Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2024 21:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95.exe
-
Size
384KB
-
MD5
fa283ab9e54809c7c9b7314cb5b56097
-
SHA1
8bc5f7d1e1bd312863e1c22210ecfe0c035b9b39
-
SHA256
a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95
-
SHA512
7eb740994e491da5bf7b6b86bd2b339a91b3afaa605fa53423e97eae8b3ad4b5cc71c18225d60fc1a8f561ea82e8b4a40be9762e692f521a27a5d32332cdb441
-
SSDEEP
6144:JMksEfw6/eKxSlKKZ74ueKxff0qjwszeX9z6/ojwszeXmOEgHH:JMkElr54ujjgj+HH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckqbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojhpimhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhkdmlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckbemgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onnmdcjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkceokii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofalmmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icnklbmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfcabp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbfgppo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknlbhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdjapgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jknfcofa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgiiiidd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjaabq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpfepf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdciiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbped32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiblk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgjlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqlcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhboolf.exe -
Executes dropped EXE 64 IoCs
pid Process 4588 Eiieicml.exe 3504 Ffmfchle.exe 4964 Fjhacf32.exe 4440 Fjjnifbl.exe 3364 Fdccbl32.exe 3584 Fmkgkapm.exe 4192 Fjohde32.exe 4116 Flqdlnde.exe 3964 Fbjmhh32.exe 1084 Fjadje32.exe 5060 Fmpqfq32.exe 3112 Glcaambb.exe 2920 Gdjibj32.exe 5028 Gbmingjo.exe 4568 Gfheof32.exe 2128 Gigaka32.exe 1840 Gmbmkpie.exe 1480 Glengm32.exe 4400 Gdlfhj32.exe 4864 Gbofcghl.exe 4900 Gjfnedho.exe 4636 Giinpa32.exe 3256 Gmdjapgb.exe 4160 Glgjlm32.exe 3936 Gdobnj32.exe 4276 Gbabigfj.exe 3640 Gkhkjd32.exe 3796 Gikkfqmf.exe 1208 Gljgbllj.exe 2336 Gpecbk32.exe 2692 Gdaociml.exe 3920 Gfokoelp.exe 4376 Gkkgpc32.exe 1204 Gmiclo32.exe 2864 Glldgljg.exe 2832 Gphphj32.exe 544 Gbfldf32.exe 2588 Ggahedjn.exe 2512 Gipdap32.exe 4140 Hmlpaoaj.exe 3456 Hpjmnjqn.exe 3784 Hdehni32.exe 2788 Hlambk32.exe 4288 Hplicjok.exe 4372 Hckeoeno.exe 3900 Hgfapd32.exe 1224 Hienlpel.exe 4924 Hmpjmn32.exe 4420 Hpofii32.exe 2364 Hcmbee32.exe 1872 Hkdjfb32.exe 1548 Hmbfbn32.exe 2276 Hpabni32.exe 4208 Hcpojd32.exe 4720 Hgkkkcbc.exe 2052 Hiiggoaf.exe 3968 Hmechmip.exe 1136 Hpcodihc.exe 2280 Hdokdg32.exe 1576 Hgmgqc32.exe 4204 Hkicaahi.exe 184 Ingpmmgm.exe 4772 Iljpij32.exe 1100 Idahjg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cgqlcg32.exe Cdbpgl32.exe File created C:\Windows\SysWOW64\Hplicjok.exe Hlambk32.exe File opened for modification C:\Windows\SysWOW64\Fnlmhc32.exe Fmkqpkla.exe File created C:\Windows\SysWOW64\Mfhbga32.exe Monjjgkb.exe File opened for modification C:\Windows\SysWOW64\Ckbemgcp.exe Chdialdl.exe File opened for modification C:\Windows\SysWOW64\Ffmfchle.exe Eiieicml.exe File created C:\Windows\SysWOW64\Madjhb32.exe Mnfnlf32.exe File created C:\Windows\SysWOW64\Pmlfqh32.exe Pnifekmd.exe File created C:\Windows\SysWOW64\Ghndhd32.dll Mjcngpjh.exe File created C:\Windows\SysWOW64\Nalhik32.dll Dafppp32.exe File created C:\Windows\SysWOW64\Pmdpecjm.dll Ijqmhnko.exe File created C:\Windows\SysWOW64\Lbmock32.dll Jcdala32.exe File opened for modification C:\Windows\SysWOW64\Jnlbojee.exe Jknfcofa.exe File created C:\Windows\SysWOW64\Lgqfdnah.exe Kqfngd32.exe File opened for modification C:\Windows\SysWOW64\Ahpmjejp.exe Aafemk32.exe File created C:\Windows\SysWOW64\Mmmqhl32.exe Mjodla32.exe File opened for modification C:\Windows\SysWOW64\Fjohde32.exe Fmkgkapm.exe File created C:\Windows\SysWOW64\Opqofe32.exe Ombcji32.exe File created C:\Windows\SysWOW64\Gdlfhj32.exe Glengm32.exe File created C:\Windows\SysWOW64\Mjijkmod.dll Ohcegi32.exe File created C:\Windows\SysWOW64\Ehmjob32.dll Lflbkcll.exe File created C:\Windows\SysWOW64\Jcleff32.dll Ncnofeof.exe File created C:\Windows\SysWOW64\Ckbaokim.dll Hlnjbedi.exe File created C:\Windows\SysWOW64\Kigcfhbi.dll Hpchib32.exe File created C:\Windows\SysWOW64\Fjcgfjdk.dll Nnbnhedj.exe File created C:\Windows\SysWOW64\Nadleilm.exe Nmipdk32.exe File created C:\Windows\SysWOW64\Ppolhcnm.exe Palklf32.exe File opened for modification C:\Windows\SysWOW64\Ojhpimhp.exe Ofmdio32.exe File created C:\Windows\SysWOW64\Manmoq32.exe Mgehfkop.exe File created C:\Windows\SysWOW64\Npjfngdm.dll Lggldm32.exe File created C:\Windows\SysWOW64\Aagkhd32.exe Aknbkjfh.exe File created C:\Windows\SysWOW64\Ofkhal32.dll Bdojjo32.exe File opened for modification C:\Windows\SysWOW64\Glgjlm32.exe Gmdjapgb.exe File created C:\Windows\SysWOW64\Iinqbn32.exe Ikkpgafg.exe File opened for modification C:\Windows\SysWOW64\Efgemb32.exe Eblimcdf.exe File opened for modification C:\Windows\SysWOW64\Hiipmhmk.exe Hfjdqmng.exe File created C:\Windows\SysWOW64\Bahkih32.exe Bkobmnka.exe File created C:\Windows\SysWOW64\Oplfkeob.exe Onkidm32.exe File opened for modification C:\Windows\SysWOW64\Odjeljhd.exe Oalipoiq.exe File created C:\Windows\SysWOW64\Fmkqpkla.exe Fechomko.exe File opened for modification C:\Windows\SysWOW64\Bhpofl32.exe Bphgeo32.exe File opened for modification C:\Windows\SysWOW64\Hlambk32.exe Hdehni32.exe File created C:\Windows\SysWOW64\Ignlbcmf.dll Jcfggkac.exe File created C:\Windows\SysWOW64\Hllbndih.dll Hdehni32.exe File opened for modification C:\Windows\SysWOW64\Lcjcnoej.exe Lmpkadnm.exe File created C:\Windows\SysWOW64\Pgpecj32.dll Kflide32.exe File opened for modification C:\Windows\SysWOW64\Ncnofeof.exe Npbceggm.exe File created C:\Windows\SysWOW64\Boihcf32.exe Bknlbhhe.exe File created C:\Windows\SysWOW64\Hnfdcegm.dll Hmlpaoaj.exe File created C:\Windows\SysWOW64\Odepdabi.dll Ljhefhha.exe File created C:\Windows\SysWOW64\Egdagc32.dll Jofalmmp.exe File opened for modification C:\Windows\SysWOW64\Lfbped32.exe Lcdciiec.exe File created C:\Windows\SysWOW64\Gfheof32.exe Gbmingjo.exe File opened for modification C:\Windows\SysWOW64\Enkdaepb.exe Eiokinbk.exe File opened for modification C:\Windows\SysWOW64\Ijcjmmil.exe Igdnabjh.exe File created C:\Windows\SysWOW64\Aednci32.exe Anmfbl32.exe File opened for modification C:\Windows\SysWOW64\Fbjena32.exe Fmmmfj32.exe File created C:\Windows\SysWOW64\Ipbehfom.dll Lnjgfb32.exe File opened for modification C:\Windows\SysWOW64\Dhbebj32.exe Dpkmal32.exe File opened for modification C:\Windows\SysWOW64\Geaepk32.exe Goglcahb.exe File created C:\Windows\SysWOW64\Mokmdh32.exe Mmmqhl32.exe File opened for modification C:\Windows\SysWOW64\Hplicjok.exe Hlambk32.exe File created C:\Windows\SysWOW64\Hiiggoaf.exe Hgkkkcbc.exe File created C:\Windows\SysWOW64\Cnindhpg.exe Cbbnpg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11348 12196 WerFault.exe 611 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhnkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilqoobdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmiclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihnomjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdialdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfegk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnbicff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdidgjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndflak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocpfphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffceip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbpbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnjbedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmigoagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmkhgho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdenmbkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfami32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahilmoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipfmggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaleglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaabq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgeainn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdciiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfkdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coegoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompfej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjdqmng.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngjep32.dll" Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjfai32.dll" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paeelgnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgkkkcbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gidnkkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lflbkcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimkic32.dll" Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhqgik32.dll" Jncoikmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahippdbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhgkmpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lggejg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdijliok.dll" Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll" Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Madjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll" Jiiicf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcgpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ponfka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbcgopo.dll" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll" Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcbdgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmioggn.dll" Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgngnj32.dll" Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkopekaa.dll" Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbaffgag.dll" Hkicaahi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll" Jofalmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcdciiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pagbaglh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apoigbgj.dll" Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll" Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" Hfhgkmpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4500 wrote to memory of 4588 4500 a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95.exe 81 PID 4500 wrote to memory of 4588 4500 a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95.exe 81 PID 4500 wrote to memory of 4588 4500 a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95.exe 81 PID 4588 wrote to memory of 3504 4588 Eiieicml.exe 82 PID 4588 wrote to memory of 3504 4588 Eiieicml.exe 82 PID 4588 wrote to memory of 3504 4588 Eiieicml.exe 82 PID 3504 wrote to memory of 4964 3504 Ffmfchle.exe 83 PID 3504 wrote to memory of 4964 3504 Ffmfchle.exe 83 PID 3504 wrote to memory of 4964 3504 Ffmfchle.exe 83 PID 4964 wrote to memory of 4440 4964 Fjhacf32.exe 84 PID 4964 wrote to memory of 4440 4964 Fjhacf32.exe 84 PID 4964 wrote to memory of 4440 4964 Fjhacf32.exe 84 PID 4440 wrote to memory of 3364 4440 Fjjnifbl.exe 85 PID 4440 wrote to memory of 3364 4440 Fjjnifbl.exe 85 PID 4440 wrote to memory of 3364 4440 Fjjnifbl.exe 85 PID 3364 wrote to memory of 3584 3364 Fdccbl32.exe 86 PID 3364 wrote to memory of 3584 3364 Fdccbl32.exe 86 PID 3364 wrote to memory of 3584 3364 Fdccbl32.exe 86 PID 3584 wrote to memory of 4192 3584 Fmkgkapm.exe 87 PID 3584 wrote to memory of 4192 3584 Fmkgkapm.exe 87 PID 3584 wrote to memory of 4192 3584 Fmkgkapm.exe 87 PID 4192 wrote to memory of 4116 4192 Fjohde32.exe 88 PID 4192 wrote to memory of 4116 4192 Fjohde32.exe 88 PID 4192 wrote to memory of 4116 4192 Fjohde32.exe 88 PID 4116 wrote to memory of 3964 4116 Flqdlnde.exe 89 PID 4116 wrote to memory of 3964 4116 Flqdlnde.exe 89 PID 4116 wrote to memory of 3964 4116 Flqdlnde.exe 89 PID 3964 wrote to memory of 1084 3964 Fbjmhh32.exe 90 PID 3964 wrote to memory of 1084 3964 Fbjmhh32.exe 90 PID 3964 wrote to memory of 1084 3964 Fbjmhh32.exe 90 PID 1084 wrote to memory of 5060 1084 Fjadje32.exe 91 PID 1084 wrote to memory of 5060 1084 Fjadje32.exe 91 PID 1084 wrote to memory of 5060 1084 Fjadje32.exe 91 PID 5060 wrote to memory of 3112 5060 Fmpqfq32.exe 92 PID 5060 wrote to memory of 3112 5060 Fmpqfq32.exe 92 PID 5060 wrote to memory of 3112 5060 Fmpqfq32.exe 92 PID 3112 wrote to memory of 2920 3112 Glcaambb.exe 93 PID 3112 wrote to memory of 2920 3112 Glcaambb.exe 93 PID 3112 wrote to memory of 2920 3112 Glcaambb.exe 93 PID 2920 wrote to memory of 5028 2920 Gdjibj32.exe 94 PID 2920 wrote to memory of 5028 2920 Gdjibj32.exe 94 PID 2920 wrote to memory of 5028 2920 Gdjibj32.exe 94 PID 5028 wrote to memory of 4568 5028 Gbmingjo.exe 95 PID 5028 wrote to memory of 4568 5028 Gbmingjo.exe 95 PID 5028 wrote to memory of 4568 5028 Gbmingjo.exe 95 PID 4568 wrote to memory of 2128 4568 Gfheof32.exe 96 PID 4568 wrote to memory of 2128 4568 Gfheof32.exe 96 PID 4568 wrote to memory of 2128 4568 Gfheof32.exe 96 PID 2128 wrote to memory of 1840 2128 Gigaka32.exe 97 PID 2128 wrote to memory of 1840 2128 Gigaka32.exe 97 PID 2128 wrote to memory of 1840 2128 Gigaka32.exe 97 PID 1840 wrote to memory of 1480 1840 Gmbmkpie.exe 98 PID 1840 wrote to memory of 1480 1840 Gmbmkpie.exe 98 PID 1840 wrote to memory of 1480 1840 Gmbmkpie.exe 98 PID 1480 wrote to memory of 4400 1480 Glengm32.exe 99 PID 1480 wrote to memory of 4400 1480 Glengm32.exe 99 PID 1480 wrote to memory of 4400 1480 Glengm32.exe 99 PID 4400 wrote to memory of 4864 4400 Gdlfhj32.exe 100 PID 4400 wrote to memory of 4864 4400 Gdlfhj32.exe 100 PID 4400 wrote to memory of 4864 4400 Gdlfhj32.exe 100 PID 4864 wrote to memory of 4900 4864 Gbofcghl.exe 101 PID 4864 wrote to memory of 4900 4864 Gbofcghl.exe 101 PID 4864 wrote to memory of 4900 4864 Gbofcghl.exe 101 PID 4900 wrote to memory of 4636 4900 Gjfnedho.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95.exe"C:\Users\Admin\AppData\Local\Temp\a7df57c199007e839aab842d1d35d1b7eab7501b5f0013301b3ceded8af72f95.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe23⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe26⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe27⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe28⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe29⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe30⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe31⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe32⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe33⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe34⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1204 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe37⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe38⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe39⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe40⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4140 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe42⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe45⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe46⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe47⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe48⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe49⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe50⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe51⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe52⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe53⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe54⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe55⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4720 -
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe57⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe58⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe59⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe60⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe61⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Hkicaahi.exeC:\Windows\system32\Hkicaahi.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4204 -
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe63⤵
- Executes dropped EXE
PID:184 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe64⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe65⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe66⤵PID:1844
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe67⤵
- Drops file in System32 directory
PID:3300 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe68⤵PID:2884
-
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe69⤵PID:2116
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Icfekc32.exeC:\Windows\system32\Icfekc32.exe71⤵
- Modifies registry class
PID:4728 -
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe72⤵PID:4684
-
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe73⤵
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Inlihl32.exeC:\Windows\system32\Inlihl32.exe74⤵PID:2504
-
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe75⤵PID:4800
-
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe76⤵
- System Location Discovery: System Language Discovery
PID:4480 -
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe77⤵
- Drops file in System32 directory
PID:3588 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe78⤵PID:1972
-
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe79⤵PID:2536
-
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe80⤵PID:3436
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4880 -
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:800 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe84⤵PID:3628
-
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe85⤵PID:3716
-
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796 -
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe87⤵PID:2716
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe88⤵PID:1368
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe89⤵
- Modifies registry class
PID:4884 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe90⤵
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe91⤵PID:3184
-
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe92⤵PID:716
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe93⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe94⤵PID:60
-
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4524 -
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe96⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe97⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe98⤵PID:432
-
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1900 -
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe102⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe103⤵PID:2152
-
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5044 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe105⤵PID:4764
-
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe106⤵PID:4836
-
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5004 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe108⤵PID:2944
-
C:\Windows\SysWOW64\Jlobkg32.exeC:\Windows\system32\Jlobkg32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe110⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe111⤵PID:2264
-
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe112⤵PID:3468
-
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe113⤵PID:656
-
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe114⤵PID:3444
-
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe116⤵PID:3624
-
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe117⤵PID:4436
-
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe118⤵PID:2752
-
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe119⤵PID:2380
-
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe120⤵PID:4860
-
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe121⤵PID:4936
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-