Analysis
-
max time kernel
92s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12/09/2024, 02:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe
-
Size
768KB
-
MD5
b4a04633b48081dfaf818bdc3cc8abaa
-
SHA1
185a72d8ba0dc29f3047392fdbcd57c4d4338f00
-
SHA256
e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb
-
SHA512
8689b18e206c4cecc53ef0931663a8629c4556d6b858e67dfbab7a5cb1b9afa3f75e7fdda934765dcbbdef64cadc4e0103a932c389906ae927e0aea52309c644
-
SSDEEP
12288:TIvt6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZX:Oq5h3q5htaSHFaZRBEYyqmaf2qwiHPKu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nemmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqkiok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbagk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecjif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lakfeodm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndbie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledepn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeelnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncqlkemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmjfodne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnenlka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfekc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooclapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajokiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoqeibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnnjmbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebaplnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebdlangb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkemfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcinna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhpqhlh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kggcnoic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlofcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkdliame.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmlhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedccfqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkpnga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jenmcggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feqeog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejojljqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdnne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbphdn32.exe -
Executes dropped EXE 64 IoCs
pid Process 220 Jjdjoane.exe 4744 Kbmoen32.exe 1892 Kelkaj32.exe 2412 Keqdmihc.exe 5060 Kbddfmgl.exe 4688 Kkmioc32.exe 456 Lbgalmej.exe 448 Lnnbqnjn.exe 3160 Lalnmiia.exe 4692 Lkabjbih.exe 64 Ljdceo32.exe 1088 Lbkkgl32.exe 824 Lejgch32.exe 1460 Lghcocol.exe 992 Lnbklm32.exe 1980 Laqhhi32.exe 1100 Lihpif32.exe 1924 Llflea32.exe 5104 Lndham32.exe 2476 Lacdmh32.exe 2724 Lijlof32.exe 724 Ljkifn32.exe 1716 Mbbagk32.exe 3696 Maeachag.exe 2112 Milidebi.exe 1168 Mjneln32.exe 4768 Mbenmk32.exe 3188 Mecjif32.exe 3000 Mhafeb32.exe 2340 Mjpbam32.exe 2652 Mbgjbkfg.exe 3500 Meefofek.exe 8 Miaboe32.exe 3732 Mlpokp32.exe 3752 Mnnkgl32.exe 2148 Malgcg32.exe 2028 Micoed32.exe 1668 Mjellmbp.exe 4300 Mblcnj32.exe 940 Mhilfa32.exe 3720 Njghbl32.exe 2960 Nbnpcj32.exe 3468 Nemmoe32.exe 3096 Nhkikq32.exe 956 Njiegl32.exe 3092 Nbqmiinl.exe 3980 Neoieenp.exe 4708 Nhmeapmd.exe 4576 Nklbmllg.exe 1540 Nafjjf32.exe 1904 Nimbkc32.exe 5004 Nlkngo32.exe 3920 Nojjcj32.exe 4552 Nahgoe32.exe 4400 Nhbolp32.exe 5084 Nkqkhk32.exe 3464 Nbgcih32.exe 5032 Nefped32.exe 2348 Nhdlao32.exe 4224 Okchnk32.exe 1720 Objpoh32.exe 3864 Oidhlb32.exe 2928 Olbdhn32.exe 1868 Ooqqdi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Conanfli.exe Chdialdl.exe File opened for modification C:\Windows\SysWOW64\Eojiqb32.exe Edeeci32.exe File created C:\Windows\SysWOW64\Jdmgfedl.exe Igigla32.exe File opened for modification C:\Windows\SysWOW64\Bhpfqcln.exe Bohbhmfm.exe File created C:\Windows\SysWOW64\Mdcajc32.dll Mcfbkpab.exe File opened for modification C:\Windows\SysWOW64\Bhcjqinf.exe Bbiado32.exe File created C:\Windows\SysWOW64\Fflohaij.exe Fneggdhg.exe File created C:\Windows\SysWOW64\Klkfenfk.dll Gpelhd32.exe File opened for modification C:\Windows\SysWOW64\Ojemig32.exe Obnehj32.exe File created C:\Windows\SysWOW64\Fcekfnkb.exe Fbdnne32.exe File created C:\Windows\SysWOW64\Gpmmbfem.dll Idhiii32.exe File opened for modification C:\Windows\SysWOW64\Phganm32.exe Peieba32.exe File created C:\Windows\SysWOW64\Dfiildio.exe Dmohno32.exe File created C:\Windows\SysWOW64\Bdepoj32.dll Eojiqb32.exe File created C:\Windows\SysWOW64\Djkpla32.dll Pfhmjf32.exe File created C:\Windows\SysWOW64\Lnbklm32.exe Lghcocol.exe File created C:\Windows\SysWOW64\Agadmk32.dll Pocfpf32.exe File created C:\Windows\SysWOW64\Bkphhgfc.exe Bpkdjofm.exe File opened for modification C:\Windows\SysWOW64\Iafkld32.exe Ilibdmgp.exe File created C:\Windows\SysWOW64\Hegmlnbp.exe Hbiapb32.exe File opened for modification C:\Windows\SysWOW64\Fdglmkeg.exe Flqdlnde.exe File created C:\Windows\SysWOW64\Dnbokg32.dll Hcmbee32.exe File opened for modification C:\Windows\SysWOW64\Igdnabjh.exe Idfaefkd.exe File created C:\Windows\SysWOW64\Hhcmlj32.dll Ijcjmmil.exe File opened for modification C:\Windows\SysWOW64\Oghghb32.exe Oanokhdb.exe File opened for modification C:\Windows\SysWOW64\Klndfj32.exe Kedlip32.exe File created C:\Windows\SysWOW64\Kheekkjl.exe Kbhmbdle.exe File opened for modification C:\Windows\SysWOW64\Obcceg32.exe Olijhmgj.exe File opened for modification C:\Windows\SysWOW64\Pkenjh32.exe Phganm32.exe File created C:\Windows\SysWOW64\Jllokajf.exe Jpenfp32.exe File opened for modification C:\Windows\SysWOW64\Bmhocd32.exe Bgnffj32.exe File created C:\Windows\SysWOW64\Gicgpelg.exe Gbiockdj.exe File opened for modification C:\Windows\SysWOW64\Hihibbjo.exe Haaaaeim.exe File created C:\Windows\SysWOW64\Klbgfc32.exe Kbjbnnfg.exe File opened for modification C:\Windows\SysWOW64\Jnlbojee.exe Jqhafffk.exe File created C:\Windows\SysWOW64\Ofmdio32.exe Ocohmc32.exe File opened for modification C:\Windows\SysWOW64\Lbkkgl32.exe Ljdceo32.exe File created C:\Windows\SysWOW64\Kljibbol.dll Bhcjqinf.exe File created C:\Windows\SysWOW64\Ampaho32.exe Affikdfn.exe File created C:\Windows\SysWOW64\Elkodmbe.dll Dkpjdo32.exe File created C:\Windows\SysWOW64\Afgfhaab.dll Jdopjh32.exe File created C:\Windows\SysWOW64\Qaalblgi.exe Pocpfphe.exe File opened for modification C:\Windows\SysWOW64\Gpgind32.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Mbkkam32.dll Caageq32.exe File opened for modification C:\Windows\SysWOW64\Dnqcfjae.exe Dggkipii.exe File opened for modification C:\Windows\SysWOW64\Koimbpbc.exe Jhoeef32.exe File created C:\Windows\SysWOW64\Nhjnjq32.dll Ccpdoqgd.exe File created C:\Windows\SysWOW64\Njoddaaj.dll Coiaiakf.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Dfiildio.exe File opened for modification C:\Windows\SysWOW64\Mqkiok32.exe Mjaabq32.exe File opened for modification C:\Windows\SysWOW64\Dnljkk32.exe Dknnoofg.exe File created C:\Windows\SysWOW64\Icogcjde.exe Ibnjkbog.exe File opened for modification C:\Windows\SysWOW64\Hbhijepa.exe Hpjmnjqn.exe File opened for modification C:\Windows\SysWOW64\Hlhccj32.exe Hkfglb32.exe File created C:\Windows\SysWOW64\Cogddd32.exe Chnlgjlb.exe File created C:\Windows\SysWOW64\Japjfm32.dll Khdoqefq.exe File created C:\Windows\SysWOW64\Efjikc32.dll Meefofek.exe File created C:\Windows\SysWOW64\Odhifjkg.exe Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Mfnoqc32.exe Mqafhl32.exe File opened for modification C:\Windows\SysWOW64\Nmbjcljl.exe Mgeakekd.exe File created C:\Windows\SysWOW64\Fenpmnno.dll Ocgbld32.exe File created C:\Windows\SysWOW64\Pjpfjl32.exe Ppjbmc32.exe File created C:\Windows\SysWOW64\Mleggmck.dll Lcclncbh.exe File opened for modification C:\Windows\SysWOW64\Poomegpf.exe Plpqil32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7072 6008 WerFault.exe 894 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbdcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnlgjlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlkfbocp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghcocol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehndnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqncnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckboblp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olijhmgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fechomko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijqcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggkipii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpecbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knchpiom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkhog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milidebi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiknlagg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfepdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhkikq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdgikhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjnnbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgjejhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmaamn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklbmllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgpfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njiegl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjemflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpcinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccppmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckkca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbqinm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijlof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbenmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleepoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnqfcbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfegk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkled32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbgfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heegad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcepkfld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olicnfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgonidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfmgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmeapmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfiplog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcjfbed.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plpqil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" Mjaabq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbiapb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Panhbfep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgimjd32.dll" Gjficg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdcpb32.dll" Gcnnllcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaplji32.dll" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknfelnj.dll" Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmpkall.dll" Adjjeieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Famhmfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koimbpbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palbkhoj.dll" Olijhmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpeahb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbdpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iagqgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekmfnbj.dll" Bbaclegm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffonkgk.dll" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjidgkog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apocmn32.dll" Gdgdeppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdnjfojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfjgifo.dll" Lbkkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll" Lcmodajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll" Cmnnimak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfekc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekajec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljibbol.dll" Bhcjqinf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imgicgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll" Mpapnfhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkogiikb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geanfelc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaenbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmqghl.dll" Fnhbmgmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemefcap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimngjie.dll" Edgbii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nndbpeal.dll" Glfmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heegad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll" Jpegkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ookoaokf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgiohbfi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4524 wrote to memory of 220 4524 e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe 83 PID 4524 wrote to memory of 220 4524 e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe 83 PID 4524 wrote to memory of 220 4524 e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe 83 PID 220 wrote to memory of 4744 220 Jjdjoane.exe 84 PID 220 wrote to memory of 4744 220 Jjdjoane.exe 84 PID 220 wrote to memory of 4744 220 Jjdjoane.exe 84 PID 4744 wrote to memory of 1892 4744 Kbmoen32.exe 87 PID 4744 wrote to memory of 1892 4744 Kbmoen32.exe 87 PID 4744 wrote to memory of 1892 4744 Kbmoen32.exe 87 PID 1892 wrote to memory of 2412 1892 Kelkaj32.exe 88 PID 1892 wrote to memory of 2412 1892 Kelkaj32.exe 88 PID 1892 wrote to memory of 2412 1892 Kelkaj32.exe 88 PID 2412 wrote to memory of 5060 2412 Keqdmihc.exe 90 PID 2412 wrote to memory of 5060 2412 Keqdmihc.exe 90 PID 2412 wrote to memory of 5060 2412 Keqdmihc.exe 90 PID 5060 wrote to memory of 4688 5060 Kbddfmgl.exe 91 PID 5060 wrote to memory of 4688 5060 Kbddfmgl.exe 91 PID 5060 wrote to memory of 4688 5060 Kbddfmgl.exe 91 PID 4688 wrote to memory of 456 4688 Kkmioc32.exe 92 PID 4688 wrote to memory of 456 4688 Kkmioc32.exe 92 PID 4688 wrote to memory of 456 4688 Kkmioc32.exe 92 PID 456 wrote to memory of 448 456 Lbgalmej.exe 93 PID 456 wrote to memory of 448 456 Lbgalmej.exe 93 PID 456 wrote to memory of 448 456 Lbgalmej.exe 93 PID 448 wrote to memory of 3160 448 Lnnbqnjn.exe 94 PID 448 wrote to memory of 3160 448 Lnnbqnjn.exe 94 PID 448 wrote to memory of 3160 448 Lnnbqnjn.exe 94 PID 3160 wrote to memory of 4692 3160 Lalnmiia.exe 95 PID 3160 wrote to memory of 4692 3160 Lalnmiia.exe 95 PID 3160 wrote to memory of 4692 3160 Lalnmiia.exe 95 PID 4692 wrote to memory of 64 4692 Lkabjbih.exe 96 PID 4692 wrote to memory of 64 4692 Lkabjbih.exe 96 PID 4692 wrote to memory of 64 4692 Lkabjbih.exe 96 PID 64 wrote to memory of 1088 64 Ljdceo32.exe 97 PID 64 wrote to memory of 1088 64 Ljdceo32.exe 97 PID 64 wrote to memory of 1088 64 Ljdceo32.exe 97 PID 1088 wrote to memory of 824 1088 Lbkkgl32.exe 98 PID 1088 wrote to memory of 824 1088 Lbkkgl32.exe 98 PID 1088 wrote to memory of 824 1088 Lbkkgl32.exe 98 PID 824 wrote to memory of 1460 824 Lejgch32.exe 99 PID 824 wrote to memory of 1460 824 Lejgch32.exe 99 PID 824 wrote to memory of 1460 824 Lejgch32.exe 99 PID 1460 wrote to memory of 992 1460 Lghcocol.exe 100 PID 1460 wrote to memory of 992 1460 Lghcocol.exe 100 PID 1460 wrote to memory of 992 1460 Lghcocol.exe 100 PID 992 wrote to memory of 1980 992 Lnbklm32.exe 101 PID 992 wrote to memory of 1980 992 Lnbklm32.exe 101 PID 992 wrote to memory of 1980 992 Lnbklm32.exe 101 PID 1980 wrote to memory of 1100 1980 Laqhhi32.exe 102 PID 1980 wrote to memory of 1100 1980 Laqhhi32.exe 102 PID 1980 wrote to memory of 1100 1980 Laqhhi32.exe 102 PID 1100 wrote to memory of 1924 1100 Lihpif32.exe 103 PID 1100 wrote to memory of 1924 1100 Lihpif32.exe 103 PID 1100 wrote to memory of 1924 1100 Lihpif32.exe 103 PID 1924 wrote to memory of 5104 1924 Llflea32.exe 104 PID 1924 wrote to memory of 5104 1924 Llflea32.exe 104 PID 1924 wrote to memory of 5104 1924 Llflea32.exe 104 PID 5104 wrote to memory of 2476 5104 Lndham32.exe 105 PID 5104 wrote to memory of 2476 5104 Lndham32.exe 105 PID 5104 wrote to memory of 2476 5104 Lndham32.exe 105 PID 2476 wrote to memory of 2724 2476 Lacdmh32.exe 106 PID 2476 wrote to memory of 2724 2476 Lacdmh32.exe 106 PID 2476 wrote to memory of 2724 2476 Lacdmh32.exe 106 PID 2724 wrote to memory of 724 2724 Lijlof32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe"C:\Users\Admin\AppData\Local\Temp\e97d7cc6328b57f9dd41d28fe9b594b2fdfeba220fd12e8986e7637999c9ebeb.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe23⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe25⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe27⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4768 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe30⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe31⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe32⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe35⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe36⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe39⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4300 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe41⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe42⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe43⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe47⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe48⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4708 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4576 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe51⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe52⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe53⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe54⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe55⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe56⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe57⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe58⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe59⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe60⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe61⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe62⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe63⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe64⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe66⤵PID:3292
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe67⤵PID:5056
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe68⤵PID:468
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe69⤵PID:4072
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe70⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe71⤵PID:5048
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe72⤵PID:5156
-
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe73⤵PID:5200
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe74⤵
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe76⤵PID:5320
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe77⤵PID:5360
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe78⤵PID:5400
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe79⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe80⤵
- System Location Discovery: System Language Discovery
PID:5480 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe81⤵PID:5520
-
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe82⤵PID:5564
-
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5604 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe84⤵PID:5648
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe85⤵PID:5692
-
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe87⤵PID:5780
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe88⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe89⤵
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe90⤵PID:5912
-
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe91⤵PID:5956
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe92⤵PID:6000
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe93⤵PID:6040
-
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe94⤵
- Drops file in System32 directory
PID:6080 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe95⤵PID:6120
-
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe96⤵PID:5088
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe97⤵PID:4972
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe98⤵PID:3100
-
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe99⤵PID:4304
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe100⤵PID:3636
-
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe101⤵PID:4980
-
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe102⤵PID:4332
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe103⤵PID:5184
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe104⤵PID:1756
-
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe105⤵PID:5312
-
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe106⤵PID:5428
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe107⤵PID:5504
-
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe108⤵PID:5572
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe109⤵PID:5644
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe110⤵PID:1808
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe111⤵PID:1288
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe112⤵PID:5820
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe113⤵
- System Location Discovery: System Language Discovery
PID:4628 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe114⤵PID:4076
-
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5096 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe116⤵PID:6028
-
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe117⤵PID:1604
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe118⤵PID:6116
-
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe119⤵PID:1252
-
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4836 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1772
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-