Analysis
-
max time kernel
96s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2024 19:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe
-
Size
93KB
-
MD5
018cd4a7bdcd050ee73081a209788118
-
SHA1
edbc79af14a863ce1aef00744ec6fc10641709a4
-
SHA256
1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f
-
SHA512
0bfaa041b2d48957e5626212ac4f0cca803de8b953ca845e074f598b264e598b74310692fac9e3c713eaed53a01bec26001bd6f7c7ac495d0b70dbc455c3704c
-
SSDEEP
1536:P+VlyXxL3rsvOZkR/SIXa4JLTYGubh9uz85vpsaMiwihtIbbpkp:PcyBzrs2aR/SIJLbkMz85RdMiwaIbbp4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Embddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okedcjcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnffjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fneggdhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlnkmnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eplgeokq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oldamm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflfac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahaceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfkdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjdaodja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaldccip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bopocbcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kglmio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llhikacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qohpkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efblbbqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njiegl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnmkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaqbkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgibpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpdhkf32.exe -
Executes dropped EXE 64 IoCs
pid Process 4500 Lajagj32.exe 1108 Lkofdbkj.exe 3032 Lnnbqnjn.exe 1140 Lalnmiia.exe 3052 Lkabjbih.exe 3340 Lnpofnhk.exe 1532 Lejgch32.exe 4076 Ljgpkonp.exe 4876 Lbngllob.exe 1740 Lndham32.exe 2872 Lacdmh32.exe 3704 Lhmmjbkf.exe 876 Llhikacp.exe 4804 Meamcg32.exe 3284 Mlkepaam.exe 1004 Mbenmk32.exe 1336 Mlmbfqoj.exe 3060 Mbgjbkfg.exe 4800 Meefofek.exe 2812 Mlpokp32.exe 4904 Malgcg32.exe 2724 Mhfppabl.exe 2192 Mblcnj32.exe 2808 Mejpje32.exe 952 Mldhfpib.exe 1224 Nbnpcj32.exe 3952 Nhkikq32.exe 3960 Njiegl32.exe 3116 Nacmdf32.exe 1200 Nhmeapmd.exe 2348 Nognnj32.exe 852 Nhpbfpka.exe 1564 Nknobkje.exe 4256 Neccpd32.exe 2536 Nlnkmnah.exe 1396 Nbgcih32.exe 2296 Nefped32.exe 1840 Nlphbnoe.exe 1012 Oondnini.exe 540 Oehlkc32.exe 3160 Ohghgodi.exe 4484 Okedcjcm.exe 1844 Oblmdhdo.exe 2124 Oifeab32.exe 3012 Oldamm32.exe 3108 Oboijgbl.exe 4580 Oemefcap.exe 3344 Olgncmim.exe 2160 Obafpg32.exe 3944 Oiknlagg.exe 4036 Ohnohn32.exe 4408 Oohgdhfn.exe 3444 Oeaoab32.exe 2908 Pllgnl32.exe 2508 Pcepkfld.exe 3664 Pedlgbkh.exe 3916 Plndcl32.exe 4872 Phedhmhi.exe 2748 Poomegpf.exe 2200 Peieba32.exe 348 Phganm32.exe 3852 Papfgbmg.exe 2920 Phincl32.exe 4760 Pcobaedj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eonklp32.dll Jdfjld32.exe File created C:\Windows\SysWOW64\Najmjokc.exe Nnkpnclp.exe File opened for modification C:\Windows\SysWOW64\Mogcihaj.exe Mnegbp32.exe File opened for modification C:\Windows\SysWOW64\Poomegpf.exe Phedhmhi.exe File created C:\Windows\SysWOW64\Bgelgi32.exe Bpkdjofm.exe File created C:\Windows\SysWOW64\Bhpopokm.dll Fimhjl32.exe File created C:\Windows\SysWOW64\Hidgai32.exe Hoobdp32.exe File created C:\Windows\SysWOW64\Ckjinf32.dll Gmafajfi.exe File created C:\Windows\SysWOW64\Amdcghbo.dll Jpcapp32.exe File created C:\Windows\SysWOW64\Fjhacf32.exe Elgaeolp.exe File created C:\Windows\SysWOW64\Nbkdke32.dll Kggcnoic.exe File created C:\Windows\SysWOW64\Anqlll32.dll Ohhnbhok.exe File created C:\Windows\SysWOW64\Paelfmaf.exe Omjpeo32.exe File created C:\Windows\SysWOW64\Blgifbil.exe Bdpaeehj.exe File opened for modification C:\Windows\SysWOW64\Bhbcfbjk.exe Bahkih32.exe File created C:\Windows\SysWOW64\Jhnhbn32.dll Ecbjkngo.exe File opened for modification C:\Windows\SysWOW64\Omnjojpo.exe Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Aeddnp32.exe Acfhad32.exe File opened for modification C:\Windows\SysWOW64\Hplicjok.exe Hbhijepa.exe File created C:\Windows\SysWOW64\Bicdfa32.dll Lkofdbkj.exe File opened for modification C:\Windows\SysWOW64\Mqkiok32.exe Mfeeabda.exe File created C:\Windows\SysWOW64\Qobhkjdi.exe Qhhpop32.exe File created C:\Windows\SysWOW64\Nmnpml32.dll Eplgeokq.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Qhjmdp32.exe File created C:\Windows\SysWOW64\Lnpofnhk.exe Lkabjbih.exe File opened for modification C:\Windows\SysWOW64\Dbnmke32.exe Dkceokii.exe File opened for modification C:\Windows\SysWOW64\Lobjni32.exe Lnangaoa.exe File created C:\Windows\SysWOW64\Akfiji32.dll Nclbpf32.exe File opened for modification C:\Windows\SysWOW64\Paeelgnj.exe Pjkmomfn.exe File created C:\Windows\SysWOW64\Bbiado32.exe Bokehc32.exe File created C:\Windows\SysWOW64\Qdphngfl.exe Qmepam32.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bahkih32.exe File created C:\Windows\SysWOW64\Mjnafk32.dll Mlpokp32.exe File opened for modification C:\Windows\SysWOW64\Kdbjhbbd.exe Knhakh32.exe File created C:\Windows\SysWOW64\Lgnqimah.dll Ojbacd32.exe File opened for modification C:\Windows\SysWOW64\Fpejlmcf.exe Fmfnpa32.exe File created C:\Windows\SysWOW64\Nmpgal32.dll Hplicjok.exe File created C:\Windows\SysWOW64\Ekhobd32.dll Aoalgn32.exe File created C:\Windows\SysWOW64\Gblbca32.exe Gpnfge32.exe File created C:\Windows\SysWOW64\Oakbehfe.exe Onmfimga.exe File created C:\Windows\SysWOW64\Faikapbo.dll Aanbhp32.exe File created C:\Windows\SysWOW64\Bohibc32.exe Bljlfh32.exe File created C:\Windows\SysWOW64\Aeddnp32.exe Acfhad32.exe File opened for modification C:\Windows\SysWOW64\Ekkkoj32.exe Deqcbpld.exe File opened for modification C:\Windows\SysWOW64\Gdaociml.exe Gikkfqmf.exe File opened for modification C:\Windows\SysWOW64\Mchppmij.exe Mkmkkjko.exe File opened for modification C:\Windows\SysWOW64\Ohkkhhmh.exe Oaqbkn32.exe File opened for modification C:\Windows\SysWOW64\Bahkih32.exe Bkobmnka.exe File opened for modification C:\Windows\SysWOW64\Jllokajf.exe Jgpfbjlo.exe File created C:\Windows\SysWOW64\Igigla32.exe Ikbfgppo.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Bhbcfbjk.exe File created C:\Windows\SysWOW64\Icfekc32.exe Iinqbn32.exe File created C:\Windows\SysWOW64\Ljfhqh32.exe Lggldm32.exe File created C:\Windows\SysWOW64\Nnfgcd32.exe Nhmofj32.exe File created C:\Windows\SysWOW64\Aopemh32.exe Ahfmpnql.exe File created C:\Windows\SysWOW64\Hlfpph32.dll Bpdnjple.exe File created C:\Windows\SysWOW64\Iblhpckf.dll Ljqhkckn.exe File created C:\Windows\SysWOW64\Panhbfep.exe Pnplfj32.exe File opened for modification C:\Windows\SysWOW64\Pjkmomfn.exe Ocaebc32.exe File created C:\Windows\SysWOW64\Nknobkje.exe Nhpbfpka.exe File created C:\Windows\SysWOW64\Palbgl32.exe Pkbjjbda.exe File created C:\Windows\SysWOW64\Mdpmoppk.dll Pkbjjbda.exe File created C:\Windows\SysWOW64\Egjogddi.dll Pedlgbkh.exe File created C:\Windows\SysWOW64\Ikpjbq32.exe Icfekc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12928 12848 WerFault.exe 632 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoabad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkgje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemkelcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimqajgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeddnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coegoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjdpaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgnemjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbjkngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fneggdhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikkfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljqhkckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcihaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihnomjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiglnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcimdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqqkkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkknogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgplado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbfklei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgepom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iliinc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adhdjpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfmpnql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkofdbkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohgdhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domdjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnlecmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bljlfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblgpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmmmmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngndaccj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpfqcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijbno32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnhbn32.dll" Ecbjkngo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anaemfem.dll" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnafk32.dll" Mlpokp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikbfgppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkjji32.dll" Mbenmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppihoe32.dll" Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceifibod.dll" Qljcoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnbpa32.dll" Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpphjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" Cljobphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peieba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgffoo32.dll" Ieidhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdmfllhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdliee32.dll" Pllgnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cohkokgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiebmc32.dll" Mlmbfqoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jllokajf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klcekpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igigla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chglab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmfgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll" Nqpcjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gikkfqmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mchppmij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieidhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micoommd.dll" Ccmgiaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikpjbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naecop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfhllkp.dll" Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmimp32.dll" Lqmmmmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahici32.dll" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll" Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbigf32.dll" Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnipbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keimof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njhgbp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2548 wrote to memory of 4500 2548 1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe 83 PID 2548 wrote to memory of 4500 2548 1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe 83 PID 2548 wrote to memory of 4500 2548 1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe 83 PID 4500 wrote to memory of 1108 4500 Lajagj32.exe 84 PID 4500 wrote to memory of 1108 4500 Lajagj32.exe 84 PID 4500 wrote to memory of 1108 4500 Lajagj32.exe 84 PID 1108 wrote to memory of 3032 1108 Lkofdbkj.exe 85 PID 1108 wrote to memory of 3032 1108 Lkofdbkj.exe 85 PID 1108 wrote to memory of 3032 1108 Lkofdbkj.exe 85 PID 3032 wrote to memory of 1140 3032 Lnnbqnjn.exe 86 PID 3032 wrote to memory of 1140 3032 Lnnbqnjn.exe 86 PID 3032 wrote to memory of 1140 3032 Lnnbqnjn.exe 86 PID 1140 wrote to memory of 3052 1140 Lalnmiia.exe 87 PID 1140 wrote to memory of 3052 1140 Lalnmiia.exe 87 PID 1140 wrote to memory of 3052 1140 Lalnmiia.exe 87 PID 3052 wrote to memory of 3340 3052 Lkabjbih.exe 88 PID 3052 wrote to memory of 3340 3052 Lkabjbih.exe 88 PID 3052 wrote to memory of 3340 3052 Lkabjbih.exe 88 PID 3340 wrote to memory of 1532 3340 Lnpofnhk.exe 89 PID 3340 wrote to memory of 1532 3340 Lnpofnhk.exe 89 PID 3340 wrote to memory of 1532 3340 Lnpofnhk.exe 89 PID 1532 wrote to memory of 4076 1532 Lejgch32.exe 90 PID 1532 wrote to memory of 4076 1532 Lejgch32.exe 90 PID 1532 wrote to memory of 4076 1532 Lejgch32.exe 90 PID 4076 wrote to memory of 4876 4076 Ljgpkonp.exe 91 PID 4076 wrote to memory of 4876 4076 Ljgpkonp.exe 91 PID 4076 wrote to memory of 4876 4076 Ljgpkonp.exe 91 PID 4876 wrote to memory of 1740 4876 Lbngllob.exe 93 PID 4876 wrote to memory of 1740 4876 Lbngllob.exe 93 PID 4876 wrote to memory of 1740 4876 Lbngllob.exe 93 PID 1740 wrote to memory of 2872 1740 Lndham32.exe 94 PID 1740 wrote to memory of 2872 1740 Lndham32.exe 94 PID 1740 wrote to memory of 2872 1740 Lndham32.exe 94 PID 2872 wrote to memory of 3704 2872 Lacdmh32.exe 96 PID 2872 wrote to memory of 3704 2872 Lacdmh32.exe 96 PID 2872 wrote to memory of 3704 2872 Lacdmh32.exe 96 PID 3704 wrote to memory of 876 3704 Lhmmjbkf.exe 97 PID 3704 wrote to memory of 876 3704 Lhmmjbkf.exe 97 PID 3704 wrote to memory of 876 3704 Lhmmjbkf.exe 97 PID 876 wrote to memory of 4804 876 Llhikacp.exe 98 PID 876 wrote to memory of 4804 876 Llhikacp.exe 98 PID 876 wrote to memory of 4804 876 Llhikacp.exe 98 PID 4804 wrote to memory of 3284 4804 Meamcg32.exe 99 PID 4804 wrote to memory of 3284 4804 Meamcg32.exe 99 PID 4804 wrote to memory of 3284 4804 Meamcg32.exe 99 PID 3284 wrote to memory of 1004 3284 Mlkepaam.exe 100 PID 3284 wrote to memory of 1004 3284 Mlkepaam.exe 100 PID 3284 wrote to memory of 1004 3284 Mlkepaam.exe 100 PID 1004 wrote to memory of 1336 1004 Mbenmk32.exe 101 PID 1004 wrote to memory of 1336 1004 Mbenmk32.exe 101 PID 1004 wrote to memory of 1336 1004 Mbenmk32.exe 101 PID 1336 wrote to memory of 3060 1336 Mlmbfqoj.exe 103 PID 1336 wrote to memory of 3060 1336 Mlmbfqoj.exe 103 PID 1336 wrote to memory of 3060 1336 Mlmbfqoj.exe 103 PID 3060 wrote to memory of 4800 3060 Mbgjbkfg.exe 104 PID 3060 wrote to memory of 4800 3060 Mbgjbkfg.exe 104 PID 3060 wrote to memory of 4800 3060 Mbgjbkfg.exe 104 PID 4800 wrote to memory of 2812 4800 Meefofek.exe 105 PID 4800 wrote to memory of 2812 4800 Meefofek.exe 105 PID 4800 wrote to memory of 2812 4800 Meefofek.exe 105 PID 2812 wrote to memory of 4904 2812 Mlpokp32.exe 106 PID 2812 wrote to memory of 4904 2812 Mlpokp32.exe 106 PID 2812 wrote to memory of 4904 2812 Mlpokp32.exe 106 PID 4904 wrote to memory of 2724 4904 Malgcg32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe"C:\Users\Admin\AppData\Local\Temp\1661c07b4dc414bc21e9a1f8f0c573c96c23afd4ac1c0ecc2da7cc551b6cb17f.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe23⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe25⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe26⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe27⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe31⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe32⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe34⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe37⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe38⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe39⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe40⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe41⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe42⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe47⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe48⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe50⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe51⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe52⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe54⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe56⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3664 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe58⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe59⤵
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe61⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe63⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe64⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe65⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe66⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe68⤵PID:2032
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe69⤵PID:968
-
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe70⤵PID:5036
-
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe71⤵
- Modifies registry class
PID:3252 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4956 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe73⤵PID:3380
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe74⤵PID:3048
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe75⤵PID:1160
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe76⤵
- Drops file in System32 directory
PID:3368 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe77⤵
- System Location Discovery: System Language Discovery
PID:3304 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe78⤵PID:1348
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe79⤵PID:748
-
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe80⤵PID:2876
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4364 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe82⤵
- System Location Discovery: System Language Discovery
PID:4944 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe83⤵
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe84⤵
- System Location Discovery: System Language Discovery
PID:3564 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe85⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe86⤵PID:2776
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe87⤵PID:3696
-
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe88⤵PID:2188
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe89⤵PID:1228
-
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe92⤵
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe93⤵PID:5144
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe94⤵PID:5196
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe95⤵
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe96⤵PID:5304
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe97⤵PID:5356
-
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe98⤵PID:5424
-
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe99⤵PID:5480
-
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe100⤵PID:5540
-
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe101⤵PID:5584
-
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe102⤵
- System Location Discovery: System Language Discovery
PID:5616 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe103⤵PID:5672
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5716 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe105⤵PID:5764
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe106⤵PID:5812
-
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe107⤵PID:5860
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe108⤵
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe109⤵PID:5980
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe110⤵PID:6024
-
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe111⤵PID:6068
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe112⤵PID:6108
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe113⤵PID:5136
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe114⤵
- System Location Discovery: System Language Discovery
PID:5208 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5284 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe116⤵PID:5404
-
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe117⤵PID:5488
-
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe118⤵PID:5572
-
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe119⤵PID:5652
-
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5712 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-