Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20/08/2024, 09:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d060d3bb845fcddecb92e24b93093db0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d060d3bb845fcddecb92e24b93093db0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d060d3bb845fcddecb92e24b93093db0N.exe
-
Size
448KB
-
MD5
d060d3bb845fcddecb92e24b93093db0
-
SHA1
a93731e706236bfc4ebcad65be68a97fe1422a4e
-
SHA256
63acefba6dbe5544b7f0ff8ea6b1d871926a68d1e7c9f9428327e08645ac5f3f
-
SHA512
b53c56fe547bbd59b07783d311d688545a165d18f7f4016be842230027277f0a2078b7cbc8a7c539d5a079d350b519ea563aa2d6d72dde46257dd92f0f89d6cc
-
SSDEEP
6144:xv0rd0PQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:xvy/NcZ7/NC64tm6Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdiejfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdqdkie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmcielb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncmmmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffljlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcegin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggbieb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflill32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfnpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhfcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhnifmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdojfgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpamde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjjmijme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbncjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkcil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfmijae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggkcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkkpmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkakicam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaghki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colpld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkeokjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmoqnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pepfnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imjmhkpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiccj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2712 Aaheie32.exe 2840 Aganeoip.exe 2588 Anlfbi32.exe 2640 Achojp32.exe 1164 Bmhideol.exe 572 Biafnecn.exe 2208 Bonoflae.exe 2028 Bhfcpb32.exe 1248 Bmclhi32.exe 2872 Bhhpeafc.exe 3044 Bmeimhdj.exe 628 Cdoajb32.exe 2568 Cmgechbh.exe 2672 Cbdnko32.exe 1448 Cmjbhh32.exe 868 Cbgjqo32.exe 2564 Cmlong32.exe 808 Cgdcgm32.exe 852 Cckdlnjg.exe 1976 Chhldeho.exe 400 Dobdqo32.exe 976 Daqamj32.exe 1544 Dhkiid32.exe 2032 Dkiefp32.exe 2716 Dacnbjml.exe 2624 Ddajoelp.exe 2880 Dgpfkakd.exe 2636 Dnjngk32.exe 596 Dphjcf32.exe 1508 Djqoll32.exe 1464 Dahgni32.exe 2200 Ddfcje32.exe 1860 Dnnhbjnk.exe 3048 Eckpkamb.exe 1768 Enqdhj32.exe 1972 Eflill32.exe 2936 Eqamje32.exe 1648 Efnfbl32.exe 2536 Ekknjcfh.exe 1120 Ecbfkpfk.exe 1756 Edccch32.exe 1748 Emkkdf32.exe 1480 Enlglnci.exe 1296 Edfpih32.exe 2008 Egdlec32.exe 2756 Fnndan32.exe 2576 Fdhlnhhc.exe 1424 Fjeefofk.exe 2340 Fqomci32.exe 3020 Fcmiod32.exe 2464 Fncmmmma.exe 2980 Fcpfedki.exe 2956 Fnejbmko.exe 2432 Fcbbjcif.exe 2396 Fmjgcipg.exe 2400 Fbgpkpnn.exe 1496 Glpdde32.exe 2600 Gbjlaplk.exe 2220 Gmoqnhla.exe 2604 Gnpmfqap.exe 676 Gfgegnbb.exe 2656 Ghiaof32.exe 2968 Gnbjlpom.exe 2508 Gaafhloq.exe -
Loads dropped DLL 64 IoCs
pid Process 2824 d060d3bb845fcddecb92e24b93093db0N.exe 2824 d060d3bb845fcddecb92e24b93093db0N.exe 2712 Aaheie32.exe 2712 Aaheie32.exe 2840 Aganeoip.exe 2840 Aganeoip.exe 2588 Anlfbi32.exe 2588 Anlfbi32.exe 2640 Achojp32.exe 2640 Achojp32.exe 1164 Bmhideol.exe 1164 Bmhideol.exe 572 Biafnecn.exe 572 Biafnecn.exe 2208 Bonoflae.exe 2208 Bonoflae.exe 2028 Bhfcpb32.exe 2028 Bhfcpb32.exe 1248 Bmclhi32.exe 1248 Bmclhi32.exe 2872 Bhhpeafc.exe 2872 Bhhpeafc.exe 3044 Bmeimhdj.exe 3044 Bmeimhdj.exe 628 Cdoajb32.exe 628 Cdoajb32.exe 2568 Cmgechbh.exe 2568 Cmgechbh.exe 2672 Cbdnko32.exe 2672 Cbdnko32.exe 1448 Cmjbhh32.exe 1448 Cmjbhh32.exe 868 Cbgjqo32.exe 868 Cbgjqo32.exe 2564 Cmlong32.exe 2564 Cmlong32.exe 808 Cgdcgm32.exe 808 Cgdcgm32.exe 852 Cckdlnjg.exe 852 Cckdlnjg.exe 1976 Chhldeho.exe 1976 Chhldeho.exe 400 Dobdqo32.exe 400 Dobdqo32.exe 976 Daqamj32.exe 976 Daqamj32.exe 1544 Dhkiid32.exe 1544 Dhkiid32.exe 2032 Dkiefp32.exe 2032 Dkiefp32.exe 2716 Dacnbjml.exe 2716 Dacnbjml.exe 2624 Ddajoelp.exe 2624 Ddajoelp.exe 2880 Dgpfkakd.exe 2880 Dgpfkakd.exe 2636 Dnjngk32.exe 2636 Dnjngk32.exe 596 Dphjcf32.exe 596 Dphjcf32.exe 1508 Djqoll32.exe 1508 Djqoll32.exe 1464 Dahgni32.exe 1464 Dahgni32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mpdqdkie.exe Mmfdhojb.exe File opened for modification C:\Windows\SysWOW64\Amnocpdk.exe Akncimmh.exe File created C:\Windows\SysWOW64\Bmbgfkje.exe Bbmcibjp.exe File opened for modification C:\Windows\SysWOW64\Fnibcd32.exe Fkkfgi32.exe File created C:\Windows\SysWOW64\Nfmcog32.dll Inbnhihl.exe File created C:\Windows\SysWOW64\Cmfkkl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kqkalenn.exe Process not Found File created C:\Windows\SysWOW64\Acpmldkn.dll Khiccj32.exe File created C:\Windows\SysWOW64\Pgpgjepk.exe Ppfomk32.exe File opened for modification C:\Windows\SysWOW64\Hgflflqg.exe Hegpjaac.exe File opened for modification C:\Windows\SysWOW64\Lffohikd.exe Process not Found File created C:\Windows\SysWOW64\Noacef32.exe Nehomq32.exe File created C:\Windows\SysWOW64\Ljajkolc.dll Hloiib32.exe File created C:\Windows\SysWOW64\Heloek32.dll Cgnnab32.exe File created C:\Windows\SysWOW64\Gielfcfg.dll Lnkege32.exe File created C:\Windows\SysWOW64\Oneqchee.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mlmjgnaa.exe Process not Found File created C:\Windows\SysWOW64\Gcgnnlle.exe Gmmfaa32.exe File created C:\Windows\SysWOW64\Aedkomok.dll Ebfqfpop.exe File created C:\Windows\SysWOW64\Imhhea32.dll Process not Found File created C:\Windows\SysWOW64\Hmgodc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Naionh32.exe Process not Found File created C:\Windows\SysWOW64\Jcpkpe32.exe Ipbocjlg.exe File created C:\Windows\SysWOW64\Dllgcqbk.dll Fgohna32.exe File created C:\Windows\SysWOW64\Ieomef32.exe Hfjpdjjo.exe File created C:\Windows\SysWOW64\Plmcfpfk.dll Ddaemh32.exe File created C:\Windows\SysWOW64\Kolpjh32.dll Cfknhi32.exe File created C:\Windows\SysWOW64\Olqdoelc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jdjgfomh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Odhhgkib.exe Obgkpb32.exe File opened for modification C:\Windows\SysWOW64\Bmhkmm32.exe Bimoloog.exe File created C:\Windows\SysWOW64\Kfmmfimm.dll Famope32.exe File created C:\Windows\SysWOW64\Liefaj32.dll Nqmnjd32.exe File opened for modification C:\Windows\SysWOW64\Fpmned32.exe Ficehj32.exe File created C:\Windows\SysWOW64\Cifqgb32.dll Hkpnjd32.exe File created C:\Windows\SysWOW64\Kgocid32.exe Process not Found File created C:\Windows\SysWOW64\Kndfop32.dll Pjfpafmb.exe File opened for modification C:\Windows\SysWOW64\Cikbhc32.exe Cadjgf32.exe File created C:\Windows\SysWOW64\Peipigfb.dll Dhplhc32.exe File created C:\Windows\SysWOW64\Afhgaocl.dll Fncpef32.exe File opened for modification C:\Windows\SysWOW64\Ikicikap.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mldgbcoe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lohccp32.exe Lhnkffeo.exe File created C:\Windows\SysWOW64\Igbfkb32.dll Dcllbhdn.exe File created C:\Windows\SysWOW64\Nnleiipc.exe Ndcapd32.exe File opened for modification C:\Windows\SysWOW64\Fdiqpigl.exe Fakdcnhh.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Khjgel32.exe File created C:\Windows\SysWOW64\Nokqidll.exe Process not Found File created C:\Windows\SysWOW64\Ajipkb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mmfdhojb.exe Mhilph32.exe File created C:\Windows\SysWOW64\Olpgconp.exe Oiakgcnl.exe File created C:\Windows\SysWOW64\Fgilkf32.dll Pqnlhpfb.exe File opened for modification C:\Windows\SysWOW64\Lbcbjlmb.exe Loefnpnn.exe File opened for modification C:\Windows\SysWOW64\Bgcbhd32.exe Bnknoogp.exe File created C:\Windows\SysWOW64\Nnahgh32.exe Nkclkl32.exe File created C:\Windows\SysWOW64\Ckfkpqnm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ndmecgba.exe Nmcmgm32.exe File created C:\Windows\SysWOW64\Jfckkecc.dll Phledp32.exe File created C:\Windows\SysWOW64\Oipklb32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bhdjno32.exe Process not Found File created C:\Windows\SysWOW64\Eqnmne32.dll Process not Found File created C:\Windows\SysWOW64\Olopjddf.exe Process not Found File created C:\Windows\SysWOW64\Jaoobkci.dll Aknngo32.exe File created C:\Windows\SysWOW64\Mdepmh32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 4248 4148 Process not Found 1692 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbonmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghlndfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miehak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbconkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggklka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lipecm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boidnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhqbkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbifcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajmjcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgqjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblhmoio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iajemnia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qigebglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklejh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moeeelhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblnaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhfcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjfpafmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnhpglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhfcpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfhil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cckdlnjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcqaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngneph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhfhigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhenjmbb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkgbapp.dll" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkjpdcfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hghillnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhfkihon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfcdcl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahhgnkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgiekfhg.dll" Idgglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkkmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eegmhhie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffnnem32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdamdah.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcial32.dll" Fheabelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekeef32.dll" Gjjmijme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlddd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpggei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiiahgjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgkpogp.dll" Felcbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbjlaplk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfdopp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lclgjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoiiijcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fplllkdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefbnacn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkjpo32.dll" Fnndan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihieggm.dll" Jplkmgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciffggmh.dll" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Floeof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemapqnd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiibij32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oidglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfgpjhf.dll" Cjmopkla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpohakbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbcinlm.dll" Mfoiqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jagnlkjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikfbbjdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjblg32.dll" Kpojkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfkfemo.dll" Fcbbjcif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdpgjhbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmfb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfajl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaidoiaj.dll" Mmhamoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggfnopfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olebgfao.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2824 wrote to memory of 2712 2824 d060d3bb845fcddecb92e24b93093db0N.exe 30 PID 2824 wrote to memory of 2712 2824 d060d3bb845fcddecb92e24b93093db0N.exe 30 PID 2824 wrote to memory of 2712 2824 d060d3bb845fcddecb92e24b93093db0N.exe 30 PID 2824 wrote to memory of 2712 2824 d060d3bb845fcddecb92e24b93093db0N.exe 30 PID 2712 wrote to memory of 2840 2712 Aaheie32.exe 31 PID 2712 wrote to memory of 2840 2712 Aaheie32.exe 31 PID 2712 wrote to memory of 2840 2712 Aaheie32.exe 31 PID 2712 wrote to memory of 2840 2712 Aaheie32.exe 31 PID 2840 wrote to memory of 2588 2840 Aganeoip.exe 32 PID 2840 wrote to memory of 2588 2840 Aganeoip.exe 32 PID 2840 wrote to memory of 2588 2840 Aganeoip.exe 32 PID 2840 wrote to memory of 2588 2840 Aganeoip.exe 32 PID 2588 wrote to memory of 2640 2588 Anlfbi32.exe 33 PID 2588 wrote to memory of 2640 2588 Anlfbi32.exe 33 PID 2588 wrote to memory of 2640 2588 Anlfbi32.exe 33 PID 2588 wrote to memory of 2640 2588 Anlfbi32.exe 33 PID 2640 wrote to memory of 1164 2640 Achojp32.exe 34 PID 2640 wrote to memory of 1164 2640 Achojp32.exe 34 PID 2640 wrote to memory of 1164 2640 Achojp32.exe 34 PID 2640 wrote to memory of 1164 2640 Achojp32.exe 34 PID 1164 wrote to memory of 572 1164 Bmhideol.exe 35 PID 1164 wrote to memory of 572 1164 Bmhideol.exe 35 PID 1164 wrote to memory of 572 1164 Bmhideol.exe 35 PID 1164 wrote to memory of 572 1164 Bmhideol.exe 35 PID 572 wrote to memory of 2208 572 Biafnecn.exe 36 PID 572 wrote to memory of 2208 572 Biafnecn.exe 36 PID 572 wrote to memory of 2208 572 Biafnecn.exe 36 PID 572 wrote to memory of 2208 572 Biafnecn.exe 36 PID 2208 wrote to memory of 2028 2208 Bonoflae.exe 37 PID 2208 wrote to memory of 2028 2208 Bonoflae.exe 37 PID 2208 wrote to memory of 2028 2208 Bonoflae.exe 37 PID 2208 wrote to memory of 2028 2208 Bonoflae.exe 37 PID 2028 wrote to memory of 1248 2028 Bhfcpb32.exe 38 PID 2028 wrote to memory of 1248 2028 Bhfcpb32.exe 38 PID 2028 wrote to memory of 1248 2028 Bhfcpb32.exe 38 PID 2028 wrote to memory of 1248 2028 Bhfcpb32.exe 38 PID 1248 wrote to memory of 2872 1248 Bmclhi32.exe 39 PID 1248 wrote to memory of 2872 1248 Bmclhi32.exe 39 PID 1248 wrote to memory of 2872 1248 Bmclhi32.exe 39 PID 1248 wrote to memory of 2872 1248 Bmclhi32.exe 39 PID 2872 wrote to memory of 3044 2872 Bhhpeafc.exe 40 PID 2872 wrote to memory of 3044 2872 Bhhpeafc.exe 40 PID 2872 wrote to memory of 3044 2872 Bhhpeafc.exe 40 PID 2872 wrote to memory of 3044 2872 Bhhpeafc.exe 40 PID 3044 wrote to memory of 628 3044 Bmeimhdj.exe 41 PID 3044 wrote to memory of 628 3044 Bmeimhdj.exe 41 PID 3044 wrote to memory of 628 3044 Bmeimhdj.exe 41 PID 3044 wrote to memory of 628 3044 Bmeimhdj.exe 41 PID 628 wrote to memory of 2568 628 Cdoajb32.exe 42 PID 628 wrote to memory of 2568 628 Cdoajb32.exe 42 PID 628 wrote to memory of 2568 628 Cdoajb32.exe 42 PID 628 wrote to memory of 2568 628 Cdoajb32.exe 42 PID 2568 wrote to memory of 2672 2568 Cmgechbh.exe 43 PID 2568 wrote to memory of 2672 2568 Cmgechbh.exe 43 PID 2568 wrote to memory of 2672 2568 Cmgechbh.exe 43 PID 2568 wrote to memory of 2672 2568 Cmgechbh.exe 43 PID 2672 wrote to memory of 1448 2672 Cbdnko32.exe 44 PID 2672 wrote to memory of 1448 2672 Cbdnko32.exe 44 PID 2672 wrote to memory of 1448 2672 Cbdnko32.exe 44 PID 2672 wrote to memory of 1448 2672 Cbdnko32.exe 44 PID 1448 wrote to memory of 868 1448 Cmjbhh32.exe 45 PID 1448 wrote to memory of 868 1448 Cmjbhh32.exe 45 PID 1448 wrote to memory of 868 1448 Cmjbhh32.exe 45 PID 1448 wrote to memory of 868 1448 Cmjbhh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d060d3bb845fcddecb92e24b93093db0N.exe"C:\Users\Admin\AppData\Local\Temp\d060d3bb845fcddecb92e24b93093db0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Anlfbi32.exeC:\Windows\system32\Anlfbi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:852 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:400 -
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe33⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe34⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe35⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe36⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe38⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe39⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe40⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe41⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe42⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe43⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe44⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe45⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe46⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe48⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe49⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe50⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe51⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe53⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe54⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe56⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe57⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe58⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe61⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe62⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe63⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe64⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe65⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe66⤵PID:820
-
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe67⤵PID:2404
-
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe68⤵PID:888
-
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe69⤵PID:2364
-
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe70⤵PID:2776
-
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe71⤵PID:2760
-
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe72⤵PID:528
-
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe73⤵PID:776
-
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe74⤵PID:2384
-
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe75⤵PID:880
-
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe76⤵PID:2924
-
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe77⤵PID:2520
-
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe79⤵PID:2204
-
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe80⤵PID:2092
-
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe81⤵PID:2868
-
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe82⤵PID:2848
-
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe83⤵PID:320
-
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe84⤵PID:380
-
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe85⤵PID:1992
-
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe87⤵PID:2368
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe88⤵PID:2560
-
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe89⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe90⤵PID:1476
-
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe91⤵PID:560
-
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe92⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe93⤵PID:2612
-
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe94⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Iamabm32.exeC:\Windows\system32\Iamabm32.exe95⤵PID:2236
-
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe96⤵PID:2144
-
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe97⤵PID:2860
-
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe98⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe99⤵PID:948
-
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe100⤵PID:2884
-
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe101⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe102⤵PID:1612
-
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe103⤵PID:2412
-
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe104⤵PID:748
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe105⤵PID:1044
-
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe106⤵PID:2584
-
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe107⤵PID:2460
-
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe108⤵PID:1280
-
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe110⤵PID:2388
-
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe113⤵PID:1680
-
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe114⤵PID:2952
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe115⤵PID:836
-
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe116⤵PID:984
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe117⤵PID:2524
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe118⤵PID:1308
-
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe119⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe120⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe121⤵PID:1800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-