Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
18/08/2024, 12:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b5a50f32a495e78e13955a46d82a98e0N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
b5a50f32a495e78e13955a46d82a98e0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b5a50f32a495e78e13955a46d82a98e0N.exe
-
Size
400KB
-
MD5
b5a50f32a495e78e13955a46d82a98e0
-
SHA1
0834b45321983d0dfb26950ac40f10aa806ba9ae
-
SHA256
2c42d36003cd44a21cee22d57ffb1bfe10f11dff08b41170f7016a25319b1363
-
SHA512
4db8b43b41aaf0b160c858da3614a820447ace91ed2120cc70484070c653d2de53415d3bd6746ff33a55ec44756c221b11a58251f00e7de6b6d3c99791a8a2b4
-
SSDEEP
12288:OyFrXVH/+zrWAI5KFum/+zrWAIAqWim/k:9FrXFm0BmmvFimc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbfkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dchcdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhhhjhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpecad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndkdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akoghnnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhjmpam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjcqcdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oekaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nihjfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epapoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlpmjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boiagp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpldjajo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphnlcnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afjncabj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepmokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cajmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dokmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkebig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnqhcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boohgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkomhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaecne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hljnbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpkedbka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmmng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbblbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flpkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcokhaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddeifgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjcigcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glkinb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnllppfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Begegn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enblpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkainp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbbbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcnomjbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckciqdol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihedodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnebgcqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjloanf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogqihcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hobfgcdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndaaclac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omhjejai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggcnbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbpihafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfmpifdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpppifii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khpccibp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abogpiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kceijg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nldbbbno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpdiifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhnpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcknqicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjnhpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbagjfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaqhiq32.exe -
Executes dropped EXE 64 IoCs
pid Process 2712 Alncgn32.exe 1856 Ajbdpblo.exe 2428 Bkmcni32.exe 2780 Cdgdlnop.exe 2716 Ccmanjch.exe 2688 Cccgni32.exe 1368 Deljfqmf.exe 1396 Dabkla32.exe 1808 Eiefqc32.exe 2936 Eelfedpa.exe 2696 Flhkhnel.exe 2516 Foidii32.exe 828 Fmnakege.exe 2408 Fpojlp32.exe 2272 Gcocnk32.exe 604 Gcapckod.exe 1096 Ggphji32.exe 2444 Geeekf32.exe 2168 Gheola32.exe 1976 Hnecjgch.exe 960 Hbblpf32.exe 1656 Hmlmacfn.exe 2212 Hchbcmlh.exe 2280 Ibnodj32.exe 3000 Jnlfjjpl.exe 2592 Jmcpqfba.exe 2144 Jgidnobg.exe 1612 Jjimpj32.exe 2836 Klmfmacc.exe 2844 Kehgkgha.exe 2872 Kanhph32.exe 2764 Kaaeegkc.exe 1868 Koeeoljm.exe 2676 Lphnlcnh.exe 2804 Llooad32.exe 2540 Lckdcn32.exe 2976 Modano32.exe 2008 Meafpibb.exe 2328 Mahgejhf.exe 2020 Majdkifd.exe 2524 Ncnmhajo.exe 1944 Nodnmb32.exe 752 Nbegonmd.exe 1244 Noighakn.exe 1196 Nhalag32.exe 2952 Ndhlfh32.exe 860 Nonqca32.exe 1348 Ojgado32.exe 3044 Omhjejai.exe 1100 Ojlkonpb.exe 1600 Oiahpkdj.exe 2508 Ocglmcdp.exe 2440 Pifakj32.exe 2624 Pnbjca32.exe 2748 Plfjme32.exe 1664 Phmkaf32.exe 576 Pafpjljk.exe 2056 Pjndca32.exe 1620 Qmomelml.exe 2520 Qfganb32.exe 1632 Afjncabj.exe 1812 Abpohb32.exe 1992 Alicahno.exe 268 Ahpdficc.exe -
Loads dropped DLL 64 IoCs
pid Process 2172 b5a50f32a495e78e13955a46d82a98e0N.exe 2172 b5a50f32a495e78e13955a46d82a98e0N.exe 2712 Alncgn32.exe 2712 Alncgn32.exe 1856 Ajbdpblo.exe 1856 Ajbdpblo.exe 2428 Bkmcni32.exe 2428 Bkmcni32.exe 2780 Cdgdlnop.exe 2780 Cdgdlnop.exe 2716 Ccmanjch.exe 2716 Ccmanjch.exe 2688 Cccgni32.exe 2688 Cccgni32.exe 1368 Deljfqmf.exe 1368 Deljfqmf.exe 1396 Dabkla32.exe 1396 Dabkla32.exe 1808 Eiefqc32.exe 1808 Eiefqc32.exe 2936 Eelfedpa.exe 2936 Eelfedpa.exe 2696 Flhkhnel.exe 2696 Flhkhnel.exe 2516 Foidii32.exe 2516 Foidii32.exe 828 Fmnakege.exe 828 Fmnakege.exe 2408 Fpojlp32.exe 2408 Fpojlp32.exe 2272 Gcocnk32.exe 2272 Gcocnk32.exe 604 Gcapckod.exe 604 Gcapckod.exe 1096 Ggphji32.exe 1096 Ggphji32.exe 2444 Geeekf32.exe 2444 Geeekf32.exe 2168 Gheola32.exe 2168 Gheola32.exe 1976 Hnecjgch.exe 1976 Hnecjgch.exe 960 Hbblpf32.exe 960 Hbblpf32.exe 1656 Hmlmacfn.exe 1656 Hmlmacfn.exe 2212 Hchbcmlh.exe 2212 Hchbcmlh.exe 2280 Ibnodj32.exe 2280 Ibnodj32.exe 3000 Jnlfjjpl.exe 3000 Jnlfjjpl.exe 2592 Jmcpqfba.exe 2592 Jmcpqfba.exe 2144 Jgidnobg.exe 2144 Jgidnobg.exe 1612 Jjimpj32.exe 1612 Jjimpj32.exe 2836 Klmfmacc.exe 2836 Klmfmacc.exe 2844 Kehgkgha.exe 2844 Kehgkgha.exe 2872 Kanhph32.exe 2872 Kanhph32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jjhecdda.dll Flpkll32.exe File opened for modification C:\Windows\SysWOW64\Lkdmneoo.exe Lcihicad.exe File created C:\Windows\SysWOW64\Nmiakdll.exe Nlieqa32.exe File opened for modification C:\Windows\SysWOW64\Clbbfj32.exe Cblniaii.exe File created C:\Windows\SysWOW64\Njkdom32.dll Dddmkkpb.exe File created C:\Windows\SysWOW64\Hcomjk32.dll Mkjkkf32.exe File created C:\Windows\SysWOW64\Coogjloi.exe Cfgcaf32.exe File created C:\Windows\SysWOW64\Mkimfg32.dll Icohfi32.exe File created C:\Windows\SysWOW64\Meepac32.dll Hkccpb32.exe File created C:\Windows\SysWOW64\Aqaedc32.dll Lncodf32.exe File created C:\Windows\SysWOW64\Mhibdl32.dll Obpflhmi.exe File created C:\Windows\SysWOW64\Blckoifq.dll Koodlbeh.exe File created C:\Windows\SysWOW64\Idihponj.exe Inopce32.exe File created C:\Windows\SysWOW64\Hpnlgbjp.dll Mchmblji.exe File created C:\Windows\SysWOW64\Gjgmhaim.exe Ffiebc32.exe File created C:\Windows\SysWOW64\Lajgnb32.exe Ldfgdn32.exe File opened for modification C:\Windows\SysWOW64\Nhbnjpic.exe Npdlpnnj.exe File created C:\Windows\SysWOW64\Lboeoagk.dll Hjbljh32.exe File opened for modification C:\Windows\SysWOW64\Fgmogcpc.exe Fiiono32.exe File created C:\Windows\SysWOW64\Kaeadppc.exe Kmginaim.exe File created C:\Windows\SysWOW64\Ipkncf32.dll Qipmdhcj.exe File opened for modification C:\Windows\SysWOW64\Mafmhcam.exe Mdbloobc.exe File created C:\Windows\SysWOW64\Jdbgem32.dll Pjmqldee.exe File created C:\Windows\SysWOW64\Eempnnjn.dll Bkflpi32.exe File created C:\Windows\SysWOW64\Pidgnc32.exe Oqibjq32.exe File opened for modification C:\Windows\SysWOW64\Agpamd32.exe Adoili32.exe File created C:\Windows\SysWOW64\Pabidiko.exe Poapbn32.exe File opened for modification C:\Windows\SysWOW64\Nekbjf32.exe Mhgbpb32.exe File created C:\Windows\SysWOW64\Camepc32.dll Geckno32.exe File created C:\Windows\SysWOW64\Lbgjae32.dll Fgolmbnq.exe File created C:\Windows\SysWOW64\Fpecfg32.dll Djpnkhep.exe File opened for modification C:\Windows\SysWOW64\Pfpflenm.exe Pnebgcqb.exe File opened for modification C:\Windows\SysWOW64\Doclijgd.exe Dekgpdqc.exe File opened for modification C:\Windows\SysWOW64\Hfpijngn.exe Haadlh32.exe File created C:\Windows\SysWOW64\Elhhkb32.dll Imgija32.exe File created C:\Windows\SysWOW64\Diclbfdi.dll Llagegfb.exe File created C:\Windows\SysWOW64\Nggpgn32.exe Nqngkcjm.exe File created C:\Windows\SysWOW64\Ajibgh32.dll Eljkqfko.exe File created C:\Windows\SysWOW64\Bffgbo32.exe Aibfik32.exe File created C:\Windows\SysWOW64\Jbhpld32.dll Naebmppm.exe File created C:\Windows\SysWOW64\Jpbmhf32.exe Jdklcebk.exe File created C:\Windows\SysWOW64\Cpfcphnf.dll Fjjeid32.exe File created C:\Windows\SysWOW64\Llojpghe.exe Lgaaiian.exe File created C:\Windows\SysWOW64\Kfabfldd.exe Jgleep32.exe File created C:\Windows\SysWOW64\Cpokca32.dll Dplbbndo.exe File created C:\Windows\SysWOW64\Lgibjo32.dll Fffckf32.exe File created C:\Windows\SysWOW64\Pgionbbl.exe Pgfbhb32.exe File opened for modification C:\Windows\SysWOW64\Ojfhblci.exe Ojckmm32.exe File created C:\Windows\SysWOW64\Poapbn32.exe Pidhjg32.exe File created C:\Windows\SysWOW64\Nlmbelbg.dll Ibnodj32.exe File opened for modification C:\Windows\SysWOW64\Jjjfbikh.exe Jgljfmkd.exe File created C:\Windows\SysWOW64\Bgjngb32.exe Bghaabdg.exe File opened for modification C:\Windows\SysWOW64\Npdlpnnj.exe Nglhghgj.exe File opened for modification C:\Windows\SysWOW64\Oodejhfg.exe Oekaab32.exe File created C:\Windows\SysWOW64\Ajnlqgfo.exe Aeachphg.exe File opened for modification C:\Windows\SysWOW64\Dpfpco32.exe Ccbojk32.exe File created C:\Windows\SysWOW64\Dmjkaf32.dll Iacojc32.exe File created C:\Windows\SysWOW64\Cfocmhcq.exe Bkiopock.exe File opened for modification C:\Windows\SysWOW64\Dabkla32.exe Deljfqmf.exe File created C:\Windows\SysWOW64\Mgipbnom.dll Pejnpe32.exe File created C:\Windows\SysWOW64\Ogjhqmni.dll Bnnblfgm.exe File opened for modification C:\Windows\SysWOW64\Mkhnef32.exe Mkeapgng.exe File opened for modification C:\Windows\SysWOW64\Njadab32.exe Mnkdlagc.exe File created C:\Windows\SysWOW64\Bodbfd32.dll Eqpfchka.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqmgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcigjolm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fobamgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaieoko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpplfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbknjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkiopock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkeapgng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpfpco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogqihcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlhblc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqmjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebmgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhphmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbkfpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcmmhmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgdfbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmcpqfba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcakdhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjbpemb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldfgdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiapjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbpomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeenip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmfbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blelpeoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjonpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejldfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidhjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkccpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmcni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknani32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oigokj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecklgdag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqkmgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodlbeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfnfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ielllj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggbeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odckho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afebpmal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facjobce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahinb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdefdjnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdclgpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfabfldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmdpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnigi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngaahan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpdficc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peoanckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkinb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqeoegfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enjand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkifld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbdiabcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbokkagk.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibnodj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojgado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bckidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpgpfdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bghaabdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfadkh32.dll" Dmpedk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcpcjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lqiohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcfiggpo.dll" Apnlee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aibfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camepc32.dll" Geckno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipkhpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iobbfggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcjihk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okjdfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejmjh32.dll" Nodikecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aejmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpbejpb.dll" Gepjgaid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glncip32.dll" Gpblof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onaflccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenbkca.dll" Mikjmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmnjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoibgkno.dll" Aoeflamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcapckod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknlnp32.dll" Kpjoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcchoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcjihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkembjcb.dll" Liddljan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfejbf32.dll" Nhinhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngcebnen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgolmbnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofgfk32.dll" Noighakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chafpfqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcehpbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfehcia.dll" Gnldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiahpkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnjonpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igeljknl.dll" Kcpcjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkbagjfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kakdbngn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnkdlagc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcinia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mljnoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cqokoeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aibjlcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpbmhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhpcmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkbhfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glimdgmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alglin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klmfmacc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bieegcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andaoqjp.dll" Nihjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbeeolfd.dll" Belhem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcpagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaaik32.dll" Moqkgmol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phfaknce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biiljjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jopkbala.dll" Ipkkhckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkainp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dggbeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdlq32.dll" Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcingip.dll" Gbbbld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbmbgngb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2712 2172 b5a50f32a495e78e13955a46d82a98e0N.exe 29 PID 2172 wrote to memory of 2712 2172 b5a50f32a495e78e13955a46d82a98e0N.exe 29 PID 2172 wrote to memory of 2712 2172 b5a50f32a495e78e13955a46d82a98e0N.exe 29 PID 2172 wrote to memory of 2712 2172 b5a50f32a495e78e13955a46d82a98e0N.exe 29 PID 2712 wrote to memory of 1856 2712 Alncgn32.exe 30 PID 2712 wrote to memory of 1856 2712 Alncgn32.exe 30 PID 2712 wrote to memory of 1856 2712 Alncgn32.exe 30 PID 2712 wrote to memory of 1856 2712 Alncgn32.exe 30 PID 1856 wrote to memory of 2428 1856 Ajbdpblo.exe 31 PID 1856 wrote to memory of 2428 1856 Ajbdpblo.exe 31 PID 1856 wrote to memory of 2428 1856 Ajbdpblo.exe 31 PID 1856 wrote to memory of 2428 1856 Ajbdpblo.exe 31 PID 2428 wrote to memory of 2780 2428 Bkmcni32.exe 32 PID 2428 wrote to memory of 2780 2428 Bkmcni32.exe 32 PID 2428 wrote to memory of 2780 2428 Bkmcni32.exe 32 PID 2428 wrote to memory of 2780 2428 Bkmcni32.exe 32 PID 2780 wrote to memory of 2716 2780 Cdgdlnop.exe 33 PID 2780 wrote to memory of 2716 2780 Cdgdlnop.exe 33 PID 2780 wrote to memory of 2716 2780 Cdgdlnop.exe 33 PID 2780 wrote to memory of 2716 2780 Cdgdlnop.exe 33 PID 2716 wrote to memory of 2688 2716 Ccmanjch.exe 34 PID 2716 wrote to memory of 2688 2716 Ccmanjch.exe 34 PID 2716 wrote to memory of 2688 2716 Ccmanjch.exe 34 PID 2716 wrote to memory of 2688 2716 Ccmanjch.exe 34 PID 2688 wrote to memory of 1368 2688 Cccgni32.exe 35 PID 2688 wrote to memory of 1368 2688 Cccgni32.exe 35 PID 2688 wrote to memory of 1368 2688 Cccgni32.exe 35 PID 2688 wrote to memory of 1368 2688 Cccgni32.exe 35 PID 1368 wrote to memory of 1396 1368 Deljfqmf.exe 36 PID 1368 wrote to memory of 1396 1368 Deljfqmf.exe 36 PID 1368 wrote to memory of 1396 1368 Deljfqmf.exe 36 PID 1368 wrote to memory of 1396 1368 Deljfqmf.exe 36 PID 1396 wrote to memory of 1808 1396 Dabkla32.exe 37 PID 1396 wrote to memory of 1808 1396 Dabkla32.exe 37 PID 1396 wrote to memory of 1808 1396 Dabkla32.exe 37 PID 1396 wrote to memory of 1808 1396 Dabkla32.exe 37 PID 1808 wrote to memory of 2936 1808 Eiefqc32.exe 38 PID 1808 wrote to memory of 2936 1808 Eiefqc32.exe 38 PID 1808 wrote to memory of 2936 1808 Eiefqc32.exe 38 PID 1808 wrote to memory of 2936 1808 Eiefqc32.exe 38 PID 2936 wrote to memory of 2696 2936 Eelfedpa.exe 39 PID 2936 wrote to memory of 2696 2936 Eelfedpa.exe 39 PID 2936 wrote to memory of 2696 2936 Eelfedpa.exe 39 PID 2936 wrote to memory of 2696 2936 Eelfedpa.exe 39 PID 2696 wrote to memory of 2516 2696 Flhkhnel.exe 40 PID 2696 wrote to memory of 2516 2696 Flhkhnel.exe 40 PID 2696 wrote to memory of 2516 2696 Flhkhnel.exe 40 PID 2696 wrote to memory of 2516 2696 Flhkhnel.exe 40 PID 2516 wrote to memory of 828 2516 Foidii32.exe 41 PID 2516 wrote to memory of 828 2516 Foidii32.exe 41 PID 2516 wrote to memory of 828 2516 Foidii32.exe 41 PID 2516 wrote to memory of 828 2516 Foidii32.exe 41 PID 828 wrote to memory of 2408 828 Fmnakege.exe 42 PID 828 wrote to memory of 2408 828 Fmnakege.exe 42 PID 828 wrote to memory of 2408 828 Fmnakege.exe 42 PID 828 wrote to memory of 2408 828 Fmnakege.exe 42 PID 2408 wrote to memory of 2272 2408 Fpojlp32.exe 43 PID 2408 wrote to memory of 2272 2408 Fpojlp32.exe 43 PID 2408 wrote to memory of 2272 2408 Fpojlp32.exe 43 PID 2408 wrote to memory of 2272 2408 Fpojlp32.exe 43 PID 2272 wrote to memory of 604 2272 Gcocnk32.exe 44 PID 2272 wrote to memory of 604 2272 Gcocnk32.exe 44 PID 2272 wrote to memory of 604 2272 Gcocnk32.exe 44 PID 2272 wrote to memory of 604 2272 Gcocnk32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5a50f32a495e78e13955a46d82a98e0N.exe"C:\Users\Admin\AppData\Local\Temp\b5a50f32a495e78e13955a46d82a98e0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Alncgn32.exeC:\Windows\system32\Alncgn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Bkmcni32.exeC:\Windows\system32\Bkmcni32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Cdgdlnop.exeC:\Windows\system32\Cdgdlnop.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ccmanjch.exeC:\Windows\system32\Ccmanjch.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Cccgni32.exeC:\Windows\system32\Cccgni32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Dabkla32.exeC:\Windows\system32\Dabkla32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Eiefqc32.exeC:\Windows\system32\Eiefqc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Flhkhnel.exeC:\Windows\system32\Flhkhnel.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Foidii32.exeC:\Windows\system32\Foidii32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Fpojlp32.exeC:\Windows\system32\Fpojlp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Gcapckod.exeC:\Windows\system32\Gcapckod.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Ggphji32.exeC:\Windows\system32\Ggphji32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Geeekf32.exeC:\Windows\system32\Geeekf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Gheola32.exeC:\Windows\system32\Gheola32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Hnecjgch.exeC:\Windows\system32\Hnecjgch.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Hmlmacfn.exeC:\Windows\system32\Hmlmacfn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Hchbcmlh.exeC:\Windows\system32\Hchbcmlh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Ibnodj32.exeC:\Windows\system32\Ibnodj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Jnlfjjpl.exeC:\Windows\system32\Jnlfjjpl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Jmcpqfba.exeC:\Windows\system32\Jmcpqfba.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Jgidnobg.exeC:\Windows\system32\Jgidnobg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Jjimpj32.exeC:\Windows\system32\Jjimpj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Klmfmacc.exeC:\Windows\system32\Klmfmacc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Kehgkgha.exeC:\Windows\system32\Kehgkgha.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Kanhph32.exeC:\Windows\system32\Kanhph32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Kaaeegkc.exeC:\Windows\system32\Kaaeegkc.exe33⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Koeeoljm.exeC:\Windows\system32\Koeeoljm.exe34⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Lphnlcnh.exeC:\Windows\system32\Lphnlcnh.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Llooad32.exeC:\Windows\system32\Llooad32.exe36⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Lckdcn32.exeC:\Windows\system32\Lckdcn32.exe37⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Meafpibb.exeC:\Windows\system32\Meafpibb.exe39⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Mahgejhf.exeC:\Windows\system32\Mahgejhf.exe40⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Majdkifd.exeC:\Windows\system32\Majdkifd.exe41⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Ncnmhajo.exeC:\Windows\system32\Ncnmhajo.exe42⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Nodnmb32.exeC:\Windows\system32\Nodnmb32.exe43⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Nbegonmd.exeC:\Windows\system32\Nbegonmd.exe44⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Noighakn.exeC:\Windows\system32\Noighakn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Nhalag32.exeC:\Windows\system32\Nhalag32.exe46⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ndhlfh32.exeC:\Windows\system32\Ndhlfh32.exe47⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Nonqca32.exeC:\Windows\system32\Nonqca32.exe48⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Ojgado32.exeC:\Windows\system32\Ojgado32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ojlkonpb.exeC:\Windows\system32\Ojlkonpb.exe51⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Oiahpkdj.exeC:\Windows\system32\Oiahpkdj.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe53⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Pifakj32.exeC:\Windows\system32\Pifakj32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Pnbjca32.exeC:\Windows\system32\Pnbjca32.exe55⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Plfjme32.exeC:\Windows\system32\Plfjme32.exe56⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe57⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe58⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Pjndca32.exeC:\Windows\system32\Pjndca32.exe59⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Qmomelml.exeC:\Windows\system32\Qmomelml.exe60⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Qfganb32.exeC:\Windows\system32\Qfganb32.exe61⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Afjncabj.exeC:\Windows\system32\Afjncabj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Abpohb32.exeC:\Windows\system32\Abpohb32.exe63⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Alicahno.exeC:\Windows\system32\Alicahno.exe64⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:268 -
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe66⤵PID:2244
-
C:\Windows\SysWOW64\Aolihc32.exeC:\Windows\system32\Aolihc32.exe67⤵PID:2588
-
C:\Windows\SysWOW64\Bdiaqj32.exeC:\Windows\system32\Bdiaqj32.exe68⤵PID:1804
-
C:\Windows\SysWOW64\Bpdkajic.exeC:\Windows\system32\Bpdkajic.exe69⤵PID:2944
-
C:\Windows\SysWOW64\Bpfhfjgq.exeC:\Windows\system32\Bpfhfjgq.exe70⤵PID:2088
-
C:\Windows\SysWOW64\Blmikkle.exeC:\Windows\system32\Blmikkle.exe71⤵PID:3040
-
C:\Windows\SysWOW64\Cjaieoko.exeC:\Windows\system32\Cjaieoko.exe72⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Cblniaii.exeC:\Windows\system32\Cblniaii.exe73⤵
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Clbbfj32.exeC:\Windows\system32\Clbbfj32.exe74⤵PID:2880
-
C:\Windows\SysWOW64\Cobkhe32.exeC:\Windows\system32\Cobkhe32.exe75⤵PID:2892
-
C:\Windows\SysWOW64\Cbcdjpba.exeC:\Windows\system32\Cbcdjpba.exe76⤵PID:1996
-
C:\Windows\SysWOW64\Dklibf32.exeC:\Windows\system32\Dklibf32.exe77⤵PID:1012
-
C:\Windows\SysWOW64\Dddmkkpb.exeC:\Windows\system32\Dddmkkpb.exe78⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Dnmada32.exeC:\Windows\system32\Dnmada32.exe79⤵PID:2064
-
C:\Windows\SysWOW64\Dgefmf32.exeC:\Windows\system32\Dgefmf32.exe80⤵PID:1536
-
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe81⤵PID:2824
-
C:\Windows\SysWOW64\Dpbgghhl.exeC:\Windows\system32\Dpbgghhl.exe82⤵PID:1568
-
C:\Windows\SysWOW64\Dkihli32.exeC:\Windows\system32\Dkihli32.exe83⤵PID:624
-
C:\Windows\SysWOW64\Enjand32.exeC:\Windows\system32\Enjand32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Egbffj32.exeC:\Windows\system32\Egbffj32.exe85⤵PID:2276
-
C:\Windows\SysWOW64\Eeffpn32.exeC:\Windows\system32\Eeffpn32.exe86⤵PID:1504
-
C:\Windows\SysWOW64\Enokidgl.exeC:\Windows\system32\Enokidgl.exe87⤵PID:1636
-
C:\Windows\SysWOW64\Enagnc32.exeC:\Windows\system32\Enagnc32.exe88⤵PID:2492
-
C:\Windows\SysWOW64\Ehilgikj.exeC:\Windows\system32\Ehilgikj.exe89⤵PID:2884
-
C:\Windows\SysWOW64\Fjjeid32.exeC:\Windows\system32\Fjjeid32.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Ffaeneno.exeC:\Windows\system32\Ffaeneno.exe91⤵PID:1716
-
C:\Windows\SysWOW64\Fpijgk32.exeC:\Windows\system32\Fpijgk32.exe92⤵PID:2300
-
C:\Windows\SysWOW64\Flpkll32.exeC:\Windows\system32\Flpkll32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Fblpnepn.exeC:\Windows\system32\Fblpnepn.exe94⤵PID:2772
-
C:\Windows\SysWOW64\Gkgdbh32.exeC:\Windows\system32\Gkgdbh32.exe95⤵PID:1752
-
C:\Windows\SysWOW64\Ghlell32.exeC:\Windows\system32\Ghlell32.exe96⤵PID:2072
-
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe97⤵PID:1548
-
C:\Windows\SysWOW64\Ggcnbh32.exeC:\Windows\system32\Ggcnbh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Gdgoll32.exeC:\Windows\system32\Gdgoll32.exe99⤵PID:1380
-
C:\Windows\SysWOW64\Gnocdb32.exeC:\Windows\system32\Gnocdb32.exe100⤵PID:1308
-
C:\Windows\SysWOW64\Hghhngjb.exeC:\Windows\system32\Hghhngjb.exe101⤵PID:2000
-
C:\Windows\SysWOW64\Hpplfm32.exeC:\Windows\system32\Hpplfm32.exe102⤵
- System Location Discovery: System Language Discovery
PID:848 -
C:\Windows\SysWOW64\Hlgmkn32.exeC:\Windows\system32\Hlgmkn32.exe103⤵PID:2756
-
C:\Windows\SysWOW64\Hoeigi32.exeC:\Windows\system32\Hoeigi32.exe104⤵PID:2664
-
C:\Windows\SysWOW64\Hhnnpolk.exeC:\Windows\system32\Hhnnpolk.exe105⤵PID:2672
-
C:\Windows\SysWOW64\Hllffmbb.exeC:\Windows\system32\Hllffmbb.exe106⤵PID:2220
-
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe107⤵PID:2972
-
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe108⤵
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Idihponj.exeC:\Windows\system32\Idihponj.exe109⤵PID:3028
-
C:\Windows\SysWOW64\Imgija32.exeC:\Windows\system32\Imgija32.exe110⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Imifpagp.exeC:\Windows\system32\Imifpagp.exe111⤵PID:236
-
C:\Windows\SysWOW64\Iipgeb32.exeC:\Windows\system32\Iipgeb32.exe112⤵PID:1756
-
C:\Windows\SysWOW64\Jmnpkp32.exeC:\Windows\system32\Jmnpkp32.exe113⤵PID:2228
-
C:\Windows\SysWOW64\Jbkhcg32.exeC:\Windows\system32\Jbkhcg32.exe114⤵PID:544
-
C:\Windows\SysWOW64\Joohmk32.exeC:\Windows\system32\Joohmk32.exe115⤵PID:1608
-
C:\Windows\SysWOW64\Joaebkni.exeC:\Windows\system32\Joaebkni.exe116⤵PID:2796
-
C:\Windows\SysWOW64\Jgljfmkd.exeC:\Windows\system32\Jgljfmkd.exe117⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Jjjfbikh.exeC:\Windows\system32\Jjjfbikh.exe118⤵PID:1676
-
C:\Windows\SysWOW64\Jgnflmia.exeC:\Windows\system32\Jgnflmia.exe119⤵PID:1744
-
C:\Windows\SysWOW64\Lpekln32.exeC:\Windows\system32\Lpekln32.exe120⤵PID:1988
-
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe121⤵PID:1780
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-