Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 17/08/2024, 00:34
Static task: static1
Behavioral task: behavioral1
Sample: 7237196efbc6139629511e058494c0dbd7cf3ca75b4be4113b78eba90d8109df.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 7237196efbc6139629511e058494c0dbd7cf3ca75b4be4113b78eba90d8109df.exe
Resource: win10v2004-20240802-en
General
Target: 7237196efbc6139629511e058494c0dbd7cf3ca75b4be4113b78eba90d8109df.exe
Size: 123KB
MD5: e9dbce055169f2aabdbf51f46db5f6f2
SHA1: c3b429487bef0424ade8ed1fba196f6d30d8493d
SHA256: 7237196efbc6139629511e058494c0dbd7cf3ca75b4be4113b78eba90d8109df
SHA512: eb34e1822ca6c94d523c79fcd988e8514df3773019f0be2317292aee7550373870db3fca220067c878ea94d051f08545b9895e8e5e9629862c54072614e28ca2
SSDEEP: 3072:x7+cW9NEmglTvEBpdpekRYSa9rR85DEn5k7r8:x78CHTv+3ek4rQD85k/8
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 12144, pid_target: 12116, Process: Process not Found, procid_target: 1294
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7237196efbc6139629511e058494c0dbd7cf3ca75b4be4113b78eba90d8109df.exe (level 1, command line: "C:\Users\Admin\AppData\Local\Temp\7237196efbc6139629511e058494c0dbd7cf3ca75b4be4113b78eba90d8109df.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Oiahnnji.exe (level 2, command line: C:\Windows\system32\Oiahnnji.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ockinl32.exe (level 3, command line: C:\Windows\system32\Ockinl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ojeakfnd.exe (level 4, command line: C:\Windows\system32\Ojeakfnd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Oekehomj.exe (level 5, command line: C:\Windows\system32\Oekehomj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Pgibdjln.exe (level 6, command line: C:\Windows\system32\Pgibdjln.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Pglojj32.exe (level 7, command line: C:\Windows\system32\Pglojj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Pmhgba32.exe (level 8, command line: C:\Windows\system32\Pmhgba32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Padccpal.exe (level 9, command line: C:\Windows\system32\Padccpal.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Pcdldknm.exe (level 10, command line: C:\Windows\system32\Pcdldknm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Plpqim32.exe (level 11, command line: C:\Windows\system32\Plpqim32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Pbjifgcd.exe (level 12, command line: C:\Windows\system32\Pbjifgcd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Qblfkgqb.exe (level 13, command line: C:\Windows\system32\Qblfkgqb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Qhincn32.exe (level 14, command line: C:\Windows\system32\Qhincn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Qbobaf32.exe (level 15, command line: C:\Windows\system32\Qbobaf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Qdpohodn.exe (level 16, command line: C:\Windows\system32\Qdpohodn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Aadobccg.exe (level 17, command line: C:\Windows\system32\Aadobccg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Afqhjj32.exe (level 18, command line: C:\Windows\system32\Afqhjj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Addhcn32.exe (level 19, command line: C:\Windows\system32\Addhcn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Aiaqle32.exe (level 20, command line: C:\Windows\system32\Aiaqle32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Ammmlcgi.exe (level 21, command line: C:\Windows\system32\Ammmlcgi.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Aicmadmm.exe (level 22, command line: C:\Windows\system32\Aicmadmm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Adiaommc.exe (level 23, command line: C:\Windows\system32\Adiaommc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Afgnkilf.exe (level 24, command line: C:\Windows\system32\Afgnkilf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Appbcn32.exe (level 25, command line: C:\Windows\system32\Appbcn32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Aocbokia.exe (level 26, command line: C:\Windows\system32\Aocbokia.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Baclaf32.exe (level 27, command line: C:\Windows\system32\Baclaf32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Bikcbc32.exe (level 28, command line: C:\Windows\system32\Bikcbc32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Bafhff32.exe (level 29, command line: C:\Windows\system32\Bafhff32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Bhpqcpkm.exe (level 30, command line: C:\Windows\system32\Bhpqcpkm.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Bedamd32.exe (level 31, command line: C:\Windows\system32\Bedamd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Bdfahaaa.exe (level 32, command line: C:\Windows\system32\Bdfahaaa.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Bnofaf32.exe (level 33, command line: C:\Windows\system32\Bnofaf32.exe)
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Befnbd32.exe (level 34, command line: C:\Windows\system32\Befnbd32.exe)
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Bdinnqon.exe (level 35, command line: C:\Windows\system32\Bdinnqon.exe)
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Bkcfjk32.exe (level 36, command line: C:\Windows\system32\Bkcfjk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Boobki32.exe (level 37, command line: C:\Windows\system32\Boobki32.exe)
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Camnge32.exe (level 38, command line: C:\Windows\system32\Camnge32.exe)
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Cppobaeb.exe (level 39, command line: C:\Windows\system32\Cppobaeb.exe)
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Chggdoee.exe (level 40, command line: C:\Windows\system32\Chggdoee.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Cjhckg32.exe (level 41, command line: C:\Windows\system32\Cjhckg32.exe)
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Cncolfcl.exe (level 42, command line: C:\Windows\system32\Cncolfcl.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Cpbkhabp.exe (level 43, command line: C:\Windows\system32\Cpbkhabp.exe)
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Ccqhdmbc.exe (level 44, command line: C:\Windows\system32\Ccqhdmbc.exe)
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Ckhpejbf.exe (level 45, command line: C:\Windows\system32\Ckhpejbf.exe)
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Cnflae32.exe (level 46, command line: C:\Windows\system32\Cnflae32.exe)
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Cpdhna32.exe (level 47, command line: C:\Windows\system32\Cpdhna32.exe)
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Cdpdnpif.exe (level 48, command line: C:\Windows\system32\Cdpdnpif.exe)
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Cgnpjkhj.exe (level 49, command line: C:\Windows\system32\Cgnpjkhj.exe)
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Cjmmffgn.exe (level 50, command line: C:\Windows\system32\Cjmmffgn.exe)
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Cnhhge32.exe (level 51, command line: C:\Windows\system32\Cnhhge32.exe)
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Cpgecq32.exe (level 52, command line: C:\Windows\system32\Cpgecq32.exe)
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Cojeomee.exe (level 53, command line: C:\Windows\system32\Cojeomee.exe)
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Cgqmpkfg.exe (level 54, command line: C:\Windows\system32\Cgqmpkfg.exe)
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Cfcmlg32.exe (level 55, command line: C:\Windows\system32\Cfcmlg32.exe)
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Clnehado.exe (level 56, command line: C:\Windows\system32\Clnehado.exe)
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Cpiaipmh.exe (level 57, command line: C:\Windows\system32\Cpiaipmh.exe)
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Ccgnelll.exe (level 58, command line: C:\Windows\system32\Ccgnelll.exe)
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Cbjnqh32.exe (level 59, command line: C:\Windows\system32\Cbjnqh32.exe)
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Djafaf32.exe (level 60, command line: C:\Windows\system32\Djafaf32.exe)
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Donojm32.exe (level 61, command line: C:\Windows\system32\Donojm32.exe)
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Dbmkfh32.exe (level 62, command line: C:\Windows\system32\Dbmkfh32.exe)
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dhgccbhp.exe (level 63, command line: C:\Windows\system32\Dhgccbhp.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Dlboca32.exe (level 64, command line: C:\Windows\system32\Dlboca32.exe)
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Dnckki32.exe (level 65, command line: C:\Windows\system32\Dnckki32.exe)
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Dboglhna.exe (level 66, command line: C:\Windows\system32\Dboglhna.exe)
PID:2148 -
C:\Windows\SysWOW64\Dhiphb32.exe (level 67, command line: C:\Windows\system32\Dhiphb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Dglpdomh.exe (level 68, command line: C:\Windows\system32\Dglpdomh.exe)
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Dnfhqi32.exe (level 69, command line: C:\Windows\system32\Dnfhqi32.exe)
PID:2576 -
C:\Windows\SysWOW64\Dbadagln.exe (level 70, command line: C:\Windows\system32\Dbadagln.exe)
PID:1612 -
C:\Windows\SysWOW64\Ddppmclb.exe (level 71, command line: C:\Windows\system32\Ddppmclb.exe)
PID:1864 -
C:\Windows\SysWOW64\Dgnminke.exe (level 72, command line: C:\Windows\system32\Dgnminke.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Dkjhjm32.exe (level 73, command line: C:\Windows\system32\Dkjhjm32.exe)
PID:2868 -
C:\Windows\SysWOW64\Dnhefh32.exe (level 74, command line: C:\Windows\system32\Dnhefh32.exe)
PID:2360 -
C:\Windows\SysWOW64\Dbdagg32.exe (level 75, command line: C:\Windows\system32\Dbdagg32.exe)
PID:2216 -
C:\Windows\SysWOW64\Ddbmcb32.exe (level 76, command line: C:\Windows\system32\Ddbmcb32.exe)
PID:1920 -
C:\Windows\SysWOW64\Dgqion32.exe (level 77, command line: C:\Windows\system32\Dgqion32.exe)
PID:2248 -
C:\Windows\SysWOW64\Dklepmal.exe (level 78, command line: C:\Windows\system32\Dklepmal.exe)
PID:732 -
C:\Windows\SysWOW64\Dqinhcoc.exe (level 79, command line: C:\Windows\system32\Dqinhcoc.exe)
PID:476 -
C:\Windows\SysWOW64\Eddjhb32.exe (level 80, command line: C:\Windows\system32\Eddjhb32.exe)
PID:1396 -
C:\Windows\SysWOW64\Ecgjdong.exe (level 81, command line: C:\Windows\system32\Ecgjdong.exe)
PID:828 -
C:\Windows\SysWOW64\Ejabqi32.exe (level 82, command line: C:\Windows\system32\Ejabqi32.exe)
PID:2800 -
C:\Windows\SysWOW64\Empomd32.exe (level 83, command line: C:\Windows\system32\Empomd32.exe)
PID:2892 -
C:\Windows\SysWOW64\Eqkjmcmq.exe (level 84, command line: C:\Windows\system32\Eqkjmcmq.exe)
PID:2528 -
C:\Windows\SysWOW64\Ecjgio32.exe (level 85, command line: C:\Windows\system32\Ecjgio32.exe)
PID:2540 -
C:\Windows\SysWOW64\Egebjmdn.exe (level 86, command line: C:\Windows\system32\Egebjmdn.exe)
PID:2504 -
C:\Windows\SysWOW64\Ejcofica.exe (level 87, command line: C:\Windows\system32\Ejcofica.exe)
PID:604 -
C:\Windows\SysWOW64\Embkbdce.exe (level 88, command line: C:\Windows\system32\Embkbdce.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Eqngcc32.exe (level 89, command line: C:\Windows\system32\Eqngcc32.exe)
PID:2748 -
C:\Windows\SysWOW64\Ebockkal.exe (level 90, command line: C:\Windows\system32\Ebockkal.exe)
PID:2096 -
C:\Windows\SysWOW64\Eiilge32.exe (level 91, command line: C:\Windows\system32\Eiilge32.exe)
PID:2140 -
C:\Windows\SysWOW64\Ekghcq32.exe (level 92, command line: C:\Windows\system32\Ekghcq32.exe)
PID:1936 -
C:\Windows\SysWOW64\Ecnpdnho.exe (level 93, command line: C:\Windows\system32\Ecnpdnho.exe)
PID:912 -
C:\Windows\SysWOW64\Efmlqigc.exe (level 94, command line: C:\Windows\system32\Efmlqigc.exe)
PID:1688 -
C:\Windows\SysWOW64\Eikimeff.exe (level 95, command line: C:\Windows\system32\Eikimeff.exe)
PID:2432 -
C:\Windows\SysWOW64\Elieipej.exe (level 96, command line: C:\Windows\system32\Elieipej.exe)
PID:1536 -
C:\Windows\SysWOW64\Enhaeldn.exe (level 97, command line: C:\Windows\system32\Enhaeldn.exe)
PID:2760 -
C:\Windows\SysWOW64\Efoifiep.exe (level 98, command line: C:\Windows\system32\Efoifiep.exe)
PID:2740 -
C:\Windows\SysWOW64\Eebibf32.exe (level 99, command line: C:\Windows\system32\Eebibf32.exe)
PID:2448 -
C:\Windows\SysWOW64\Einebddd.exe (level 100, command line: C:\Windows\system32\Einebddd.exe)
PID:2512 -
C:\Windows\SysWOW64\Fpgnoo32.exe (level 101, command line: C:\Windows\system32\Fpgnoo32.exe)
PID:380 -
C:\Windows\SysWOW64\Fbfjkj32.exe (level 102, command line: C:\Windows\system32\Fbfjkj32.exe)
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Faijggao.exe (level 103, command line: C:\Windows\system32\Faijggao.exe)
PID:1460 -
C:\Windows\SysWOW64\Fipbhd32.exe (level 104, command line: C:\Windows\system32\Fipbhd32.exe)
PID:304 -
C:\Windows\SysWOW64\Fjaoplho.exe (level 105, command line: C:\Windows\system32\Fjaoplho.exe)
PID:1632 -
C:\Windows\SysWOW64\Fbhfajia.exe (level 106, command line: C:\Windows\system32\Fbhfajia.exe)
PID:660 -
C:\Windows\SysWOW64\Fefcmehe.exe (level 107, command line: C:\Windows\system32\Fefcmehe.exe)
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Fcichb32.exe (level 108, command line: C:\Windows\system32\Fcichb32.exe)
PID:1768 -
C:\Windows\SysWOW64\Fjckelfm.exe (level 109, command line: C:\Windows\system32\Fjckelfm.exe)
PID:3064 -
C:\Windows\SysWOW64\Fnogfk32.exe (level 110, command line: C:\Windows\system32\Fnogfk32.exe)
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Fmbgageq.exe (level 111, command line: C:\Windows\system32\Fmbgageq.exe)
PID:2412 -
C:\Windows\SysWOW64\Feipbefb.exe (level 112, command line: C:\Windows\system32\Feipbefb.exe)
PID:2836 -
C:\Windows\SysWOW64\Fhglop32.exe (level 113, command line: C:\Windows\system32\Fhglop32.exe)
PID:1472 -
C:\Windows\SysWOW64\Fjfhkl32.exe (level 114, command line: C:\Windows\system32\Fjfhkl32.exe)
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Fappgflg.exe (level 115, command line: C:\Windows\system32\Fappgflg.exe)
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Windows\SysWOW64\Fpbqcb32.exe (level 116, command line: C:\Windows\system32\Fpbqcb32.exe)
PID:1704 -
C:\Windows\SysWOW64\Fhjhdp32.exe (level 117, command line: C:\Windows\system32\Fhjhdp32.exe)
PID:1228 -
C:\Windows\SysWOW64\Fikelhib.exe (level 118, command line: C:\Windows\system32\Fikelhib.exe)
PID:2016 -
C:\Windows\SysWOW64\Fabmmejd.exe (level 119, command line: C:\Windows\system32\Fabmmejd.exe)
PID:2656 -
C:\Windows\SysWOW64\Fpemhb32.exe (level 120, command line: C:\Windows\system32\Fpemhb32.exe)
PID:2756 -
C:\Windows\SysWOW64\Gbcien32.exe (level 121, command line: C:\Windows\system32\Gbcien32.exe)
PID:2160 -
C:\Windows\SysWOW64\Gjjafkpe.exe (level 122, command line: C:\Windows\system32\Gjjafkpe.exe)
PID:2788 -