Analysis
max time kernel
40s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted
19-08-2024 15:02
Static task
static1
Behavioral task
behavioral1
Sample
b4f510e73fd6472ddc6f04333792e590N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
b4f510e73fd6472ddc6f04333792e590N.exe
Resource
win10v2004-20240802-en
General
Target
b4f510e73fd6472ddc6f04333792e590N.exe
Size
120KB
MD5
b4f510e73fd6472ddc6f04333792e590
SHA1
1e3826146746cf926f937dc215c79ac1fd827297
SHA256
859d6b75167d98465f7c4eec6261f4216e7cd85b417c573b98d2442d5d40a74a
SHA512
81c1489d85364cb38383ce60055c19142865e3df088339c0f9fb4fa7765378bc13a6baf7cd751965be9e93b8d57e6a0a1f58c9115ba7c64f5238d353964170a3
SSDEEP
3072:zIOQaM4GauOKweh203H/6TC+qF1SsB1bw4AVRrd9:EGM7Lh9C81NBy9
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4336, pid_target: 4316, Process: WerFault.exe, procid_target: 374
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1148 wrote to memory of 1224 1148 b4f510e73fd6472ddc6f04333792e590N.exe 29
PID 1148 wrote to memory of 1224 1148 b4f510e73fd6472ddc6f04333792e590N.exe 29
PID 1148 wrote to memory of 1224 1148 b4f510e73fd6472ddc6f04333792e590N.exe 29
PID 1148 wrote to memory of 1224 1148 b4f510e73fd6472ddc6f04333792e590N.exe 29
PID 1224 wrote to memory of 2496 1224 Kqaigijk.exe 30
PID 1224 wrote to memory of 2496 1224 Kqaigijk.exe 30
PID 1224 wrote to memory of 2496 1224 Kqaigijk.exe 30
PID 1224 wrote to memory of 2496 1224 Kqaigijk.exe 30
PID 2496 wrote to memory of 2776 2496 Lgladc32.exe 31
PID 2496 wrote to memory of 2776 2496 Lgladc32.exe 31
PID 2496 wrote to memory of 2776 2496 Lgladc32.exe 31
PID 2496 wrote to memory of 2776 2496 Lgladc32.exe 31
PID 2776 wrote to memory of 2708 2776 Lmhjlj32.exe 32
PID 2776 wrote to memory of 2708 2776 Lmhjlj32.exe 32
PID 2776 wrote to memory of 2708 2776 Lmhjlj32.exe 32
PID 2776 wrote to memory of 2708 2776 Lmhjlj32.exe 32
PID 2708 wrote to memory of 2956 2708 Lfanep32.exe 33
PID 2708 wrote to memory of 2956 2708 Lfanep32.exe 33
PID 2708 wrote to memory of 2956 2708 Lfanep32.exe 33
PID 2708 wrote to memory of 2956 2708 Lfanep32.exe 33
PID 2956 wrote to memory of 2688 2956 Ljljenoi.exe 34
PID 2956 wrote to memory of 2688 2956 Ljljenoi.exe 34
PID 2956 wrote to memory of 2688 2956 Ljljenoi.exe 34
PID 2956 wrote to memory of 2688 2956 Ljljenoi.exe 34
PID 2688 wrote to memory of 2172 2688 Lgpkobnb.exe 35
PID 2688 wrote to memory of 2172 2688 Lgpkobnb.exe 35
PID 2688 wrote to memory of 2172 2688 Lgpkobnb.exe 35
PID 2688 wrote to memory of 2172 2688 Lgpkobnb.exe 35
PID 2172 wrote to memory of 2812 2172 Lmmcgilj.exe 36
PID 2172 wrote to memory of 2812 2172 Lmmcgilj.exe 36
PID 2172 wrote to memory of 2812 2172 Lmmcgilj.exe 36
PID 2172 wrote to memory of 2812 2172 Lmmcgilj.exe 36
PID 2812 wrote to memory of 2024 2812 Lokpcekn.exe 37
PID 2812 wrote to memory of 2024 2812 Lokpcekn.exe 37
PID 2812 wrote to memory of 2024 2812 Lokpcekn.exe 37
PID 2812 wrote to memory of 2024 2812 Lokpcekn.exe 37
PID 2024 wrote to memory of 2640 2024 Lbjlppja.exe 38
PID 2024 wrote to memory of 2640 2024 Lbjlppja.exe 38
PID 2024 wrote to memory of 2640 2024 Lbjlppja.exe 38
PID 2024 wrote to memory of 2640 2024 Lbjlppja.exe 38
PID 2640 wrote to memory of 2968 2640 Liddljan.exe 39
PID 2640 wrote to memory of 2968 2640 Liddljan.exe 39
PID 2640 wrote to memory of 2968 2640 Liddljan.exe 39
PID 2640 wrote to memory of 2968 2640 Liddljan.exe 39
PID 2968 wrote to memory of 2912 2968 Lkbphfab.exe 40
PID 2968 wrote to memory of 2912 2968 Lkbphfab.exe 40
PID 2968 wrote to memory of 2912 2968 Lkbphfab.exe 40
PID 2968 wrote to memory of 2912 2968 Lkbphfab.exe 40
PID 2912 wrote to memory of 1916 2912 Lblhep32.exe 41
PID 2912 wrote to memory of 1916 2912 Lblhep32.exe 41
PID 2912 wrote to memory of 1916 2912 Lblhep32.exe 41
PID 2912 wrote to memory of 1916 2912 Lblhep32.exe 41
PID 1916 wrote to memory of 1288 1916 Lfhdeoqh.exe 42
PID 1916 wrote to memory of 1288 1916 Lfhdeoqh.exe 42
PID 1916 wrote to memory of 1288 1916 Lfhdeoqh.exe 42
PID 1916 wrote to memory of 1288 1916 Lfhdeoqh.exe 42
PID 1288 wrote to memory of 796 1288 Lmbmbi32.exe 43
PID 1288 wrote to memory of 796 1288 Lmbmbi32.exe 43
PID 1288 wrote to memory of 796 1288 Lmbmbi32.exe 43
PID 1288 wrote to memory of 796 1288 Lmbmbi32.exe 43
PID 796 wrote to memory of 2408 796 Mncijanc.exe 44
PID 796 wrote to memory of 2408 796 Mncijanc.exe 44
PID 796 wrote to memory of 2408 796 Mncijanc.exe 44
PID 796 wrote to memory of 2408 796 Mncijanc.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4f510e73fd6472ddc6f04333792e590N.exe"C:\Users\Admin\AppData\Local\Temp\b4f510e73fd6472ddc6f04333792e590N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Kqaigijk.exeC:\Windows\system32\Kqaigijk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Lgladc32.exeC:\Windows\system32\Lgladc32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Lmhjlj32.exeC:\Windows\system32\Lmhjlj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Lfanep32.exeC:\Windows\system32\Lfanep32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ljljenoi.exeC:\Windows\system32\Ljljenoi.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Lgpkobnb.exeC:\Windows\system32\Lgpkobnb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lmmcgilj.exeC:\Windows\system32\Lmmcgilj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Lokpcekn.exeC:\Windows\system32\Lokpcekn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Lbjlppja.exeC:\Windows\system32\Lbjlppja.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Liddljan.exeC:\Windows\system32\Liddljan.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Lkbphfab.exeC:\Windows\system32\Lkbphfab.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Lblhep32.exeC:\Windows\system32\Lblhep32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Lfhdeoqh.exeC:\Windows\system32\Lfhdeoqh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Lmbmbi32.exeC:\Windows\system32\Lmbmbi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Mncijanc.exeC:\Windows\system32\Mncijanc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Mgkncfdc.exeC:\Windows\system32\Mgkncfdc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Mpbfddef.exeC:\Windows\system32\Mpbfddef.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Madbll32.exeC:\Windows\system32\Madbll32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Mikjmi32.exeC:\Windows\system32\Mikjmi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Mlifie32.exeC:\Windows\system32\Mlifie32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:912 -
C:\Windows\SysWOW64\Mnhbep32.exeC:\Windows\system32\Mnhbep32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Mcdkmg32.exeC:\Windows\system32\Mcdkmg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Mllcodig.exeC:\Windows\system32\Mllcodig.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Mmmpfm32.exeC:\Windows\system32\Mmmpfm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Medggj32.exeC:\Windows\system32\Medggj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Mhbdce32.exeC:\Windows\system32\Mhbdce32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Makhlkel.exeC:\Windows\system32\Makhlkel.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Nfgadbcc.exeC:\Windows\system32\Nfgadbcc.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Njcmeqkl.exeC:\Windows\system32\Njcmeqkl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ndlanf32.exeC:\Windows\system32\Ndlanf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Nbnajcig.exeC:\Windows\system32\Nbnajcig.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Nmdfglhm.exeC:\Windows\system32\Nmdfglhm.exe33⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Nbqnobge.exeC:\Windows\system32\Nbqnobge.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Nikflm32.exeC:\Windows\system32\Nikflm32.exe35⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Npdohg32.exeC:\Windows\system32\Npdohg32.exe36⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Nimcallo.exeC:\Windows\system32\Nimcallo.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Nlkonhkb.exeC:\Windows\system32\Nlkonhkb.exe38⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Npgknf32.exeC:\Windows\system32\Npgknf32.exe39⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Nahhfoij.exeC:\Windows\system32\Nahhfoij.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Niopgljl.exeC:\Windows\system32\Niopgljl.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Obhdpaqm.exeC:\Windows\system32\Obhdpaqm.exe42⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Oakdkn32.exeC:\Windows\system32\Oakdkn32.exe43⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Odiagj32.exeC:\Windows\system32\Odiagj32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Olpiig32.exeC:\Windows\system32\Olpiig32.exe45⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Omaepoml.exeC:\Windows\system32\Omaepoml.exe46⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Oehmamnn.exeC:\Windows\system32\Oehmamnn.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Ohginhma.exeC:\Windows\system32\Ohginhma.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ogjjie32.exeC:\Windows\system32\Ogjjie32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Ooabjbdn.exeC:\Windows\system32\Ooabjbdn.exe50⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Omdbfo32.exeC:\Windows\system32\Omdbfo32.exe51⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Oaonfncb.exeC:\Windows\system32\Oaonfncb.exe52⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Opbnbj32.exeC:\Windows\system32\Opbnbj32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Oglfodai.exeC:\Windows\system32\Oglfodai.exe54⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Oijbkpqm.exeC:\Windows\system32\Oijbkpqm.exe55⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Oaaklmao.exeC:\Windows\system32\Oaaklmao.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Opdkgj32.exeC:\Windows\system32\Opdkgj32.exe57⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Occgce32.exeC:\Windows\system32\Occgce32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Okjoec32.exeC:\Windows\system32\Okjoec32.exe59⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Onhkan32.exeC:\Windows\system32\Onhkan32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Olklmk32.exeC:\Windows\system32\Olklmk32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Odbcnh32.exeC:\Windows\system32\Odbcnh32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Ogqpjd32.exeC:\Windows\system32\Ogqpjd32.exe63⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Oecpeqdo.exeC:\Windows\system32\Oecpeqdo.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Plnhbk32.exeC:\Windows\system32\Plnhbk32.exe65⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Poldnf32.exeC:\Windows\system32\Poldnf32.exe66⤵PID:868
-
C:\Windows\SysWOW64\Pgcmoc32.exeC:\Windows\system32\Pgcmoc32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Piaiko32.exeC:\Windows\system32\Piaiko32.exe68⤵PID:2444
-
C:\Windows\SysWOW64\Phdiglap.exeC:\Windows\system32\Phdiglap.exe69⤵PID:2900
-
C:\Windows\SysWOW64\Ppkahi32.exeC:\Windows\system32\Ppkahi32.exe70⤵PID:2616
-
C:\Windows\SysWOW64\Pcjmdd32.exeC:\Windows\system32\Pcjmdd32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Pjdeaohb.exeC:\Windows\system32\Pjdeaohb.exe72⤵PID:2100
-
C:\Windows\SysWOW64\Plbbmjhf.exeC:\Windows\system32\Plbbmjhf.exe73⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Paojeafn.exeC:\Windows\system32\Paojeafn.exe74⤵PID:1756
-
C:\Windows\SysWOW64\Pekffp32.exeC:\Windows\system32\Pekffp32.exe75⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Pldobjec.exeC:\Windows\system32\Pldobjec.exe76⤵PID:2000
-
C:\Windows\SysWOW64\Pkgonf32.exeC:\Windows\system32\Pkgonf32.exe77⤵PID:2552
-
C:\Windows\SysWOW64\Paagkq32.exeC:\Windows\system32\Paagkq32.exe78⤵PID:3032
-
C:\Windows\SysWOW64\Phkohkkh.exeC:\Windows\system32\Phkohkkh.exe79⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Pkjkdfjk.exeC:\Windows\system32\Pkjkdfjk.exe80⤵PID:836
-
C:\Windows\SysWOW64\Poegde32.exeC:\Windows\system32\Poegde32.exe81⤵PID:2184
-
C:\Windows\SysWOW64\Pqfdlmic.exeC:\Windows\system32\Pqfdlmic.exe82⤵PID:584
-
C:\Windows\SysWOW64\Qhnlmjie.exeC:\Windows\system32\Qhnlmjie.exe83⤵PID:1924
-
C:\Windows\SysWOW64\Qklhifhi.exeC:\Windows\system32\Qklhifhi.exe84⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Qddmbkoi.exeC:\Windows\system32\Qddmbkoi.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Qgcingnm.exeC:\Windows\system32\Qgcingnm.exe86⤵PID:1740
-
C:\Windows\SysWOW64\Qkoeoe32.exeC:\Windows\system32\Qkoeoe32.exe87⤵PID:2072
-
C:\Windows\SysWOW64\Qnmaka32.exeC:\Windows\system32\Qnmaka32.exe88⤵PID:2816
-
C:\Windows\SysWOW64\Aqkmgl32.exeC:\Windows\system32\Aqkmgl32.exe89⤵PID:2096
-
C:\Windows\SysWOW64\Acjjch32.exeC:\Windows\system32\Acjjch32.exe90⤵PID:2228
-
C:\Windows\SysWOW64\Afhfpc32.exeC:\Windows\system32\Afhfpc32.exe91⤵PID:1096
-
C:\Windows\SysWOW64\Anonqq32.exeC:\Windows\system32\Anonqq32.exe92⤵PID:916
-
C:\Windows\SysWOW64\Aqnjml32.exeC:\Windows\system32\Aqnjml32.exe93⤵PID:1108
-
C:\Windows\SysWOW64\Aclfigao.exeC:\Windows\system32\Aclfigao.exe94⤵PID:2520
-
C:\Windows\SysWOW64\Aggbif32.exeC:\Windows\system32\Aggbif32.exe95⤵PID:1572
-
C:\Windows\SysWOW64\Aiioanpf.exeC:\Windows\system32\Aiioanpf.exe96⤵PID:2748
-
C:\Windows\SysWOW64\Amdkam32.exeC:\Windows\system32\Amdkam32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Aocgnh32.exeC:\Windows\system32\Aocgnh32.exe98⤵PID:2156
-
C:\Windows\SysWOW64\Acncngpl.exeC:\Windows\system32\Acncngpl.exe99⤵PID:2488
-
C:\Windows\SysWOW64\Afmokbop.exeC:\Windows\system32\Afmokbop.exe100⤵
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Aikkgnnc.exeC:\Windows\system32\Aikkgnnc.exe101⤵PID:1772
-
C:\Windows\SysWOW64\Akjhcimg.exeC:\Windows\system32\Akjhcimg.exe102⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Aoedch32.exeC:\Windows\system32\Aoedch32.exe103⤵PID:2116
-
C:\Windows\SysWOW64\Abcppcdc.exeC:\Windows\system32\Abcppcdc.exe104⤵
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Aebllocg.exeC:\Windows\system32\Aebllocg.exe105⤵PID:1044
-
C:\Windows\SysWOW64\Akldhi32.exeC:\Windows\system32\Akldhi32.exe106⤵PID:856
-
C:\Windows\SysWOW64\Anjqdd32.exeC:\Windows\system32\Anjqdd32.exe107⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Afaieb32.exeC:\Windows\system32\Afaieb32.exe108⤵PID:2596
-
C:\Windows\SysWOW64\Aipebm32.exeC:\Windows\system32\Aipebm32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Bknani32.exeC:\Windows\system32\Bknani32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Bnmmjd32.exeC:\Windows\system32\Bnmmjd32.exe111⤵PID:2988
-
C:\Windows\SysWOW64\Bakjfp32.exeC:\Windows\system32\Bakjfp32.exe112⤵
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Begegn32.exeC:\Windows\system32\Begegn32.exe113⤵
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Bgebcj32.exeC:\Windows\system32\Bgebcj32.exe114⤵PID:2128
-
C:\Windows\SysWOW64\Bjcnoe32.exeC:\Windows\system32\Bjcnoe32.exe115⤵PID:1532
-
C:\Windows\SysWOW64\Bnojpdfb.exeC:\Windows\system32\Bnojpdfb.exe116⤵PID:2724
-
C:\Windows\SysWOW64\Bamfloef.exeC:\Windows\system32\Bamfloef.exe117⤵PID:2736
-
C:\Windows\SysWOW64\Bclbhkdj.exeC:\Windows\system32\Bclbhkdj.exe118⤵PID:2712
-
C:\Windows\SysWOW64\Bggohi32.exeC:\Windows\system32\Bggohi32.exe119⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Bnagecdp.exeC:\Windows\system32\Bnagecdp.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1136 -
C:\Windows\SysWOW64\Bapcaocc.exeC:\Windows\system32\Bapcaocc.exe121⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Bgjknijp.exeC:\Windows\system32\Bgjknijp.exe122⤵PID:1944