Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/09/2024, 22:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe
-
Size
704KB
-
MD5
b802f1cbf325297905db7b30dfd6bc68
-
SHA1
867ed36b19de3fb9fa91085eaf1f82bd144c7605
-
SHA256
6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89
-
SHA512
ec4419811a12acc4c417a986b8aaaa73309523e6e1e8304e70fb3b98a28ad0b76b89841c5789b7fc843d8decac30910359b404f073a701e6d49cd62cc03b1f1f
-
SSDEEP
1536:ILQ3MzHXoUhUi4IhEJzFNT7smPVhRYSw1mir8CAjXoiDEuGg0opGCR9C:T+tW7BhRYSa9rR85DEn5k7rC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nadleilm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkpoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokgdkeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnffj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjpjgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnihiio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nahgoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgbchj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlmbfqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pekbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emmdom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaoaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnkkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efffmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnlgleef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enfckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeelnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmmmmph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpnmbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqphfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikndgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Madjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iialhaad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aflaie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglgjeci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dokgdkeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coadnlnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbnpcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lflbkcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poodpmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdbnjdfg.exe -
Executes dropped EXE 64 IoCs
pid Process 1568 Ocdjpmac.exe 3188 Ophjiaql.exe 1332 Phcomcng.exe 840 Phelcc32.exe 2672 Poodpmca.exe 4428 Pgflqkdd.exe 4344 Phjenbhp.exe 3084 Pcpikkge.exe 3132 Phlacbfm.exe 1416 Qgnbaj32.exe 2248 Qjlnnemp.exe 2808 Qgpogili.exe 3252 Qjnkcekm.exe 388 Qlmgopjq.exe 1636 Acgolj32.exe 1608 Afelhf32.exe 3580 Aompak32.exe 4376 Acilajpk.exe 2320 Agdhbi32.exe 3184 Afghneoo.exe 2172 Ahfdjanb.exe 1200 Amaqjp32.exe 2276 Aqmlknnd.exe 3404 Ackigjmh.exe 2372 Aggegh32.exe 1112 Afjeceml.exe 1192 Aihaoqlp.exe 1972 Amcmpodi.exe 2460 Aobilkcl.exe 2452 Acnemi32.exe 4852 Aflaie32.exe 1780 Aijnep32.exe 3368 Amfjeobf.exe 2476 Aodfajaj.exe 3776 Acpbbi32.exe 3676 Aglnbhal.exe 4056 Ajjjocap.exe 4364 Aimkjp32.exe 916 Amhfkopc.exe 3452 Bogcgj32.exe 1992 Bcbohigp.exe 4820 Bgnkhg32.exe 4340 Biogppeg.exe 884 Bmkcqn32.exe 4680 Bcelmhen.exe 3056 Bgpgng32.exe 2624 Bjodjb32.exe 2888 Bmmpfn32.exe 3328 Boklbi32.exe 220 Bgbdcgld.exe 2528 Bfedoc32.exe 968 Bpnihiio.exe 4716 Bgeaifia.exe 4732 Bjcmebie.exe 4148 Bifmqo32.exe 2376 Bqmeal32.exe 3240 Bppfmigl.exe 2116 Bggnof32.exe 900 Bfjnjcni.exe 1068 Bihjfnmm.exe 4816 Cqpbglno.exe 3372 Cpbbch32.exe 4856 Cgjjdf32.exe 1948 Cjhfpa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aqmlknnd.exe Amaqjp32.exe File opened for modification C:\Windows\SysWOW64\Pkcadhgm.exe Phedhmhi.exe File created C:\Windows\SysWOW64\Fpmehf32.dll Pkenjh32.exe File opened for modification C:\Windows\SysWOW64\Ngjbaj32.exe Nelfeo32.exe File created C:\Windows\SysWOW64\Ecalcl32.dll Akglloai.exe File opened for modification C:\Windows\SysWOW64\Imkbnf32.exe Igajal32.exe File created C:\Windows\SysWOW64\Qpeahb32.exe Qodeajbg.exe File opened for modification C:\Windows\SysWOW64\Pimfpc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cpleig32.exe Cmniml32.exe File opened for modification C:\Windows\SysWOW64\Mniallpq.exe Mjneln32.exe File created C:\Windows\SysWOW64\Ngmeal32.dll Nbnpcj32.exe File created C:\Windows\SysWOW64\Hnoigi32.dll Pedlgbkh.exe File created C:\Windows\SysWOW64\Pkhjph32.exe Plejdkmm.exe File created C:\Windows\SysWOW64\Aqdjon32.dll Bjbfklei.exe File created C:\Windows\SysWOW64\Hcpojd32.exe Hpabni32.exe File created C:\Windows\SysWOW64\Ogjdmbil.exe Opclldhj.exe File opened for modification C:\Windows\SysWOW64\Dnonkq32.exe Dgeenfog.exe File created C:\Windows\SysWOW64\Eqlfhjig.exe Eojiqb32.exe File opened for modification C:\Windows\SysWOW64\Nqcejcha.exe Njjmni32.exe File created C:\Windows\SysWOW64\Qjlnnemp.exe Qgnbaj32.exe File opened for modification C:\Windows\SysWOW64\Djhpgofm.exe Dfmcfp32.exe File created C:\Windows\SysWOW64\Ghmpmgdc.dll Jgadgf32.exe File opened for modification C:\Windows\SysWOW64\Ahqddk32.exe Qebhhp32.exe File opened for modification C:\Windows\SysWOW64\Inlihl32.exe Iknmla32.exe File created C:\Windows\SysWOW64\Nhokljge.exe Naecop32.exe File created C:\Windows\SysWOW64\Iblhpckf.dll Lnldla32.exe File created C:\Windows\SysWOW64\Mgphpe32.exe Moipoh32.exe File opened for modification C:\Windows\SysWOW64\Dpiplm32.exe Cnjdpaki.exe File created C:\Windows\SysWOW64\Dndgfpbo.exe Dkekjdck.exe File created C:\Windows\SysWOW64\Djfcaohp.exe Dhhfedil.exe File opened for modification C:\Windows\SysWOW64\Dfoplpla.exe Dhlpqc32.exe File created C:\Windows\SysWOW64\Hnodaecc.exe Hhbkinel.exe File created C:\Windows\SysWOW64\Pkenjh32.exe Phganm32.exe File created C:\Windows\SysWOW64\Nhqgik32.dll Jncoikmp.exe File created C:\Windows\SysWOW64\Palbgl32.exe Ponfka32.exe File created C:\Windows\SysWOW64\Hqdkac32.dll Aoalgn32.exe File created C:\Windows\SysWOW64\Lippqp32.dll Fbgihaji.exe File created C:\Windows\SysWOW64\Pgflqkdd.exe Poodpmca.exe File created C:\Windows\SysWOW64\Achhaode.dll Fdffbake.exe File created C:\Windows\SysWOW64\Bbaffgag.dll Hkicaahi.exe File opened for modification C:\Windows\SysWOW64\Jdaaaeqg.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Mgclpkac.exe Meepdp32.exe File created C:\Windows\SysWOW64\Bgeemcfc.dll Nmenca32.exe File created C:\Windows\SysWOW64\Ecmomj32.dll Kjmmepfj.exe File opened for modification C:\Windows\SysWOW64\Coiaiakf.exe Cjliajmo.exe File created C:\Windows\SysWOW64\Npbblbdb.dll Dmalne32.exe File created C:\Windows\SysWOW64\Fcgeilmb.dll Dmhand32.exe File created C:\Windows\SysWOW64\Mccfdmmo.exe Madjhb32.exe File created C:\Windows\SysWOW64\Plkpcfal.exe Omjpeo32.exe File opened for modification C:\Windows\SysWOW64\Akglloai.exe Adndoe32.exe File created C:\Windows\SysWOW64\Aoibcl32.dll Dqbcbkab.exe File created C:\Windows\SysWOW64\Fijgdejm.dll Oampjeml.exe File created C:\Windows\SysWOW64\Bkafmd32.exe Bjpjel32.exe File created C:\Windows\SysWOW64\Dkhnjk32.exe Dijbno32.exe File opened for modification C:\Windows\SysWOW64\Kgnbdh32.exe Kofkbk32.exe File created C:\Windows\SysWOW64\Mgmodn32.dll Bmeandma.exe File created C:\Windows\SysWOW64\Hnjfof32.dll Hihibbjo.exe File created C:\Windows\SysWOW64\Iejpiq32.dll Aflaie32.exe File created C:\Windows\SysWOW64\Kopapk32.dll Ginnfgop.exe File created C:\Windows\SysWOW64\Clomci32.dll Jbiejoaj.exe File opened for modification C:\Windows\SysWOW64\Olanmgig.exe Oeheqm32.exe File opened for modification C:\Windows\SysWOW64\Boeebnhp.exe Bhkmec32.exe File created C:\Windows\SysWOW64\Jldbpl32.exe Jifecp32.exe File opened for modification C:\Windows\SysWOW64\Jlgoek32.exe Jemfhacc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6644 6680 Process not Found 1141 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klndfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaicd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcecjmkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqdpgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geoapenf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmmmmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpeahb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egened32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcmpodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indfca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeocna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klggli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjnjcni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maeachag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbccge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkipkani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglgjeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgamnded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djelgied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dannij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbocbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpqkcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmdbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiipmhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noppeaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmikeaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihjfnmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkihnmhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkicaahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filapfbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcali32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjjocap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghcocol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikdcmpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjafok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhmnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hicpgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfedoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mennkfdm.dll" Cgqqdeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dakacjdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Micoed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkofga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijfnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbaffgag.dll" Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcbhah32.dll" Cdecgbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknhhh32.dll" Caghhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpmd32.dll" Jjmcnbdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfbaonae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngfalmm.dll" Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bppfmigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fliabjbh.dll" Bfjnjcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kadcjkfm.dll" Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dikihe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fplpll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giljfddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaqbf32.dll" Hnnljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goniok32.dll" Iialhaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ookoaokf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfoqnae.dll" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdhbppo.dll" Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll" Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coqncejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amhfkopc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpckjfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehkga32.dll" Nabfjpak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kofkbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfendmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gingkqkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkfglb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipgkjlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll" Kiphjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boeebnhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlelal32.dll" Ipjoja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbgkei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hankellh.dll" Ipmbjgpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgjijmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhegobpi.dll" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpcfd32.dll" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnbme32.dll" Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phjenbhp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3772 wrote to memory of 1568 3772 6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe 82 PID 3772 wrote to memory of 1568 3772 6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe 82 PID 3772 wrote to memory of 1568 3772 6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe 82 PID 1568 wrote to memory of 3188 1568 Ocdjpmac.exe 83 PID 1568 wrote to memory of 3188 1568 Ocdjpmac.exe 83 PID 1568 wrote to memory of 3188 1568 Ocdjpmac.exe 83 PID 3188 wrote to memory of 1332 3188 Ophjiaql.exe 84 PID 3188 wrote to memory of 1332 3188 Ophjiaql.exe 84 PID 3188 wrote to memory of 1332 3188 Ophjiaql.exe 84 PID 1332 wrote to memory of 840 1332 Phcomcng.exe 85 PID 1332 wrote to memory of 840 1332 Phcomcng.exe 85 PID 1332 wrote to memory of 840 1332 Phcomcng.exe 85 PID 840 wrote to memory of 2672 840 Phelcc32.exe 86 PID 840 wrote to memory of 2672 840 Phelcc32.exe 86 PID 840 wrote to memory of 2672 840 Phelcc32.exe 86 PID 2672 wrote to memory of 4428 2672 Poodpmca.exe 87 PID 2672 wrote to memory of 4428 2672 Poodpmca.exe 87 PID 2672 wrote to memory of 4428 2672 Poodpmca.exe 87 PID 4428 wrote to memory of 4344 4428 Pgflqkdd.exe 88 PID 4428 wrote to memory of 4344 4428 Pgflqkdd.exe 88 PID 4428 wrote to memory of 4344 4428 Pgflqkdd.exe 88 PID 4344 wrote to memory of 3084 4344 Phjenbhp.exe 89 PID 4344 wrote to memory of 3084 4344 Phjenbhp.exe 89 PID 4344 wrote to memory of 3084 4344 Phjenbhp.exe 89 PID 3084 wrote to memory of 3132 3084 Pcpikkge.exe 90 PID 3084 wrote to memory of 3132 3084 Pcpikkge.exe 90 PID 3084 wrote to memory of 3132 3084 Pcpikkge.exe 90 PID 3132 wrote to memory of 1416 3132 Phlacbfm.exe 91 PID 3132 wrote to memory of 1416 3132 Phlacbfm.exe 91 PID 3132 wrote to memory of 1416 3132 Phlacbfm.exe 91 PID 1416 wrote to memory of 2248 1416 Qgnbaj32.exe 92 PID 1416 wrote to memory of 2248 1416 Qgnbaj32.exe 92 PID 1416 wrote to memory of 2248 1416 Qgnbaj32.exe 92 PID 2248 wrote to memory of 2808 2248 Qjlnnemp.exe 93 PID 2248 wrote to memory of 2808 2248 Qjlnnemp.exe 93 PID 2248 wrote to memory of 2808 2248 Qjlnnemp.exe 93 PID 2808 wrote to memory of 3252 2808 Qgpogili.exe 94 PID 2808 wrote to memory of 3252 2808 Qgpogili.exe 94 PID 2808 wrote to memory of 3252 2808 Qgpogili.exe 94 PID 3252 wrote to memory of 388 3252 Qjnkcekm.exe 95 PID 3252 wrote to memory of 388 3252 Qjnkcekm.exe 95 PID 3252 wrote to memory of 388 3252 Qjnkcekm.exe 95 PID 388 wrote to memory of 1636 388 Qlmgopjq.exe 96 PID 388 wrote to memory of 1636 388 Qlmgopjq.exe 96 PID 388 wrote to memory of 1636 388 Qlmgopjq.exe 96 PID 1636 wrote to memory of 1608 1636 Acgolj32.exe 97 PID 1636 wrote to memory of 1608 1636 Acgolj32.exe 97 PID 1636 wrote to memory of 1608 1636 Acgolj32.exe 97 PID 1608 wrote to memory of 3580 1608 Afelhf32.exe 98 PID 1608 wrote to memory of 3580 1608 Afelhf32.exe 98 PID 1608 wrote to memory of 3580 1608 Afelhf32.exe 98 PID 3580 wrote to memory of 4376 3580 Aompak32.exe 99 PID 3580 wrote to memory of 4376 3580 Aompak32.exe 99 PID 3580 wrote to memory of 4376 3580 Aompak32.exe 99 PID 4376 wrote to memory of 2320 4376 Acilajpk.exe 100 PID 4376 wrote to memory of 2320 4376 Acilajpk.exe 100 PID 4376 wrote to memory of 2320 4376 Acilajpk.exe 100 PID 2320 wrote to memory of 3184 2320 Agdhbi32.exe 101 PID 2320 wrote to memory of 3184 2320 Agdhbi32.exe 101 PID 2320 wrote to memory of 3184 2320 Agdhbi32.exe 101 PID 3184 wrote to memory of 2172 3184 Afghneoo.exe 102 PID 3184 wrote to memory of 2172 3184 Afghneoo.exe 102 PID 3184 wrote to memory of 2172 3184 Afghneoo.exe 102 PID 2172 wrote to memory of 1200 2172 Ahfdjanb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe"C:\Users\Admin\AppData\Local\Temp\6e76c3a39273222c31177b1aa400c83e27454ef4baa42ea2145f45503f58fe89.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe24⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe25⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe26⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe27⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe28⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe30⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe31⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe33⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe34⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe36⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe37⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4056 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe39⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe41⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe42⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe43⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe44⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe45⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe46⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe47⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe48⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe49⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe50⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe51⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe54⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe55⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe56⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe57⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3240 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe59⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe62⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe63⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe64⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe65⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe66⤵PID:3232
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe67⤵PID:4256
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe68⤵PID:736
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:368 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe70⤵PID:4028
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe71⤵PID:4072
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3364 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe73⤵PID:1544
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe74⤵PID:4168
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4612 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe76⤵PID:4048
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe77⤵PID:980
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe78⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe79⤵PID:3820
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe80⤵
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe81⤵PID:4368
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe82⤵PID:1868
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:4436 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe84⤵PID:1108
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe85⤵PID:4356
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe87⤵PID:4860
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe88⤵PID:5160
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe89⤵
- Modifies registry class
PID:5200 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe90⤵PID:5240
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe91⤵PID:5280
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe92⤵PID:5320
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe93⤵PID:5360
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe94⤵PID:5400
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe95⤵
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe96⤵PID:5480
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe97⤵
- Drops file in System32 directory
PID:5516 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe98⤵PID:5560
-
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe99⤵PID:5600
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe100⤵PID:5640
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe101⤵
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe102⤵PID:5720
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe103⤵
- Drops file in System32 directory
PID:5760 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe104⤵PID:5800
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe105⤵PID:5840
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe106⤵PID:5880
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe107⤵PID:5920
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe108⤵
- Drops file in System32 directory
PID:5960 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe109⤵PID:6000
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe110⤵PID:6040
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe111⤵PID:6100
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6136 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe113⤵PID:2972
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe114⤵PID:3832
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe115⤵PID:1984
-
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe116⤵PID:3736
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe117⤵PID:3888
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe119⤵
- System Location Discovery: System Language Discovery
PID:5128 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe120⤵PID:5184
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe121⤵PID:5236
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-