Analysis
-
max time kernel
107s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22/08/2024, 00:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dde934e2c9400b002707f5666e606630N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
dde934e2c9400b002707f5666e606630N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
dde934e2c9400b002707f5666e606630N.exe
-
Size
168KB
-
MD5
dde934e2c9400b002707f5666e606630
-
SHA1
9b6fa8cd0592bdfc50a6001cff46689661a20a3a
-
SHA256
40425c727f0b52962763e19f790479f1d3c864b54a7beece0dde3225f19ab644
-
SHA512
8f4d7c0bc6ecbe44d5d401c066c1ee21b6377de692fe51fcb5a9063b8ff29c07be1bbf7cc87ed7d52895e232494ae3c6019912fb206339ace6f32e15c81fe12d
-
SSDEEP
3072:utHNMDlQsnCFVxUUutXKLfD42VqZ2fQkbn1vVAva63HePH/RAPJis2Ht3IjXn326:6t7U0fD42g4fQkjxqvak+PH/RARMHGbH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Degdaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ledojqhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmajifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlpeib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbbbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeioio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eehnhhmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffkleae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dobfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcnhjdkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomhgbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdccehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfllmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfnbgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neamhfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohpidaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqffmkpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmddma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnamib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gglpln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfiaco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcangbko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gofkmadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icpconql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdkiajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Docmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjjheg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjaag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhfaepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbfod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfgjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nconka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domldpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gggfanfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hegmqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acicol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feochgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdoclbla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppigdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhadlfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqhljhob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glqipf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfhkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpbmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefkpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncdgfaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiehcmcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpqihhbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnffcajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eokhfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoaqhhlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkjmogio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndagjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhapl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohpidaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhfnjkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokdhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anjnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdfmocil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golamlib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndoked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikagjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkehnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iofmjh32.exe -
Executes dropped EXE 64 IoCs
pid Process 1628 Alcnpopl.exe 452 Aaqghf32.exe 3144 Bhjoepfq.exe 5016 Bndgaj32.exe 1392 Bdapja32.exe 1920 Bjkhgkca.exe 2336 Baepceko.exe 2956 Blkdqnjd.exe 3656 Boiamiih.exe 1224 Beciic32.exe 2696 Bhaefo32.exe 1796 Bbgich32.exe 180 Bdhfkp32.exe 4608 Blonlm32.exe 1396 Bbifhgnl.exe 2604 Calfdd32.exe 2144 Clakam32.exe 5036 Cblcngli.exe 3604 Cejojb32.exe 3496 Chhkfn32.exe 976 Ckghbi32.exe 4636 Cbnpcg32.exe 3396 Cellpb32.exe 2712 Cdolkope.exe 1184 Clfdllpg.exe 896 Ckidhi32.exe 3020 Coephhok.exe 4732 Cbplif32.exe 4932 Ceoheb32.exe 4968 Cdaiaonb.exe 3400 Chmeamfk.exe 4328 Cklanieo.exe 4708 Cbbiofea.exe 4332 Caeijc32.exe 4644 Ceaekade.exe 1236 Chpagmdi.exe 1876 Clkngl32.exe 2736 Cknnchcl.exe 632 Dbefdfco.exe 2056 Dahfpb32.exe 3000 Decbqabb.exe 824 Dhbnmmaf.exe 3044 Dlmjmkjo.exe 3528 Dkpjih32.exe 5000 Dbgbje32.exe 4364 Dajbebhf.exe 540 Defofa32.exe 2428 Dhdkbl32.exe 1532 Dlpgbkhl.exe 3152 Dkbgnh32.exe 4580 Dbjooe32.exe 1664 Damokbfd.exe 1992 Dehkkq32.exe 1096 Dhfhhl32.exe 3476 Dlbchkfj.exe 3960 Dkeddgmd.exe 332 Doqpdf32.exe 1408 Daolqa32.exe 4776 Dejhapmj.exe 4540 Dhidmlln.exe 4668 Dldpnj32.exe 5072 Dkgqigka.exe 2952 Docmjf32.exe 4904 Dcnhjdkd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hihble32.exe Helflfkp.exe File created C:\Windows\SysWOW64\Mbaohc32.dll Pnjejgpo.exe File created C:\Windows\SysWOW64\Ihihgo32.exe Ifklkc32.exe File opened for modification C:\Windows\SysWOW64\Phekfogp.exe Pfgojchl.exe File created C:\Windows\SysWOW64\Jkokmakh.dll Bimkmk32.exe File opened for modification C:\Windows\SysWOW64\Chpagmdi.exe Ceaekade.exe File created C:\Windows\SysWOW64\Nplcfk32.dll Fllpegpl.exe File created C:\Windows\SysWOW64\Mmppdn32.dll Echkqcci.exe File created C:\Windows\SysWOW64\Jnblbdep.dll Fgkgepqj.exe File created C:\Windows\SysWOW64\Heocaf32.exe Hbpgekii.exe File created C:\Windows\SysWOW64\Hndmkiod.dll Faonmibc.exe File created C:\Windows\SysWOW64\Geqfeclf.dll Cfhhbe32.exe File created C:\Windows\SysWOW64\Fopionfo.dll Emjofl32.exe File created C:\Windows\SysWOW64\Fdbkoj32.exe Fcangbko.exe File created C:\Windows\SysWOW64\Onekoh32.exe Ogkcbn32.exe File created C:\Windows\SysWOW64\Fomcboeg.dll Knpmma32.exe File created C:\Windows\SysWOW64\Jkejfleh.dll Icifelia.exe File created C:\Windows\SysWOW64\Hbhjje32.exe Hojnnj32.exe File created C:\Windows\SysWOW64\Lfnbcl32.dll Pjnbobdj.exe File created C:\Windows\SysWOW64\Nbfmonpc.dll Aqjphj32.exe File opened for modification C:\Windows\SysWOW64\Cknnchcl.exe Clkngl32.exe File created C:\Windows\SysWOW64\Nbbhmchn.dll Gkcilcba.exe File created C:\Windows\SysWOW64\Cdlhki32.exe Ceihplga.exe File opened for modification C:\Windows\SysWOW64\Mlklnbpc.exe Mfocelal.exe File created C:\Windows\SysWOW64\Dkjmogio.exe Dlgmcj32.exe File created C:\Windows\SysWOW64\Hoicjp32.dll Pfcmij32.exe File created C:\Windows\SysWOW64\Ogoopl32.dll Iijobeaf.exe File opened for modification C:\Windows\SysWOW64\Ilmeip32.exe Iioimd32.exe File created C:\Windows\SysWOW64\Mgddka32.exe Mlnpnh32.exe File created C:\Windows\SysWOW64\Iajphd32.dll Onekoh32.exe File created C:\Windows\SysWOW64\Peodfhjp.dll Bjfhae32.exe File created C:\Windows\SysWOW64\Ophofkle.dll Jfpomp32.exe File created C:\Windows\SysWOW64\Bpippeho.exe Bmkccjik.exe File created C:\Windows\SysWOW64\Cmdjkqmi.dll Dlmjmkjo.exe File created C:\Windows\SysWOW64\Lkanbjqh.dll Dlbchkfj.exe File created C:\Windows\SysWOW64\Bmjdcc32.dll Jiehcmcm.exe File created C:\Windows\SysWOW64\Kbaicf32.exe Kpbmgj32.exe File created C:\Windows\SysWOW64\Aqijmq32.exe Anjnae32.exe File opened for modification C:\Windows\SysWOW64\Phlippoj.exe Pemlcdpf.exe File created C:\Windows\SysWOW64\Bdapja32.exe Bndgaj32.exe File created C:\Windows\SysWOW64\Kcmfjh32.dll Lpqihhbp.exe File created C:\Windows\SysWOW64\Ibffkcpe.exe Idbfbo32.exe File created C:\Windows\SysWOW64\Niipmefb.exe Ngjcajgo.exe File created C:\Windows\SysWOW64\Cgkehe32.dll Ipfddo32.exe File opened for modification C:\Windows\SysWOW64\Lffhjcmb.exe Ldgkmhno.exe File opened for modification C:\Windows\SysWOW64\Iehfgeqb.exe Ibijkiao.exe File created C:\Windows\SysWOW64\Cmodnlac.dll Lpnlbi32.exe File opened for modification C:\Windows\SysWOW64\Bmimhpoj.exe Bjjalepf.exe File created C:\Windows\SysWOW64\Elnehbkp.dll Dmpmpm32.exe File created C:\Windows\SysWOW64\Flnlkgnj.exe Fdgdjimg.exe File created C:\Windows\SysWOW64\Kbdnbq32.dll Ieeibebe.exe File created C:\Windows\SysWOW64\Npabof32.exe Nghmfqmm.exe File created C:\Windows\SysWOW64\Koqgnp32.dll Fnhlgjfd.exe File opened for modification C:\Windows\SysWOW64\Eoeipeah.exe Dkjmogio.exe File created C:\Windows\SysWOW64\Bjddbhji.dll Iehfgeqb.exe File created C:\Windows\SysWOW64\Medgan32.exe Mdckifda.exe File created C:\Windows\SysWOW64\Ohpidaig.exe Neamhfjd.exe File created C:\Windows\SysWOW64\Dkpjih32.exe Dlmjmkjo.exe File created C:\Windows\SysWOW64\Gdnjjh32.exe Gcmnbpaa.exe File created C:\Windows\SysWOW64\Ppnmih32.dll Gnhdng32.exe File created C:\Windows\SysWOW64\Lbieon32.exe Loninpid.exe File opened for modification C:\Windows\SysWOW64\Blkdqnjd.exe Baepceko.exe File created C:\Windows\SysWOW64\Ingmlj32.dll Eoeipeah.exe File created C:\Windows\SysWOW64\Hagpegcb.dll Jckcklfo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14128 14052 WerFault.exe 706 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhlgjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjmogio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foaikdgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foholc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gochmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgoba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mefmlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqafii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhfhhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogfeeoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlllof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmpmpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calfdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfnibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhhggdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmgpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbgbje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceihplga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feochgff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miomggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agmbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhhhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpkemlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenenmgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgndmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neopbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifqkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofijckhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfglgadi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjedi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkackjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhknppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcbikkqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgoig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhagbfnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiakammb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clakam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbppkjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noqojm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opgaeojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgjmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampkbagd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doicia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehmgne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdoaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjjpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leedejbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bijnhleg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chpagmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anedfffb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicqnjmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmngcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnlampe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffbpcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniflb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijobeaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilbndoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfedbomi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckghbi32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 12448 Acping32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fekahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkckhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jelihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiagokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkdqnjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceoheb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkbgnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Helflfkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oloidfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbhgidg.dll" Agglej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlnpnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mobbioeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biqmbi32.dll" Dkpjih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqijmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgmajifb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoilpoig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Decbqabb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpbmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjokgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anedfffb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbmcedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbefdfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpoqoo32.dll" Eogfeeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndoked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ledojqhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doicia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmgmmgq.dll" Hojnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olbkeoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eefhmobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boiclaak.dll" Hfbppkjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iioimd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdckifda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfapkkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llflni32.dll" Bdhfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhqnki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbghiocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbijgo32.dll" Hcddcoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhdje32.dll" Niipmefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dldpnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingmlj32.dll" Eoeipeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcangbko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahfmjdf.dll" Jkcdohbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Limgkiob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgdel32.dll" Qmfhlcoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmimhpoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chhdlhfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjhdgeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hladdbpk.dll" Gonnblgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neopbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhmhgei.dll" Eeanao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pggbnlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fageamqg.dll" Dhokmgpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adenmg32.dll" Fopbqnco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdiclq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmbll32.dll" Idpilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfkebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaolln32.dll" Jpdikffd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkffacpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facgap32.dll" Ikhknppj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gniahkff.dll" Foiegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdegdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnoneglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcebkjdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlpgbkhl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1964 wrote to memory of 1628 1964 dde934e2c9400b002707f5666e606630N.exe 83 PID 1964 wrote to memory of 1628 1964 dde934e2c9400b002707f5666e606630N.exe 83 PID 1964 wrote to memory of 1628 1964 dde934e2c9400b002707f5666e606630N.exe 83 PID 1628 wrote to memory of 452 1628 Alcnpopl.exe 84 PID 1628 wrote to memory of 452 1628 Alcnpopl.exe 84 PID 1628 wrote to memory of 452 1628 Alcnpopl.exe 84 PID 452 wrote to memory of 3144 452 Aaqghf32.exe 85 PID 452 wrote to memory of 3144 452 Aaqghf32.exe 85 PID 452 wrote to memory of 3144 452 Aaqghf32.exe 85 PID 3144 wrote to memory of 5016 3144 Bhjoepfq.exe 86 PID 3144 wrote to memory of 5016 3144 Bhjoepfq.exe 86 PID 3144 wrote to memory of 5016 3144 Bhjoepfq.exe 86 PID 5016 wrote to memory of 1392 5016 Bndgaj32.exe 87 PID 5016 wrote to memory of 1392 5016 Bndgaj32.exe 87 PID 5016 wrote to memory of 1392 5016 Bndgaj32.exe 87 PID 1392 wrote to memory of 1920 1392 Bdapja32.exe 88 PID 1392 wrote to memory of 1920 1392 Bdapja32.exe 88 PID 1392 wrote to memory of 1920 1392 Bdapja32.exe 88 PID 1920 wrote to memory of 2336 1920 Bjkhgkca.exe 89 PID 1920 wrote to memory of 2336 1920 Bjkhgkca.exe 89 PID 1920 wrote to memory of 2336 1920 Bjkhgkca.exe 89 PID 2336 wrote to memory of 2956 2336 Baepceko.exe 90 PID 2336 wrote to memory of 2956 2336 Baepceko.exe 90 PID 2336 wrote to memory of 2956 2336 Baepceko.exe 90 PID 2956 wrote to memory of 3656 2956 Blkdqnjd.exe 91 PID 2956 wrote to memory of 3656 2956 Blkdqnjd.exe 91 PID 2956 wrote to memory of 3656 2956 Blkdqnjd.exe 91 PID 3656 wrote to memory of 1224 3656 Boiamiih.exe 93 PID 3656 wrote to memory of 1224 3656 Boiamiih.exe 93 PID 3656 wrote to memory of 1224 3656 Boiamiih.exe 93 PID 1224 wrote to memory of 2696 1224 Beciic32.exe 94 PID 1224 wrote to memory of 2696 1224 Beciic32.exe 94 PID 1224 wrote to memory of 2696 1224 Beciic32.exe 94 PID 2696 wrote to memory of 1796 2696 Bhaefo32.exe 95 PID 2696 wrote to memory of 1796 2696 Bhaefo32.exe 95 PID 2696 wrote to memory of 1796 2696 Bhaefo32.exe 95 PID 1796 wrote to memory of 180 1796 Bbgich32.exe 96 PID 1796 wrote to memory of 180 1796 Bbgich32.exe 96 PID 1796 wrote to memory of 180 1796 Bbgich32.exe 96 PID 180 wrote to memory of 4608 180 Bdhfkp32.exe 97 PID 180 wrote to memory of 4608 180 Bdhfkp32.exe 97 PID 180 wrote to memory of 4608 180 Bdhfkp32.exe 97 PID 4608 wrote to memory of 1396 4608 Blonlm32.exe 98 PID 4608 wrote to memory of 1396 4608 Blonlm32.exe 98 PID 4608 wrote to memory of 1396 4608 Blonlm32.exe 98 PID 1396 wrote to memory of 2604 1396 Bbifhgnl.exe 99 PID 1396 wrote to memory of 2604 1396 Bbifhgnl.exe 99 PID 1396 wrote to memory of 2604 1396 Bbifhgnl.exe 99 PID 2604 wrote to memory of 2144 2604 Calfdd32.exe 101 PID 2604 wrote to memory of 2144 2604 Calfdd32.exe 101 PID 2604 wrote to memory of 2144 2604 Calfdd32.exe 101 PID 2144 wrote to memory of 5036 2144 Clakam32.exe 102 PID 2144 wrote to memory of 5036 2144 Clakam32.exe 102 PID 2144 wrote to memory of 5036 2144 Clakam32.exe 102 PID 5036 wrote to memory of 3604 5036 Cblcngli.exe 103 PID 5036 wrote to memory of 3604 5036 Cblcngli.exe 103 PID 5036 wrote to memory of 3604 5036 Cblcngli.exe 103 PID 3604 wrote to memory of 3496 3604 Cejojb32.exe 104 PID 3604 wrote to memory of 3496 3604 Cejojb32.exe 104 PID 3604 wrote to memory of 3496 3604 Cejojb32.exe 104 PID 3496 wrote to memory of 976 3496 Chhkfn32.exe 105 PID 3496 wrote to memory of 976 3496 Chhkfn32.exe 105 PID 3496 wrote to memory of 976 3496 Chhkfn32.exe 105 PID 976 wrote to memory of 4636 976 Ckghbi32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\dde934e2c9400b002707f5666e606630N.exe"C:\Users\Admin\AppData\Local\Temp\dde934e2c9400b002707f5666e606630N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Alcnpopl.exeC:\Windows\system32\Alcnpopl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Aaqghf32.exeC:\Windows\system32\Aaqghf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Bhjoepfq.exeC:\Windows\system32\Bhjoepfq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Bndgaj32.exeC:\Windows\system32\Bndgaj32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Bdapja32.exeC:\Windows\system32\Bdapja32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Bjkhgkca.exeC:\Windows\system32\Bjkhgkca.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Baepceko.exeC:\Windows\system32\Baepceko.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Blkdqnjd.exeC:\Windows\system32\Blkdqnjd.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Boiamiih.exeC:\Windows\system32\Boiamiih.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Beciic32.exeC:\Windows\system32\Beciic32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Bhaefo32.exeC:\Windows\system32\Bhaefo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Bbgich32.exeC:\Windows\system32\Bbgich32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Bdhfkp32.exeC:\Windows\system32\Bdhfkp32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:180 -
C:\Windows\SysWOW64\Blonlm32.exeC:\Windows\system32\Blonlm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Bbifhgnl.exeC:\Windows\system32\Bbifhgnl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Calfdd32.exeC:\Windows\system32\Calfdd32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Clakam32.exeC:\Windows\system32\Clakam32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Cblcngli.exeC:\Windows\system32\Cblcngli.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Cejojb32.exeC:\Windows\system32\Cejojb32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Chhkfn32.exeC:\Windows\system32\Chhkfn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Ckghbi32.exeC:\Windows\system32\Ckghbi32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Cbnpcg32.exeC:\Windows\system32\Cbnpcg32.exe23⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Cellpb32.exeC:\Windows\system32\Cellpb32.exe24⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Cdolkope.exeC:\Windows\system32\Cdolkope.exe25⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Clfdllpg.exeC:\Windows\system32\Clfdllpg.exe26⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Ckidhi32.exeC:\Windows\system32\Ckidhi32.exe27⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Coephhok.exeC:\Windows\system32\Coephhok.exe28⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Cbplif32.exeC:\Windows\system32\Cbplif32.exe29⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ceoheb32.exeC:\Windows\system32\Ceoheb32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\Cdaiaonb.exeC:\Windows\system32\Cdaiaonb.exe31⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Chmeamfk.exeC:\Windows\system32\Chmeamfk.exe32⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Cklanieo.exeC:\Windows\system32\Cklanieo.exe33⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Cbbiofea.exeC:\Windows\system32\Cbbiofea.exe34⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Caeijc32.exeC:\Windows\system32\Caeijc32.exe35⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Ceaekade.exeC:\Windows\system32\Ceaekade.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4644 -
C:\Windows\SysWOW64\Chpagmdi.exeC:\Windows\system32\Chpagmdi.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Clkngl32.exeC:\Windows\system32\Clkngl32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Cknnchcl.exeC:\Windows\system32\Cknnchcl.exe39⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Dbefdfco.exeC:\Windows\system32\Dbefdfco.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Dahfpb32.exeC:\Windows\system32\Dahfpb32.exe41⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Decbqabb.exeC:\Windows\system32\Decbqabb.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Dhbnmmaf.exeC:\Windows\system32\Dhbnmmaf.exe43⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Dlmjmkjo.exeC:\Windows\system32\Dlmjmkjo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Dkpjih32.exeC:\Windows\system32\Dkpjih32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3528 -
C:\Windows\SysWOW64\Dbgbje32.exeC:\Windows\system32\Dbgbje32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5000 -
C:\Windows\SysWOW64\Dajbebhf.exeC:\Windows\system32\Dajbebhf.exe47⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Defofa32.exeC:\Windows\system32\Defofa32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Dhdkbl32.exeC:\Windows\system32\Dhdkbl32.exe49⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Dlpgbkhl.exeC:\Windows\system32\Dlpgbkhl.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Dkbgnh32.exeC:\Windows\system32\Dkbgnh32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3152 -
C:\Windows\SysWOW64\Dbjooe32.exeC:\Windows\system32\Dbjooe32.exe52⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Damokbfd.exeC:\Windows\system32\Damokbfd.exe53⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Dehkkq32.exeC:\Windows\system32\Dehkkq32.exe54⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Dhfhhl32.exeC:\Windows\system32\Dhfhhl32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Dlbchkfj.exeC:\Windows\system32\Dlbchkfj.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3476 -
C:\Windows\SysWOW64\Dkeddgmd.exeC:\Windows\system32\Dkeddgmd.exe57⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Doqpdf32.exeC:\Windows\system32\Doqpdf32.exe58⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Daolqa32.exeC:\Windows\system32\Daolqa32.exe59⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Dejhapmj.exeC:\Windows\system32\Dejhapmj.exe60⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Dhidmlln.exeC:\Windows\system32\Dhidmlln.exe61⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Dldpnj32.exeC:\Windows\system32\Dldpnj32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4668 -
C:\Windows\SysWOW64\Dkgqigka.exeC:\Windows\system32\Dkgqigka.exe63⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Docmjf32.exeC:\Windows\system32\Docmjf32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Dcnhjdkd.exeC:\Windows\system32\Dcnhjdkd.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Daaifa32.exeC:\Windows\system32\Daaifa32.exe66⤵PID:656
-
C:\Windows\SysWOW64\Ddpebm32.exeC:\Windows\system32\Ddpebm32.exe67⤵PID:3320
-
C:\Windows\SysWOW64\Dhkackjk.exeC:\Windows\system32\Dhkackjk.exe68⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Dlgmcj32.exeC:\Windows\system32\Dlgmcj32.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Dkjmogio.exeC:\Windows\system32\Dkjmogio.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Windows\SysWOW64\Eoeipeah.exeC:\Windows\system32\Eoeipeah.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Eacelapl.exeC:\Windows\system32\Eacelapl.exe72⤵PID:1172
-
C:\Windows\SysWOW64\Eeoalp32.exeC:\Windows\system32\Eeoalp32.exe73⤵PID:4052
-
C:\Windows\SysWOW64\Eogfeeoe.exeC:\Windows\system32\Eogfeeoe.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Eeanao32.exeC:\Windows\system32\Eeanao32.exe75⤵
- Modifies registry class
PID:4036 -
C:\Windows\SysWOW64\Ehpjnk32.exeC:\Windows\system32\Ehpjnk32.exe76⤵PID:1132
-
C:\Windows\SysWOW64\Ekngjf32.exeC:\Windows\system32\Ekngjf32.exe77⤵PID:2068
-
C:\Windows\SysWOW64\Eahogp32.exeC:\Windows\system32\Eahogp32.exe78⤵PID:2640
-
C:\Windows\SysWOW64\Ekqcpfbg.exeC:\Windows\system32\Ekqcpfbg.exe79⤵PID:3164
-
C:\Windows\SysWOW64\Echkqcci.exeC:\Windows\system32\Echkqcci.exe80⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Eefhmobm.exeC:\Windows\system32\Eefhmobm.exe81⤵
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Elppii32.exeC:\Windows\system32\Elppii32.exe82⤵PID:3724
-
C:\Windows\SysWOW64\Eamhbp32.exeC:\Windows\system32\Eamhbp32.exe83⤵PID:1136
-
C:\Windows\SysWOW64\Edkdnkge.exeC:\Windows\system32\Edkdnkge.exe84⤵PID:3948
-
C:\Windows\SysWOW64\Elbmohhg.exeC:\Windows\system32\Elbmohhg.exe85⤵PID:1688
-
C:\Windows\SysWOW64\Foaikdgk.exeC:\Windows\system32\Foaikdgk.exe86⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Faoegofo.exeC:\Windows\system32\Faoegofo.exe87⤵PID:1092
-
C:\Windows\SysWOW64\Fekahn32.exeC:\Windows\system32\Fekahn32.exe88⤵
- Modifies registry class
PID:3668 -
C:\Windows\SysWOW64\Fdnackeb.exeC:\Windows\system32\Fdnackeb.exe89⤵PID:4756
-
C:\Windows\SysWOW64\Fleidhfd.exeC:\Windows\system32\Fleidhfd.exe90⤵PID:2392
-
C:\Windows\SysWOW64\Fkhipe32.exeC:\Windows\system32\Fkhipe32.exe91⤵PID:4624
-
C:\Windows\SysWOW64\Fcoaab32.exeC:\Windows\system32\Fcoaab32.exe92⤵PID:5116
-
C:\Windows\SysWOW64\Faabmodl.exeC:\Windows\system32\Faabmodl.exe93⤵PID:2656
-
C:\Windows\SysWOW64\Fdpnij32.exeC:\Windows\system32\Fdpnij32.exe94⤵PID:1780
-
C:\Windows\SysWOW64\Flgfjh32.exeC:\Windows\system32\Flgfjh32.exe95⤵PID:3060
-
C:\Windows\SysWOW64\Fcangbko.exeC:\Windows\system32\Fcangbko.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Fdbkoj32.exeC:\Windows\system32\Fdbkoj32.exe97⤵PID:4164
-
C:\Windows\SysWOW64\Fhngoiif.exeC:\Windows\system32\Fhngoiif.exe98⤵PID:1504
-
C:\Windows\SysWOW64\Fklckdhj.exeC:\Windows\system32\Fklckdhj.exe99⤵PID:4880
-
C:\Windows\SysWOW64\Foholc32.exeC:\Windows\system32\Foholc32.exe100⤵
- System Location Discovery: System Language Discovery
PID:3228 -
C:\Windows\SysWOW64\Fbfkhn32.exeC:\Windows\system32\Fbfkhn32.exe101⤵PID:220
-
C:\Windows\SysWOW64\Fdegdj32.exeC:\Windows\system32\Fdegdj32.exe102⤵
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Fllpegpl.exeC:\Windows\system32\Fllpegpl.exe103⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Fkopad32.exeC:\Windows\system32\Fkopad32.exe104⤵PID:5236
-
C:\Windows\SysWOW64\Fojlabop.exeC:\Windows\system32\Fojlabop.exe105⤵PID:5280
-
C:\Windows\SysWOW64\Fbihnnnd.exeC:\Windows\system32\Fbihnnnd.exe106⤵PID:5324
-
C:\Windows\SysWOW64\Fdgdjimg.exeC:\Windows\system32\Fdgdjimg.exe107⤵
- Drops file in System32 directory
PID:5372 -
C:\Windows\SysWOW64\Flnlkgnj.exeC:\Windows\system32\Flnlkgnj.exe108⤵PID:5424
-
C:\Windows\SysWOW64\Gomhgbmn.exeC:\Windows\system32\Gomhgbmn.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Gchdga32.exeC:\Windows\system32\Gchdga32.exe110⤵PID:5520
-
C:\Windows\SysWOW64\Gffqcl32.exeC:\Windows\system32\Gffqcl32.exe111⤵PID:5564
-
C:\Windows\SysWOW64\Gdiaoike.exeC:\Windows\system32\Gdiaoike.exe112⤵PID:5608
-
C:\Windows\SysWOW64\Glqipf32.exeC:\Windows\system32\Glqipf32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5652 -
C:\Windows\SysWOW64\Gkcilcba.exeC:\Windows\system32\Gkcilcba.exe114⤵
- Drops file in System32 directory
PID:5696 -
C:\Windows\SysWOW64\Gcjamqcd.exeC:\Windows\system32\Gcjamqcd.exe115⤵PID:5740
-
C:\Windows\SysWOW64\Gbmaim32.exeC:\Windows\system32\Gbmaim32.exe116⤵PID:5784
-
C:\Windows\SysWOW64\Ghgiegak.exeC:\Windows\system32\Ghgiegak.exe117⤵PID:5832
-
C:\Windows\SysWOW64\Gkffacpo.exeC:\Windows\system32\Gkffacpo.exe118⤵
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Gcmnbpaa.exeC:\Windows\system32\Gcmnbpaa.exe119⤵
- Drops file in System32 directory
PID:5932 -
C:\Windows\SysWOW64\Gdnjjh32.exeC:\Windows\system32\Gdnjjh32.exe120⤵PID:5976
-
C:\Windows\SysWOW64\Gkhbgb32.exeC:\Windows\system32\Gkhbgb32.exe121⤵PID:6008
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-