Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 07/08/2024, 10:36
Static task: static1
Behavioral task: behavioral1
Sample: abae2d71bfebac0675ba9d41297c18f0N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: abae2d71bfebac0675ba9d41297c18f0N.exe
Resource: win10v2004-20240802-en
General
Target: abae2d71bfebac0675ba9d41297c18f0N.exe
Size: 45KB
MD5: abae2d71bfebac0675ba9d41297c18f0
SHA1: 3b483cd84f869139adbc98423224e4b27455d0f1
SHA256: bfa70bf6575811ee1b20ee34a22c43a261e13dd2bb65a38d6154fde2ebf796bd
SHA512: 59a9d776eaa391978296547973f513419c10babca150b6bd13fbdddcf9ffd6e829969d72051d84d1b2a4bb10f5a760b4cfd15899e076a240d4baea2cbea55f80
SSDEEP: 768:FI8EMd3lWLazj/M64j0o0yxYOLUKTFddj7L1iYQ1nqoVQN/1H5wm:68N3ljzMnjDtFjj7zQ1pOHr
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4100; pid_target: 3020; Process: Process not Found; procid_target: 1353
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Format: depth. image path (command line), PID: signatures triggered by the process

1. C:\Users\Admin\AppData\Local\Temp\abae2d71bfebac0675ba9d41297c18f0N.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\abae2d71bfebac0675ba9d41297c18f0N.exe"), PID 2540: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Jmggcmgg.exe (cmd: C:\Windows\system32\Jmggcmgg.exe), PID 1712: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Jgpklb32.exe (cmd: C:\Windows\system32\Jgpklb32.exe), PID 2236: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Khcdijac.exe (cmd: C:\Windows\system32\Khcdijac.exe), PID 2760: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kopikdgn.exe (cmd: C:\Windows\system32\Kopikdgn.exe), PID 2720: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Kobfqc32.exe (cmd: C:\Windows\system32\Kobfqc32.exe), PID 2808: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Kkigfdjo.exe (cmd: C:\Windows\system32\Kkigfdjo.exe), PID 2788: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Lllpclnk.exe (cmd: C:\Windows\system32\Lllpclnk.exe), PID 2676: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lnlmmo32.exe (cmd: C:\Windows\system32\Lnlmmo32.exe), PID 1856: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Loofjg32.exe (cmd: C:\Windows\system32\Loofjg32.exe), PID 2364: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Lcmopepp.exe (cmd: C:\Windows\system32\Lcmopepp.exe), PID 2952: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lodoefed.exe (cmd: C:\Windows\system32\Lodoefed.exe), PID 2956: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mhlcnl32.exe (cmd: C:\Windows\system32\Mhlcnl32.exe), PID 872: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mchadifq.exe (cmd: C:\Windows\system32\Mchadifq.exe), PID 2024: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mnneabff.exe (cmd: C:\Windows\system32\Mnneabff.exe), PID 2256: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mmcbbo32.exe (cmd: C:\Windows\system32\Mmcbbo32.exe), PID 2112: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Nqakim32.exe (cmd: C:\Windows\system32\Nqakim32.exe), PID 1640: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
18. C:\Windows\SysWOW64\Nlklik32.exe (cmd: C:\Windows\system32\Nlklik32.exe), PID 1736: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Niombolm.exe (cmd: C:\Windows\system32\Niombolm.exe), PID 1724: Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Nhdjdk32.exe (cmd: C:\Windows\system32\Nhdjdk32.exe), PID 2036: Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Nalnmahf.exe (cmd: C:\Windows\system32\Nalnmahf.exe), PID 1812: Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Nbljfdoh.exe (cmd: C:\Windows\system32\Nbljfdoh.exe), PID 2304: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Oldooi32.exe (cmd: C:\Windows\system32\Oldooi32.exe), PID 976: Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Omekgakg.exe (cmd: C:\Windows\system32\Omekgakg.exe), PID 1340: Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Ojilqf32.exe (cmd: C:\Windows\system32\Ojilqf32.exe), PID 2232: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Opfdim32.exe (cmd: C:\Windows\system32\Opfdim32.exe), PID 1776: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Oiniaboi.exe (cmd: C:\Windows\system32\Oiniaboi.exe), PID 1796: Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Oiqegb32.exe (cmd: C:\Windows\system32\Oiqegb32.exe), PID 1568: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Oegflcbj.exe (cmd: C:\Windows\system32\Oegflcbj.exe), PID 2076: Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Pbkgegad.exe (cmd: C:\Windows\system32\Pbkgegad.exe), PID 2812: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Ppogok32.exe (cmd: C:\Windows\system32\Ppogok32.exe), PID 2816: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Pbppqf32.exe (cmd: C:\Windows\system32\Pbppqf32.exe), PID 2896: Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Phmiimlf.exe (cmd: C:\Windows\system32\Phmiimlf.exe), PID 2008: Executes dropped EXE
34. C:\Windows\SysWOW64\Pddinn32.exe (cmd: C:\Windows\system32\Pddinn32.exe), PID 2644: Executes dropped EXE; Modifies registry class
35. C:\Windows\SysWOW64\Qnoklc32.exe (cmd: C:\Windows\system32\Qnoklc32.exe), PID 864: Executes dropped EXE
36. C:\Windows\SysWOW64\Qpocno32.exe (cmd: C:\Windows\system32\Qpocno32.exe), PID 2336: Executes dropped EXE; Drops file in System32 directory
37. C:\Windows\SysWOW64\Ancdgcab.exe (cmd: C:\Windows\system32\Ancdgcab.exe), PID 2488: Executes dropped EXE
38. C:\Windows\SysWOW64\Acplpjpj.exe (cmd: C:\Windows\system32\Acplpjpj.exe), PID 3016: Executes dropped EXE
39. C:\Windows\SysWOW64\Apdminod.exe (cmd: C:\Windows\system32\Apdminod.exe), PID 2496: Executes dropped EXE
40. C:\Windows\SysWOW64\Ajlabc32.exe (cmd: C:\Windows\system32\Ajlabc32.exe), PID 1452: Executes dropped EXE
41. C:\Windows\SysWOW64\Afcbgd32.exe (cmd: C:\Windows\system32\Afcbgd32.exe), PID 2384: Executes dropped EXE
42. C:\Windows\SysWOW64\Anngkg32.exe (cmd: C:\Windows\system32\Anngkg32.exe), PID 2108: Executes dropped EXE
43. C:\Windows\SysWOW64\Bqambacb.exe (cmd: C:\Windows\system32\Bqambacb.exe), PID 2468: Executes dropped EXE
44. C:\Windows\SysWOW64\Bjjakg32.exe (cmd: C:\Windows\system32\Bjjakg32.exe), PID 1092: Executes dropped EXE; Modifies registry class
45. C:\Windows\SysWOW64\Bfqaph32.exe (cmd: C:\Windows\system32\Bfqaph32.exe), PID 2208: Executes dropped EXE
46. C:\Windows\SysWOW64\Bgpnjkgi.exe (cmd: C:\Windows\system32\Bgpnjkgi.exe), PID 2508: Executes dropped EXE
47. C:\Windows\SysWOW64\Bbjoki32.exe (cmd: C:\Windows\system32\Bbjoki32.exe), PID 1708: Executes dropped EXE
48. C:\Windows\SysWOW64\Cmocha32.exe (cmd: C:\Windows\system32\Cmocha32.exe), PID 944: Executes dropped EXE
49. C:\Windows\SysWOW64\Cejhld32.exe (cmd: C:\Windows\system32\Cejhld32.exe), PID 932: Executes dropped EXE
50. C:\Windows\SysWOW64\Ckdpinhf.exe (cmd: C:\Windows\system32\Ckdpinhf.exe), PID 1832: Executes dropped EXE
51. C:\Windows\SysWOW64\Cfjdfg32.exe (cmd: C:\Windows\system32\Cfjdfg32.exe), PID 2316: Executes dropped EXE
52. C:\Windows\SysWOW64\Cgkanomj.exe (cmd: C:\Windows\system32\Cgkanomj.exe), PID 2696: (no signatures)
53. C:\Windows\SysWOW64\Cpbiolnl.exe (cmd: C:\Windows\system32\Cpbiolnl.exe), PID 1588: Executes dropped EXE
54. C:\Windows\SysWOW64\Cacegd32.exe (cmd: C:\Windows\system32\Cacegd32.exe), PID 2404: Executes dropped EXE
55. C:\Windows\SysWOW64\Ciknhb32.exe (cmd: C:\Windows\system32\Ciknhb32.exe), PID 2772: Executes dropped EXE; Drops file in System32 directory
56. C:\Windows\SysWOW64\Cjljpjjk.exe (cmd: C:\Windows\system32\Cjljpjjk.exe), PID 2776: Executes dropped EXE
57. C:\Windows\SysWOW64\Cafbmdbh.exe (cmd: C:\Windows\system32\Cafbmdbh.exe), PID 2296: Executes dropped EXE
58. C:\Windows\SysWOW64\Clkfjman.exe (cmd: C:\Windows\system32\Clkfjman.exe), PID 2312: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
59. C:\Windows\SysWOW64\Dcfknooi.exe (cmd: C:\Windows\system32\Dcfknooi.exe), PID 832: Executes dropped EXE
60. C:\Windows\SysWOW64\Djqcki32.exe (cmd: C:\Windows\system32\Djqcki32.exe), PID 2944: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
61. C:\Windows\SysWOW64\Dhdddnep.exe (cmd: C:\Windows\system32\Dhdddnep.exe), PID 1316: Executes dropped EXE
62. C:\Windows\SysWOW64\Difplf32.exe (cmd: C:\Windows\system32\Difplf32.exe), PID 2100: Executes dropped EXE
63. C:\Windows\SysWOW64\Damhmc32.exe (cmd: C:\Windows\system32\Damhmc32.exe), PID 2224: Executes dropped EXE; Drops file in System32 directory
64. C:\Windows\SysWOW64\Dbneekan.exe (cmd: C:\Windows\system32\Dbneekan.exe), PID 1848: Executes dropped EXE; Drops file in System32 directory
65. C:\Windows\SysWOW64\Dpbenpqh.exe (cmd: C:\Windows\system32\Dpbenpqh.exe), PID 2368: Executes dropped EXE
66. C:\Windows\SysWOW64\Dijjgegh.exe (cmd: C:\Windows\system32\Dijjgegh.exe), PID 1728: Executes dropped EXE; Drops file in System32 directory
67. C:\Windows\SysWOW64\Dbcnpk32.exe (cmd: C:\Windows\system32\Dbcnpk32.exe), PID 1636: (no signatures)
68. C:\Windows\SysWOW64\Deajlf32.exe (cmd: C:\Windows\system32\Deajlf32.exe), PID 1628: (no signatures)
69. C:\Windows\SysWOW64\Eecgafkj.exe (cmd: C:\Windows\system32\Eecgafkj.exe), PID 2088: (no signatures)
70. C:\Windows\SysWOW64\Ekppjmia.exe (cmd: C:\Windows\system32\Ekppjmia.exe), PID 2004: (no signatures)
71. C:\Windows\SysWOW64\Ebghkjjc.exe (cmd: C:\Windows\system32\Ebghkjjc.exe), PID 2228: (no signatures)
72. C:\Windows\SysWOW64\Edidcb32.exe (cmd: C:\Windows\system32\Edidcb32.exe), PID 1196: (no signatures)
73. C:\Windows\SysWOW64\Ekblplgo.exe (cmd: C:\Windows\system32\Ekblplgo.exe), PID 2884: (no signatures)
74. C:\Windows\SysWOW64\Eehqme32.exe (cmd: C:\Windows\system32\Eehqme32.exe), PID 2752: (no signatures)
75. C:\Windows\SysWOW64\Egimdmmc.exe (cmd: C:\Windows\system32\Egimdmmc.exe), PID 2844: (no signatures)
76. C:\Windows\SysWOW64\Eoqeekme.exe (cmd: C:\Windows\system32\Eoqeekme.exe), PID 1740: Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Egljjmkp.exe (cmd: C:\Windows\system32\Egljjmkp.exe), PID 2536: (no signatures)
78. C:\Windows\SysWOW64\Emfbgg32.exe (cmd: C:\Windows\system32\Emfbgg32.exe), PID 2976: (no signatures)
79. C:\Windows\SysWOW64\Fkjbpkag.exe (cmd: C:\Windows\system32\Fkjbpkag.exe), PID 2192: (no signatures)
80. C:\Windows\SysWOW64\Flkohc32.exe (cmd: C:\Windows\system32\Flkohc32.exe), PID 2144: Drops file in System32 directory
81. C:\Windows\SysWOW64\Fiopah32.exe (cmd: C:\Windows\system32\Fiopah32.exe), PID 2512: (no signatures)
82. C:\Windows\SysWOW64\Folhio32.exe (cmd: C:\Windows\system32\Folhio32.exe), PID 2216: (no signatures)
83. C:\Windows\SysWOW64\Fialggcl.exe (cmd: C:\Windows\system32\Fialggcl.exe), PID 2396: Drops file in System32 directory
84. C:\Windows\SysWOW64\Fpkdca32.exe (cmd: C:\Windows\system32\Fpkdca32.exe), PID 2204: (no signatures)
85. C:\Windows\SysWOW64\Fcjqpm32.exe (cmd: C:\Windows\system32\Fcjqpm32.exe), PID 2248: (no signatures)
86. C:\Windows\SysWOW64\Ficilgai.exe (cmd: C:\Windows\system32\Ficilgai.exe), PID 2564: System Location Discovery: System Language Discovery
87. C:\Windows\SysWOW64\Fkeedo32.exe (cmd: C:\Windows\system32\Fkeedo32.exe), PID 1012: System Location Discovery: System Language Discovery
88. C:\Windows\SysWOW64\Fclmem32.exe (cmd: C:\Windows\system32\Fclmem32.exe), PID 1560: (no signatures)
89. C:\Windows\SysWOW64\Fdmjmenh.exe (cmd: C:\Windows\system32\Fdmjmenh.exe), PID 296: (no signatures)
90. C:\Windows\SysWOW64\Fldbnb32.exe (cmd: C:\Windows\system32\Fldbnb32.exe), PID 2620: (no signatures)
91. C:\Windows\SysWOW64\Gdpfbd32.exe (cmd: C:\Windows\system32\Gdpfbd32.exe), PID 3028: (no signatures)
92. C:\Windows\SysWOW64\Gkiooocb.exe (cmd: C:\Windows\system32\Gkiooocb.exe), PID 2900: (no signatures)
93. C:\Windows\SysWOW64\Gdbchd32.exe (cmd: C:\Windows\system32\Gdbchd32.exe), PID 2964: (no signatures)
94. C:\Windows\SysWOW64\Gddpndhp.exe (cmd: C:\Windows\system32\Gddpndhp.exe), PID 1868: (no signatures)
95. C:\Windows\SysWOW64\Ggbljogc.exe (cmd: C:\Windows\system32\Ggbljogc.exe), PID 1480: (no signatures)
96. C:\Windows\SysWOW64\Gnmdfi32.exe (cmd: C:\Windows\system32\Gnmdfi32.exe), PID 2244: (no signatures)
97. C:\Windows\SysWOW64\Gcimop32.exe (cmd: C:\Windows\system32\Gcimop32.exe), PID 2428: (no signatures)
98. C:\Windows\SysWOW64\Gjcekj32.exe (cmd: C:\Windows\system32\Gjcekj32.exe), PID 2160: (no signatures)
99. C:\Windows\SysWOW64\Gcljdpke.exe (cmd: C:\Windows\system32\Gcljdpke.exe), PID 1956: (no signatures)
100. C:\Windows\SysWOW64\Hjfbaj32.exe (cmd: C:\Windows\system32\Hjfbaj32.exe), PID 1752: (no signatures)
101. C:\Windows\SysWOW64\Hobjia32.exe (cmd: C:\Windows\system32\Hobjia32.exe), PID 2524: (no signatures)
102. C:\Windows\SysWOW64\Hfmbfkhf.exe (cmd: C:\Windows\system32\Hfmbfkhf.exe), PID 2820: (no signatures)
103. C:\Windows\SysWOW64\Hkiknb32.exe (cmd: C:\Windows\system32\Hkiknb32.exe), PID 2912: (no signatures)
104. C:\Windows\SysWOW64\Hfookk32.exe (cmd: C:\Windows\system32\Hfookk32.exe), PID 2640: (no signatures)
105. C:\Windows\SysWOW64\Hmighemp.exe (cmd: C:\Windows\system32\Hmighemp.exe), PID 2360: (no signatures)
106. C:\Windows\SysWOW64\Hnjdpm32.exe (cmd: C:\Windows\system32\Hnjdpm32.exe), PID 2712: (no signatures)
107. C:\Windows\SysWOW64\Hgbhibio.exe (cmd: C:\Windows\system32\Hgbhibio.exe), PID 2352: (no signatures)
108. C:\Windows\SysWOW64\Hbhmfk32.exe (cmd: C:\Windows\system32\Hbhmfk32.exe), PID 2288: (no signatures)
109. C:\Windows\SysWOW64\Hibebeqb.exe (cmd: C:\Windows\system32\Hibebeqb.exe), PID 1084: (no signatures)
110. C:\Windows\SysWOW64\Hnomkloi.exe (cmd: C:\Windows\system32\Hnomkloi.exe), PID 276: (no signatures)
111. C:\Windows\SysWOW64\Ieiegf32.exe (cmd: C:\Windows\system32\Ieiegf32.exe), PID 2212: (no signatures)
112. C:\Windows\SysWOW64\Ikbndqnc.exe (cmd: C:\Windows\system32\Ikbndqnc.exe), PID 2520: (no signatures)
113. C:\Windows\SysWOW64\Iapfmg32.exe (cmd: C:\Windows\system32\Iapfmg32.exe), PID 1768: Modifies registry class
114. C:\Windows\SysWOW64\Icnbic32.exe (cmd: C:\Windows\system32\Icnbic32.exe), PID 1080: (no signatures)
115. C:\Windows\SysWOW64\Ijhkembk.exe (cmd: C:\Windows\system32\Ijhkembk.exe), PID 2668: (no signatures)
116. C:\Windows\SysWOW64\Ipecndab.exe (cmd: C:\Windows\system32\Ipecndab.exe), PID 2592: Modifies registry class
117. C:\Windows\SysWOW64\Ijjgkmqh.exe (cmd: C:\Windows\system32\Ijjgkmqh.exe), PID 2056: (no signatures)
118. C:\Windows\SysWOW64\Imidgh32.exe (cmd: C:\Windows\system32\Imidgh32.exe), PID 1584: (no signatures)
119. C:\Windows\SysWOW64\Icbldbgi.exe (cmd: C:\Windows\system32\Icbldbgi.exe), PID 560: (no signatures)
120. C:\Windows\SysWOW64\Ijmdql32.exe (cmd: C:\Windows\system32\Ijmdql32.exe), PID 2880: System Location Discovery: System Language Discovery; Modifies registry class
121. C:\Windows\SysWOW64\Imkqmh32.exe (cmd: C:\Windows\system32\Imkqmh32.exe), PID 2028: (no signatures)
122. C:\Windows\SysWOW64\Ibhieo32.exe (cmd: C:\Windows\system32\Ibhieo32.exe), PID 1760: (no signatures)