Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/07/2024, 23:44
Static task: static1
Behavioral task: behavioral1
  Sample: 8393ff0418668e8df2ffd9ce5c7e8280f9d5f7e45a1f91f72ccc65c05d8219e0.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 8393ff0418668e8df2ffd9ce5c7e8280f9d5f7e45a1f91f72ccc65c05d8219e0.exe
  Resource: win10v2004-20240709-en
General
Target: 8393ff0418668e8df2ffd9ce5c7e8280f9d5f7e45a1f91f72ccc65c05d8219e0.exe
Size: 128KB
MD5: f6b11d2295eb6a9de3a10b6f28cfb6ab
SHA1: d0efb461a5d4fcc8bc7f8b1bba8aebadad4663d8
SHA256: 8393ff0418668e8df2ffd9ce5c7e8280f9d5f7e45a1f91f72ccc65c05d8219e0
SHA512: cafd6667efce2b4f56fc96123b85b11d14df0ba10588c7d387a985a449ac52b17b23d32890a067d299c11240176a1d09f9ad60bd68d0e0db5081aca50015ea2e
SSDEEP: 3072:61DNUAgQAcLXBXWw8asCHNhMXi6Y0HYSx9m9jqLsFmp:SSAgQTLtW2xUS6UJjws6
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlefngkd.exe, Oiakinkl.exe, Djfcdk32.exe, Dpknaldn.exe, Anedfffb.exe, Canlon32.exe, Dadlefed.exe, Joamef32.exe, Ojgbij32.exe, Kbilhq32.exe, Jgjnjc32.exe, Lechpjdf.exe, Hhaklipf.exe, Hcddcoki.exe, Imonhb32.exe, Libgpooi.exe, Dbeabh32.exe, Hbmcedhp.exe, Phpkpi32.exe, Fdpnij32.exe, Mecqfh32.exe, Gkgebfge.exe, Kipqdeed.exe, Ibfoam32.exe, Docmjf32.exe, Kghjkahi.exe, Hkckhk32.exe, Bqafii32.exe, Lebaed32.exe, Gipbgd32.exe, Moknegii.exe, Njlcmk32.exe (32 processes)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mimpagqp.exe, Gielbcbe.exe, Jkhnjg32.exe, Hdkigjch.exe, Hejjfgmb.exe, Codhamjf.exe, Liqikb32.exe, Mdckifda.exe, Ogdmaocp.exe, Ajcdapbb.exe, Cabopggg.exe, Paaihp32.exe, Jggadcfl.exe, Ojplhkdf.exe, Gplgjn32.exe, Bfoelf32.exe, Daieqf32.exe, Gchdga32.exe, Hmcomdkb.exe, Qaofjnha.exe, Qjfnkkhd.exe, Bfcogecg.exe, Ddhoangj.exe, Pjnbobdj.exe, Inhgkofc.exe, Pcqfbbkd.exe, Npcodf32.exe, Ajcklf32.exe, Bjjjbolj.exe, Kbkacjjb.exe, Ifeflh32.exe, Daqblk32.exe (32 processes)
Executes dropped EXE (64 IoCs)
pid Process
4400 Dbefdfco.exe; 3476 Ddfbln32.exe; 4528 Dlmjmkjo.exe; 3404 Dolfigic.exe; 3424 Ddhoangj.exe; 4532 Doncofgp.exe; 4504 Damokbfd.exe; 5004 Dhfhhl32.exe
4976 Dkeddgmd.exe; 5028 Doqpdf32.exe; 3868 Daolqa32.exe; 3412 Dldpnj32.exe; 2892 Docmjf32.exe; 3444 Daaifa32.exe; 4016 Dlgmcj32.exe; 4544 Ecqepd32.exe
1000 Ehnnhk32.exe; 744 Eogfeeoe.exe; 2932 Eafbaqni.exe; 5084 Elkfnino.exe; 1984 Eceokcel.exe; 1680 Edgkcl32.exe; 1964 Ekqcpfbg.exe; 3932 Eolopd32.exe
3112 Eefhmobm.exe; 1908 Ekcpeeqd.exe; 4784 Ecjhfcaf.exe; 1520 Eehdbn32.exe; 1424 Ehgqoj32.exe; 4824 Foaikdgk.exe; 1264 Fekahn32.exe; 4992 Fhimdi32.exe
3992 Fkhipe32.exe; 1180 Fdpnij32.exe; 3772 Flgfjh32.exe; 4984 Foebfc32.exe; 2940 Fadobo32.exe; 2700 Ffpjcmjb.exe; 4740 Fdbkoj32.exe; 428 Flibpg32.exe
4852 Foholc32.exe; 4208 Fbfkhn32.exe; 1488 Ffbghmhp.exe; 2740 Fdegdj32.exe; 4756 Fllpegpl.exe; 4628 Fojlabop.exe; 1568 Fbihnnnd.exe; 4776 Ffddnm32.exe
3356 Fhbpjh32.exe; 3344 Gchdga32.exe; 1764 Gbkdcnla.exe; 1828 Ghemph32.exe; 1988 Gkcilcba.exe; 3576 Gcjamqcd.exe; 1672 Gbmaim32.exe; 4436 Gdlnei32.exe
4672 Gmceff32.exe; 1464 Goabba32.exe; 2352 Gbpnnm32.exe; 116 Gfkjolpe.exe; 412 Ghjfkgoi.exe; 4944 Gocohafe.exe; 3696 Gilcqg32.exe; 2108 Gkjomb32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Jbbfgafh.exe | Jkhnjg32.exe
File created | C:\Windows\SysWOW64\Pnpbka32.dll | Jbbfgafh.exe
File created | C:\Windows\SysWOW64\Aqhccj32.exe | Aiakammb.exe
File opened for modification | C:\Windows\SysWOW64\Fpnkhpgd.exe | Fmpoldhq.exe
File created | C:\Windows\SysWOW64\Fekahn32.exe | Foaikdgk.exe
File created | C:\Windows\SysWOW64\Cmegcdno.dll | Nlllof32.exe
File created | C:\Windows\SysWOW64\Qcmlig32.exe | Qqopml32.exe
File created | C:\Windows\SysWOW64\Knabhk32.exe | Kghjkahi.exe
File created | C:\Windows\SysWOW64\Opjnko32.exe | Ohbfiage.exe
File created | C:\Windows\SysWOW64\Ljkcne32.dll | Fangbb32.exe
File opened for modification | C:\Windows\SysWOW64\Maeafc32.exe | Mngejh32.exe
File created | C:\Windows\SysWOW64\Ofjidh32.dll | Minglmdk.exe
File created | C:\Windows\SysWOW64\Igbmja32.dll | Pfqpcj32.exe
File opened for modification | C:\Windows\SysWOW64\Qdmpmp32.exe | Qmfhlcoo.exe
File opened for modification | C:\Windows\SysWOW64\Ajcklf32.exe | Afhokgme.exe
File created | C:\Windows\SysWOW64\Ocmdbd32.dll | Kfgdno32.exe
File created | C:\Windows\SysWOW64\Nielmp32.exe | Naodlb32.exe
File created | C:\Windows\SysWOW64\Dbaiommd.dll | Pchcnhih.exe
File created | C:\Windows\SysWOW64\Bdlale32.dll | Eibfffbj.exe
File opened for modification | C:\Windows\SysWOW64\Jqbbbhkj.exe | Jjhjfn32.exe
File opened for modification | C:\Windows\SysWOW64\Megdfnhm.exe | Mchhjbii.exe
File opened for modification | C:\Windows\SysWOW64\Nconka32.exe | Ndlnoelf.exe
File created | C:\Windows\SysWOW64\Lfggia32.dll | Ocmjlpfa.exe
File opened for modification | C:\Windows\SysWOW64\Joamef32.exe | Jfihmabf.exe
File created | C:\Windows\SysWOW64\Mbjnbfbe.dll | Pcffhh32.exe
File created | C:\Windows\SysWOW64\Fggdgibd.dll | Alicbf32.exe
File created | C:\Windows\SysWOW64\Kfhkhe32.exe | Kdiolj32.exe
File created | C:\Windows\SysWOW64\Fhhfjc32.exe | Fncblj32.exe
File created | C:\Windows\SysWOW64\Eojofici.dll | Pllnkncn.exe
File created | C:\Windows\SysWOW64\Aqffmkpg.exe | Ahonlmoe.exe
File created | C:\Windows\SysWOW64\Ehlpcopa.exe | Epehbapo.exe
File created | C:\Windows\SysWOW64\Hponej32.dll | Gbmaim32.exe
File opened for modification | C:\Windows\SysWOW64\Anedfffb.exe | Qfolehep.exe
File created | C:\Windows\SysWOW64\Ahbinm32.dll | Acilde32.exe
File opened for modification | C:\Windows\SysWOW64\Aohpna32.exe | Alicbf32.exe
File created | C:\Windows\SysWOW64\Bjkpmhfl.exe | Bcahpn32.exe
File opened for modification | C:\Windows\SysWOW64\Hbknjkno.exe | Homanp32.exe
File created | C:\Windows\SysWOW64\Npnnopbd.exe | Nhgfncab.exe
File opened for modification | C:\Windows\SysWOW64\Nhhlilld.exe | Nielmp32.exe
File created | C:\Windows\SysWOW64\Hejjfgmb.exe | Hbknjkno.exe
File opened for modification | C:\Windows\SysWOW64\Minglmdk.exe | Mebkko32.exe
File created | C:\Windows\SysWOW64\Mchhjbii.exe | Mipcambi.exe
File opened for modification | C:\Windows\SysWOW64\Dejafj32.exe | Dmbiem32.exe
File created | C:\Windows\SysWOW64\Pemlcdpf.exe | Ocopgiac.exe
File created | C:\Windows\SysWOW64\Jqpfmiml.exe | Jnaiamni.exe
File created | C:\Windows\SysWOW64\Noeakfan.exe | Nkiejg32.exe
File opened for modification | C:\Windows\SysWOW64\Afpkelle.exe | Aoeciaei.exe
File opened for modification | C:\Windows\SysWOW64\Ogbploeb.exe | Ocfdlqmi.exe
File created | C:\Windows\SysWOW64\Hafonb32.dll | Ojbinjbc.exe
File created | C:\Windows\SysWOW64\Apkbpbca.dll | Afaijhcm.exe
File opened for modification | C:\Windows\SysWOW64\Dmbiem32.exe | Dhfqmf32.exe
File created | C:\Windows\SysWOW64\Ekdlcpab.dll | Aqffmkpg.exe
File created | C:\Windows\SysWOW64\Hnaofijo.dll | Edgkcl32.exe
File opened for modification | C:\Windows\SysWOW64\Hdepkg32.exe | Hcddcoki.exe
File created | C:\Windows\SysWOW64\Npekjeph.exe | Njlcmk32.exe
File opened for modification | C:\Windows\SysWOW64\Cnopcb32.exe | Cfhhbe32.exe
File opened for modification | C:\Windows\SysWOW64\Afnejb32.exe | Acping32.exe
File opened for modification | C:\Windows\SysWOW64\Fgmmpikl.exe | Fdopdnlh.exe
File created | C:\Windows\SysWOW64\Omhlkeko.exe | Onekoh32.exe
File created | C:\Windows\SysWOW64\Ehapid32.exe | Eecdmi32.exe
File created | C:\Windows\SysWOW64\Eehnhhmo.exe | Emqegkll.exe
File created | C:\Windows\SysWOW64\Bkkfalhg.dll | Jeqbcmel.exe
File created | C:\Windows\SysWOW64\Pjnbobdj.exe | Pgoecgef.exe
File created | C:\Windows\SysWOW64\Bfjeab32.dll | Ecqepd32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
17812 | 1576 | WerFault.exe | 970
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkjomb32.exe, Jfihmabf.exe, Hbpgekii.exe, Megdfnhm.exe, Keeknl32.exe, Oedjmfha.exe, Eaddldgb.exe, Kghjkahi.exe, Cfhhbe32.exe, Deckfkof.exe, Nhkpib32.exe, Kifhdq32.exe, Oflfhkee.exe, Pqfdac32.exe, Jbpiab32.exe, Ccghfcne.exe, Cihjij32.exe, Gmnknb32.exe, Gekcdeli.exe, Gagjia32.exe, Hngndadf.exe, Jfqegfpj.exe, Kemhia32.exe, Npbhjp32.exe, Fdamjmje.exe, Boabdp32.exe, Qjhlpgpk.exe, Hphgel32.exe, Jbjillhd.exe, Ljbfckmp.exe, Jlnnpmna.exe, Dppogb32.exe, Combpn32.exe, Nalgfb32.exe, Nijehoad.exe, Fadobo32.exe, Ojefcj32.exe, Pfeiojnj.exe, Fkflkh32.exe, Gdffem32.exe, Ijadeoie.exe, Hmjlfecl.exe, Bjjjbolj.exe, Iddlmh32.exe, Dfbjif32.exe, Dlmjmkjo.exe, Aebihpkl.exe, Mijlaa32.exe, Gdccehcj.exe, Ghcokk32.exe, Onneoi32.exe, Ecqepd32.exe, Nlllof32.exe, Opngfn32.exe, Obefgdeb.exe, Imonhb32.exe, Odjjqc32.exe, Oncoihfg.exe, Ikhdcj32.exe, Lilppckf.exe, Ckfpko32.exe, Ggeikohp.exe, Ikokdi32.exe, Hfdmejhj.exe (64 processes)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2132 | Acping32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ecqepd32.exe, Jmcgcamo.exe, Ihihgo32.exe, Keeknl32.exe, Acicol32.exe, Emjofl32.exe, Emqegkll.exe, Plgdpo32.exe, Nlciih32.exe, Jeqbcmel.exe, Klapqf32.exe, Ncadfk32.exe, Ogkcbn32.exe, Alggmfee.exe, Gmceff32.exe, Pddmga32.exe, Jgngebpd.exe, Ahpdggif.exe, Ehjjhefp.exe (19 processes)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhdjhcce.exe, Mlklnbpc.exe, Ajcklf32.exe, Lfcdjm32.exe, Ghemph32.exe, Afaijhcm.exe, Bncqgd32.exe, Hjqknahg.exe, Kklpkq32.exe, Bbmbklla.exe, Qjehpanb.exe, Emkeae32.exe, Ndlnoelf.exe, Cfedbomi.exe, Hmoead32.exe, Gdffem32.exe, Migplaai.exe, Gmceff32.exe, Ogdmaocp.exe (19 processes)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = "C:\\Windows\\SysWow64\\<dll>", one DLL per writing process | Bfhdbkjp.dll (Cmgjjn32.exe), Gkaponlb.dll (Liocpi32.exe), Gbhhkfok.dll (Ehcfdmji.exe), Mcknhd32.dll (Pckfnn32.exe), Kbdjmenm.dll (Eknppp32.exe), Dgcpbaao.dll (Mhoibndo.exe), Hbcfiffg.dll (Mbdnpf32.exe), Klkgii32.dll (Fhbpjh32.exe), Djebek32.dll (Fmehgc32.exe), Ilnclfoi.dll (Nklbpg32.exe), Ekqfbi32.dll (Pihajm32.exe), Pggccjjp.dll (Pcammi32.exe), Bhngiccd.dll (Didjeh32.exe), Affecf32.dll (Achejo32.exe), Jlfciocm.dll (Pjeojhbn.exe), Lepadnlo.dll (Jfqegfpj.exe), Npdaen32.dll (Ddfbln32.exe), Plnohm32.dll (Gcjamqcd.exe), Facgap32.dll (Imekbc32.exe), Kffepdon.dll (Combpn32.exe), Hlncijdi.dll (Kemhia32.exe), Cmegcdno.dll (Nlllof32.exe), Mlpffl32.dll (Ngomli32.exe), Akmgei32.dll (Npekjeph.exe), Kohlodkf.dll (Nohdkl32.exe), Kmlnbdoi.dll (Dadlefed.exe) (26 processes)
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (the number is each entry's nesting depth in the tree; each process is listed with its on-disk path, the command line it was started with, the signatures it triggered, and its PID):

1. C:\Users\Admin\AppData\Local\Temp\8393ff0418668e8df2ffd9ce5c7e8280f9d5f7e45a1f91f72ccc65c05d8219e0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8393ff0418668e8df2ffd9ce5c7e8280f9d5f7e45a1f91f72ccc65c05d8219e0.exe")
   - Suspicious use of WriteProcessMemory
   - PID: 1544
2. C:\Windows\SysWOW64\Dbefdfco.exe (command line: C:\Windows\system32\Dbefdfco.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 4400
3. C:\Windows\SysWOW64\Ddfbln32.exe (command line: C:\Windows\system32\Ddfbln32.exe)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   - PID: 3476
4. C:\Windows\SysWOW64\Dlmjmkjo.exe (command line: C:\Windows\system32\Dlmjmkjo.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   - PID: 4528
5. C:\Windows\SysWOW64\Dolfigic.exe (command line: C:\Windows\system32\Dolfigic.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 3404
6. C:\Windows\SysWOW64\Ddhoangj.exe (command line: C:\Windows\system32\Ddhoangj.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 3424
7. C:\Windows\SysWOW64\Doncofgp.exe (command line: C:\Windows\system32\Doncofgp.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 4532
8. C:\Windows\SysWOW64\Damokbfd.exe (command line: C:\Windows\system32\Damokbfd.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 4504
9. C:\Windows\SysWOW64\Dhfhhl32.exe (command line: C:\Windows\system32\Dhfhhl32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 5004
10. C:\Windows\SysWOW64\Dkeddgmd.exe (command line: C:\Windows\system32\Dkeddgmd.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 4976
11. C:\Windows\SysWOW64\Doqpdf32.exe (command line: C:\Windows\system32\Doqpdf32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 5028
12. C:\Windows\SysWOW64\Daolqa32.exe (command line: C:\Windows\system32\Daolqa32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 3868
13. C:\Windows\SysWOW64\Dldpnj32.exe (command line: C:\Windows\system32\Dldpnj32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 3412
14. C:\Windows\SysWOW64\Docmjf32.exe (command line: C:\Windows\system32\Docmjf32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2892
15. C:\Windows\SysWOW64\Daaifa32.exe (command line: C:\Windows\system32\Daaifa32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 3444
16. C:\Windows\SysWOW64\Dlgmcj32.exe (command line: C:\Windows\system32\Dlgmcj32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 4016
17. C:\Windows\SysWOW64\Ecqepd32.exe (command line: C:\Windows\system32\Ecqepd32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   - PID: 4544
18. C:\Windows\SysWOW64\Ehnnhk32.exe (command line: C:\Windows\system32\Ehnnhk32.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 1000
19. C:\Windows\SysWOW64\Eogfeeoe.exe (command line: C:\Windows\system32\Eogfeeoe.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 744
20. C:\Windows\SysWOW64\Eafbaqni.exe (command line: C:\Windows\system32\Eafbaqni.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2932
21. C:\Windows\SysWOW64\Elkfnino.exe (command line: C:\Windows\system32\Elkfnino.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 5084
22. C:\Windows\SysWOW64\Eceokcel.exe (command line: C:\Windows\system32\Eceokcel.exe)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 1984
23. C:\Windows\SysWOW64\Edgkcl32.exe (command line: C:\Windows\system32\Edgkcl32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - PID: 1680
24. C:\Windows\SysWOW64\Ekqcpfbg.exe (command line: C:\Windows\system32\Ekqcpfbg.exe)
   - Executes dropped EXE
   - PID: 1964
25. C:\Windows\SysWOW64\Eolopd32.exe (command line: C:\Windows\system32\Eolopd32.exe)
   - Executes dropped EXE
   - PID: 3932
26. C:\Windows\SysWOW64\Eefhmobm.exe (command line: C:\Windows\system32\Eefhmobm.exe)
   - Executes dropped EXE
   - PID: 3112
27. C:\Windows\SysWOW64\Ekcpeeqd.exe (command line: C:\Windows\system32\Ekcpeeqd.exe)
   - Executes dropped EXE
   - PID: 1908
28. C:\Windows\SysWOW64\Ecjhfcaf.exe (command line: C:\Windows\system32\Ecjhfcaf.exe)
   - Executes dropped EXE
   - PID: 4784
29. C:\Windows\SysWOW64\Eehdbn32.exe (command line: C:\Windows\system32\Eehdbn32.exe)
   - Executes dropped EXE
   - PID: 1520
30. C:\Windows\SysWOW64\Ehgqoj32.exe (command line: C:\Windows\system32\Ehgqoj32.exe)
   - Executes dropped EXE
   - PID: 1424
31. C:\Windows\SysWOW64\Foaikdgk.exe (command line: C:\Windows\system32\Foaikdgk.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - PID: 4824
32. C:\Windows\SysWOW64\Fekahn32.exe (command line: C:\Windows\system32\Fekahn32.exe)
   - Executes dropped EXE
   - PID: 1264
33. C:\Windows\SysWOW64\Fhimdi32.exe (command line: C:\Windows\system32\Fhimdi32.exe)
   - Executes dropped EXE
   - PID: 4992
34. C:\Windows\SysWOW64\Fkhipe32.exe (command line: C:\Windows\system32\Fkhipe32.exe)
   - Executes dropped EXE
   - PID: 3992
35. C:\Windows\SysWOW64\Fdpnij32.exe (command line: C:\Windows\system32\Fdpnij32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - PID: 1180
36. C:\Windows\SysWOW64\Flgfjh32.exe (command line: C:\Windows\system32\Flgfjh32.exe)
   - Executes dropped EXE
   - PID: 3772
37. C:\Windows\SysWOW64\Foebfc32.exe (command line: C:\Windows\system32\Foebfc32.exe)
   - Executes dropped EXE
   - PID: 4984
38. C:\Windows\SysWOW64\Fadobo32.exe (command line: C:\Windows\system32\Fadobo32.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - PID: 2940
39. C:\Windows\SysWOW64\Ffpjcmjb.exe (command line: C:\Windows\system32\Ffpjcmjb.exe)
   - Executes dropped EXE
   - PID: 2700
40. C:\Windows\SysWOW64\Fdbkoj32.exe (command line: C:\Windows\system32\Fdbkoj32.exe)
   - Executes dropped EXE
   - PID: 4740
41. C:\Windows\SysWOW64\Flibpg32.exe (command line: C:\Windows\system32\Flibpg32.exe)
   - Executes dropped EXE
   - PID: 428
42. C:\Windows\SysWOW64\Foholc32.exe (command line: C:\Windows\system32\Foholc32.exe)
   - Executes dropped EXE
   - PID: 4852
43. C:\Windows\SysWOW64\Fbfkhn32.exe (command line: C:\Windows\system32\Fbfkhn32.exe)
   - Executes dropped EXE
   - PID: 4208
44. C:\Windows\SysWOW64\Ffbghmhp.exe (command line: C:\Windows\system32\Ffbghmhp.exe)
   - Executes dropped EXE
   - PID: 1488
45. C:\Windows\SysWOW64\Fdegdj32.exe (command line: C:\Windows\system32\Fdegdj32.exe)
   - Executes dropped EXE
   - PID: 2740
46. C:\Windows\SysWOW64\Fllpegpl.exe (command line: C:\Windows\system32\Fllpegpl.exe)
   - Executes dropped EXE
   - PID: 4756
47. C:\Windows\SysWOW64\Fojlabop.exe (command line: C:\Windows\system32\Fojlabop.exe)
   - Executes dropped EXE
   - PID: 4628
48. C:\Windows\SysWOW64\Fbihnnnd.exe (command line: C:\Windows\system32\Fbihnnnd.exe)
   - Executes dropped EXE
   - PID: 1568
49. C:\Windows\SysWOW64\Ffddnm32.exe (command line: C:\Windows\system32\Ffddnm32.exe)
   - Executes dropped EXE
   - PID: 4776
50. C:\Windows\SysWOW64\Fhbpjh32.exe (command line: C:\Windows\system32\Fhbpjh32.exe)
   - Executes dropped EXE
   - Modifies registry class
   - PID: 3356
51. C:\Windows\SysWOW64\Gchdga32.exe (command line: C:\Windows\system32\Gchdga32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - PID: 3344
52. C:\Windows\SysWOW64\Gbkdcnla.exe (command line: C:\Windows\system32\Gbkdcnla.exe)
   - Executes dropped EXE
   - PID: 1764
53. C:\Windows\SysWOW64\Ghemph32.exe (command line: C:\Windows\system32\Ghemph32.exe)
   - Executes dropped EXE
   - Modifies registry class
   - PID: 1828
54. C:\Windows\SysWOW64\Gkcilcba.exe (command line: C:\Windows\system32\Gkcilcba.exe)
   - Executes dropped EXE
   - PID: 1988
55. C:\Windows\SysWOW64\Gcjamqcd.exe (command line: C:\Windows\system32\Gcjamqcd.exe)
   - Executes dropped EXE
   - Modifies registry class
   - PID: 3576
56. C:\Windows\SysWOW64\Gbmaim32.exe (command line: C:\Windows\system32\Gbmaim32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
   - PID: 1672
57. C:\Windows\SysWOW64\Gdlnei32.exe (command line: C:\Windows\system32\Gdlnei32.exe)
   - Executes dropped EXE
   - PID: 4436
58. C:\Windows\SysWOW64\Gmceff32.exe (command line: C:\Windows\system32\Gmceff32.exe)
   - Executes dropped EXE
   - Modifies registry class
   - PID: 4672
59. C:\Windows\SysWOW64\Goabba32.exe (command line: C:\Windows\system32\Goabba32.exe)
   - Executes dropped EXE
   - PID: 1464
60. C:\Windows\SysWOW64\Gbpnnm32.exe (command line: C:\Windows\system32\Gbpnnm32.exe)
   - Executes dropped EXE
   - PID: 2352
61. C:\Windows\SysWOW64\Gfkjolpe.exe (command line: C:\Windows\system32\Gfkjolpe.exe)
   - Executes dropped EXE
   - PID: 116
62. C:\Windows\SysWOW64\Ghjfkgoi.exe (command line: C:\Windows\system32\Ghjfkgoi.exe)
   - Executes dropped EXE
   - PID: 412
63. C:\Windows\SysWOW64\Gocohafe.exe (command line: C:\Windows\system32\Gocohafe.exe)
   - Executes dropped EXE
   - PID: 4944
64. C:\Windows\SysWOW64\Gilcqg32.exe (command line: C:\Windows\system32\Gilcqg32.exe)
   - Executes dropped EXE
   - PID: 3696
65. C:\Windows\SysWOW64\Gkjomb32.exe (command line: C:\Windows\system32\Gkjomb32.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - PID: 2108
66. C:\Windows\SysWOW64\Gbdgildf.exe (command line: C:\Windows\system32\Gbdgildf.exe)
   - PID: 2064
67. C:\Windows\SysWOW64\Gdccehcj.exe (command line: C:\Windows\system32\Gdccehcj.exe)
   - System Location Discovery: System Language Discovery
   - PID: 3768
68. C:\Windows\SysWOW64\Hmjlfecl.exe (command line: C:\Windows\system32\Hmjlfecl.exe)
   - System Location Discovery: System Language Discovery
   - PID: 2840
69. C:\Windows\SysWOW64\Hkmlbb32.exe (command line: C:\Windows\system32\Hkmlbb32.exe)
   - PID: 5096
70. C:\Windows\SysWOW64\Hcddcoki.exe (command line: C:\Windows\system32\Hcddcoki.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - PID: 4848
71. C:\Windows\SysWOW64\Hdepkg32.exe (command line: C:\Windows\system32\Hdepkg32.exe)
   - PID: 4716
72. C:\Windows\SysWOW64\Hmlhle32.exe (command line: C:\Windows\system32\Hmlhle32.exe)
   - PID: 2928
73. C:\Windows\SysWOW64\Hkoihahd.exe (command line: C:\Windows\system32\Hkoihahd.exe)
   - PID: 2200
74. C:\Windows\SysWOW64\Hfdmejhj.exe (command line: C:\Windows\system32\Hfdmejhj.exe)
   - System Location Discovery: System Language Discovery
   - PID: 408
75. C:\Windows\SysWOW64\Hiciafgn.exe (command line: C:\Windows\system32\Hiciafgn.exe)
   - PID: 2632
76. C:\Windows\SysWOW64\Hmoead32.exe (command line: C:\Windows\system32\Hmoead32.exe)
   - Modifies registry class
   - PID: 692
77. C:\Windows\SysWOW64\Homanp32.exe (command line: C:\Windows\system32\Homanp32.exe)
   - Drops file in System32 directory
   - PID: 2924
78. C:\Windows\SysWOW64\Hbknjkno.exe (command line: C:\Windows\system32\Hbknjkno.exe)
   - Drops file in System32 directory
   - PID: 1660
79. C:\Windows\SysWOW64\Hejjfgmb.exe (command line: C:\Windows\system32\Hejjfgmb.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - PID: 2896
80. C:\Windows\SysWOW64\Hmabgdmd.exe (command line: C:\Windows\system32\Hmabgdmd.exe)
   - PID: 2984
81. C:\Windows\SysWOW64\Hooncplh.exe (command line: C:\Windows\system32\Hooncplh.exe)
   - PID: 1784
82. C:\Windows\SysWOW64\Helflfkp.exe (command line: C:\Windows\system32\Helflfkp.exe)
   - PID: 404
83. C:\Windows\SysWOW64\Hmcomdkb.exe (command line: C:\Windows\system32\Hmcomdkb.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - PID: 1656
84. C:\Windows\SysWOW64\Hoakioje.exe (command line: C:\Windows\system32\Hoakioje.exe)
   - PID: 3796
85. C:\Windows\SysWOW64\Hbpgekii.exe (command line: C:\Windows\system32\Hbpgekii.exe)
   - System Location Discovery: System Language Discovery
   - PID: 4332
86. C:\Windows\SysWOW64\Imekbc32.exe (command line: C:\Windows\system32\Imekbc32.exe)
   - Modifies registry class
   - PID: 3296
87. C:\Windows\SysWOW64\Ipdgoo32.exe (command line: C:\Windows\system32\Ipdgoo32.exe)
   - PID: 3624
88. C:\Windows\SysWOW64\Ibbckj32.exe (command line: C:\Windows\system32\Ibbckj32.exe)
   - PID: 3860
89. C:\Windows\SysWOW64\Imhhhc32.exe (command line: C:\Windows\system32\Imhhhc32.exe)
   - PID: 2576
90. C:\Windows\SysWOW64\Ikkhcpng.exe (command line: C:\Windows\system32\Ikkhcpng.exe)
   - PID: 3512
91. C:\Windows\SysWOW64\Icbpdmoi.exe (command line: C:\Windows\system32\Icbpdmoi.exe)
   - PID: 2316
92. C:\Windows\SysWOW64\Ifplqi32.exe (command line: C:\Windows\system32\Ifplqi32.exe)
   - PID: 4340
93. C:\Windows\SysWOW64\Imjdmcej.exe (command line: C:\Windows\system32\Imjdmcej.exe)
   - PID: 5164
94. C:\Windows\SysWOW64\Ilmeip32.exe (command line: C:\Windows\system32\Ilmeip32.exe)
   - PID: 5212
95. C:\Windows\SysWOW64\Ibgmfjca.exe (command line: C:\Windows\system32\Ibgmfjca.exe)
   - PID: 5256
96. C:\Windows\SysWOW64\Ieeibebe.exe (command line: C:\Windows\system32\Ieeibebe.exe)
   - PID: 5300
97. C:\Windows\SysWOW64\Immacbcg.exe (command line: C:\Windows\system32\Immacbcg.exe)
   - PID: 5344
98. C:\Windows\SysWOW64\Ifeflh32.exe (command line: C:\Windows\system32\Ifeflh32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - PID: 5388
99. C:\Windows\SysWOW64\Imonhb32.exe (command line: C:\Windows\system32\Imonhb32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   - PID: 5424
100. C:\Windows\SysWOW64\Ipmjen32.exe (command line: C:\Windows\system32\Ipmjen32.exe)
   - PID: 5492
101. C:\Windows\SysWOW64\Jldkjofl.exe (command line: C:\Windows\system32\Jldkjofl.exe)
   - PID: 5560
102. C:\Windows\SysWOW64\Jppgjm32.exe (command line: C:\Windows\system32\Jppgjm32.exe)
   - PID: 5604
103. C:\Windows\SysWOW64\Jbncfi32.exe (command line: C:\Windows\system32\Jbncfi32.exe)
   - PID: 5636
104. C:\Windows\SysWOW64\Jfjoggfb.exe (command line: C:\Windows\system32\Jfjoggfb.exe)
   - PID: 5692
105. C:\Windows\SysWOW64\Jmcgcamo.exe (command line: C:\Windows\system32\Jmcgcamo.exe)
   - Modifies registry class
   - PID: 5736
106. C:\Windows\SysWOW64\Jpbdpmlc.exe (command line: C:\Windows\system32\Jpbdpmlc.exe)
   - PID: 5772
107. C:\Windows\SysWOW64\Jcnppl32.exe (command line: C:\Windows\system32\Jcnppl32.exe)
   - PID: 5820
108. C:\Windows\SysWOW64\Jfllmg32.exe (command line: C:\Windows\system32\Jfllmg32.exe)
   - PID: 5860
109. C:\Windows\SysWOW64\Jijhib32.exe (command line: C:\Windows\system32\Jijhib32.exe)
   - PID: 5904
110. C:\Windows\SysWOW64\Jliden32.exe (command line: C:\Windows\system32\Jliden32.exe)
   - PID: 5944
111. C:\Windows\SysWOW64\Jpdqemjp.exe (command line: C:\Windows\system32\Jpdqemjp.exe)
   - PID: 5992
112. C:\Windows\SysWOW64\Jbcmahid.exe (command line: C:\Windows\system32\Jbcmahid.exe)
   - PID: 6036
113. C:\Windows\SysWOW64\Jfnibg32.exe (command line: C:\Windows\system32\Jfnibg32.exe)
   - PID: 6084
114. C:\Windows\SysWOW64\Jimenb32.exe (command line: C:\Windows\system32\Jimenb32.exe)
   - PID: 6128
115. C:\Windows\SysWOW64\Jmhaoqij.exe (command line: C:\Windows\system32\Jmhaoqij.exe)
   - PID: 5136
116. C:\Windows\SysWOW64\Jpgmkl32.exe (command line: C:\Windows\system32\Jpgmkl32.exe)
   - PID: 5188
117. C:\Windows\SysWOW64\Jcbikkqf.exe (command line: C:\Windows\system32\Jcbikkqf.exe)
   - PID: 5276
118. C:\Windows\SysWOW64\Jfqegfpj.exe (command line: C:\Windows\system32\Jfqegfpj.exe)
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - PID: 5324
119. C:\Windows\SysWOW64\Jececc32.exe (command line: C:\Windows\system32\Jececc32.exe)
   - PID: 5416
120. C:\Windows\SysWOW64\Jmkndq32.exe (command line: C:\Windows\system32\Jmkndq32.exe)
   - PID: 5476
121. C:\Windows\SysWOW64\Jlnnpmna.exe (command line: C:\Windows\system32\Jlnnpmna.exe)
   - System Location Discovery: System Language Discovery
   - PID: 5572
122. C:\Windows\SysWOW64\Jcdfakod.exe (command line: C:\Windows\system32\Jcdfakod.exe)
   - PID: 5648