Analysis
-
max time kernel
49s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-09-2024 13:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e493a529074eea591a69ae83b19449a0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
e493a529074eea591a69ae83b19449a0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e493a529074eea591a69ae83b19449a0N.exe
-
Size
80KB
-
MD5
e493a529074eea591a69ae83b19449a0
-
SHA1
ac5e71b4ff45961c24b35fded0723e298ea0ea77
-
SHA256
a0f481993843a1e84b69fbf121b7600e5496b8685e88654a19d6a39beba878aa
-
SHA512
0548f78acdc8a2fdae9993c4de4c753699128c107411ed9f8befa8d48efcc7f84c762a0373efda3b11f41158eb2993ed4780d68f5b50ac3dbb40de1d0cef075b
-
SSDEEP
1536:U2BeRWDA7suMAzDg689n1VrySy4BwhIx/YfRQbXR/RgpMujAYC+O+Y:UvPsy/gTn1JyOqQoezVqLAYC+O+Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgqbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limhpihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekhjlioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnbmoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikoehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcmpcjcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplbamdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbmhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkblohek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fiakkcma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpgglifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmlckehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aakhkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhnffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpkob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcmpcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecoihm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nddeae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghmnmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfdbcing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfiaojkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbghdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkbmil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfaljjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjkehhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaobkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igngim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opjlkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfaqbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbmoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfiaojkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjinaco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpjnmlel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Laogfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajjinaco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfoleio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgdhcmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmacej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkoqmhii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfdbcing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjebjjck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaoic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiakkcma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipkema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieaef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkblohek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajlac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdbmooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dlbaljhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Injlkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhqeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iaobkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pglacbbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cniajdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfohlmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpmifoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihijhpdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgdnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khcbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmmcfi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2116 Bbfnchfb.exe 928 Bpjnmlel.exe 2780 Beggec32.exe 2756 Bpmkbl32.exe 2548 Cobhdhha.exe 3032 Ckiiiine.exe 924 Cdamao32.exe 2264 Cniajdkg.exe 2904 Chofhm32.exe 2856 Cpjklo32.exe 520 Cjboeenh.exe 2084 Dkblohek.exe 1312 Dcmpcjcf.exe 2744 Dodahk32.exe 2024 Dlhaaogd.exe 2076 Dljngoea.exe 2044 Dbggpfci.exe 1584 Ebicee32.exe 1828 Egflml32.exe 1076 Eqopfbfn.exe 636 Ekddck32.exe 1864 Ecoihm32.exe 832 Enenef32.exe 2284 Egmbnkie.exe 1136 Fqffgapf.exe 2280 Fgpock32.exe 3052 Fiakkcma.exe 628 Fcfohlmg.exe 2776 Fcilnl32.exe 2952 Fejifdab.exe 2560 Fnbmoi32.exe 2772 Fhkagonc.exe 2660 Fbpfeh32.exe 512 Ghmnmo32.exe 1548 Gbbbjg32.exe 2924 Ghpkbn32.exe 2384 Gmlckehe.exe 3020 Gdflgo32.exe 2864 Gajlac32.exe 1532 Gieaef32.exe 1272 Gfiaojkq.exe 1252 Gmcikd32.exe 1576 Hbpbck32.exe 532 Hpdbmooo.exe 1344 Hlkcbp32.exe 1304 Hechkfkc.exe 1592 Hbghdj32.exe 2300 Hdhdlbpk.exe 1260 Hkbmil32.exe 1428 Hehafe32.exe 1108 Hginnmml.exe 2312 Iaobkf32.exe 2900 Ihijhpdo.exe 2688 Inebpgbf.exe 2400 Ipdolbbj.exe 2832 Igngim32.exe 2184 Ilkpac32.exe 2960 Igpdnlgd.exe 2484 Injlkf32.exe 1284 Iokhcodo.exe 2064 Ieeqpi32.exe 1724 Ipkema32.exe 2292 Jbcgeilh.exe 2408 Jhmpbc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2108 e493a529074eea591a69ae83b19449a0N.exe 2108 e493a529074eea591a69ae83b19449a0N.exe 2116 Bbfnchfb.exe 2116 Bbfnchfb.exe 928 Bpjnmlel.exe 928 Bpjnmlel.exe 2780 Beggec32.exe 2780 Beggec32.exe 2756 Bpmkbl32.exe 2756 Bpmkbl32.exe 2548 Cobhdhha.exe 2548 Cobhdhha.exe 3032 Ckiiiine.exe 3032 Ckiiiine.exe 924 Cdamao32.exe 924 Cdamao32.exe 2264 Cniajdkg.exe 2264 Cniajdkg.exe 2904 Chofhm32.exe 2904 Chofhm32.exe 2856 Cpjklo32.exe 2856 Cpjklo32.exe 520 Cjboeenh.exe 520 Cjboeenh.exe 2084 Dkblohek.exe 2084 Dkblohek.exe 1312 Dcmpcjcf.exe 1312 Dcmpcjcf.exe 2744 Dodahk32.exe 2744 Dodahk32.exe 2024 Dlhaaogd.exe 2024 Dlhaaogd.exe 2076 Dljngoea.exe 2076 Dljngoea.exe 2044 Dbggpfci.exe 2044 Dbggpfci.exe 1584 Ebicee32.exe 1584 Ebicee32.exe 1828 Egflml32.exe 1828 Egflml32.exe 1076 Eqopfbfn.exe 1076 Eqopfbfn.exe 636 Ekddck32.exe 636 Ekddck32.exe 1864 Ecoihm32.exe 1864 Ecoihm32.exe 832 Enenef32.exe 832 Enenef32.exe 2284 Egmbnkie.exe 2284 Egmbnkie.exe 1136 Fqffgapf.exe 1136 Fqffgapf.exe 2280 Fgpock32.exe 2280 Fgpock32.exe 3052 Fiakkcma.exe 3052 Fiakkcma.exe 628 Fcfohlmg.exe 628 Fcfohlmg.exe 2776 Fcilnl32.exe 2776 Fcilnl32.exe 2952 Fejifdab.exe 2952 Fejifdab.exe 2560 Fnbmoi32.exe 2560 Fnbmoi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fqdcka32.dll Fnbmoi32.exe File created C:\Windows\SysWOW64\Dnglef32.dll Jbcgeilh.exe File opened for modification C:\Windows\SysWOW64\Moqgiopk.exe Mhfoleio.exe File opened for modification C:\Windows\SysWOW64\Aakhkj32.exe Ajapoqmf.exe File created C:\Windows\SysWOW64\Bboahbio.exe Ajcldpkd.exe File opened for modification C:\Windows\SysWOW64\Hplbamdf.exe Hagepa32.exe File opened for modification C:\Windows\SysWOW64\Kjkehhjf.exe Kqqdjceh.exe File created C:\Windows\SysWOW64\Egmbnkie.exe Enenef32.exe File opened for modification C:\Windows\SysWOW64\Aemafjeg.exe Qnciiq32.exe File created C:\Windows\SysWOW64\Cpgglifo.exe Cbcfbege.exe File created C:\Windows\SysWOW64\Lglbcaph.dll Cgaoic32.exe File created C:\Windows\SysWOW64\Egknpp32.dll Effhic32.exe File created C:\Windows\SysWOW64\Ldlipnke.dll Fnkpcd32.exe File created C:\Windows\SysWOW64\Hagepa32.exe Hfaqbh32.exe File created C:\Windows\SysWOW64\Lfilnh32.exe Ljbkig32.exe File created C:\Windows\SysWOW64\Hkfggj32.dll Bpmkbl32.exe File created C:\Windows\SysWOW64\Ockdmn32.exe Opjlkc32.exe File created C:\Windows\SysWOW64\Ifbpdhee.dll Mcfbfaao.exe File opened for modification C:\Windows\SysWOW64\Gmcikd32.exe Gfiaojkq.exe File created C:\Windows\SysWOW64\Fammqaeq.dll Injlkf32.exe File opened for modification C:\Windows\SysWOW64\Lggbmbfc.exe Lamjph32.exe File opened for modification C:\Windows\SysWOW64\Oeaael32.exe Olimlf32.exe File opened for modification C:\Windows\SysWOW64\Ilhlan32.exe Hplbamdf.exe File created C:\Windows\SysWOW64\Fqffgapf.exe Egmbnkie.exe File created C:\Windows\SysWOW64\Mdfldbog.dll Dljngoea.exe File opened for modification C:\Windows\SysWOW64\Knoaeimg.exe Kcimhpma.exe File created C:\Windows\SysWOW64\Bgoneo32.dll Pmiikipg.exe File created C:\Windows\SysWOW64\Lenioenj.exe Lpapgnpb.exe File created C:\Windows\SysWOW64\Niienepq.dll Ckiiiine.exe File created C:\Windows\SysWOW64\Inebpgbf.exe Ihijhpdo.exe File opened for modification C:\Windows\SysWOW64\Egflml32.exe Ebicee32.exe File opened for modification C:\Windows\SysWOW64\Fnbmoi32.exe Fejifdab.exe File created C:\Windows\SysWOW64\Ffpkob32.exe Enhcnd32.exe File opened for modification C:\Windows\SysWOW64\Jhqeka32.exe Jfpmifoa.exe File opened for modification C:\Windows\SysWOW64\Mjmnmk32.exe Lenioenj.exe File created C:\Windows\SysWOW64\Pkknia32.dll Cniajdkg.exe File opened for modification C:\Windows\SysWOW64\Hbpbck32.exe Gmcikd32.exe File opened for modification C:\Windows\SysWOW64\Ieeqpi32.exe Iokhcodo.exe File created C:\Windows\SysWOW64\Dkcebg32.exe Dakpiajj.exe File created C:\Windows\SysWOW64\Ejdaoa32.exe Ecjibgdh.exe File opened for modification C:\Windows\SysWOW64\Ikoehj32.exe Iljifm32.exe File created C:\Windows\SysWOW64\Lfdbcing.exe Kjkehhjf.exe File opened for modification C:\Windows\SysWOW64\Mchokq32.exe Mcfbfaao.exe File created C:\Windows\SysWOW64\Eqopfbfn.exe Egflml32.exe File created C:\Windows\SysWOW64\Kopnma32.exe Knoaeimg.exe File opened for modification C:\Windows\SysWOW64\Lknebaba.exe Kfaljjdj.exe File opened for modification C:\Windows\SysWOW64\Fclbgj32.exe Fkoqmhii.exe File opened for modification C:\Windows\SysWOW64\Jkdoci32.exe Ikoehj32.exe File created C:\Windows\SysWOW64\Jhdlcl32.dll Lenioenj.exe File created C:\Windows\SysWOW64\Knoaeimg.exe Kcimhpma.exe File opened for modification C:\Windows\SysWOW64\Hpdbmooo.exe Hbpbck32.exe File opened for modification C:\Windows\SysWOW64\Laogfg32.exe Ljeoimeg.exe File created C:\Windows\SysWOW64\Fqhelqjm.dll Oaciom32.exe File created C:\Windows\SysWOW64\Hadbbkpk.dll Gbkaneao.exe File created C:\Windows\SysWOW64\Fnbmoi32.exe Fejifdab.exe File created C:\Windows\SysWOW64\Ljfnnkkc.dll Kcimhpma.exe File created C:\Windows\SysWOW64\Kmfklepl.exe Kcngcp32.exe File created C:\Windows\SysWOW64\Camqpnel.exe Ckchcc32.exe File created C:\Windows\SysWOW64\Mnpfkfcn.dll Jfpmifoa.exe File opened for modification C:\Windows\SysWOW64\Kqqdjceh.exe Khcbpa32.exe File opened for modification C:\Windows\SysWOW64\Dlhaaogd.exe Dodahk32.exe File created C:\Windows\SysWOW64\Najgacfg.dll Jnjhjj32.exe File created C:\Windows\SysWOW64\Hdlenkfg.dll Dakpiajj.exe File opened for modification C:\Windows\SysWOW64\Fkoqmhii.exe Fipdqmje.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3652 3628 WerFault.exe 228 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlkcbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgqhgjbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbpbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclbgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljcbcngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajapoqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhjlioa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcngcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipdolbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdflgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inebpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeoimeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laogfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkepnalk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhnffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effhic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpjklo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hagepa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqopfbfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkblohek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbhmok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggbmbfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecnkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgglifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdamao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljgkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehafe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbifhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpmifoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlckehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbghdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkjaflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkfqind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdfemkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npcika32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e493a529074eea591a69ae83b19449a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfcjiodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjinaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbnaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaqbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekddck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chblqlcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhfdqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcgeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoajgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbmoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmohjooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcbpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboahbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpcho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbkig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdnlgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenioenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfando32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimlqfeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injlkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkema32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmcikd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecoihm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffpkob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhjgll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfdbcing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hehafe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfbdoha.dll" Igngim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knoaeimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhfoleio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffphmc32.dll" Olimlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijqkpie.dll" Efkbdbai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlpngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhelqjm.dll" Oaciom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdlenkfg.dll" Dakpiajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjqik32.dll" Jpqgkpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljbkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhmbnh32.dll" Khcbpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 e493a529074eea591a69ae83b19449a0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dljngoea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqopfbfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgpock32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfaljjdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qbmhdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egmbnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ideopekg.dll" Hechkfkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enhcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfpmifoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcmpcjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghmnmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfagl32.dll" Gmcikd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihijhpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lknebaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkldbf32.dll" Dlbaljhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjqiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kqkalenn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpgdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oeaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oqmokioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emggflfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node e493a529074eea591a69ae83b19449a0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfcjiodd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilhlan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cobhdhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjebjjck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpdfemkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elndpnnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipdolbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqkcelpl.dll" Ajjinaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kqqdjceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjmnmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opjlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejidgg32.dll" Ohkdfhge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkepnalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolqjlhk.dll" Qnciiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hagepa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfmhdpb.dll" Mjmnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbpdhee.dll" Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimcmake.dll" Iaobkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kimlqfeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmohjooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onooimfn.dll" Dkmghe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eoajgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chofhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqfladk.dll" Lbhmok32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 2116 2108 e493a529074eea591a69ae83b19449a0N.exe 30 PID 2108 wrote to memory of 2116 2108 e493a529074eea591a69ae83b19449a0N.exe 30 PID 2108 wrote to memory of 2116 2108 e493a529074eea591a69ae83b19449a0N.exe 30 PID 2108 wrote to memory of 2116 2108 e493a529074eea591a69ae83b19449a0N.exe 30 PID 2116 wrote to memory of 928 2116 Bbfnchfb.exe 31 PID 2116 wrote to memory of 928 2116 Bbfnchfb.exe 31 PID 2116 wrote to memory of 928 2116 Bbfnchfb.exe 31 PID 2116 wrote to memory of 928 2116 Bbfnchfb.exe 31 PID 928 wrote to memory of 2780 928 Bpjnmlel.exe 32 PID 928 wrote to memory of 2780 928 Bpjnmlel.exe 32 PID 928 wrote to memory of 2780 928 Bpjnmlel.exe 32 PID 928 wrote to memory of 2780 928 Bpjnmlel.exe 32 PID 2780 wrote to memory of 2756 2780 Beggec32.exe 33 PID 2780 wrote to memory of 2756 2780 Beggec32.exe 33 PID 2780 wrote to memory of 2756 2780 Beggec32.exe 33 PID 2780 wrote to memory of 2756 2780 Beggec32.exe 33 PID 2756 wrote to memory of 2548 2756 Bpmkbl32.exe 34 PID 2756 wrote to memory of 2548 2756 Bpmkbl32.exe 34 PID 2756 wrote to memory of 2548 2756 Bpmkbl32.exe 34 PID 2756 wrote to memory of 2548 2756 Bpmkbl32.exe 34 PID 2548 wrote to memory of 3032 2548 Cobhdhha.exe 35 PID 2548 wrote to memory of 3032 2548 Cobhdhha.exe 35 PID 2548 wrote to memory of 3032 2548 Cobhdhha.exe 35 PID 2548 wrote to memory of 3032 2548 Cobhdhha.exe 35 PID 3032 wrote to memory of 924 3032 Ckiiiine.exe 36 PID 3032 wrote to memory of 924 3032 Ckiiiine.exe 36 PID 3032 wrote to memory of 924 3032 Ckiiiine.exe 36 PID 3032 wrote to memory of 924 3032 Ckiiiine.exe 36 PID 924 wrote to memory of 2264 924 Cdamao32.exe 37 PID 924 wrote to memory of 2264 924 Cdamao32.exe 37 PID 924 wrote to memory of 2264 924 Cdamao32.exe 37 PID 924 wrote to memory of 2264 924 Cdamao32.exe 37 PID 2264 wrote to memory of 2904 2264 Cniajdkg.exe 38 PID 2264 wrote to memory of 2904 2264 Cniajdkg.exe 38 PID 2264 wrote to memory of 2904 2264 Cniajdkg.exe 38 PID 2264 wrote to memory of 2904 2264 Cniajdkg.exe 38 PID 2904 wrote to memory of 2856 2904 Chofhm32.exe 39 PID 2904 wrote to memory of 2856 2904 Chofhm32.exe 39 PID 2904 wrote to memory of 2856 2904 Chofhm32.exe 39 PID 2904 wrote to memory of 2856 2904 Chofhm32.exe 39 PID 2856 wrote to memory of 520 2856 Cpjklo32.exe 40 PID 2856 wrote to memory of 520 2856 Cpjklo32.exe 40 PID 2856 wrote to memory of 520 2856 Cpjklo32.exe 40 PID 2856 wrote to memory of 520 2856 Cpjklo32.exe 40 PID 520 wrote to memory of 2084 520 Cjboeenh.exe 41 PID 520 wrote to memory of 2084 520 Cjboeenh.exe 41 PID 520 wrote to memory of 2084 520 Cjboeenh.exe 41 PID 520 wrote to memory of 2084 520 Cjboeenh.exe 41 PID 2084 wrote to memory of 1312 2084 Dkblohek.exe 42 PID 2084 wrote to memory of 1312 2084 Dkblohek.exe 42 PID 2084 wrote to memory of 1312 2084 Dkblohek.exe 42 PID 2084 wrote to memory of 1312 2084 Dkblohek.exe 42 PID 1312 wrote to memory of 2744 1312 Dcmpcjcf.exe 43 PID 1312 wrote to memory of 2744 1312 Dcmpcjcf.exe 43 PID 1312 wrote to memory of 2744 1312 Dcmpcjcf.exe 43 PID 1312 wrote to memory of 2744 1312 Dcmpcjcf.exe 43 PID 2744 wrote to memory of 2024 2744 Dodahk32.exe 44 PID 2744 wrote to memory of 2024 2744 Dodahk32.exe 44 PID 2744 wrote to memory of 2024 2744 Dodahk32.exe 44 PID 2744 wrote to memory of 2024 2744 Dodahk32.exe 44 PID 2024 wrote to memory of 2076 2024 Dlhaaogd.exe 45 PID 2024 wrote to memory of 2076 2024 Dlhaaogd.exe 45 PID 2024 wrote to memory of 2076 2024 Dlhaaogd.exe 45 PID 2024 wrote to memory of 2076 2024 Dlhaaogd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e493a529074eea591a69ae83b19449a0N.exe"C:\Users\Admin\AppData\Local\Temp\e493a529074eea591a69ae83b19449a0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Bpjnmlel.exeC:\Windows\system32\Bpjnmlel.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Beggec32.exeC:\Windows\system32\Beggec32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Cobhdhha.exeC:\Windows\system32\Cobhdhha.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ckiiiine.exeC:\Windows\system32\Ckiiiine.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Cdamao32.exeC:\Windows\system32\Cdamao32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Cpjklo32.exeC:\Windows\system32\Cpjklo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Cjboeenh.exeC:\Windows\system32\Cjboeenh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Dkblohek.exeC:\Windows\system32\Dkblohek.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Dodahk32.exeC:\Windows\system32\Dodahk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Dljngoea.exeC:\Windows\system32\Dljngoea.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Ebicee32.exeC:\Windows\system32\Ebicee32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Eqopfbfn.exeC:\Windows\system32\Eqopfbfn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Ekddck32.exeC:\Windows\system32\Ekddck32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Ecoihm32.exeC:\Windows\system32\Ecoihm32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Enenef32.exeC:\Windows\system32\Enenef32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Egmbnkie.exeC:\Windows\system32\Egmbnkie.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Fqffgapf.exeC:\Windows\system32\Fqffgapf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Fgpock32.exeC:\Windows\system32\Fgpock32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Fiakkcma.exeC:\Windows\system32\Fiakkcma.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Fcfohlmg.exeC:\Windows\system32\Fcfohlmg.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Fcilnl32.exeC:\Windows\system32\Fcilnl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Fnbmoi32.exeC:\Windows\system32\Fnbmoi32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Fhkagonc.exeC:\Windows\system32\Fhkagonc.exe33⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe34⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:512 -
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe36⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe37⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Gdflgo32.exeC:\Windows\system32\Gdflgo32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Gajlac32.exeC:\Windows\system32\Gajlac32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Gfiaojkq.exeC:\Windows\system32\Gfiaojkq.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Gmcikd32.exeC:\Windows\system32\Gmcikd32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Hbpbck32.exeC:\Windows\system32\Hbpbck32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Hpdbmooo.exeC:\Windows\system32\Hpdbmooo.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Hlkcbp32.exeC:\Windows\system32\Hlkcbp32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\Hechkfkc.exeC:\Windows\system32\Hechkfkc.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Hbghdj32.exeC:\Windows\system32\Hbghdj32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Hdhdlbpk.exeC:\Windows\system32\Hdhdlbpk.exe49⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Hkbmil32.exeC:\Windows\system32\Hkbmil32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Hehafe32.exeC:\Windows\system32\Hehafe32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Hginnmml.exeC:\Windows\system32\Hginnmml.exe52⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Iaobkf32.exeC:\Windows\system32\Iaobkf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Ihijhpdo.exeC:\Windows\system32\Ihijhpdo.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Inebpgbf.exeC:\Windows\system32\Inebpgbf.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Ipdolbbj.exeC:\Windows\system32\Ipdolbbj.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Igngim32.exeC:\Windows\system32\Igngim32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Ilkpac32.exeC:\Windows\system32\Ilkpac32.exe58⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Igpdnlgd.exeC:\Windows\system32\Igpdnlgd.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Injlkf32.exeC:\Windows\system32\Injlkf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Ieeqpi32.exeC:\Windows\system32\Ieeqpi32.exe62⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Ipkema32.exeC:\Windows\system32\Ipkema32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Jbcgeilh.exeC:\Windows\system32\Jbcgeilh.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Jhmpbc32.exeC:\Windows\system32\Jhmpbc32.exe65⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Jnjhjj32.exeC:\Windows\system32\Jnjhjj32.exe66⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Jcgqbq32.exeC:\Windows\system32\Jcgqbq32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Jjqiok32.exeC:\Windows\system32\Jjqiok32.exe68⤵
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Kqkalenn.exeC:\Windows\system32\Kqkalenn.exe69⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Kcimhpma.exeC:\Windows\system32\Kcimhpma.exe70⤵
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Knoaeimg.exeC:\Windows\system32\Knoaeimg.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Kopnma32.exeC:\Windows\system32\Kopnma32.exe72⤵PID:2716
-
C:\Windows\SysWOW64\Kjebjjck.exeC:\Windows\system32\Kjebjjck.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Kmdofebo.exeC:\Windows\system32\Kmdofebo.exe74⤵PID:2808
-
C:\Windows\SysWOW64\Kcngcp32.exeC:\Windows\system32\Kcngcp32.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Kmfklepl.exeC:\Windows\system32\Kmfklepl.exe76⤵PID:316
-
C:\Windows\SysWOW64\Kcpcho32.exeC:\Windows\system32\Kcpcho32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Kimlqfeq.exeC:\Windows\system32\Kimlqfeq.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Kpgdnp32.exeC:\Windows\system32\Kpgdnp32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Kfaljjdj.exeC:\Windows\system32\Kfaljjdj.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Lknebaba.exeC:\Windows\system32\Lknebaba.exe81⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Lbhmok32.exeC:\Windows\system32\Lbhmok32.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Liaeleak.exeC:\Windows\system32\Liaeleak.exe83⤵PID:1796
-
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Lamjph32.exeC:\Windows\system32\Lamjph32.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe86⤵
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Ljeoimeg.exeC:\Windows\system32\Ljeoimeg.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Laogfg32.exeC:\Windows\system32\Laogfg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Ljgkom32.exeC:\Windows\system32\Ljgkom32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Laackgka.exeC:\Windows\system32\Laackgka.exe90⤵PID:1992
-
C:\Windows\SysWOW64\Limhpihl.exeC:\Windows\system32\Limhpihl.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Mlpngd32.exeC:\Windows\system32\Mlpngd32.exe92⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Moqgiopk.exeC:\Windows\system32\Moqgiopk.exe94⤵PID:1516
-
C:\Windows\SysWOW64\Mhikae32.exeC:\Windows\system32\Mhikae32.exe95⤵PID:2572
-
C:\Windows\SysWOW64\Mlgdhcmb.exeC:\Windows\system32\Mlgdhcmb.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:748 -
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe97⤵PID:2160
-
C:\Windows\SysWOW64\Nddeae32.exeC:\Windows\system32\Nddeae32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Npkfff32.exeC:\Windows\system32\Npkfff32.exe99⤵PID:1244
-
C:\Windows\SysWOW64\Nmacej32.exeC:\Windows\system32\Nmacej32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Ncnlnaim.exeC:\Windows\system32\Ncnlnaim.exe101⤵PID:2080
-
C:\Windows\SysWOW64\Ohkdfhge.exeC:\Windows\system32\Ohkdfhge.exe102⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Oaciom32.exeC:\Windows\system32\Oaciom32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Olimlf32.exeC:\Windows\system32\Olimlf32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe105⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe106⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Oecnkk32.exeC:\Windows\system32\Oecnkk32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Ogekbchg.exeC:\Windows\system32\Ogekbchg.exe108⤵PID:2388
-
C:\Windows\SysWOW64\Oqmokioh.exeC:\Windows\system32\Oqmokioh.exe109⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Okcchbnn.exeC:\Windows\system32\Okcchbnn.exe110⤵PID:752
-
C:\Windows\SysWOW64\Pkepnalk.exeC:\Windows\system32\Pkepnalk.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Pqbifhjb.exeC:\Windows\system32\Pqbifhjb.exe112⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Pglacbbo.exeC:\Windows\system32\Pglacbbo.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012 -
C:\Windows\SysWOW64\Pmiikipg.exeC:\Windows\system32\Pmiikipg.exe114⤵
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Pfando32.exeC:\Windows\system32\Pfando32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1392 -
C:\Windows\SysWOW64\Pmkfqind.exeC:\Windows\system32\Pmkfqind.exe116⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Pfcjiodd.exeC:\Windows\system32\Pfcjiodd.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Pcgkcccn.exeC:\Windows\system32\Pcgkcccn.exe119⤵PID:2876
-
C:\Windows\SysWOW64\Pdigkk32.exeC:\Windows\system32\Pdigkk32.exe120⤵PID:1248
-
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-