Analysis
-
max time kernel
146s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-09-2024 12:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe
-
Size
71KB
-
MD5
89d1a5c73d257db75828755e81f8ca2f
-
SHA1
11b28033a0a03679cd4d906d3f311f12eb9cb785
-
SHA256
eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff
-
SHA512
d5e1533a577364dcd02ca7adc201cab3f24b206ce55f6bd7d0cd3d82f570ac84f342afc633fab3de9b18abf88df1cbda7a03378b824b3933d8b0b7115eaf297e
-
SSDEEP
1536:TfPGJOD6ajwhDq721kXWg7J2LX7RZObZUS:Tfz14O7DXheXClUS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbepdhgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cebeem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhhld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcaiiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iigpli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhfhigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liklhmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neklbppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpqain32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necogkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geeemeif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgnge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khabghdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejopecj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdaglmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opkccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comdkipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaeafklf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgoji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbfggdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfoojj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mikhgqbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caidaeak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edqocbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqglggcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnoogbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbncjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhiei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghhfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnldjekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jolghndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkklhjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhldafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaffbqaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojbkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaajei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdkjnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjegqif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npaich32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqnoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbigpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peedka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgglb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkhjncg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joihjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdocl32.exe -
Executes dropped EXE 64 IoCs
pid Process 2888 Jnhlbn32.exe 2688 Jlklnjoh.exe 2716 Joihjfnl.exe 2752 Jcedkd32.exe 2820 Jgqpkc32.exe 2632 Jlmicj32.exe 3008 Jfemlpdf.exe 2968 Jkbfdfbm.exe 2192 Jonbee32.exe 2196 Jdkjnl32.exe 1768 Jhffnk32.exe 1924 Kncofa32.exe 1804 Kfjggo32.exe 1820 Kglcogeo.exe 572 Kkgopf32.exe 2456 Kqdhhm32.exe 832 Khkpijma.exe 848 Kbcdbp32.exe 2224 Kceqjhiq.exe 948 Kgpmjf32.exe 1044 Knjegqif.exe 1784 Kmmebm32.exe 1540 Kddmdk32.exe 944 Kfeikcfa.exe 2484 Knmamp32.exe 2712 Konndhmb.exe 1192 Kgefefnd.exe 2804 Lopkjhko.exe 2556 Lclgjg32.exe 2896 Lmdkcl32.exe 2580 Lkgkoiqc.exe 2008 Lcncpfaf.exe 3000 Liklhmom.exe 2992 Lkihdioa.exe 2068 Lfolaang.exe 1972 Leammn32.exe 1248 Lgpiij32.exe 2648 Lpgajgeg.exe 768 Lipecm32.exe 808 Lgbeoibb.exe 1644 Mbhjlbbh.exe 540 Mlpneh32.exe 1324 Mjcoqdoc.exe 2880 Mhgoji32.exe 1292 Mfjoeeeh.exe 1500 Mnaggcej.exe 1992 Mpbdnk32.exe 2808 Mcnpojca.exe 2796 Mjhhld32.exe 2788 Mikhgqbi.exe 2564 Mabphn32.exe 2692 Mpdqdkie.exe 2592 Mdpldi32.exe 3004 Mbcmpfhi.exe 2148 Mjjdacik.exe 2628 Mmhamoho.exe 2620 Mpgmijgc.exe 2660 Mfaefd32.exe 1136 Medeaaej.exe 2544 Mioabp32.exe 2884 Npijoj32.exe 1476 Noljjglk.exe 2260 Nfcbldmm.exe 2428 Nhdocl32.exe -
Loads dropped DLL 64 IoCs
pid Process 3016 eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe 3016 eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe 2888 Jnhlbn32.exe 2888 Jnhlbn32.exe 2688 Jlklnjoh.exe 2688 Jlklnjoh.exe 2716 Joihjfnl.exe 2716 Joihjfnl.exe 2752 Jcedkd32.exe 2752 Jcedkd32.exe 2820 Jgqpkc32.exe 2820 Jgqpkc32.exe 2632 Jlmicj32.exe 2632 Jlmicj32.exe 3008 Jfemlpdf.exe 3008 Jfemlpdf.exe 2968 Jkbfdfbm.exe 2968 Jkbfdfbm.exe 2192 Jonbee32.exe 2192 Jonbee32.exe 2196 Jdkjnl32.exe 2196 Jdkjnl32.exe 1768 Jhffnk32.exe 1768 Jhffnk32.exe 1924 Kncofa32.exe 1924 Kncofa32.exe 1804 Kfjggo32.exe 1804 Kfjggo32.exe 1820 Kglcogeo.exe 1820 Kglcogeo.exe 572 Kkgopf32.exe 572 Kkgopf32.exe 2456 Kqdhhm32.exe 2456 Kqdhhm32.exe 832 Khkpijma.exe 832 Khkpijma.exe 848 Kbcdbp32.exe 848 Kbcdbp32.exe 2224 Kceqjhiq.exe 2224 Kceqjhiq.exe 948 Kgpmjf32.exe 948 Kgpmjf32.exe 1044 Knjegqif.exe 1044 Knjegqif.exe 1784 Kmmebm32.exe 1784 Kmmebm32.exe 1540 Kddmdk32.exe 1540 Kddmdk32.exe 944 Kfeikcfa.exe 944 Kfeikcfa.exe 2484 Knmamp32.exe 2484 Knmamp32.exe 2712 Konndhmb.exe 2712 Konndhmb.exe 1192 Kgefefnd.exe 1192 Kgefefnd.exe 2804 Lopkjhko.exe 2804 Lopkjhko.exe 2556 Lclgjg32.exe 2556 Lclgjg32.exe 2896 Lmdkcl32.exe 2896 Lmdkcl32.exe 2580 Lkgkoiqc.exe 2580 Lkgkoiqc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nbjcqe32.exe Nplfdj32.exe File created C:\Windows\SysWOW64\Bdfiaojk.dll Gpabcbdb.exe File opened for modification C:\Windows\SysWOW64\Opaebkmc.exe Omcifpnp.exe File created C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe File created C:\Windows\SysWOW64\Mcqombic.exe Mqbbagjo.exe File created C:\Windows\SysWOW64\Ccjoli32.exe Cegoqlof.exe File created C:\Windows\SysWOW64\Cfhakqek.dll Ggicgopd.exe File created C:\Windows\SysWOW64\Hemqpf32.exe Hfjpdjjo.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Ihdpbq32.exe File created C:\Windows\SysWOW64\Icehdl32.dll Kpgffe32.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Pdbdqh32.exe File created C:\Windows\SysWOW64\Komjgdhc.dll Ahgofi32.exe File opened for modification C:\Windows\SysWOW64\Danmmd32.exe Cmbalfem.exe File created C:\Windows\SysWOW64\Filgbdfd.exe Fdpkbf32.exe File created C:\Windows\SysWOW64\Ibmgpoia.exe Ioakoq32.exe File created C:\Windows\SysWOW64\Jdcmbgkj.exe Jaeafklf.exe File created C:\Windows\SysWOW64\Nmldop32.dll Oiljam32.exe File created C:\Windows\SysWOW64\Nnoiph32.dll Olmcchlg.exe File created C:\Windows\SysWOW64\Eepejpil.dll Cebeem32.exe File created C:\Windows\SysWOW64\Gadafg32.dll Eqjmncna.exe File created C:\Windows\SysWOW64\Jianlbkj.dll Lkakicam.exe File created C:\Windows\SysWOW64\Eknmhk32.exe Ehpalp32.exe File created C:\Windows\SysWOW64\Illbhp32.exe Ihpfgalh.exe File opened for modification C:\Windows\SysWOW64\Klpdaf32.exe Kjahej32.exe File created C:\Windows\SysWOW64\Hpqnnmcd.dll Abpcooea.exe File opened for modification C:\Windows\SysWOW64\Lmjnak32.exe Ljkaeo32.exe File created C:\Windows\SysWOW64\Onffhdlh.dll Pgpgjepk.exe File created C:\Windows\SysWOW64\Dfmcfjpo.dll Afgmodel.exe File created C:\Windows\SysWOW64\Jlnklcej.exe Jhbold32.exe File created C:\Windows\SysWOW64\Knqcbd32.dll Mbcoio32.exe File created C:\Windows\SysWOW64\Maanne32.dll Afdiondb.exe File created C:\Windows\SysWOW64\Fhgnge32.exe Ffibkj32.exe File created C:\Windows\SysWOW64\Knakol32.dll Mihdgkpp.exe File opened for modification C:\Windows\SysWOW64\Bcmfmlen.exe Baojapfj.exe File created C:\Windows\SysWOW64\Cicalakk.exe Cfeepelg.exe File created C:\Windows\SysWOW64\Gceailog.exe Goiehm32.exe File created C:\Windows\SysWOW64\Kneino32.dll Bplhnoej.exe File created C:\Windows\SysWOW64\Iphhqinm.dll Bpnddn32.exe File opened for modification C:\Windows\SysWOW64\Agpcihcf.exe Qdaglmcb.exe File created C:\Windows\SysWOW64\Flfpabkp.exe Fncpef32.exe File created C:\Windows\SysWOW64\Olpecfkn.dll Qcogbdkg.exe File created C:\Windows\SysWOW64\Medeaaej.exe Mfaefd32.exe File created C:\Windows\SysWOW64\Ogdgeded.dll Pkdihhag.exe File opened for modification C:\Windows\SysWOW64\Mnomjl32.exe Mjcaimgg.exe File created C:\Windows\SysWOW64\Fqliblhd.dll Olpilg32.exe File opened for modification C:\Windows\SysWOW64\Hebdfind.exe Gbdhjm32.exe File created C:\Windows\SysWOW64\Bbodaa32.dll Jpogbgmi.exe File created C:\Windows\SysWOW64\Knhjjj32.exe Kjmnjkjd.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Cjakccop.exe File created C:\Windows\SysWOW64\Khcomhbi.exe Kdhcli32.exe File created C:\Windows\SysWOW64\Gqnfackh.dll Nmnclmoj.exe File created C:\Windows\SysWOW64\Djkacflm.dll Neklbppb.exe File created C:\Windows\SysWOW64\Fkhgip32.exe Fhikme32.exe File opened for modification C:\Windows\SysWOW64\Gegabegc.exe Gnmifk32.exe File created C:\Windows\SysWOW64\Jjndlebb.dll Jofejpmc.exe File created C:\Windows\SysWOW64\Daajeb32.dll Nfghdcfj.exe File created C:\Windows\SysWOW64\Hqenoohi.dll Opplolac.exe File created C:\Windows\SysWOW64\Fbbofjnh.exe Fnfcel32.exe File created C:\Windows\SysWOW64\Gjdjklek.exe Gfhnjm32.exe File opened for modification C:\Windows\SysWOW64\Ccdmnj32.exe Clmdmm32.exe File created C:\Windows\SysWOW64\Abigipko.dll Cbiiog32.exe File created C:\Windows\SysWOW64\Lecpilip.dll Kffldlne.exe File opened for modification C:\Windows\SysWOW64\Opnbbe32.exe Ompefj32.exe File created C:\Windows\SysWOW64\Qndkpmkm.exe Qiioon32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9588 9556 WerFault.exe 995 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdjeoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdfhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlgfnal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjkjle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqqpgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjmoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofpoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbnpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbfdfbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllhhaep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjnak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbigpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfpabkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckahkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdjoaee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggcaiqhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdhhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhkjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbaken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deollamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbdqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbafjlaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoajel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meoell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkpijma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopkjhko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldlga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjhmfekp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihdgkpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbgcnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbajkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeafklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfbngfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfgcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nledoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifdbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaffbqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bammlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnflke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caidaeak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggcaiqhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obdojcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pddnnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eldglp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdldnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lneaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmldop32.dll" Oiljam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pincfpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqbqqjl.dll" Hinqgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll" Anbkipok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonedp32.dll" Beackp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjfkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lneaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaemhl32.dll" Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnheohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgddfe32.dll" Lnhgim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfjggo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Injcbk32.dll" Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnalhgb.dll" Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmkeke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcemimp.dll" Gcahoqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkloned.dll" Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knjegqif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihmpobck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifoqjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khabghdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnoiio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohkpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkjapglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlkjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppkhhjei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhnop32.dll" Ddblgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogmcjef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghajacmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhamoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbjeinje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpbjee.dll" Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmgbao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplncj32.dll" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oihqgbhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbnpkmfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkifdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpcihcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbeiiqe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2888 3016 eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe 30 PID 3016 wrote to memory of 2888 3016 eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe 30 PID 3016 wrote to memory of 2888 3016 eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe 30 PID 3016 wrote to memory of 2888 3016 eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe 30 PID 2888 wrote to memory of 2688 2888 Jnhlbn32.exe 31 PID 2888 wrote to memory of 2688 2888 Jnhlbn32.exe 31 PID 2888 wrote to memory of 2688 2888 Jnhlbn32.exe 31 PID 2888 wrote to memory of 2688 2888 Jnhlbn32.exe 31 PID 2688 wrote to memory of 2716 2688 Jlklnjoh.exe 32 PID 2688 wrote to memory of 2716 2688 Jlklnjoh.exe 32 PID 2688 wrote to memory of 2716 2688 Jlklnjoh.exe 32 PID 2688 wrote to memory of 2716 2688 Jlklnjoh.exe 32 PID 2716 wrote to memory of 2752 2716 Joihjfnl.exe 33 PID 2716 wrote to memory of 2752 2716 Joihjfnl.exe 33 PID 2716 wrote to memory of 2752 2716 Joihjfnl.exe 33 PID 2716 wrote to memory of 2752 2716 Joihjfnl.exe 33 PID 2752 wrote to memory of 2820 2752 Jcedkd32.exe 34 PID 2752 wrote to memory of 2820 2752 Jcedkd32.exe 34 PID 2752 wrote to memory of 2820 2752 Jcedkd32.exe 34 PID 2752 wrote to memory of 2820 2752 Jcedkd32.exe 34 PID 2820 wrote to memory of 2632 2820 Jgqpkc32.exe 35 PID 2820 wrote to memory of 2632 2820 Jgqpkc32.exe 35 PID 2820 wrote to memory of 2632 2820 Jgqpkc32.exe 35 PID 2820 wrote to memory of 2632 2820 Jgqpkc32.exe 35 PID 2632 wrote to memory of 3008 2632 Jlmicj32.exe 36 PID 2632 wrote to memory of 3008 2632 Jlmicj32.exe 36 PID 2632 wrote to memory of 3008 2632 Jlmicj32.exe 36 PID 2632 wrote to memory of 3008 2632 Jlmicj32.exe 36 PID 3008 wrote to memory of 2968 3008 Jfemlpdf.exe 37 PID 3008 wrote to memory of 2968 3008 Jfemlpdf.exe 37 PID 3008 wrote to memory of 2968 3008 Jfemlpdf.exe 37 PID 3008 wrote to memory of 2968 3008 Jfemlpdf.exe 37 PID 2968 wrote to memory of 2192 2968 Jkbfdfbm.exe 38 PID 2968 wrote to memory of 2192 2968 Jkbfdfbm.exe 38 PID 2968 wrote to memory of 2192 2968 Jkbfdfbm.exe 38 PID 2968 wrote to memory of 2192 2968 Jkbfdfbm.exe 38 PID 2192 wrote to memory of 2196 2192 Jonbee32.exe 39 PID 2192 wrote to memory of 2196 2192 Jonbee32.exe 39 PID 2192 wrote to memory of 2196 2192 Jonbee32.exe 39 PID 2192 wrote to memory of 2196 2192 Jonbee32.exe 39 PID 2196 wrote to memory of 1768 2196 Jdkjnl32.exe 40 PID 2196 wrote to memory of 1768 2196 Jdkjnl32.exe 40 PID 2196 wrote to memory of 1768 2196 Jdkjnl32.exe 40 PID 2196 wrote to memory of 1768 2196 Jdkjnl32.exe 40 PID 1768 wrote to memory of 1924 1768 Jhffnk32.exe 41 PID 1768 wrote to memory of 1924 1768 Jhffnk32.exe 41 PID 1768 wrote to memory of 1924 1768 Jhffnk32.exe 41 PID 1768 wrote to memory of 1924 1768 Jhffnk32.exe 41 PID 1924 wrote to memory of 1804 1924 Kncofa32.exe 42 PID 1924 wrote to memory of 1804 1924 Kncofa32.exe 42 PID 1924 wrote to memory of 1804 1924 Kncofa32.exe 42 PID 1924 wrote to memory of 1804 1924 Kncofa32.exe 42 PID 1804 wrote to memory of 1820 1804 Kfjggo32.exe 43 PID 1804 wrote to memory of 1820 1804 Kfjggo32.exe 43 PID 1804 wrote to memory of 1820 1804 Kfjggo32.exe 43 PID 1804 wrote to memory of 1820 1804 Kfjggo32.exe 43 PID 1820 wrote to memory of 572 1820 Kglcogeo.exe 44 PID 1820 wrote to memory of 572 1820 Kglcogeo.exe 44 PID 1820 wrote to memory of 572 1820 Kglcogeo.exe 44 PID 1820 wrote to memory of 572 1820 Kglcogeo.exe 44 PID 572 wrote to memory of 2456 572 Kkgopf32.exe 45 PID 572 wrote to memory of 2456 572 Kkgopf32.exe 45 PID 572 wrote to memory of 2456 572 Kkgopf32.exe 45 PID 572 wrote to memory of 2456 572 Kkgopf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe"C:\Users\Admin\AppData\Local\Temp\eff44b3c542e9a5153e3639d7a0d71887eb476c09da3edd0a99674ae21e739ff.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:832 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe33⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe35⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe36⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe37⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe38⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe39⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe40⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe41⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe42⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe43⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe44⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe46⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe47⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe48⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe49⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe52⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe53⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe54⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe55⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe56⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe58⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe60⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe61⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe62⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe63⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe64⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe66⤵PID:688
-
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe67⤵
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe68⤵PID:984
-
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe69⤵PID:2308
-
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe70⤵PID:3060
-
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe71⤵PID:2780
-
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe72⤵PID:1748
-
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe73⤵PID:1868
-
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe75⤵PID:2056
-
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe76⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe77⤵PID:1744
-
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe78⤵PID:1492
-
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe79⤵PID:2140
-
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe80⤵PID:1704
-
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe81⤵PID:1552
-
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe82⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe83⤵PID:2444
-
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe84⤵PID:1984
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe85⤵PID:2616
-
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe86⤵PID:2724
-
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe87⤵PID:2348
-
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe88⤵PID:2396
-
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe90⤵PID:1760
-
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe91⤵PID:1440
-
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe92⤵PID:1772
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe93⤵PID:1628
-
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:440 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe95⤵PID:1708
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe96⤵PID:1300
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe97⤵PID:1732
-
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe98⤵PID:2684
-
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe99⤵PID:2228
-
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe101⤵PID:1232
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe103⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe104⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe105⤵PID:1288
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe106⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe108⤵PID:1396
-
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe109⤵PID:2904
-
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe110⤵PID:2256
-
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe111⤵PID:2080
-
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe112⤵PID:1660
-
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe113⤵PID:2212
-
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe114⤵PID:480
-
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe115⤵PID:1480
-
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe116⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe117⤵PID:2268
-
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2072 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe119⤵PID:2836
-
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe120⤵PID:1976
-
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe121⤵
- System Location Discovery: System Language Discovery
PID:2536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-