\Windows\SysWOW64\Lchfib32.exe Llnnmhfe.exe File created C:\Windows\SysWOW64\Egcpgp32.dll Mjpjgj32.exe File created C:\Windows\SysWOW64\Jnijfj32.dll Ehbnigjj.exe File created C:\Windows\SysWOW64\Gkaclqkk.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Ljpaqmgb.exe Lcfidb32.exe File created C:\Windows\SysWOW64\Nmhijd32.exe Nfnamjhk.exe File opened for modification C:\Windows\SysWOW64\Dggbcf32.exe Dqnjgl32.exe File created C:\Windows\SysWOW64\Gnpphljo.exe Gkaclqkk.exe File created C:\Windows\SysWOW64\Fefmmcgh.dll Objkmkjj.exe File opened for modification C:\Windows\SysWOW64\Oihmedma.exe Obnehj32.exe File opened for modification C:\Windows\SysWOW64\Ilibdmgp.exe Iijfhbhl.exe File created C:\Windows\SysWOW64\Fljhbbae.dll Oihmedma.exe File opened for modification C:\Windows\SysWOW64\Pcegclgp.exe Pafkgphl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8324 8200 WerFault.exe 368 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolabf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfmbmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmgelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkqoohc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haaaaeim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llnnmhfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbphglbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonlfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doccpcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaihooo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghojbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiikpnmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojmcdgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Damfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eghkjdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohqnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbponja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noblkqca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgohklm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbekii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdialdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conanfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gicgpelg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfhbhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nblolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooibkpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdagpnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khiofk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjdpaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhimp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhijd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiccje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnenlka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofefp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgqhicg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncnob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafppp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnblnlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaggp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhkbdmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadgnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loacdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkekjdck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iondqhpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfekbdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coegoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipihpkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgbqkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchfib32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cncnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacodldj.dll" Loofnccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll" Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggdhe32.dll" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiikpnmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll" Pjjfdfbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll" Nofefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjqmbc.dll" Nblolm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqhoeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll" Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbepb32.dll" Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jppnpjel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljbnfleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafkgphl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll" Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll" Pjlcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll" Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll" Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll" Njedbjej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID f832c77f402e2d7ae3b06625c5a1a490N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll" Mledmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khgbqkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll" Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoepebho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll" Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaejqcdo.dll" Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhbih32.dll" Fnkfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemfc32.dll" Lcfidb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dolmodpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll" Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnomg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmncpmp.dll" Ieccbbkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhifomdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll" Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebekb32.dll" Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll" Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqfgdpo.dll" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocgkan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikki32.dll" Oqoefand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll" Jekjcaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll" Bmhocd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foapaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmhijd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4552 wrote to memory of 4016 4552 f832c77f402e2d7ae3b06625c5a1a490N.exe 83 PID 4552 wrote to memory of 4016 4552 f832c77f402e2d7ae3b06625c5a1a490N.exe 83 PID 4552 wrote to memory of 4016 4552 f832c77f402e2d7ae3b06625c5a1a490N.exe 83 PID 4016 wrote to memory of 3776 4016 Pmblagmf.exe 84 PID 4016 wrote to memory of 3776 4016 Pmblagmf.exe 84 PID 4016 wrote to memory of 3776 4016 Pmblagmf.exe 84 PID 3776 wrote to memory of 464 3776 Qhhpop32.exe 85 PID 3776 wrote to memory of 464 3776 Qhhpop32.exe 85 PID 3776 wrote to memory of 464 3776 Qhhpop32.exe 85 PID 464 wrote to memory of 2772 464 Qjfmkk32.exe 86 PID 464 wrote to memory of 2772 464 Qjfmkk32.exe 86 PID 464 wrote to memory of 2772 464 Qjfmkk32.exe 86 PID 2772 wrote to memory of 3016 2772 Qaqegecm.exe 87 PID 2772 wrote to memory of 3016 2772 Qaqegecm.exe 87 PID 2772 wrote to memory of 3016 2772 Qaqegecm.exe 87 PID 3016 wrote to memory of 4148 3016 Qdoacabq.exe 88 PID 3016 wrote to memory of 4148 3016 Qdoacabq.exe 88 PID 3016 wrote to memory of 4148 3016 Qdoacabq.exe 88 PID 4148 wrote to memory of 3992 4148 Qfmmplad.exe 89 PID 4148 wrote to memory of 3992 4148 Qfmmplad.exe 89 PID 4148 wrote to memory of 3992 4148 Qfmmplad.exe 89 PID 3992 wrote to memory of 736 3992 Qodeajbg.exe 91 PID 3992 wrote to memory of 736 3992 Qodeajbg.exe 91 PID 3992 wrote to memory of 736 3992 Qodeajbg.exe 91 PID 736 wrote to memory of 3196 736 Qmgelf32.exe 92 PID 736 wrote to memory of 3196 736 Qmgelf32.exe 92 PID 736 wrote to memory of 3196 736 Qmgelf32.exe 92 PID 3196 wrote to memory of 1652 3196 Qpeahb32.exe 93 PID 3196 wrote to memory of 1652 3196 Qpeahb32.exe 93 PID 3196 wrote to memory of 1652 3196 Qpeahb32.exe 93 PID 1652 wrote to memory of 4056 1652 Ahmjjoig.exe 94 PID 1652 wrote to memory of 4056 1652 Ahmjjoig.exe 94 PID 1652 wrote to memory of 4056 1652 Ahmjjoig.exe 94 PID 4056 wrote to memory of 4288 4056 Akkffkhk.exe 95 PID 4056 wrote to memory of 4288 4056 Akkffkhk.exe 95 PID 4056 wrote to memory of 4288 4056 Akkffkhk.exe 95 PID 4288 wrote to memory of 4040 4288 Aknbkjfh.exe 97 PID 4288 wrote to memory of 4040 4288 Aknbkjfh.exe 97 PID 4288 wrote to memory of 4040 4288 Aknbkjfh.exe 97 PID 4040 wrote to memory of 1040 4040 Aagkhd32.exe 98 PID 4040 wrote to memory of 1040 4040 Aagkhd32.exe 98 PID 4040 wrote to memory of 1040 4040 Aagkhd32.exe 98 PID 1040 wrote to memory of 2312 1040 Ahaceo32.exe 99 PID 1040 wrote to memory of 2312 1040 Ahaceo32.exe 99 PID 1040 wrote to memory of 2312 1040 Ahaceo32.exe 99 PID 2312 wrote to memory of 1796 2312 Aajhndkb.exe 100 PID 2312 wrote to memory of 1796 2312 Aajhndkb.exe 100 PID 2312 wrote to memory of 1796 2312 Aajhndkb.exe 100 PID 1796 wrote to memory of 1048 1796 Ahdpjn32.exe 101 PID 1796 wrote to memory of 1048 1796 Ahdpjn32.exe 101 PID 1796 wrote to memory of 1048 1796 Ahdpjn32.exe 101 PID 1048 wrote to memory of 220 1048 Amqhbe32.exe 102 PID 1048 wrote to memory of 220 1048 Amqhbe32.exe 102 PID 1048 wrote to memory of 220 1048 Amqhbe32.exe 102 PID 220 wrote to memory of 4568 220 Adkqoohc.exe 104 PID 220 wrote to memory of 4568 220 Adkqoohc.exe 104 PID 220 wrote to memory of 4568 220 Adkqoohc.exe 104 PID 4568 wrote to memory of 5004 4568 Aopemh32.exe 105 PID 4568 wrote to memory of 5004 4568 Aopemh32.exe 105 PID 4568 wrote to memory of 5004 4568 Aopemh32.exe 105 PID 5004 wrote to memory of 384 5004 Amcehdod.exe 106 PID 5004 wrote to memory of 384 5004 Amcehdod.exe 106 PID 5004 wrote to memory of 384 5004 Amcehdod.exe 106 PID 384 wrote to memory of 1056 384 Bkgeainn.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\f832c77f402e2d7ae3b06625c5a1a490N.exe"C:\Users\Admin\AppData\Local\Temp\f832c77f402e2d7ae3b06625c5a1a490N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Qaqegecm.exeC:\Windows\system32\Qaqegecm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Qmgelf32.exeC:\Windows\system32\Qmgelf32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Ahmjjoig.exeC:\Windows\system32\Ahmjjoig.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ahdpjn32.exeC:\Windows\system32\Ahdpjn32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Amqhbe32.exeC:\Windows\system32\Amqhbe32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Adkqoohc.exeC:\Windows\system32\Adkqoohc.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe23⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Bpdnjple.exeC:\Windows\system32\Bpdnjple.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe25⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Bmhocd32.exeC:\Windows\system32\Bmhocd32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4756 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Bddcenpi.exeC:\Windows\system32\Bddcenpi.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Boihcf32.exeC:\Windows\system32\Boihcf32.exe30⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe31⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Bgelgi32.exeC:\Windows\system32\Bgelgi32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe33⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Chdialdl.exeC:\Windows\system32\Chdialdl.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4600 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe37⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Chfegk32.exeC:\Windows\system32\Chfegk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Ckebcg32.exeC:\Windows\system32\Ckebcg32.exe40⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Cpbjkn32.exeC:\Windows\system32\Cpbjkn32.exe42⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe43⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Caageq32.exeC:\Windows\system32\Caageq32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe46⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4908 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:436 -
C:\Windows\SysWOW64\Cnhgjaml.exeC:\Windows\system32\Cnhgjaml.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Cpfcfmlp.exeC:\Windows\system32\Cpfcfmlp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4612 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Cklhcfle.exeC:\Windows\system32\Cklhcfle.exe52⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Windows\SysWOW64\Dhphmj32.exeC:\Windows\system32\Dhphmj32.exe55⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe56⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Dnmaea32.exeC:\Windows\system32\Dnmaea32.exe57⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Dahmfpap.exeC:\Windows\system32\Dahmfpap.exe58⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Dhbebj32.exeC:\Windows\system32\Dhbebj32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Dolmodpi.exeC:\Windows\system32\Dolmodpi.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4804 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4444 -
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe66⤵
- System Location Discovery: System Language Discovery
PID:5096 -
C:\Windows\SysWOW64\Dndgfpbo.exeC:\Windows\system32\Dndgfpbo.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe68⤵
- Drops file in System32 directory
PID:4768 -
C:\Windows\SysWOW64\Dhikci32.exeC:\Windows\system32\Dhikci32.exe69⤵PID:2144
-
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe70⤵
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Doccpcja.exeC:\Windows\system32\Doccpcja.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3700 -
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe73⤵
- System Location Discovery: System Language Discovery
PID:4284 -
C:\Windows\SysWOW64\Eoepebho.exeC:\Windows\system32\Eoepebho.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Eqgmmk32.exeC:\Windows\system32\Eqgmmk32.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Ehndnh32.exeC:\Windows\system32\Ehndnh32.exe76⤵PID:1944
-
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe77⤵
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe78⤵
- Drops file in System32 directory
PID:4352 -
C:\Windows\SysWOW64\Ebfign32.exeC:\Windows\system32\Ebfign32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe80⤵PID:1244
-
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3268 -
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe82⤵
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\Enmjlojd.exeC:\Windows\system32\Enmjlojd.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3580 -
C:\Windows\SysWOW64\Ehbnigjj.exeC:\Windows\system32\Ehbnigjj.exe84⤵
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Eghkjdoa.exeC:\Windows\system32\Eghkjdoa.exe86⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe88⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Foapaa32.exeC:\Windows\system32\Foapaa32.exe89⤵
- Modifies registry class
PID:4000 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe90⤵PID:2348
-
C:\Windows\SysWOW64\Fgmdec32.exeC:\Windows\system32\Fgmdec32.exe91⤵
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe92⤵
- System Location Discovery: System Language Discovery
PID:3576 -
C:\Windows\SysWOW64\Fqeioiam.exeC:\Windows\system32\Fqeioiam.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe94⤵PID:1248
-
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe95⤵PID:2984
-
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe96⤵PID:1888
-
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe97⤵
- Drops file in System32 directory
PID:3484 -
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe98⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe100⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe101⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5296 -
C:\Windows\SysWOW64\Gbiockdj.exeC:\Windows\system32\Gbiockdj.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5416 -
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5480 -
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe108⤵PID:5624
-
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5672 -
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe110⤵
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe111⤵PID:5764
-
C:\Windows\SysWOW64\Gnblnlhl.exeC:\Windows\system32\Gnblnlhl.exe112⤵
- System Location Discovery: System Language Discovery
PID:5808 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5856 -
C:\Windows\SysWOW64\Ggkqgaol.exeC:\Windows\system32\Ggkqgaol.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5912 -
C:\Windows\SysWOW64\Gpaihooo.exeC:\Windows\system32\Gpaihooo.exe115⤵
- System Location Discovery: System Language Discovery
PID:5956 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe116⤵PID:6000
-
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Windows\SysWOW64\Gaebef32.exeC:\Windows\system32\Gaebef32.exe118⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Ghojbq32.exeC:\Windows\system32\Ghojbq32.exe119⤵
- System Location Discovery: System Language Discovery
PID:6128 -
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Hhaggp32.exeC:\Windows\system32\Hhaggp32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5268
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-