Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 18:41
Static task: static1
Behavioral task: behavioral1
  Sample: c384f5e83f50366e03860baea4de49b0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c384f5e83f50366e03860baea4de49b0N.exe
  Resource: win10v2004-20240802-en
General
Target: c384f5e83f50366e03860baea4de49b0N.exe
Size: 364KB
MD5:
c384f5e83f50366e03860baea4de49b0
SHA1:
24e883b4ed2004efd33a060933abce55b2c69be1
SHA256:
b6aa3e0e61f8a4884b74defedecbc54f9fa6dd6d8e5cde0e2273adf28f54d6bd
SHA512:
26a7ee1dcbe8f3207c67349077cf74dd312d61cd3b9bedf5d0905e488224421fa1c51e946cc57720a7320b3bfd6c9eada848e5753f2265c070dcee3de4bef850
SSDEEP:
3072:xxhO4XNKl9/pDDB24ho1mtye3lFDrFDHZtOga24ho1mtye3lfTl0vFXo+RoaFcyo:DfNgDusFj5tT3sF70/HwnrsFj5tT3sF
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4908, pid_target: 2840, Process: WerFault.exe, procid_target: 958
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4528 wrote to memory of 3520 4528 c384f5e83f50366e03860baea4de49b0N.exe 84 PID 4528 wrote to memory of 3520 4528 c384f5e83f50366e03860baea4de49b0N.exe 84 PID 4528 wrote to memory of 3520 4528 c384f5e83f50366e03860baea4de49b0N.exe 84 PID 3520 wrote to memory of 704 3520 Bmocnb32.exe 85 PID 3520 wrote to memory of 704 3520 Bmocnb32.exe 85 PID 3520 wrote to memory of 704 3520 Bmocnb32.exe 85 PID 704 wrote to memory of 696 704 Cjbdgf32.exe 86 PID 704 wrote to memory of 696 704 Cjbdgf32.exe 86 PID 704 wrote to memory of 696 704 Cjbdgf32.exe 86 PID 696 wrote to memory of 2928 696 Calldppd.exe 87 PID 696 wrote to memory of 2928 696 Calldppd.exe 87 PID 696 wrote to memory of 2928 696 Calldppd.exe 87 PID 2928 wrote to memory of 1664 2928 Cfielg32.exe 88 PID 2928 wrote to memory of 1664 2928 Cfielg32.exe 88 PID 2928 wrote to memory of 1664 2928 Cfielg32.exe 88 PID 1664 wrote to memory of 3028 1664 Cpaiemdl.exe 89 PID 1664 wrote to memory of 3028 1664 Cpaiemdl.exe 89 PID 1664 wrote to memory of 3028 1664 Cpaiemdl.exe 89 PID 3028 wrote to memory of 1820 3028 Cflaag32.exe 90 PID 3028 wrote to memory of 1820 3028 Cflaag32.exe 90 PID 3028 wrote to memory of 1820 3028 Cflaag32.exe 90 PID 1820 wrote to memory of 2448 1820 Cmejnacf.exe 91 PID 1820 wrote to memory of 2448 1820 Cmejnacf.exe 91 PID 1820 wrote to memory of 2448 1820 Cmejnacf.exe 91 PID 2448 wrote to memory of 212 2448 Ccpbkk32.exe 92 PID 2448 wrote to memory of 212 2448 Ccpbkk32.exe 92 PID 2448 wrote to memory of 212 2448 Ccpbkk32.exe 92 PID 212 wrote to memory of 1096 212 Cmhfdq32.exe 93 PID 212 wrote to memory of 1096 212 Cmhfdq32.exe 93 PID 212 wrote to memory of 1096 212 Cmhfdq32.exe 93 PID 1096 wrote to memory of 2760 1096 Cgmkai32.exe 94 PID 1096 wrote to memory of 2760 1096 Cgmkai32.exe 94 PID 1096 wrote to memory of 2760 1096 Cgmkai32.exe 94 PID 2760 wrote to memory of 3052 2760 Cmjcip32.exe 95 PID 2760 wrote to memory of 3052 2760 Cmjcip32.exe 95 PID 2760 wrote to 
memory of 3052 2760 Cmjcip32.exe 95 PID 3052 wrote to memory of 3916 3052 Dcdkfjfm.exe 96 PID 3052 wrote to memory of 3916 3052 Dcdkfjfm.exe 96 PID 3052 wrote to memory of 3916 3052 Dcdkfjfm.exe 96 PID 3916 wrote to memory of 3864 3916 Dahlpo32.exe 97 PID 3916 wrote to memory of 3864 3916 Dahlpo32.exe 97 PID 3916 wrote to memory of 3864 3916 Dahlpo32.exe 97 PID 3864 wrote to memory of 2480 3864 Dfedhe32.exe 98 PID 3864 wrote to memory of 2480 3864 Dfedhe32.exe 98 PID 3864 wrote to memory of 2480 3864 Dfedhe32.exe 98 PID 2480 wrote to memory of 4452 2480 Dpmiqkjo.exe 99 PID 2480 wrote to memory of 4452 2480 Dpmiqkjo.exe 99 PID 2480 wrote to memory of 4452 2480 Dpmiqkjo.exe 99 PID 4452 wrote to memory of 2256 4452 Dhdabhka.exe 100 PID 4452 wrote to memory of 2256 4452 Dhdabhka.exe 100 PID 4452 wrote to memory of 2256 4452 Dhdabhka.exe 100 PID 2256 wrote to memory of 3740 2256 Diemiqqp.exe 101 PID 2256 wrote to memory of 3740 2256 Diemiqqp.exe 101 PID 2256 wrote to memory of 3740 2256 Diemiqqp.exe 101 PID 3740 wrote to memory of 4024 3740 Dckagiqe.exe 102 PID 3740 wrote to memory of 4024 3740 Dckagiqe.exe 102 PID 3740 wrote to memory of 4024 3740 Dckagiqe.exe 102 PID 4024 wrote to memory of 4712 4024 Dihjopom.exe 103 PID 4024 wrote to memory of 4712 4024 Dihjopom.exe 103 PID 4024 wrote to memory of 4712 4024 Dihjopom.exe 103 PID 4712 wrote to memory of 3192 4712 Daobpnoo.exe 104 PID 4712 wrote to memory of 3192 4712 Daobpnoo.exe 104 PID 4712 wrote to memory of 3192 4712 Daobpnoo.exe 104 PID 3192 wrote to memory of 4284 3192 Dhijmh32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\c384f5e83f50366e03860baea4de49b0N.exe"C:\Users\Admin\AppData\Local\Temp\c384f5e83f50366e03860baea4de49b0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Bmocnb32.exeC:\Windows\system32\Bmocnb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Cjbdgf32.exeC:\Windows\system32\Cjbdgf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Calldppd.exeC:\Windows\system32\Calldppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Cfielg32.exeC:\Windows\system32\Cfielg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Cpaiemdl.exeC:\Windows\system32\Cpaiemdl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Cflaag32.exeC:\Windows\system32\Cflaag32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Cmejnacf.exeC:\Windows\system32\Cmejnacf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Ccpbkk32.exeC:\Windows\system32\Ccpbkk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Cmhfdq32.exeC:\Windows\system32\Cmhfdq32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Cgmkai32.exeC:\Windows\system32\Cgmkai32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Cmjcip32.exeC:\Windows\system32\Cmjcip32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Dcdkfjfm.exeC:\Windows\system32\Dcdkfjfm.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Dahlpo32.exeC:\Windows\system32\Dahlpo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Dfedhe32.exeC:\Windows\system32\Dfedhe32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Dpmiqkjo.exeC:\Windows\system32\Dpmiqkjo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Dhdabhka.exeC:\Windows\system32\Dhdabhka.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Diemiqqp.exeC:\Windows\system32\Diemiqqp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Dckagiqe.exeC:\Windows\system32\Dckagiqe.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Dihjopom.exeC:\Windows\system32\Dihjopom.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Daobpnoo.exeC:\Windows\system32\Daobpnoo.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Dhijmh32.exeC:\Windows\system32\Dhijmh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Dmfceoec.exeC:\Windows\system32\Dmfceoec.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Ehkgbgdi.exeC:\Windows\system32\Ehkgbgdi.exe24⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Emhpkncq.exeC:\Windows\system32\Emhpkncq.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Edbhgh32.exeC:\Windows\system32\Edbhgh32.exe26⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Emklpn32.exeC:\Windows\system32\Emklpn32.exe27⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Emmifn32.exeC:\Windows\system32\Emmifn32.exe28⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Edgabhfh.exeC:\Windows\system32\Edgabhfh.exe29⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Eicjkodp.exeC:\Windows\system32\Eicjkodp.exe30⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Epnbgill.exeC:\Windows\system32\Epnbgill.exe31⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Eiffpn32.exeC:\Windows\system32\Eiffpn32.exe32⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Fppomhjj.exeC:\Windows\system32\Fppomhjj.exe33⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ffjgjb32.exeC:\Windows\system32\Ffjgjb32.exe34⤵
- Modifies registry class
PID:4548 -
C:\Windows\SysWOW64\Fkecjajp.exeC:\Windows\system32\Fkecjajp.exe35⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Fapkgk32.exeC:\Windows\system32\Fapkgk32.exe36⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Fdngcgpp.exeC:\Windows\system32\Fdngcgpp.exe37⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Fkhppa32.exeC:\Windows\system32\Fkhppa32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Fabhmkoj.exeC:\Windows\system32\Fabhmkoj.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Fdpdifnm.exeC:\Windows\system32\Fdpdifnm.exe40⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Fgopebma.exeC:\Windows\system32\Fgopebma.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Faddbkmg.exeC:\Windows\system32\Faddbkmg.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4064 -
C:\Windows\SysWOW64\Fdbqnflk.exeC:\Windows\system32\Fdbqnflk.exe43⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Fkmikpcg.exeC:\Windows\system32\Fkmikpcg.exe44⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Fmkeglbk.exeC:\Windows\system32\Fmkeglbk.exe45⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Fdemdf32.exeC:\Windows\system32\Fdemdf32.exe46⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Fgcjpa32.exeC:\Windows\system32\Fgcjpa32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Fmmbmkqi.exeC:\Windows\system32\Fmmbmkqi.exe48⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Gplnigpl.exeC:\Windows\system32\Gplnigpl.exe49⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Gidbalfm.exeC:\Windows\system32\Gidbalfm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Gakjcjgo.exeC:\Windows\system32\Gakjcjgo.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ghecpd32.exeC:\Windows\system32\Ghecpd32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Gkcolo32.exeC:\Windows\system32\Gkcolo32.exe53⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ganghiel.exeC:\Windows\system32\Ganghiel.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Ghgpec32.exeC:\Windows\system32\Ghgpec32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Gkflaokm.exeC:\Windows\system32\Gkflaokm.exe56⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Gndhmjjq.exeC:\Windows\system32\Gndhmjjq.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Gdnpjd32.exeC:\Windows\system32\Gdnpjd32.exe58⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Ggmlfp32.exeC:\Windows\system32\Ggmlfp32.exe59⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Gikibk32.exeC:\Windows\system32\Gikibk32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Gabqci32.exeC:\Windows\system32\Gabqci32.exe61⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Gdqmpd32.exeC:\Windows\system32\Gdqmpd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Ggoilp32.exeC:\Windows\system32\Ggoilp32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Hniahj32.exeC:\Windows\system32\Hniahj32.exe64⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Hdcjednh.exeC:\Windows\system32\Hdcjednh.exe65⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Hkmbbn32.exeC:\Windows\system32\Hkmbbn32.exe66⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Hnknni32.exeC:\Windows\system32\Hnknni32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Windows\SysWOW64\Hagjohma.exeC:\Windows\system32\Hagjohma.exe68⤵PID:5088
-
C:\Windows\SysWOW64\Hgdbgoki.exeC:\Windows\system32\Hgdbgoki.exe69⤵PID:2764
-
C:\Windows\SysWOW64\Hkoogn32.exeC:\Windows\system32\Hkoogn32.exe70⤵
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Haigdh32.exeC:\Windows\system32\Haigdh32.exe71⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Hdhcpc32.exeC:\Windows\system32\Hdhcpc32.exe72⤵PID:4412
-
C:\Windows\SysWOW64\Hkakmmap.exeC:\Windows\system32\Hkakmmap.exe73⤵PID:4928
-
C:\Windows\SysWOW64\Hnpgiipc.exeC:\Windows\system32\Hnpgiipc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Hpodedpg.exeC:\Windows\system32\Hpodedpg.exe75⤵PID:4644
-
C:\Windows\SysWOW64\Hhelfapi.exeC:\Windows\system32\Hhelfapi.exe76⤵PID:2628
-
C:\Windows\SysWOW64\Hkdhbmom.exeC:\Windows\system32\Hkdhbmom.exe77⤵
- System Location Discovery: System Language Discovery
PID:3508 -
C:\Windows\SysWOW64\Hnbdohnq.exeC:\Windows\system32\Hnbdohnq.exe78⤵PID:3144
-
C:\Windows\SysWOW64\Hdllkbfm.exeC:\Windows\system32\Hdllkbfm.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3536 -
C:\Windows\SysWOW64\Hkfdhm32.exeC:\Windows\system32\Hkfdhm32.exe80⤵PID:4140
-
C:\Windows\SysWOW64\Ineadh32.exeC:\Windows\system32\Ineadh32.exe81⤵PID:3092
-
C:\Windows\SysWOW64\Ijlaiibb.exeC:\Windows\system32\Ijlaiibb.exe82⤵
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Iqejfc32.exeC:\Windows\system32\Iqejfc32.exe83⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Igpbbm32.exeC:\Windows\system32\Igpbbm32.exe84⤵PID:4588
-
C:\Windows\SysWOW64\Ijnnoi32.exeC:\Windows\system32\Ijnnoi32.exe85⤵PID:4376
-
C:\Windows\SysWOW64\Iaefpf32.exeC:\Windows\system32\Iaefpf32.exe86⤵PID:4188
-
C:\Windows\SysWOW64\Ikmkilgb.exeC:\Windows\system32\Ikmkilgb.exe87⤵PID:2100
-
C:\Windows\SysWOW64\Ibgcef32.exeC:\Windows\system32\Ibgcef32.exe88⤵PID:1768
-
C:\Windows\SysWOW64\Ihakbp32.exeC:\Windows\system32\Ihakbp32.exe89⤵PID:2856
-
C:\Windows\SysWOW64\Ijbhjhlj.exeC:\Windows\system32\Ijbhjhlj.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3228 -
C:\Windows\SysWOW64\Ibjpkeml.exeC:\Windows\system32\Ibjpkeml.exe91⤵PID:2576
-
C:\Windows\SysWOW64\Iqmpfb32.exeC:\Windows\system32\Iqmpfb32.exe92⤵PID:4964
-
C:\Windows\SysWOW64\Ihchhp32.exeC:\Windows\system32\Ihchhp32.exe93⤵PID:1484
-
C:\Windows\SysWOW64\Jjedohjg.exeC:\Windows\system32\Jjedohjg.exe94⤵
- Modifies registry class
PID:4048 -
C:\Windows\SysWOW64\Jqomlb32.exeC:\Windows\system32\Jqomlb32.exe95⤵
- System Location Discovery: System Language Discovery
PID:3376 -
C:\Windows\SysWOW64\Jhfdmobf.exeC:\Windows\system32\Jhfdmobf.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3828 -
C:\Windows\SysWOW64\Jkdaikaj.exeC:\Windows\system32\Jkdaikaj.exe97⤵PID:2284
-
C:\Windows\SysWOW64\Jncmefpn.exeC:\Windows\system32\Jncmefpn.exe98⤵PID:2292
-
C:\Windows\SysWOW64\Jdmebp32.exeC:\Windows\system32\Jdmebp32.exe99⤵
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Windows\SysWOW64\Jgkanl32.exeC:\Windows\system32\Jgkanl32.exe100⤵
- Modifies registry class
PID:3820 -
C:\Windows\SysWOW64\Jjjnjg32.exeC:\Windows\system32\Jjjnjg32.exe101⤵PID:2772
-
C:\Windows\SysWOW64\Jbqfld32.exeC:\Windows\system32\Jbqfld32.exe102⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Jdobhp32.exeC:\Windows\system32\Jdobhp32.exe103⤵PID:4460
-
C:\Windows\SysWOW64\Jkijdj32.exeC:\Windows\system32\Jkijdj32.exe104⤵PID:4556
-
C:\Windows\SysWOW64\Jngfqe32.exeC:\Windows\system32\Jngfqe32.exe105⤵PID:1112
-
C:\Windows\SysWOW64\Jdaompce.exeC:\Windows\system32\Jdaompce.exe106⤵PID:4760
-
C:\Windows\SysWOW64\Jgpkikbi.exeC:\Windows\system32\Jgpkikbi.exe107⤵PID:2416
-
C:\Windows\SysWOW64\Jjngefam.exeC:\Windows\system32\Jjngefam.exe108⤵PID:3496
-
C:\Windows\SysWOW64\Jbeogcbo.exeC:\Windows\system32\Jbeogcbo.exe109⤵PID:5020
-
C:\Windows\SysWOW64\Jqhpbq32.exeC:\Windows\system32\Jqhpbq32.exe110⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Kgbhokqf.exeC:\Windows\system32\Kgbhokqf.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184 -
C:\Windows\SysWOW64\Knlpldhc.exeC:\Windows\system32\Knlpldhc.exe112⤵PID:5228
-
C:\Windows\SysWOW64\Kqklhpgg.exeC:\Windows\system32\Kqklhpgg.exe113⤵PID:5272
-
C:\Windows\SysWOW64\Kiadimhi.exeC:\Windows\system32\Kiadimhi.exe114⤵
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Kjcqqf32.exeC:\Windows\system32\Kjcqqf32.exe115⤵PID:5360
-
C:\Windows\SysWOW64\Kqmimped.exeC:\Windows\system32\Kqmimped.exe116⤵PID:5392
-
C:\Windows\SysWOW64\Kidaomff.exeC:\Windows\system32\Kidaomff.exe117⤵PID:5444
-
C:\Windows\SysWOW64\Knaigd32.exeC:\Windows\system32\Knaigd32.exe118⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Kekacnkk.exeC:\Windows\system32\Kekacnkk.exe119⤵PID:5532
-
C:\Windows\SysWOW64\Kkejph32.exeC:\Windows\system32\Kkejph32.exe120⤵PID:5576
-
C:\Windows\SysWOW64\Kncflc32.exeC:\Windows\system32\Kncflc32.exe121⤵PID:5620
-
C:\Windows\SysWOW64\Kemninih.exeC:\Windows\system32\Kemninih.exe122⤵PID:5664