Analysis
-
max time kernel
93s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2024, 07:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1N.exe
-
Size
470KB
-
MD5
f373b70ece2606c0ca2e93618a4c8a60
-
SHA1
3bc3c256e04128a585ed19b81c39b7ce82cc149a
-
SHA256
4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1
-
SHA512
10951f39330224cf649c329ae9fd169304f3e4f77239b59b917a36c260bf583f0ace5a4d8a5e677f409c473b2e218097cbd15a6ae5d189ed3717af4a017d06b6
-
SSDEEP
12288:fqO+Yfa/Qc8QVj94nLiFzN3b7CUq1u2ztB1XQKTQInqyS6Rm6TIJ3l7DurTG9c8:fl+YS4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mahnhhod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnnmhfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmjmekgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlklkgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpolbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okedcjcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljklo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cigkdmel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbfpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehcdfch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aqoiqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aggegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Modpib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkofga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcjcnoej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfaajnfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmladm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbfheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adjjeieh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbjmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfqnbjfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmkofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flfkkhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnkel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajaelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojgjndno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emlenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaboe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhegig32.exe -
Executes dropped EXE 64 IoCs
pid Process 5072 Lnnikdnj.exe 4908 Lnqeqd32.exe 4376 Lfhnaa32.exe 900 Lhkgoiqe.exe 1576 Loeolc32.exe 4516 Lhncdi32.exe 2432 Loglacfo.exe 3208 Lfodbqfa.exe 4260 Mimpolee.exe 4068 Mlklkgei.exe 2524 Mlbbkfoq.exe 1428 Mifcejnj.exe 3924 Niipjj32.exe 3552 Neppokal.exe 3640 Nlleaeff.exe 3696 Nedjjj32.exe 2844 Neffpj32.exe 4388 Nheble32.exe 4604 Opogbbig.exe 4216 Oocddono.exe 756 Ogklelna.exe 2684 Oiihahme.exe 3292 Ocdjpmac.exe 456 Pjpobg32.exe 2260 Pfgogh32.exe 4580 Phhhhc32.exe 3080 Pflibgil.exe 2648 Ppamophb.exe 2400 Qcbfakec.exe 3368 Qoifflkg.exe 2156 Qcdbfk32.exe 1220 Aokcklid.exe 1340 Aompak32.exe 4484 Ajcdnd32.exe 2620 Amaqjp32.exe 2600 Aggegh32.exe 4048 Aihaoqlp.exe 2408 Aqoiqn32.exe 1064 Ajhniccb.exe 4524 Aglnbhal.exe 1984 Bgnkhg32.exe 1512 Bjlgdc32.exe 2820 Bcelmhen.exe 2108 Bgbdcgld.exe 3232 Bqkill32.exe 1852 Bjcmebie.exe 764 Bppfmigl.exe 5004 Bihjfnmm.exe 4884 Cqpbglno.exe 4828 Cgjjdf32.exe 1884 Ccqkigkp.exe 768 Cimcan32.exe 1044 Cadlbk32.exe 4416 Cjmpkqqj.exe 4752 Cceddf32.exe 3520 Caienjfd.exe 212 Cgcmjd32.exe 948 Dpnbog32.exe 1644 Dgejpd32.exe 2676 Djdflp32.exe 3396 Dfjgaq32.exe 4808 Dmdonkgc.exe 1600 Dhjckcgi.exe 1236 Dmglcj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Emdajb32.exe Efjimhnh.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Eehicoel.exe File created C:\Windows\SysWOW64\Pipeabep.dll Cnfkdb32.exe File created C:\Windows\SysWOW64\Fpnkah32.dll Nbbeml32.exe File opened for modification C:\Windows\SysWOW64\Epffbd32.exe Process not Found File created C:\Windows\SysWOW64\Lbekag32.dll Bbdhiojo.exe File created C:\Windows\SysWOW64\Gpolbo32.exe Gghdaa32.exe File created C:\Windows\SysWOW64\Ogklelna.exe Oocddono.exe File opened for modification C:\Windows\SysWOW64\Afinioip.exe Ackbmcjl.exe File created C:\Windows\SysWOW64\Bjicdmmd.exe Abbkcpma.exe File opened for modification C:\Windows\SysWOW64\Cgifbhid.exe Cdkifmjq.exe File created C:\Windows\SysWOW64\Koonge32.exe Kheekkjl.exe File created C:\Windows\SysWOW64\Edogedqq.dll Bgbdcgld.exe File created C:\Windows\SysWOW64\Mcpeiqdc.dll Dfjgaq32.exe File created C:\Windows\SysWOW64\Gehbjm32.exe Fnnjmbpm.exe File opened for modification C:\Windows\SysWOW64\Qpeahb32.exe Qjiipk32.exe File opened for modification C:\Windows\SysWOW64\Enpfan32.exe Ekajec32.exe File opened for modification C:\Windows\SysWOW64\Glfmgp32.exe Gbnhoj32.exe File created C:\Windows\SysWOW64\Hbohpn32.exe Hlepcdoa.exe File created C:\Windows\SysWOW64\Klfaapbl.exe Kncaec32.exe File created C:\Windows\SysWOW64\Fboqkn32.dll Lcnfohmi.exe File created C:\Windows\SysWOW64\Bmgagk32.dll Mmfkhmdi.exe File created C:\Windows\SysWOW64\Iohmnmmb.dll Akdilipp.exe File created C:\Windows\SysWOW64\Ecgodpgb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hglaej32.exe Haoimcgg.exe File created C:\Windows\SysWOW64\Cjelhg32.dll Gpecbk32.exe File opened for modification C:\Windows\SysWOW64\Hehdfdek.exe Halhfe32.exe File created C:\Windows\SysWOW64\Lckggdbo.dll Iiopca32.exe File opened for modification C:\Windows\SysWOW64\Loacdc32.exe Ljdkll32.exe File created C:\Windows\SysWOW64\Mbdiknlb.exe Mpclce32.exe File opened for modification C:\Windows\SysWOW64\Dkbocbog.exe Diccgfpd.exe File opened for modification C:\Windows\SysWOW64\Mjdebfnd.exe Mgehfkop.exe File created C:\Windows\SysWOW64\Dqnjgl32.exe Dolmodpi.exe File created C:\Windows\SysWOW64\Aeaanjkl.exe Amjillkj.exe File opened for modification C:\Windows\SysWOW64\Kheekkjl.exe Kefiopki.exe File created C:\Windows\SysWOW64\Jjgkan32.dll Oikjkc32.exe File created C:\Windows\SysWOW64\Enqjamin.dll Jjopcb32.exe File created C:\Windows\SysWOW64\Ljhpog32.dll Naecop32.exe File opened for modification C:\Windows\SysWOW64\Hlpfhe32.exe Hefnkkkj.exe File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe Mjodla32.exe File created C:\Windows\SysWOW64\Fkofga32.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Lfojfj32.dll Halhfe32.exe File created C:\Windows\SysWOW64\Ganmcc32.dll Hjhalefe.exe File opened for modification C:\Windows\SysWOW64\Aagkhd32.exe Amlogfel.exe File created C:\Windows\SysWOW64\Iacngdgj.exe Ipbaol32.exe File created C:\Windows\SysWOW64\Emlmcm32.dll Lpgmhg32.exe File created C:\Windows\SysWOW64\Cdjblf32.exe Cmpjoloh.exe File created C:\Windows\SysWOW64\Fmfgek32.exe Feoodn32.exe File opened for modification C:\Windows\SysWOW64\Ihdldn32.exe Iialhaad.exe File opened for modification C:\Windows\SysWOW64\Olgncmim.exe Oihagaji.exe File created C:\Windows\SysWOW64\Blqllqqa.exe Bffcpg32.exe File created C:\Windows\SysWOW64\Eehicoel.exe Ebimgcfi.exe File opened for modification C:\Windows\SysWOW64\Kfpcoefj.exe Kcbfcigf.exe File created C:\Windows\SysWOW64\Fliabjbh.dll Bppfmigl.exe File created C:\Windows\SysWOW64\Jkhgmf32.exe Jglklggl.exe File opened for modification C:\Windows\SysWOW64\Pocfpf32.exe Plejdkmm.exe File created C:\Windows\SysWOW64\Ickglm32.exe Iplkpa32.exe File opened for modification C:\Windows\SysWOW64\Jhifomdj.exe Jekjcaef.exe File created C:\Windows\SysWOW64\Anfjipgp.dll Cfnqklgh.exe File opened for modification C:\Windows\SysWOW64\Dolmodpi.exe Dhbebj32.exe File opened for modification C:\Windows\SysWOW64\Gpecbk32.exe Gikkfqmf.exe File opened for modification C:\Windows\SysWOW64\Kcbfcigf.exe Klhnfo32.exe File created C:\Windows\SysWOW64\Bgkiaj32.exe Apaadpng.exe File created C:\Windows\SysWOW64\Amaqjp32.exe Ajcdnd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7020 7308 Process not Found 1147 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllhpkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqmiinl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpdhboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poimpapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhcgaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idbodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbmkpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edbiniff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paihlpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihjfnmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiahnnph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgdcipq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkadoiip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcmbee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhnfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjbmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhnaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkgkapm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdlangb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haaaaeim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amkhmoap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiihahme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqkill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmihij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbdcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjfgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neppokal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidphgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opogbbig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnoki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoknihb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqmpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiejmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjellmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epndknin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcbfakec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milidebi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joekag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnkhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokdnjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmbegqjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qebhhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flinkojm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljbnfleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpclce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edogedqq.dll" Bgbdcgld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeofeib.dll" Omqmop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chqogq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgnkhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgdejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjodla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qofcff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfejnf32.dll" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjiipk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhndljll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Offnhpfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Naecop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkokcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dickplko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll" Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichelm32.dll" Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igleoo32.dll" Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhpfjhc.dll" Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeaodnk.dll" Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eehicoel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfhhpnk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epikpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nadleilm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qljcoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aphnnafb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdagpnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpnbog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll" Bfkbfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ampaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhmla32.dll" Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkadoiip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpnbd32.dll" Aahbbkaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qikbaaml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmdkcnie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhofmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahqoq32.dll" Abponp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll" Amqhbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmglcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfgjhf32.dll" Ggnedlao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edbiniff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piapkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpkgc32.dll" Hlhccj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enkmfolf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 5072 2120 4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1N.exe 82 PID 2120 wrote to memory of 5072 2120 4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1N.exe 82 PID 2120 wrote to memory of 5072 2120 4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1N.exe 82 PID 5072 wrote to memory of 4908 5072 Lnnikdnj.exe 83 PID 5072 wrote to memory of 4908 5072 Lnnikdnj.exe 83 PID 5072 wrote to memory of 4908 5072 Lnnikdnj.exe 83 PID 4908 wrote to memory of 4376 4908 Lnqeqd32.exe 84 PID 4908 wrote to memory of 4376 4908 Lnqeqd32.exe 84 PID 4908 wrote to memory of 4376 4908 Lnqeqd32.exe 84 PID 4376 wrote to memory of 900 4376 Lfhnaa32.exe 85 PID 4376 wrote to memory of 900 4376 Lfhnaa32.exe 85 PID 4376 wrote to memory of 900 4376 Lfhnaa32.exe 85 PID 900 wrote to memory of 1576 900 Lhkgoiqe.exe 86 PID 900 wrote to memory of 1576 900 Lhkgoiqe.exe 86 PID 900 wrote to memory of 1576 900 Lhkgoiqe.exe 86 PID 1576 wrote to memory of 4516 1576 Loeolc32.exe 87 PID 1576 wrote to memory of 4516 1576 Loeolc32.exe 87 PID 1576 wrote to memory of 4516 1576 Loeolc32.exe 87 PID 4516 wrote to memory of 2432 4516 Lhncdi32.exe 88 PID 4516 wrote to memory of 2432 4516 Lhncdi32.exe 88 PID 4516 wrote to memory of 2432 4516 Lhncdi32.exe 88 PID 2432 wrote to memory of 3208 2432 Loglacfo.exe 89 PID 2432 wrote to memory of 3208 2432 Loglacfo.exe 89 PID 2432 wrote to memory of 3208 2432 Loglacfo.exe 89 PID 3208 wrote to memory of 4260 3208 Lfodbqfa.exe 90 PID 3208 wrote to memory of 4260 3208 Lfodbqfa.exe 90 PID 3208 wrote to memory of 4260 3208 Lfodbqfa.exe 90 PID 4260 wrote to memory of 4068 4260 Mimpolee.exe 91 PID 4260 wrote to memory of 4068 4260 Mimpolee.exe 91 PID 4260 wrote to memory of 4068 4260 Mimpolee.exe 91 PID 4068 wrote to memory of 2524 4068 Mlklkgei.exe 92 PID 4068 wrote to memory of 2524 4068 Mlklkgei.exe 92 PID 4068 wrote to memory of 2524 4068 Mlklkgei.exe 92 PID 2524 wrote to memory of 1428 2524 Mlbbkfoq.exe 93 PID 2524 wrote to memory of 1428 2524 Mlbbkfoq.exe 93 PID 2524 wrote to memory of 1428 2524 Mlbbkfoq.exe 93 PID 1428 wrote to memory of 3924 1428 Mifcejnj.exe 94 PID 1428 wrote to memory of 3924 1428 Mifcejnj.exe 94 PID 1428 wrote to memory of 3924 1428 Mifcejnj.exe 94 PID 3924 wrote to memory of 3552 3924 Niipjj32.exe 95 PID 3924 wrote to memory of 3552 3924 Niipjj32.exe 95 PID 3924 wrote to memory of 3552 3924 Niipjj32.exe 95 PID 3552 wrote to memory of 3640 3552 Neppokal.exe 96 PID 3552 wrote to memory of 3640 3552 Neppokal.exe 96 PID 3552 wrote to memory of 3640 3552 Neppokal.exe 96 PID 3640 wrote to memory of 3696 3640 Nlleaeff.exe 97 PID 3640 wrote to memory of 3696 3640 Nlleaeff.exe 97 PID 3640 wrote to memory of 3696 3640 Nlleaeff.exe 97 PID 3696 wrote to memory of 2844 3696 Nedjjj32.exe 98 PID 3696 wrote to memory of 2844 3696 Nedjjj32.exe 98 PID 3696 wrote to memory of 2844 3696 Nedjjj32.exe 98 PID 2844 wrote to memory of 4388 2844 Neffpj32.exe 99 PID 2844 wrote to memory of 4388 2844 Neffpj32.exe 99 PID 2844 wrote to memory of 4388 2844 Neffpj32.exe 99 PID 4388 wrote to memory of 4604 4388 Nheble32.exe 100 PID 4388 wrote to memory of 4604 4388 Nheble32.exe 100 PID 4388 wrote to memory of 4604 4388 Nheble32.exe 100 PID 4604 wrote to memory of 4216 4604 Opogbbig.exe 101 PID 4604 wrote to memory of 4216 4604 Opogbbig.exe 101 PID 4604 wrote to memory of 4216 4604 Opogbbig.exe 101 PID 4216 wrote to memory of 756 4216 Oocddono.exe 102 PID 4216 wrote to memory of 756 4216 Oocddono.exe 102 PID 4216 wrote to memory of 756 4216 Oocddono.exe 102 PID 756 wrote to memory of 2684 756 Ogklelna.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1N.exe"C:\Users\Admin\AppData\Local\Temp\4ff7d6633268add3103f0b2d48981aaf18ccdae78979ac2b9e02db80e977aad1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe24⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe25⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe26⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe27⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe28⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe29⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe31⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe32⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe33⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe34⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4484 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe36⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe38⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe40⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe41⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe43⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe44⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe47⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe50⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe51⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe52⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe54⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe55⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe56⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe58⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe60⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe61⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe64⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe66⤵PID:2304
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe67⤵
- System Location Discovery: System Language Discovery
PID:4532 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe68⤵PID:2444
-
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe69⤵PID:3756
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3772 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe71⤵PID:4540
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe72⤵PID:532
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe73⤵PID:4452
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe74⤵PID:2380
-
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe75⤵PID:2160
-
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe76⤵PID:4600
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe77⤵PID:628
-
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe78⤵PID:4960
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe79⤵PID:3424
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe80⤵PID:4008
-
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe81⤵PID:3828
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe83⤵
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe84⤵PID:1224
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe85⤵PID:3920
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe86⤵
- System Location Discovery: System Language Discovery
PID:3212 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe87⤵PID:3356
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe88⤵PID:3860
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe90⤵PID:1768
-
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe91⤵
- Modifies registry class
PID:3576 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe92⤵
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe93⤵PID:2816
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe94⤵PID:4776
-
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe95⤵PID:5000
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe96⤵PID:3764
-
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe97⤵PID:1012
-
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe98⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe99⤵PID:2788
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe100⤵PID:3788
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe101⤵PID:4612
-
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe102⤵
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe103⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe104⤵PID:2868
-
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe105⤵PID:1200
-
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe106⤵PID:5132
-
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5176 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe108⤵PID:5216
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe109⤵
- System Location Discovery: System Language Discovery
PID:5260 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5296 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe111⤵PID:5344
-
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe112⤵PID:5392
-
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe113⤵PID:5436
-
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe114⤵PID:5476
-
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe115⤵PID:5512
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe116⤵PID:5556
-
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe117⤵PID:5600
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe118⤵PID:5636
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe119⤵PID:5680
-
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe120⤵PID:5724
-
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe121⤵PID:5764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-