Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-09-2024 06:50
Static task: static1
Behavioral task: behavioral1
  Sample: fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe
  Resource: win10v2004-20240802-en
General
Target: fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe
Size: 67KB
MD5: eee4207ed42455d8df6553215c1bfed5
SHA1: 3bf5161f0d3afea08296728ddb56a3348399ad26
SHA256: fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841
SHA512: feecd72f71c7662315c5ac891399b88f39b92662082bc4f598865a84c589fdff4776400d39be38745054419a1157125d9ecadeb5eb3eebe007d20b9abe7fb09b
SSDEEP: 1536:VbS4S09TPvDyd+cFMinCYkkDZFmR3w+b+qX6SAPNRQxR/Rj:JS4SYjvAFMdYk4K35aw6SAPNexVx
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 12492, pid_target 12412, process WerFault.exe, procid_target 642
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid 11588, process Acping32.exe
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbefmfca.dll" Dlgmcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikjaiijk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgoecgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Coephhok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahhkpfm.dll" Odhmkcbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbedjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Niaimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenfbena.dll" Mlnpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfkimfp.dll" Cmpcioha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Deehkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgddka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kflninba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = 
"Apartment" Mhkgbdlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Limnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lehakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdpid32.dll" Nlgliaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflhniko.dll" Kmfmpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpdpd32.dll" Bgnkkckd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biqmbi32.dll" Dlmjmkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kocfglbp.dll" Fkhipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfgdkej.dll" Homanp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohgodq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahonlmoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnmnigdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 
Inhneeio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbmllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Agglej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgakpcfl.dll" Jndmacoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llkcgenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdolkope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clfdllpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elijijpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onqbdihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcmcqge.dll" Pjnbobdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppjgaljd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkopad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgageace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = 
"Apartment" | Inhneeio.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cnopcb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpnqpd32.dll" | Cfonbdij.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Loninpid.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laemip32.dll" | Cdmofoag.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabgjf32.dll" | Emlllk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ppjgaljd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Clfdllpg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kdllaihl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Acbfdfqn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ekemke32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djceqk32.dll" | Ehdmodne.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ocfmajin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojjom32.dll" | Mdnang32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpqggjd.dll" | Qflpoi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bcgopjba.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pdoclbla.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cmpcioha.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkopec32.dll" | Klfjlebk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lbekcoec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bqoicigl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fhngoiif.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piaaoafh.dll" | Hejjfgmb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjddbhji.dll" | Ibijkiao.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gkalfc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Infapela.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pdhfbacf.exe
-
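The two registry signatures above describe one persistence mechanism: the SSODL value "Web Event Logger" names CLSID {79ECA078-17FF-726B-E811-213280E5C831}, and that CLSID's InProcServer32 default value is pointed at a dropped DLL under C:\Windows\SysWow64 with ThreadingModel "Apartment". Explorer instantiates every COM object listed under ShellServiceObjectDelayLoad in-process when the shell starts, so whichever DLL the last writer registered runs inside explorer.exe. Note that many different stages of the chain re-register the same CLSID to a different DLL name (Bpnqpd32.dll, Laemip32.dll, Gabgjf32.dll, Djceqk32.dll, and so on), so the DLL name is a poor indicator but the CLSID and the SSODL entry are good ones. All writes land under WOW6432Node because the sample is 32-bit and its HKLM\SOFTWARE writes are redirected; which view the 64-bit shell on this image consults is not something the report settles, so a host check should read both views. The script below is an added example for hunting this on a live host and is not part of the sandbox report; the only report-derived constant is the CLSID, and the Suspicious column is this example's own heuristic (CLSID match or a DLL that is not validly signed).

```powershell
# Added example (not part of the sandbox report): resolve every ShellServiceObjectDelayLoad
# (SSODL) entry to the DLL Explorer would load for it, in both registry views, and flag
# the CLSID this report shows plus any entry whose DLL is not validly signed.
$IocClsid = '{79ECA078-17FF-726B-E811-213280E5C831}'   # registered as "Web Event Logger" in the report

# Both views: a 32-bit writer is redirected to WOW6432Node, which is where the report's writes landed.
$Views = @(
    [pscustomobject]@{
        Name    = 'native'
        Ssodl   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
        Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
    },
    [pscustomobject]@{
        Name    = 'WOW6432Node'
        Ssodl   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
        Classes = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
    }
)

function Get-SsodlEntry {
    foreach ($view in $Views) {
        if (-not (Test-Path -LiteralPath $view.Ssodl)) { continue }
        $ssodl = Get-Item -LiteralPath $view.Ssodl
        foreach ($valueName in $ssodl.GetValueNames()) {
            $clsid   = [string]$ssodl.GetValue($valueName)          # value data is the CLSID to load
            $inproc  = Join-Path $view.Classes "$clsid\InProcServer32"
            $dllPath = $null
            $model   = $null
            if (Test-Path -LiteralPath $inproc) {
                $key     = Get-Item -LiteralPath $inproc
                $dllPath = [string]$key.GetValue('')                 # (Default) holds the DLL path
                $model   = [string]$key.GetValue('ThreadingModel')
                if ($dllPath) { $dllPath = [Environment]::ExpandEnvironmentVariables($dllPath) }
            }
            # 'Valid' only when the file exists and carries a trusted Authenticode or catalog signature
            $sigStatus = 'NoFile'
            if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
                $sigStatus = (Get-AuthenticodeSignature -LiteralPath $dllPath).Status.ToString()
            }
            [pscustomobject]@{
                View           = $view.Name
                Entry          = $valueName
                CLSID          = $clsid
                Dll            = $dllPath
                ThreadingModel = $model
                Signature      = $sigStatus
                Suspicious     = ($clsid -ieq $IocClsid) -or ($sigStatus -ne 'Valid')
            }
        }
    }
}

# Run elevated so both views and the DLLs themselves are readable.
Get-SsodlEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Compare the output with a known-good build of the same Windows image rather than assuming the list should be empty: Windows ships its own SSODL entries, and the distinguishing signal here is an entry whose DLL lives in SysWow64 under a random-looking name and has no valid signature. For a retrospective view, Sysmon Event ID 13 (registry value set) scoped to the ShellServiceObjectDelayLoad and CLSID\...\InProcServer32 paths records the same writes the sandbox lists.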
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1964 wrote to memory of 1636 | 1964 | fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe | 82
PID 1964 wrote to memory of 1636 | 1964 | fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe | 82
PID 1964 wrote to memory of 1636 | 1964 | fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe | 82
PID 1636 wrote to memory of 2240 | 1636 | Alaajobo.exe | 83
PID 1636 wrote to memory of 2240 | 1636 | Alaajobo.exe | 83
PID 1636 wrote to memory of 2240 | 1636 | Alaajobo.exe | 83
PID 2240 wrote to memory of 2360 | 2240 | Abkjgi32.exe | 85
PID 2240 wrote to memory of 2360 | 2240 | Abkjgi32.exe | 85
PID 2240 wrote to memory of 2360 | 2240 | Abkjgi32.exe | 85
PID 2360 wrote to memory of 3144 | 2360 | Adlfoapj.exe | 86
PID 2360 wrote to memory of 3144 | 2360 | Adlfoapj.exe | 86
PID 2360 wrote to memory of 3144 | 2360 | Adlfoapj.exe | 86
PID 3144 wrote to memory of 5016 | 3144 | Ajfoll32.exe | 87
PID 3144 wrote to memory of 5016 | 3144 | Ajfoll32.exe | 87
PID 3144 wrote to memory of 5016 | 3144 | Ajfoll32.exe | 87
PID 5016 wrote to memory of 3244 | 5016 | Aaqghf32.exe | 88
PID 5016 wrote to memory of 3244 | 5016 | Aaqghf32.exe | 88
PID 5016 wrote to memory of 3244 | 5016 | Aaqghf32.exe | 88
PID 3244 wrote to memory of 1820 | 3244 | Blfkeo32.exe | 89
PID 3244 wrote to memory of 1820 | 3244 | Blfkeo32.exe | 89
PID 3244 wrote to memory of 1820 | 3244 | Blfkeo32.exe | 89
PID 1820 wrote to memory of 2724 | 1820 | Baccne32.exe | 90
PID 1820 wrote to memory of 2724 | 1820 | Baccne32.exe | 90
PID 1820 wrote to memory of 2724 | 1820 | Baccne32.exe | 90
PID 2724 wrote to memory of 3700 | 2724 | Blhhkn32.exe | 91
PID 2724 wrote to memory of 3700 | 2724 | Blhhkn32.exe | 91
PID 2724 wrote to memory of 3700 | 2724 | Blhhkn32.exe | 91
PID 3700 wrote to memory of 5072 | 3700 | Bngdgj32.exe | 93
PID 3700 wrote to memory of 5072 | 3700 | Bngdgj32.exe | 93
PID 3700 wrote to memory of 5072 | 3700 | Bngdgj32.exe | 93
PID 5072 wrote to memory of 3000 | 5072 | Baepceko.exe | 94
PID 5072 wrote to memory of 3000 | 5072 | Baepceko.exe | 94
PID 5072 wrote to memory of 3000 | 5072 | Baepceko.exe | 94
PID 3000 wrote to memory of 4020 | 3000 | Bhohpo32.exe | 95
PID 3000 wrote to memory of 4020 | 3000 | Bhohpo32.exe | 95
PID 3000 wrote to memory of 4020 | 3000 | Bhohpo32.exe | 95
PID 4020 wrote to memory of 1828 | 4020 | Bbdmmh32.exe | 96
PID 4020 wrote to memory of 1828 | 4020 | Bbdmmh32.exe | 96
PID 4020 wrote to memory of 1828 | 4020 | Bbdmmh32.exe | 96
PID 1828 wrote to memory of 2936 | 1828 | Bdfiephp.exe | 97
PID 1828 wrote to memory of 2936 | 1828 | Bdfiephp.exe | 97
PID 1828 wrote to memory of 2936 | 1828 | Bdfiephp.exe | 97
PID 2936 wrote to memory of 3552 | 2936 | Bjpabj32.exe | 99
PID 2936 wrote to memory of 3552 | 2936 | Bjpabj32.exe | 99
PID 2936 wrote to memory of 3552 | 2936 | Bjpabj32.exe | 99
PID 3552 wrote to memory of 3632 | 3552 | Bajjodfi.exe | 100
PID 3552 wrote to memory of 3632 | 3552 | Bajjodfi.exe | 100
PID 3552 wrote to memory of 3632 | 3552 | Bajjodfi.exe | 100
PID 3632 wrote to memory of 2088 | 3632 | Bhdbkonf.exe | 101
PID 3632 wrote to memory of 2088 | 3632 | Bhdbkonf.exe | 101
PID 3632 wrote to memory of 2088 | 3632 | Bhdbkonf.exe | 101
PID 2088 wrote to memory of 4832 | 2088 | Bkbngjmj.exe | 102
PID 2088 wrote to memory of 4832 | 2088 | Bkbngjmj.exe | 102
PID 2088 wrote to memory of 4832 | 2088 | Bkbngjmj.exe | 102
PID 4832 wrote to memory of 3088 | 4832 | Bbifhgnl.exe | 103
PID 4832 wrote to memory of 3088 | 4832 | Bbifhgnl.exe | 103
PID 4832 wrote to memory of 3088 | 4832 | Bbifhgnl.exe | 103
PID 3088 wrote to memory of 4880 | 3088 | Cehbdcmp.exe | 104
PID 3088 wrote to memory of 4880 | 3088 | Cehbdcmp.exe | 104
PID 3088 wrote to memory of 4880 | 3088 | Cehbdcmp.exe | 104
PID 4880 wrote to memory of 2624 | 4880 | Clakam32.exe | 105
PID 4880 wrote to memory of 2624 | 4880 | Clakam32.exe | 105
PID 4880 wrote to memory of 2624 | 4880 | Clakam32.exe | 105
PID 2624 wrote to memory of 5064 | 2624 | Copgnh32.exe | 106
Processes
-
depth | PID | image | command line | signatures
1 | PID 1964 | C:\Users\Admin\AppData\Local\Temp\fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe | "C:\Users\Admin\AppData\Local\Temp\fe01b92794805f41931d81a1958ccd43d986e6a3d012219084c6b4014a420841.exe" | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2 | PID 1636 | C:\Windows\SysWOW64\Alaajobo.exe | C:\Windows\system32\Alaajobo.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | PID 2240 | C:\Windows\SysWOW64\Abkjgi32.exe | C:\Windows\system32\Abkjgi32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | PID 2360 | C:\Windows\SysWOW64\Adlfoapj.exe | C:\Windows\system32\Adlfoapj.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
5 | PID 3144 | C:\Windows\SysWOW64\Ajfoll32.exe | C:\Windows\system32\Ajfoll32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | PID 5016 | C:\Windows\SysWOW64\Aaqghf32.exe | C:\Windows\system32\Aaqghf32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
7 | PID 3244 | C:\Windows\SysWOW64\Blfkeo32.exe | C:\Windows\system32\Blfkeo32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | PID 1820 | C:\Windows\SysWOW64\Baccne32.exe | C:\Windows\system32\Baccne32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | PID 2724 | C:\Windows\SysWOW64\Blhhkn32.exe | C:\Windows\system32\Blhhkn32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10 | PID 3700 | C:\Windows\SysWOW64\Bngdgj32.exe | C:\Windows\system32\Bngdgj32.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
11 | PID 5072 | C:\Windows\SysWOW64\Baepceko.exe | C:\Windows\system32\Baepceko.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | PID 3000 | C:\Windows\SysWOW64\Bhohpo32.exe | C:\Windows\system32\Bhohpo32.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
13 | PID 4020 | C:\Windows\SysWOW64\Bbdmmh32.exe | C:\Windows\system32\Bbdmmh32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | PID 1828 | C:\Windows\SysWOW64\Bdfiephp.exe | C:\Windows\system32\Bdfiephp.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
15 | PID 2936 | C:\Windows\SysWOW64\Bjpabj32.exe | C:\Windows\system32\Bjpabj32.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | PID 3552 | C:\Windows\SysWOW64\Bajjodfi.exe | C:\Windows\system32\Bajjodfi.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | PID 3632 | C:\Windows\SysWOW64\Bhdbkonf.exe | C:\Windows\system32\Bhdbkonf.exe | Executes dropped EXE; Suspicious use of WriteProcessMemory
18 | PID 2088 | C:\Windows\SysWOW64\Bkbngjmj.exe | C:\Windows\system32\Bkbngjmj.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | PID 4832 | C:\Windows\SysWOW64\Bbifhgnl.exe | C:\Windows\system32\Bbifhgnl.exe | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
20 | PID 3088 | C:\Windows\SysWOW64\Cehbdcmp.exe | C:\Windows\system32\Cehbdcmp.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
21 | PID 4880 | C:\Windows\SysWOW64\Clakam32.exe | C:\Windows\system32\Clakam32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
22 | PID 2624 | C:\Windows\SysWOW64\Copgnh32.exe | C:\Windows\system32\Copgnh32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
23 | PID 5064 | C:\Windows\SysWOW64\Caocjd32.exe | C:\Windows\system32\Caocjd32.exe | Executes dropped EXE
24 | PID 4636 | C:\Windows\SysWOW64\Cdmofoag.exe | C:\Windows\system32\Cdmofoag.exe | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
25 | PID 3396 | C:\Windows\SysWOW64\Ckghbi32.exe | C:\Windows\system32\Ckghbi32.exe | Executes dropped EXE
26 | PID 3228 | C:\Windows\SysWOW64\Caapocpa.exe | C:\Windows\system32\Caapocpa.exe | Executes dropped EXE
27 | PID 3320 | C:\Windows\SysWOW64\Cdolkope.exe | C:\Windows\system32\Cdolkope.exe | Executes dropped EXE; Modifies registry class
28 | PID 4588 | C:\Windows\SysWOW64\Clfdllpg.exe | C:\Windows\system32\Clfdllpg.exe | Executes dropped EXE; Modifies registry class
29 | PID 3384 | C:\Windows\SysWOW64\Coephhok.exe | C:\Windows\system32\Coephhok.exe | Executes dropped EXE; Modifies registry class
30 | PID 1012 | C:\Windows\SysWOW64\Ceoheb32.exe | C:\Windows\system32\Ceoheb32.exe | Executes dropped EXE
31 | PID 1660 | C:\Windows\SysWOW64\Chmeamfk.exe | C:\Windows\system32\Chmeamfk.exe | Executes dropped EXE
32 | PID 4896 | C:\Windows\SysWOW64\Cklanieo.exe | C:\Windows\system32\Cklanieo.exe | Executes dropped EXE
33 | PID 4092 | C:\Windows\SysWOW64\Caeijc32.exe | C:\Windows\system32\Caeijc32.exe | Executes dropped EXE
34 | PID 2172 | C:\Windows\SysWOW64\Ceaekade.exe | C:\Windows\system32\Ceaekade.exe | Executes dropped EXE
35 | PID 1028 | C:\Windows\SysWOW64\Chpagmdi.exe | C:\Windows\system32\Chpagmdi.exe | none
36 | PID 516 | C:\Windows\SysWOW64\Cknnchcl.exe | C:\Windows\system32\Cknnchcl.exe | Executes dropped EXE
37 | PID 4864 | C:\Windows\SysWOW64\Dbefdfco.exe | C:\Windows\system32\Dbefdfco.exe | Executes dropped EXE
38 | PID 2988 | C:\Windows\SysWOW64\Ddfbln32.exe | C:\Windows\system32\Ddfbln32.exe | Executes dropped EXE
39 | PID 4656 | C:\Windows\SysWOW64\Dlmjmkjo.exe | C:\Windows\system32\Dlmjmkjo.exe | Executes dropped EXE; Modifies registry class
40 | PID 1940 | C:\Windows\SysWOW64\Dbgbje32.exe | C:\Windows\system32\Dbgbje32.exe | Executes dropped EXE; System Location Discovery: System Language Discovery
41 | PID 3208 | C:\Windows\SysWOW64\Defofa32.exe | C:\Windows\system32\Defofa32.exe | Executes dropped EXE
42 | PID 2528 | C:\Windows\SysWOW64\Dhdkbl32.exe | C:\Windows\system32\Dhdkbl32.exe | Executes dropped EXE
43 | PID 1504 | C:\Windows\SysWOW64\Dbjooe32.exe | C:\Windows\system32\Dbjooe32.exe | Executes dropped EXE
44 | PID 4012 | C:\Windows\SysWOW64\Ddklgmeg.exe | C:\Windows\system32\Ddklgmeg.exe | Executes dropped EXE
45 | PID 2596 | C:\Windows\SysWOW64\Dkeddgmd.exe | C:\Windows\system32\Dkeddgmd.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
46 | PID 1796 | C:\Windows\SysWOW64\Dejhapmj.exe | C:\Windows\system32\Dejhapmj.exe | Executes dropped EXE; Drops file in System32 directory
47 | PID 4216 | C:\Windows\SysWOW64\Dhidmlln.exe | C:\Windows\system32\Dhidmlln.exe | Executes dropped EXE
48 | PID 2588 | C:\Windows\SysWOW64\Dcnhjdkd.exe | C:\Windows\system32\Dcnhjdkd.exe | Executes dropped EXE
49 | PID 1680 | C:\Windows\SysWOW64\Ddpebm32.exe | C:\Windows\system32\Ddpebm32.exe | Executes dropped EXE
50 | PID 2252 | C:\Windows\SysWOW64\Dlgmcj32.exe | C:\Windows\system32\Dlgmcj32.exe | Executes dropped EXE; Modifies registry class
51 | PID 2448 | C:\Windows\SysWOW64\Ecqepd32.exe | C:\Windows\system32\Ecqepd32.exe | Executes dropped EXE
52 | PID 4324 | C:\Windows\SysWOW64\Edbbhlop.exe | C:\Windows\system32\Edbbhlop.exe | Executes dropped EXE
53 | PID 4980 | C:\Windows\SysWOW64\Elijijpb.exe | C:\Windows\system32\Elijijpb.exe | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
54 | PID 3832 | C:\Windows\SysWOW64\Eccbed32.exe | C:\Windows\system32\Eccbed32.exe | Executes dropped EXE
55 | PID 2704 | C:\Windows\SysWOW64\Eeanao32.exe | C:\Windows\system32\Eeanao32.exe | Executes dropped EXE; Drops file in System32 directory
56 | PID 4776 | C:\Windows\SysWOW64\Elkfnino.exe | C:\Windows\system32\Elkfnino.exe | Executes dropped EXE
57 | PID 2320 | C:\Windows\SysWOW64\Edgkcl32.exe | C:\Windows\system32\Edgkcl32.exe | Executes dropped EXE
58 | PID 388 | C:\Windows\SysWOW64\Elncdi32.exe | C:\Windows\system32\Elncdi32.exe | Executes dropped EXE
59 | PID 1936 | C:\Windows\SysWOW64\Eolopd32.exe | C:\Windows\system32\Eolopd32.exe | Executes dropped EXE
60 | PID 1688 | C:\Windows\SysWOW64\Eefhmobm.exe | C:\Windows\system32\Eefhmobm.exe | Executes dropped EXE
61 | PID 2276 | C:\Windows\SysWOW64\Elppii32.exe | C:\Windows\system32\Elppii32.exe | Executes dropped EXE
62 | PID 4844 | C:\Windows\SysWOW64\Eooled32.exe | C:\Windows\system32\Eooled32.exe | Executes dropped EXE
63 | PID 3860 | C:\Windows\SysWOW64\Eehdbn32.exe | C:\Windows\system32\Eehdbn32.exe | Executes dropped EXE; Drops file in System32 directory
64 | PID 1628 | C:\Windows\SysWOW64\Ehgqoj32.exe | C:\Windows\system32\Ehgqoj32.exe | Executes dropped EXE
65 | PID 5112 | C:\Windows\SysWOW64\Ekemke32.exe | C:\Windows\system32\Ekemke32.exe | Executes dropped EXE; Modifies registry class
66 | PID 4540 | C:\Windows\SysWOW64\Fclelb32.exe | C:\Windows\system32\Fclelb32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
67 | PID 2736 | C:\Windows\SysWOW64\Fekahn32.exe | C:\Windows\system32\Fekahn32.exe | Drops file in System32 directory
68 | PID 772 | C:\Windows\SysWOW64\Fkhipe32.exe | C:\Windows\system32\Fkhipe32.exe | Modifies registry class
69 | PID 3480 | C:\Windows\SysWOW64\Fcoaab32.exe | C:\Windows\system32\Fcoaab32.exe | Adds autorun key to be loaded by Explorer.exe on startup
70 | PID 2608 | C:\Windows\SysWOW64\Ffmnmnle.exe | C:\Windows\system32\Ffmnmnle.exe | none
71 | PID 4936 | C:\Windows\SysWOW64\Fhljjiki.exe | C:\Windows\system32\Fhljjiki.exe | none
72 | PID 1836 | C:\Windows\SysWOW64\Fkjffdjl.exe | C:\Windows\system32\Fkjffdjl.exe | Adds autorun key to be loaded by Explorer.exe on startup
73 | PID 2020 | C:\Windows\SysWOW64\Fadobo32.exe | C:\Windows\system32\Fadobo32.exe | none
74 | PID 3920 | C:\Windows\SysWOW64\Fhngoiif.exe | C:\Windows\system32\Fhngoiif.exe | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
75 | PID 3960 | C:\Windows\SysWOW64\Foholc32.exe | C:\Windows\system32\Foholc32.exe | none
76 | PID 1700 | C:\Windows\SysWOW64\Fbfkhn32.exe | C:\Windows\system32\Fbfkhn32.exe | none
77 | PID 3976 | C:\Windows\SysWOW64\Fhpceh32.exe | C:\Windows\system32\Fhpceh32.exe | Adds autorun key to be loaded by Explorer.exe on startup
78 | PID 3688 | C:\Windows\SysWOW64\Fkopad32.exe | C:\Windows\system32\Fkopad32.exe | Modifies registry class
79 | PID 4888 | C:\Windows\SysWOW64\Fbihnnnd.exe | C:\Windows\system32\Fbihnnnd.exe | Adds autorun key to be loaded by Explorer.exe on startup
80 | PID 1748 | C:\Windows\SysWOW64\Fhbpjh32.exe | C:\Windows\system32\Fhbpjh32.exe | System Location Discovery: System Language Discovery
81 | PID 2644 | C:\Windows\SysWOW64\Gkalfc32.exe | C:\Windows\system32\Gkalfc32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
82 | PID 4424 | C:\Windows\SysWOW64\Gbkdcnla.exe | C:\Windows\system32\Gbkdcnla.exe | none
83 | PID 1220 | C:\Windows\SysWOW64\Gdiaoike.exe | C:\Windows\system32\Gdiaoike.exe | Adds autorun key to be loaded by Explorer.exe on startup
84 | PID 3956 | C:\Windows\SysWOW64\Gkcilcba.exe | C:\Windows\system32\Gkcilcba.exe | none
85 | PID 4308 | C:\Windows\SysWOW64\Gcjamqcd.exe | C:\Windows\system32\Gcjamqcd.exe | System Location Discovery: System Language Discovery
86 | PID 4048 | C:\Windows\SysWOW64\Gfimilbh.exe | C:\Windows\system32\Gfimilbh.exe | none
87 | PID 4920 | C:\Windows\SysWOW64\Gmceff32.exe | C:\Windows\system32\Gmceff32.exe | none
88 | PID 2016 | C:\Windows\SysWOW64\Goabba32.exe | C:\Windows\system32\Goabba32.exe | none
89 | PID 4036 | C:\Windows\SysWOW64\Gbpnnm32.exe | C:\Windows\system32\Gbpnnm32.exe | Drops file in System32 directory
90 | PID 2692 | C:\Windows\SysWOW64\Gdnjjh32.exe | C:\Windows\system32\Gdnjjh32.exe | System Location Discovery: System Language Discovery
91 | PID 3328 | C:\Windows\SysWOW64\Gbbkdmfi.exe | C:\Windows\system32\Gbbkdmfi.exe | none
92 | PID 4744 | C:\Windows\SysWOW64\Gdqgphem.exe | C:\Windows\system32\Gdqgphem.exe | Adds autorun key to be loaded by Explorer.exe on startup
93 | PID 512 | C:\Windows\SysWOW64\Gmgoaeeo.exe | C:\Windows\system32\Gmgoaeeo.exe | none
94 | PID 4788 | C:\Windows\SysWOW64\Gofkmadc.exe | C:\Windows\system32\Gofkmadc.exe | none
95 | PID 3948 | C:\Windows\SysWOW64\Gcagnp32.exe | C:\Windows\system32\Gcagnp32.exe | Drops file in System32 directory
96 | PID 3260 | C:\Windows\SysWOW64\Gdccehcj.exe | C:\Windows\system32\Gdccehcj.exe | none
97 | PID 4288 | C:\Windows\SysWOW64\Hohhbq32.exe | C:\Windows\system32\Hohhbq32.exe | Adds autorun key to be loaded by Explorer.exe on startup
98 | PID 1916 | C:\Windows\SysWOW64\Hbgdol32.exe | C:\Windows\system32\Hbgdol32.exe | System Location Discovery: System Language Discovery
99 | PID 440 | C:\Windows\SysWOW64\Hmlhle32.exe | C:\Windows\system32\Hmlhle32.exe | none
100 | PID 3952 | C:\Windows\SysWOW64\Hcfqioif.exe | C:\Windows\system32\Hcfqioif.exe | Adds autorun key to be loaded by Explorer.exe on startup
101 | PID 1328 | C:\Windows\SysWOW64\Hegmqg32.exe | C:\Windows\system32\Hegmqg32.exe | System Location Discovery: System Language Discovery
102 | PID 3104 | C:\Windows\SysWOW64\Hiciafgn.exe | C:\Windows\system32\Hiciafgn.exe | none
103 | PID 5132 | C:\Windows\SysWOW64\Homanp32.exe | C:\Windows\system32\Homanp32.exe | Modifies registry class
104 | PID 5176 | C:\Windows\SysWOW64\Hejjfgmb.exe | C:\Windows\system32\Hejjfgmb.exe | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
105 | PID 5220 | C:\Windows\SysWOW64\Hooncplh.exe | C:\Windows\system32\Hooncplh.exe | System Location Discovery: System Language Discovery
106 | PID 5264 | C:\Windows\SysWOW64\Hbnjpkll.exe | C:\Windows\system32\Hbnjpkll.exe | none
107 | PID 5308 | C:\Windows\SysWOW64\Helflfkp.exe | C:\Windows\system32\Helflfkp.exe | none
108 | PID 5352 | C:\Windows\SysWOW64\Hcmgin32.exe | C:\Windows\system32\Hcmgin32.exe | none
109 | PID 5396 | C:\Windows\SysWOW64\Heocaf32.exe | C:\Windows\system32\Heocaf32.exe | none
110 | PID 5440 | C:\Windows\SysWOW64\Ikhknppj.exe | C:\Windows\system32\Ikhknppj.exe | none
111 | PID 5484 | C:\Windows\SysWOW64\Icpconql.exe | C:\Windows\system32\Icpconql.exe | System Location Discovery: System Language Discovery
112 | PID 5528 | C:\Windows\SysWOW64\Ieapgf32.exe | C:\Windows\system32\Ieapgf32.exe | none
113 | PID 5572 | C:\Windows\SysWOW64\Iillgdoc.exe | C:\Windows\system32\Iillgdoc.exe | none
114 | PID 5616 | C:\Windows\SysWOW64\Ipfddo32.exe | C:\Windows\system32\Ipfddo32.exe | none
115 | PID 5660 | C:\Windows\SysWOW64\Ibeqpj32.exe | C:\Windows\system32\Ibeqpj32.exe | none
116 | PID 5700 | C:\Windows\SysWOW64\Iioimd32.exe | C:\Windows\system32\Iioimd32.exe | none
117 | PID 5744 | C:\Windows\SysWOW64\Ieeibebe.exe | C:\Windows\system32\Ieeibebe.exe | System Location Discovery: System Language Discovery
118 | PID 5788 | C:\Windows\SysWOW64\Ilpaoo32.exe | C:\Windows\system32\Ilpaoo32.exe | none
119 | PID 5832 | C:\Windows\SysWOW64\Icfjpm32.exe | C:\Windows\system32\Icfjpm32.exe | none
120 | PID 5868 | C:\Windows\SysWOW64\Ibijkiao.exe | C:\Windows\system32\Ibijkiao.exe | Modifies registry class
121 | PID 5920 | C:\Windows\SysWOW64\Iicbhcik.exe | C:\Windows\system32\Iicbhcik.exe | System Location Discovery: System Language Discovery
122 | PID 5964 | C:\Windows\SysWOW64\Iblfai32.exe | C:\Windows\system32\Iblfai32.exe | none
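The process tree is a relay: every stage writes the next 8-character executable into SysWOW64, starts it via a C:\Windows\system32 path that file-system redirection maps to SysWOW64 for a 32-bit process, and exits from the picture once the child is running. The WriteProcessMemory entries above all target each parent's own, just-created child, so the listing shows process launch rather than injection into an unrelated process. Two reading notes on the report's limits: the "Executes dropped EXE" tag stops after the 64th tagged stage, matching the 64-IoC cap shown on the signature headers, so its absence on later stages is a listing limit rather than a change in behaviour, and the tree ends at depth 122 because the run timed out, not because the chain ended. The script below is an added example for triaging such drops on a live host; it is not part of the sandbox report, the 7-day window and the name shape (eight letters, or six letters followed by "32") are this example's own assumptions taken from the names in this run, and the Owner and signature columns are heuristics to rank leads, not verdicts.

```powershell
# Added example (not part of the sandbox report): list recently created PE files in the
# system directories where this chain dropped each stage, with signature status, file owner,
# whether the file is currently running, and a hash to pivot on.
$Since = (Get-Date).AddDays(-7)                                  # assumption: a one-week window
$Dirs  = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")
# Name shape seen in this run only: eight letters, or six letters followed by "32". A lead, not a rule.
$NamePattern = '^([A-Za-z]{8}|[A-Za-z]{6}32)\.(exe|dll)$'

function Get-SuspectSystemDrop {
    # Get-Process only reports Path for processes the caller can open; run elevated for full coverage.
    $running = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path }
    foreach ($dir in $Dirs) {
        $files = Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -in '.exe', '.dll' -and $_.CreationTime -ge $Since }
        foreach ($f in $files) {
            # 'Valid' covers embedded Authenticode and catalog-signed Windows binaries
            $sig   = (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status.ToString()
            # Windows' own files are normally owned by TrustedInstaller; a dropped file is owned by the dropper's user
            $owner = (Get-Acl -LiteralPath $f.FullName).Owner
            $pids  = ($running | Where-Object { $_.Path -ieq $f.FullName } | ForEach-Object { $_.Id }) -join ','
            [pscustomobject]@{
                Path       = $f.FullName
                Created    = $f.CreationTime
                Owner      = $owner
                Signature  = $sig
                NameMatch  = [bool]($f.Name -match $NamePattern)
                RunningPid = $pids
                SHA256     = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Unsigned files only; running or name-matching ones sort to the top of the queue.
Get-SuspectSystemDrop |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object RunningPid, NameMatch -Descending |
    Format-Table Path, Created, Owner, Signature, NameMatch, RunningPid -AutoSize
```

Treat an unsigned, user-owned file in SysWOW64 whose name matches the pattern as the start of a pivot, not a conclusion: hash it, check the parent chain with the process IDs reported, and look for the SSODL registration that the first part of this report shows. With Sysmon in place, Event ID 11 (FileCreate) filtered to the SysWOW64 path and Event ID 1 (ProcessCreate) with a SysWOW64 image and a SysWOW64 parent image give the same chain without a file-system sweep.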