Analysis
max time kernel: 122s
max time network: 17s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 25/07/2024, 11:34
Static task: static1
Behavioral task: behavioral1
Sample: ca02d5af7ad592ad7433d47bf973a880N.exe
Resource: win7-20240704-en
General
Target: ca02d5af7ad592ad7433d47bf973a880N.exe
Size: 163KB
MD5: ca02d5af7ad592ad7433d47bf973a880
SHA1: af35e09c8098daf97285f358552fc0e391d64d49
SHA256: 1f17f02061a7d5fdd13c59b48b116c86c2b3ad9962adf743577a87b383373155
SHA512: 86ab2464e9c86dd5587138d9325dc5fb46591308e0ada73cc05836a7b6b3a78b64624858494a37c032b0aef72032f873cbfcb587a3ad0f1c7bd0de1580f328c7
SSDEEP: 1536:Pmi8uvIOGMclzt3A5aXGyspOylProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:OjuvIycbjXGRpltOrWKDBr+yJb
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid 4812 (Process not Found)
Modifies registry class (64 IoCs)
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajfanjqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gliomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhnjlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpqhmgg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcalindb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhojjjhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eepccldb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Ccpjae32.dll" Oooeeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbpncn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmigdnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bglanp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jomnpdjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idedbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colpkh32.dll" Bglhcihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gickgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mideho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgdpg32.dll" Eijegdfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkmckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbokaelh.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejdagfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedope32.dll" Djndoaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koodecap.dll" Hmbdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlleofb.dll" Ihhehoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbncfgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efakjgni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Highje32.dll" Lbmknipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obpflhmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnjkkc32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdmoehh.dll" Oqcafg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdaedhoh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefmkpbl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqhkc32.dll" Gkdpdnfa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkicqlm.dll" Qkhbbcjm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnijidk.dll" Ccfoah32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpejnj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobcekld.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhgfbpdk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeolqdjp.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhklibbf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Floneh32.dll" Iaogjhmg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fklohgie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnaqhbbl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldgapec.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cionkp32.dll" Pehggk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" ca02d5af7ad592ad7433d47bf973a880N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofeneqcn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjcpoeb.dll" Nhajbc32.exe
-
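Every row above rewrites the same CLSID's InProcServer32 key, and the rows shown point its default value at nine different DLL names, each written by a different dropped executable. A hunt that keys on any single DLL name therefore misses most generations; the stable indicator is the CLSID. The Python below is an added example, not part of the sandbox report or the sample's code: it parses rows in the report's own `<op> <key>[ = "<value>"] <process>` layout (the sample rows in the block are copied from this table and labelled as such), collapses them into one record per CLSID, and flags CLSIDs whose in-process server was re-pointed at several DLLs. The class and function names (`ComServerIoc`, `summarize`, `rebound_servers`) are the example's own. On a live host the key to inspect is the path the rows name, `HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32`.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (example's own): rows copied from the "Modifies registry
# class" table of this report, one per line, in the sandbox's
#   <op> <key>[ = "<value>"] <process>
# layout. Quoted values keep the report's doubled backslashes ("C:\\Windows\\...").
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdaedhoh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefmkpbl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqhkc32.dll" Gkdpdnfa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obkicqlm.dll" Qkhbbcjm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnijidk.dll" Ccfoah32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpejnj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobcekld.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhgfbpdk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeolqdjp.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhklibbf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Floneh32.dll" Iaogjhmg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fklohgie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnaqhbbl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldgapec.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cionkp32.dll" Pehggk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" ca02d5af7ad592ad7433d47bf973a880N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofeneqcn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjcpoeb.dll" Nhajbc32.exe
"""

ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \(str\)) '   # operation recorded by the sandbox
    r'(?P<key>\\REGISTRY\\\S+)'                  # registry path (these keys contain no spaces)
    r'(?: = "(?P<value>[^"]*)")?'                # quoted value, present only on Set value rows
    r' (?P<proc>.+)$'                            # writing process, or "Process not Found"
)
# Extracts the CLSID and the value name from an InProcServer32 key path:
# name is None for the key itself, "" for the (default) value, else the value name.
INPROC_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32(?:\\(?P<name>[^\\]*))?$'
)


@dataclass
class ComServerIoc:
    clsid: str
    dll_paths: set = field(default_factory=set)        # InProcServer32 (default) values seen
    threading_models: set = field(default_factory=set)
    writers: set = field(default_factory=set)          # processes that touched the key
    unattributed_rows: int = 0                         # rows the sandbox could not attribute


def parse_rows(text):
    """Yield one dict per non-empty row; an unknown layout is an error, not a silent skip."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        yield m.groupdict()


def summarize(text):
    """Collapse InProcServer32 rows into one ComServerIoc per CLSID."""
    by_clsid = {}
    for row in parse_rows(text):
        km = INPROC_RE.search(row["key"])
        if km is None:
            continue                                   # some other key, not an in-proc server
        ioc = by_clsid.setdefault(km["clsid"], ComServerIoc(km["clsid"]))
        if row["proc"] == "Process not Found":
            ioc.unattributed_rows += 1
        else:
            ioc.writers.add(row["proc"])
        if row["op"].startswith("Set value"):
            value = row["value"].replace("\\\\", "\\")  # undo the report's backslash escaping
            if km["name"] == "":
                ioc.dll_paths.add(value)
            elif km["name"].lower() == "threadingmodel":
                ioc.threading_models.add(value)
    return by_clsid


def rebound_servers(by_clsid, threshold=2):
    """CLSIDs whose in-process server was pointed at `threshold` or more different DLLs."""
    return {clsid: sorted(ioc.dll_paths)
            for clsid, ioc in by_clsid.items()
            if len(ioc.dll_paths) >= threshold}


if __name__ == "__main__":
    iocs = summarize(SAMPLE_ROWS)
    for clsid, ioc in iocs.items():
        print(clsid, "->", len(ioc.dll_paths), "DLLs,", len(ioc.writers), "writers,",
              ioc.unattributed_rows, "unattributed rows")
    print("hunt on CLSID rather than DLL name:", rebound_servers(iocs))
```

The parser refuses rows it cannot match rather than skipping them, so a layout change in the report shows up as an error instead of an empty result; the "Process not Found" rows are counted separately because they still prove the key was written even though the sandbox lost the writer.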
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2548 wrote to memory of 2960 2548 ca02d5af7ad592ad7433d47bf973a880N.exe 29
PID 2548 wrote to memory of 2960 2548 ca02d5af7ad592ad7433d47bf973a880N.exe 29
PID 2548 wrote to memory of 2960 2548 ca02d5af7ad592ad7433d47bf973a880N.exe 29
PID 2548 wrote to memory of 2960 2548 ca02d5af7ad592ad7433d47bf973a880N.exe 29
PID 2960 wrote to memory of 2784 2960 Fmnmih32.exe 30
PID 2960 wrote to memory of 2784 2960 Fmnmih32.exe 30
PID 2960 wrote to memory of 2784 2960 Fmnmih32.exe 30
PID 2960 wrote to memory of 2784 2960 Fmnmih32.exe 30
PID 2784 wrote to memory of 2736 2784 Fffabman.exe 31
PID 2784 wrote to memory of 2736 2784 Fffabman.exe 31
PID 2784 wrote to memory of 2736 2784 Fffabman.exe 31
PID 2784 wrote to memory of 2736 2784 Fffabman.exe 31
PID 2736 wrote to memory of 2664 2736 Gabohk32.exe 32
PID 2736 wrote to memory of 2664 2736 Gabohk32.exe 32
PID 2736 wrote to memory of 2664 2736 Gabohk32.exe 32
PID 2736 wrote to memory of 2664 2736 Gabohk32.exe 32
PID 2664 wrote to memory of 2800 2664 Glgcec32.exe 33
PID 2664 wrote to memory of 2800 2664 Glgcec32.exe 33
PID 2664 wrote to memory of 2800 2664 Glgcec32.exe 33
PID 2664 wrote to memory of 2800 2664 Glgcec32.exe 33
PID 2800 wrote to memory of 2696 2800 Gmipmlan.exe 34
PID 2800 wrote to memory of 2696 2800 Gmipmlan.exe 34
PID 2800 wrote to memory of 2696 2800 Gmipmlan.exe 34
PID 2800 wrote to memory of 2696 2800 Gmipmlan.exe 34
PID 2696 wrote to memory of 3060 2696 Hdjnje32.exe 35
PID 2696 wrote to memory of 3060 2696 Hdjnje32.exe 35
PID 2696 wrote to memory of 3060 2696 Hdjnje32.exe 35
PID 2696 wrote to memory of 3060 2696 Hdjnje32.exe 35
PID 3060 wrote to memory of 2292 3060 Hbokkagk.exe 36
PID 3060 wrote to memory of 2292 3060 Hbokkagk.exe 36
PID 3060 wrote to memory of 2292 3060 Hbokkagk.exe 36
PID 3060 wrote to memory of 2292 3060 Hbokkagk.exe 36
PID 2292 wrote to memory of 2008 2292 Hfmcapna.exe 37
PID 2292 wrote to memory of 2008 2292 Hfmcapna.exe 37
PID 2292 wrote to memory of 2008 2292 Hfmcapna.exe 37
PID 2292 wrote to memory of 2008 2292 Hfmcapna.exe 37
PID 2008 wrote to memory of 1060 2008 Hinlck32.exe 38
PID 2008 wrote to memory of 1060 2008 Hinlck32.exe 38
PID 2008 wrote to memory of 1060 2008 Hinlck32.exe 38
PID 2008 wrote to memory of 1060 2008 Hinlck32.exe 38
PID 1060 wrote to memory of 2916 1060 Ilneef32.exe 39
PID 1060 wrote to memory of 2916 1060 Ilneef32.exe 39
PID 1060 wrote to memory of 2916 1060 Ilneef32.exe 39
PID 1060 wrote to memory of 2916 1060 Ilneef32.exe 39
PID 2916 wrote to memory of 2036 2916 Ippkni32.exe 40
PID 2916 wrote to memory of 2036 2916 Ippkni32.exe 40
PID 2916 wrote to memory of 2036 2916 Ippkni32.exe 40
PID 2916 wrote to memory of 2036 2916 Ippkni32.exe 40
PID 2036 wrote to memory of 1296 2036 Ijmibn32.exe 41
PID 2036 wrote to memory of 1296 2036 Ijmibn32.exe 41
PID 2036 wrote to memory of 1296 2036 Ijmibn32.exe 41
PID 2036 wrote to memory of 1296 2036 Ijmibn32.exe 41
PID 1296 wrote to memory of 2448 1296 Jomnpdjb.exe 42
PID 1296 wrote to memory of 2448 1296 Jomnpdjb.exe 42
PID 1296 wrote to memory of 2448 1296 Jomnpdjb.exe 42
PID 1296 wrote to memory of 2448 1296 Jomnpdjb.exe 42
PID 2448 wrote to memory of 2300 2448 Jookedhp.exe 43
PID 2448 wrote to memory of 2300 2448 Jookedhp.exe 43
PID 2448 wrote to memory of 2300 2448 Jookedhp.exe 43
PID 2448 wrote to memory of 2300 2448 Jookedhp.exe 43
PID 2300 wrote to memory of 824 2300 Jgllof32.exe 44
PID 2300 wrote to memory of 824 2300 Jgllof32.exe 44
PID 2300 wrote to memory of 824 2300 Jgllof32.exe 44
PID 2300 wrote to memory of 824 2300 Jgllof32.exe 44
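Read in order, the table describes a strictly linear chain: every parent writes into exactly one child, the next executable in the process tree below, and the sandbox records each parent/child pair four times. The Python below is an added example and not part of the report: it parses rows in the report's `PID <src> wrote to memory of <dst> <pid> <image> <procid_target>` layout (sample rows copied from this table, with the first two pairs repeated to show the de-duplication), cross-checks the redundant pid column against the description, collapses repeats, and rebuilds the chain, failing loudly on fan-out, multiple roots, or a cycle rather than silently picking one path. The function names (`parse_edges`, `injection_chain`) are the example's own.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed sample input (example's own): rows copied from the "Suspicious use of
# WriteProcessMemory" table of this report, in the sandbox's
#   PID <src> wrote to memory of <dst> <pid> <image> <procid_target>
# layout. The first two pairs are repeated, as the report repeats every pair.
SAMPLE_ROWS = """
PID 2548 wrote to memory of 2960 2548 ca02d5af7ad592ad7433d47bf973a880N.exe 29
PID 2548 wrote to memory of 2960 2548 ca02d5af7ad592ad7433d47bf973a880N.exe 29
PID 2960 wrote to memory of 2784 2960 Fmnmih32.exe 30
PID 2960 wrote to memory of 2784 2960 Fmnmih32.exe 30
PID 2784 wrote to memory of 2736 2784 Fffabman.exe 31
PID 2736 wrote to memory of 2664 2736 Gabohk32.exe 32
PID 2664 wrote to memory of 2800 2664 Glgcec32.exe 33
PID 2800 wrote to memory of 2696 2800 Gmipmlan.exe 34
PID 2696 wrote to memory of 3060 2696 Hdjnje32.exe 35
PID 3060 wrote to memory of 2292 3060 Hbokkagk.exe 36
PID 2292 wrote to memory of 2008 2292 Hfmcapna.exe 37
PID 2008 wrote to memory of 1060 2008 Hinlck32.exe 38
PID 1060 wrote to memory of 2916 1060 Ilneef32.exe 39
PID 2916 wrote to memory of 2036 2916 Ippkni32.exe 40
PID 2036 wrote to memory of 1296 2036 Ijmibn32.exe 41
PID 1296 wrote to memory of 2448 1296 Jomnpdjb.exe 42
PID 2448 wrote to memory of 2300 2448 Jookedhp.exe 43
PID 2300 wrote to memory of 824 2300 Jgllof32.exe 44
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_edges(text):
    """Return an ordered map of unique (src, dst, image, target) edges to their row counts."""
    edges = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, pid = int(m["src"]), int(m["dst"]), int(m["pid"])
        # The pid column restates the source PID; disagreement means a mangled row.
        if src != pid:
            raise ValueError(f"pid column {pid} disagrees with description {src}: {line!r}")
        edge = (src, dst, m["image"], int(m["target"]))
        edges[edge] = edges.get(edge, 0) + 1
    return edges


def injection_chain(edges):
    """Order the unique edges into the linear chain root -> child -> grandchild ...

    Returns [(writer_pid, writer_image, target_pid), ...]. Raises if any process
    wrote into more than one child, if there is not exactly one root, or on a cycle.
    """
    children, parents, image_of = defaultdict(set), defaultdict(set), {}
    for src, dst, image, _ in edges:
        children[src].add(dst)
        parents[dst].add(src)
        image_of[src] = image
    fan_out = {p: sorted(c) for p, c in children.items() if len(c) != 1}
    if fan_out:
        raise ValueError(f"not a linear chain, fan-out at {fan_out}")
    roots = [p for p in children if p not in parents]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid in children:
        if pid in seen:
            raise ValueError(f"cycle through PID {pid}")
        seen.add(pid)
        (child,) = children[pid]
        chain.append((pid, image_of[pid], child))
        pid = child
    return chain


if __name__ == "__main__":
    chain = injection_chain(parse_edges(SAMPLE_ROWS))
    print(" -> ".join(f"{image}({pid})" for pid, image, _ in chain) + f" -> {chain[-1][2]}")
```

The last target PID (824) has no image in this table, which is why the chain records the writer's image only; the process tree further down names it. Keeping the per-edge counts lets an analyst spot a pair that was written far more often than the others, which this run does not show.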
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca02d5af7ad592ad7433d47bf973a880N.exe  "C:\Users\Admin\AppData\Local\Temp\ca02d5af7ad592ad7433d47bf973a880N.exe"  1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Fmnmih32.exe  C:\Windows\system32\Fmnmih32.exe  2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Fffabman.exe  C:\Windows\system32\Fffabman.exe  3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Gabohk32.exe  C:\Windows\system32\Gabohk32.exe  4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Glgcec32.exe  C:\Windows\system32\Glgcec32.exe  5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Gmipmlan.exe  C:\Windows\system32\Gmipmlan.exe  6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Hdjnje32.exe  C:\Windows\system32\Hdjnje32.exe  7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Hbokkagk.exe  C:\Windows\system32\Hbokkagk.exe  8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Hfmcapna.exe  C:\Windows\system32\Hfmcapna.exe  9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Hinlck32.exe  C:\Windows\system32\Hinlck32.exe  10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Ilneef32.exe  C:\Windows\system32\Ilneef32.exe  11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Ippkni32.exe  C:\Windows\system32\Ippkni32.exe  12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Ijmibn32.exe  C:\Windows\system32\Ijmibn32.exe  13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Jomnpdjb.exe  C:\Windows\system32\Jomnpdjb.exe  14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Jookedhp.exe  C:\Windows\system32\Jookedhp.exe  15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Jgllof32.exe  C:\Windows\system32\Jgllof32.exe  16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Khlhiijk.exe  C:\Windows\system32\Khlhiijk.exe  17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Kjbnlqld.exe  C:\Windows\system32\Kjbnlqld.exe  18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Kmbgnl32.exe  C:\Windows\system32\Kmbgnl32.exe  19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Kjfhgp32.exe  C:\Windows\system32\Kjfhgp32.exe  20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Lphjkfbq.exe  C:\Windows\system32\Lphjkfbq.exe  21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Lgcooh32.exe  C:\Windows\system32\Lgcooh32.exe  22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Llagegfb.exe  C:\Windows\system32\Llagegfb.exe  23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Mhjdpgic.exe  C:\Windows\system32\Mhjdpgic.exe  24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Mdaedhoh.exe  C:\Windows\system32\Mdaedhoh.exe  25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Mmijmn32.exe  C:\Windows\system32\Mmijmn32.exe  26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Mibgho32.exe  C:\Windows\system32\Mibgho32.exe  27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Nhjaok32.exe  C:\Windows\system32\Nhjaok32.exe  28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ndaaclac.exe  C:\Windows\system32\Ndaaclac.exe  29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Nhojjjhj.exe  C:\Windows\system32\Nhojjjhj.exe  30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Nibcgb32.exe  C:\Windows\system32\Nibcgb32.exe  31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Oeidlc32.exe  C:\Windows\system32\Oeidlc32.exe  32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Opaeok32.exe  C:\Windows\system32\Opaeok32.exe  33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Oofbph32.exe  C:\Windows\system32\Oofbph32.exe  34⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Oagkac32.exe  C:\Windows\system32\Oagkac32.exe  35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Paldmbmq.exe  C:\Windows\system32\Paldmbmq.exe  36⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Pnbeacbd.exe  C:\Windows\system32\Pnbeacbd.exe  37⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Pfnjfepp.exe  C:\Windows\system32\Pfnjfepp.exe  38⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Qcdgei32.exe  C:\Windows\system32\Qcdgei32.exe  39⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Qkolil32.exe  C:\Windows\system32\Qkolil32.exe  40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Qegpbaqb.exe  C:\Windows\system32\Qegpbaqb.exe  41⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Aghidl32.exe  C:\Windows\system32\Aghidl32.exe  42⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Abnmae32.exe  C:\Windows\system32\Abnmae32.exe  43⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Aihenoef.exe  C:\Windows\system32\Aihenoef.exe  44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Ajibeg32.exe  C:\Windows\system32\Ajibeg32.exe  45⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Cpafhpaj.exe  C:\Windows\system32\Cpafhpaj.exe  46⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Dpfpco32.exe  C:\Windows\system32\Dpfpco32.exe  47⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Diqabd32.exe  C:\Windows\system32\Diqabd32.exe  48⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Donijk32.exe  C:\Windows\system32\Donijk32.exe  49⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Ddjbbbna.exe  C:\Windows\system32\Ddjbbbna.exe  50⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Dopfpkng.exe  C:\Windows\system32\Dopfpkng.exe  51⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ddmohbln.exe  C:\Windows\system32\Ddmohbln.exe  52⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Dobcekld.exe  C:\Windows\system32\Dobcekld.exe  53⤵
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Ehkgnpbe.exe  C:\Windows\system32\Ehkgnpbe.exe  54⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Edahca32.exe  C:\Windows\system32\Edahca32.exe  55⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ejnqkh32.exe  C:\Windows\system32\Ejnqkh32.exe  56⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Egbaelej.exe  C:\Windows\system32\Egbaelej.exe  57⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Eloimcca.exe  C:\Windows\system32\Eloimcca.exe  58⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Egdnjlcg.exe  C:\Windows\system32\Egdnjlcg.exe  59⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Elafbcao.exe  C:\Windows\system32\Elafbcao.exe  60⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ebnokjpf.exe  C:\Windows\system32\Ebnokjpf.exe  61⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Fkfcdpfg.exe  C:\Windows\system32\Fkfcdpfg.exe  62⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Fhjcmcep.exe  C:\Windows\system32\Fhjcmcep.exe  63⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Fodljn32.exe  C:\Windows\system32\Fodljn32.exe  64⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Fgpqnpjh.exe  C:\Windows\system32\Fgpqnpjh.exe  65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Fqhegf32.exe  C:\Windows\system32\Fqhegf32.exe  66⤵
PID:776 -
C:\Windows\SysWOW64\Fgbmdphe.exe  C:\Windows\system32\Fgbmdphe.exe  67⤵
PID:1260 -
C:\Windows\SysWOW64\Fbgaahgl.exe  C:\Windows\system32\Fbgaahgl.exe  68⤵
PID:1828 -
C:\Windows\SysWOW64\Fnnbfjmp.exe  C:\Windows\system32\Fnnbfjmp.exe  69⤵
PID:2496 -
C:\Windows\SysWOW64\Fehjcc32.exe  C:\Windows\system32\Fehjcc32.exe  70⤵
PID:2824 -
C:\Windows\SysWOW64\Gpbkca32.exe  C:\Windows\system32\Gpbkca32.exe  71⤵
PID:2132 -
C:\Windows\SysWOW64\Gjgpqjqa.exe  C:\Windows\system32\Gjgpqjqa.exe  72⤵
PID:2796 -
C:\Windows\SysWOW64\Gpdhiaoi.exe  C:\Windows\system32\Gpdhiaoi.exe  73⤵
PID:2676 -
C:\Windows\SysWOW64\Gimmbg32.exe  C:\Windows\system32\Gimmbg32.exe  74⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Gcbaop32.exe  C:\Windows\system32\Gcbaop32.exe  75⤵
PID:2092 -
C:\Windows\SysWOW64\Gmjehe32.exe  C:\Windows\system32\Gmjehe32.exe  76⤵
PID:1912 -
C:\Windows\SysWOW64\Gefjlg32.exe  C:\Windows\system32\Gefjlg32.exe  77⤵
PID:1512 -
C:\Windows\SysWOW64\Hbjjfl32.exe  C:\Windows\system32\Hbjjfl32.exe  78⤵
PID:1400 -
C:\Windows\SysWOW64\Hhfcnb32.exe  C:\Windows\system32\Hhfcnb32.exe  79⤵
PID:2248 -
C:\Windows\SysWOW64\Haoggh32.exe  C:\Windows\system32\Haoggh32.exe  80⤵
PID:1748 -
C:\Windows\SysWOW64\Hmehlibq.exe  C:\Windows\system32\Hmehlibq.exe  81⤵
PID:2412 -
C:\Windows\SysWOW64\Hhklibbf.exe  C:\Windows\system32\Hhklibbf.exe  82⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Hpfamd32.exe  C:\Windows\system32\Hpfamd32.exe  83⤵
PID:1196 -
C:\Windows\SysWOW64\Hfpijngn.exe  C:\Windows\system32\Hfpijngn.exe  84⤵
PID:2712 -
C:\Windows\SysWOW64\Hddjcbfh.exe  C:\Windows\system32\Hddjcbfh.exe  85⤵
PID:2776 -
C:\Windows\SysWOW64\Iiablido.exe  C:\Windows\system32\Iiablido.exe  86⤵
PID:1708 -
C:\Windows\SysWOW64\Ifecen32.exe  C:\Windows\system32\Ifecen32.exe  87⤵
PID:2652 -
C:\Windows\SysWOW64\Ipmgncii.exe  C:\Windows\system32\Ipmgncii.exe  88⤵
PID:1720 -
C:\Windows\SysWOW64\Ifgpkm32.exe  C:\Windows\system32\Ifgpkm32.exe  89⤵
PID:952 -
C:\Windows\SysWOW64\Ippdcc32.exe  C:\Windows\system32\Ippdcc32.exe  90⤵
PID:3032 -
C:\Windows\SysWOW64\Ielllj32.exe  C:\Windows\system32\Ielllj32.exe  91⤵
PID:1328 -
C:\Windows\SysWOW64\Ikiedq32.exe  C:\Windows\system32\Ikiedq32.exe  92⤵
PID:2228 -
C:\Windows\SysWOW64\Idaimfjf.exe  C:\Windows\system32\Idaimfjf.exe  93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Iklajp32.exe  C:\Windows\system32\Iklajp32.exe  94⤵
PID:1404 -
C:\Windows\SysWOW64\Jeafgiai.exe  C:\Windows\system32\Jeafgiai.exe  95⤵
PID:2240 -
C:\Windows\SysWOW64\Jknnoppp.exe  C:\Windows\system32\Jknnoppp.exe  96⤵
PID:388 -
C:\Windows\SysWOW64\Jdfche32.exe  C:\Windows\system32\Jdfche32.exe  97⤵
PID:876 -
C:\Windows\SysWOW64\Jkpkepnn.exe  C:\Windows\system32\Jkpkepnn.exe  98⤵
PID:472 -
C:\Windows\SysWOW64\Jdipnedn.exe  C:\Windows\system32\Jdipnedn.exe  99⤵
PID:780 -
C:\Windows\SysWOW64\Jkbhjo32.exe  C:\Windows\system32\Jkbhjo32.exe  100⤵
PID:2444 -
C:\Windows\SysWOW64\Jpppbf32.exe  C:\Windows\system32\Jpppbf32.exe  101⤵
PID:2976 -
C:\Windows\SysWOW64\Jncqlj32.exe  C:\Windows\system32\Jncqlj32.exe  102⤵
PID:2836 -
C:\Windows\SysWOW64\Jcpidagc.exe  C:\Windows\system32\Jcpidagc.exe  103⤵
PID:2744 -
C:\Windows\SysWOW64\Jjjaak32.exe  C:\Windows\system32\Jjjaak32.exe  104⤵
PID:2372 -
C:\Windows\SysWOW64\Kcbfjaeq.exe  C:\Windows\system32\Kcbfjaeq.exe  105⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Kknkncbl.exe  C:\Windows\system32\Kknkncbl.exe  106⤵
PID:1712 -
C:\Windows\SysWOW64\Kbjpqmhf.exe  C:\Windows\system32\Kbjpqmhf.exe  107⤵
PID:2148 -
C:\Windows\SysWOW64\Kgghidfm.exe  C:\Windows\system32\Kgghidfm.exe  108⤵
PID:1860 -
C:\Windows\SysWOW64\Kgienc32.exe  C:\Windows\system32\Kgienc32.exe  109⤵
PID:2104 -
C:\Windows\SysWOW64\Lgladc32.exe  C:\Windows\system32\Lgladc32.exe  110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Lnejqmie.exe  C:\Windows\system32\Lnejqmie.exe  111⤵
PID:2408 -
C:\Windows\SysWOW64\Ljljenoi.exe  C:\Windows\system32\Ljljenoi.exe  112⤵
PID:1628 -
C:\Windows\SysWOW64\Lceond32.exe  C:\Windows\system32\Lceond32.exe  113⤵
PID:2480 -
C:\Windows\SysWOW64\Lqiohh32.exe  C:\Windows\system32\Lqiohh32.exe  114⤵
PID:2724 -
C:\Windows\SysWOW64\Mjocja32.exe  C:\Windows\system32\Mjocja32.exe  115⤵
PID:2864 -
C:\Windows\SysWOW64\Medggj32.exe  C:\Windows\system32\Medggj32.exe  116⤵
PID:2764 -
C:\Windows\SysWOW64\Nppemgjd.exe  C:\Windows\system32\Nppemgjd.exe  117⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Nmdfglhm.exe  C:\Windows\system32\Nmdfglhm.exe  118⤵
PID:2276 -
C:\Windows\SysWOW64\Nikflm32.exe  C:\Windows\system32\Nikflm32.exe  119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Nfogeamk.exe  C:\Windows\system32\Nfogeamk.exe  120⤵
PID:972 -
C:\Windows\SysWOW64\Nolhoc32.exe  C:\Windows\system32\Nolhoc32.exe  121⤵
PID:2944 -
C:\Windows\SysWOW64\Odiagj32.exe  C:\Windows\system32\Odiagj32.exe  122⤵
- System Location Discovery: System Language Discovery
PID:1792