Analysis
max time kernel: 73s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2024 04:36
Static task: static1
Behavioral task: behavioral1
Sample: 85c1db710cdaeff2d3dffc3fa131b3c0N.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 85c1db710cdaeff2d3dffc3fa131b3c0N.exe
Resource: win10v2004-20240802-en
General
Target: 85c1db710cdaeff2d3dffc3fa131b3c0N.exe
Size: 224KB
MD5: 85c1db710cdaeff2d3dffc3fa131b3c0
SHA1: 22c78a2b83b6a9e5398145d276564acbd671ed7b
SHA256: 240401744e0eebcb8677d9f90bb2856c878e9b9977d1a2dfae92ecbac1cded28
SHA512: 7be6eb9c8e16a9b250d75027f726c0118d999e84f2b4e7e0190852c1ab419db13e6b9cc0a46888c6fc0a3c9c24df6db580d2b2ebd4bdf91152e4e998119c49d4
SSDEEP: 3072:bKeQvRGGPqkIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOgtSU:8ZGGy84s5tTDUZNSN58VU5tTtf
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 4864, pid_target 4916, Process: Process not Found, procid_target 1555
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2260 wrote to memory of 3040 | 2260 | 85c1db710cdaeff2d3dffc3fa131b3c0N.exe | 29
PID 2260 wrote to memory of 3040 | 2260 | 85c1db710cdaeff2d3dffc3fa131b3c0N.exe | 29
PID 2260 wrote to memory of 3040 | 2260 | 85c1db710cdaeff2d3dffc3fa131b3c0N.exe | 29
PID 2260 wrote to memory of 3040 | 2260 | 85c1db710cdaeff2d3dffc3fa131b3c0N.exe | 29
PID 3040 wrote to memory of 2364 | 3040 | Nhbpbi32.exe | 30
PID 3040 wrote to memory of 2364 | 3040 | Nhbpbi32.exe | 30
PID 3040 wrote to memory of 2364 | 3040 | Nhbpbi32.exe | 30
PID 3040 wrote to memory of 2364 | 3040 | Nhbpbi32.exe | 30
PID 2364 wrote to memory of 2716 | 2364 | Nkqlodpk.exe | 31
PID 2364 wrote to memory of 2716 | 2364 | Nkqlodpk.exe | 31
PID 2364 wrote to memory of 2716 | 2364 | Nkqlodpk.exe | 31
PID 2364 wrote to memory of 2716 | 2364 | Nkqlodpk.exe | 31
PID 2716 wrote to memory of 2692 | 2716 | Ohdmhhod.exe | 32
PID 2716 wrote to memory of 2692 | 2716 | Ohdmhhod.exe | 32
PID 2716 wrote to memory of 2692 | 2716 | Ohdmhhod.exe | 32
PID 2716 wrote to memory of 2692 | 2716 | Ohdmhhod.exe | 32
PID 2692 wrote to memory of 2656 | 2692 | Omaepoml.exe | 33
PID 2692 wrote to memory of 2656 | 2692 | Omaepoml.exe | 33
PID 2692 wrote to memory of 2656 | 2692 | Omaepoml.exe | 33
PID 2692 wrote to memory of 2656 | 2692 | Omaepoml.exe | 33
PID 2656 wrote to memory of 2740 | 2656 | Odknmi32.exe | 34
PID 2656 wrote to memory of 2740 | 2656 | Odknmi32.exe | 34
PID 2656 wrote to memory of 2740 | 2656 | Odknmi32.exe | 34
PID 2656 wrote to memory of 2740 | 2656 | Odknmi32.exe | 34
PID 2740 wrote to memory of 2632 | 2740 | Ooabjbdn.exe | 35
PID 2740 wrote to memory of 2632 | 2740 | Ooabjbdn.exe | 35
PID 2740 wrote to memory of 2632 | 2740 | Ooabjbdn.exe | 35
PID 2740 wrote to memory of 2632 | 2740 | Ooabjbdn.exe | 35
PID 2632 wrote to memory of 1660 | 2632 | Ohifch32.exe | 36
PID 2632 wrote to memory of 1660 | 2632 | Ohifch32.exe | 36
PID 2632 wrote to memory of 1660 | 2632 | Ohifch32.exe | 36
PID 2632 wrote to memory of 1660 | 2632 | Ohifch32.exe | 36
PID 1660 wrote to memory of 2124 | 1660 | Oijbkpqm.exe | 37
PID 1660 wrote to memory of 2124 | 1660 | Oijbkpqm.exe | 37
PID 1660 wrote to memory of 2124 | 1660 | Oijbkpqm.exe | 37
PID 1660 wrote to memory of 2124 | 1660 | Oijbkpqm.exe | 37
PID 2124 wrote to memory of 1904 | 2124 | Odpghiqc.exe | 38
PID 2124 wrote to memory of 1904 | 2124 | Odpghiqc.exe | 38
PID 2124 wrote to memory of 1904 | 2124 | Odpghiqc.exe | 38
PID 2124 wrote to memory of 1904 | 2124 | Odpghiqc.exe | 38
PID 1904 wrote to memory of 2912 | 1904 | Okjoec32.exe | 39
PID 1904 wrote to memory of 2912 | 1904 | Okjoec32.exe | 39
PID 1904 wrote to memory of 2912 | 1904 | Okjoec32.exe | 39
PID 1904 wrote to memory of 2912 | 1904 | Okjoec32.exe | 39
PID 2912 wrote to memory of 2952 | 2912 | Odbcnh32.exe | 40
PID 2912 wrote to memory of 2952 | 2912 | Odbcnh32.exe | 40
PID 2912 wrote to memory of 2952 | 2912 | Odbcnh32.exe | 40
PID 2912 wrote to memory of 2952 | 2912 | Odbcnh32.exe | 40
PID 2952 wrote to memory of 3008 | 2952 | Oecpeqdo.exe | 41
PID 2952 wrote to memory of 3008 | 2952 | Oecpeqdo.exe | 41
PID 2952 wrote to memory of 3008 | 2952 | Oecpeqdo.exe | 41
PID 2952 wrote to memory of 3008 | 2952 | Oecpeqdo.exe | 41
PID 3008 wrote to memory of 1368 | 3008 | Poldnf32.exe | 42
PID 3008 wrote to memory of 1368 | 3008 | Poldnf32.exe | 42
PID 3008 wrote to memory of 1368 | 3008 | Poldnf32.exe | 42
PID 3008 wrote to memory of 1368 | 3008 | Poldnf32.exe | 42
PID 1368 wrote to memory of 2220 | 1368 | Pefmkpbl.exe | 43
PID 1368 wrote to memory of 2220 | 1368 | Pefmkpbl.exe | 43
PID 1368 wrote to memory of 2220 | 1368 | Pefmkpbl.exe | 43
PID 1368 wrote to memory of 2220 | 1368 | Pefmkpbl.exe | 43
PID 2220 wrote to memory of 2412 | 2220 | Ponadfim.exe | 44
PID 2220 wrote to memory of 2412 | 2220 | Ponadfim.exe | 44
PID 2220 wrote to memory of 2412 | 2220 | Ponadfim.exe | 44
PID 2220 wrote to memory of 2412 | 2220 | Ponadfim.exe | 44
Processes
Each process below is the child of the one above it; the leading number is its depth in the process tree, followed by the image path, the PID and the command line, then the signatures triggered by that process.

1. C:\Users\Admin\AppData\Local\Temp\85c1db710cdaeff2d3dffc3fa131b3c0N.exe (PID 2260; command line: "C:\Users\Admin\AppData\Local\Temp\85c1db710cdaeff2d3dffc3fa131b3c0N.exe")
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Nhbpbi32.exe (PID 3040; command line: C:\Windows\system32\Nhbpbi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Nkqlodpk.exe (PID 2364; command line: C:\Windows\system32\Nkqlodpk.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ohdmhhod.exe (PID 2716; command line: C:\Windows\system32\Ohdmhhod.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Omaepoml.exe (PID 2692; command line: C:\Windows\system32\Omaepoml.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Odknmi32.exe (PID 2656; command line: C:\Windows\system32\Odknmi32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ooabjbdn.exe (PID 2740; command line: C:\Windows\system32\Ooabjbdn.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ohifch32.exe (PID 2632; command line: C:\Windows\system32\Ohifch32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Oijbkpqm.exe (PID 1660; command line: C:\Windows\system32\Oijbkpqm.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Odpghiqc.exe (PID 2124; command line: C:\Windows\system32\Odpghiqc.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Okjoec32.exe (PID 1904; command line: C:\Windows\system32\Okjoec32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Odbcnh32.exe (PID 2912; command line: C:\Windows\system32\Odbcnh32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Oecpeqdo.exe (PID 2952; command line: C:\Windows\system32\Oecpeqdo.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Poldnf32.exe (PID 3008; command line: C:\Windows\system32\Poldnf32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Pefmkpbl.exe (PID 1368; command line: C:\Windows\system32\Pefmkpbl.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ponadfim.exe (PID 2220; command line: C:\Windows\system32\Ponadfim.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Pamnpahp.exe (PID 2412; command line: C:\Windows\system32\Pamnpahp.exe)
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Pjdeaohb.exe (PID 2400; command line: C:\Windows\system32\Pjdeaohb.exe)
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Pcljjd32.exe (PID 2184; command line: C:\Windows\system32\Pcljjd32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Pdnfalea.exe (PID 2132; command line: C:\Windows\system32\Pdnfalea.exe)
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Phibbk32.exe (PID 2524; command line: C:\Windows\system32\Phibbk32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Paagkq32.exe (PID 828; command line: C:\Windows\system32\Paagkq32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Phkohkkh.exe (PID 588; command line: C:\Windows\system32\Phkohkkh.exe)
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Pnhhpaio.exe (PID 1348; command line: C:\Windows\system32\Pnhhpaio.exe)
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Padcqp32.exe (PID 2204; command line: C:\Windows\system32\Padcqp32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Qgqlig32.exe (PID 2648; command line: C:\Windows\system32\Qgqlig32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
27. C:\Windows\SysWOW64\Qjoheb32.exe (PID 2240; command line: C:\Windows\system32\Qjoheb32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\Qcgmnh32.exe (PID 2792; command line: C:\Windows\system32\Qcgmnh32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Qgcingnm.exe (PID 2076; command line: C:\Windows\system32\Qgcingnm.exe)
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Qmpafnld.exe (PID 2772; command line: C:\Windows\system32\Qmpafnld.exe)
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Acjjch32.exe (PID 2612; command line: C:\Windows\system32\Acjjch32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Afhfpc32.exe (PID 2644; command line: C:\Windows\system32\Afhfpc32.exe)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
33. C:\Windows\SysWOW64\Aqnjml32.exe (PID 808; command line: C:\Windows\system32\Aqnjml32.exe)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Ajfoea32.exe (PID 2176; command line: C:\Windows\system32\Ajfoea32.exe)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Aiioanpf.exe (PID 2932; command line: C:\Windows\system32\Aiioanpf.exe)
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Abacjd32.exe (PID 2880; command line: C:\Windows\system32\Abacjd32.exe)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
37. C:\Windows\SysWOW64\Ajhkka32.exe (PID 2636; command line: C:\Windows\system32\Ajhkka32.exe)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Aoedch32.exe (PID 3016; command line: C:\Windows\system32\Aoedch32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
39. C:\Windows\SysWOW64\Abcppcdc.exe (PID 1232; command line: C:\Windows\system32\Abcppcdc.exe)
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Aebllocg.exe (PID 2128; command line: C:\Windows\system32\Aebllocg.exe)
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Akldhi32.exe (PID 2448; command line: C:\Windows\system32\Akldhi32.exe)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Anjqdd32.exe (PID 2352; command line: C:\Windows\system32\Anjqdd32.exe)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Aediaoae.exe (PID 2964; command line: C:\Windows\system32\Aediaoae.exe)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Bknani32.exe (PID 564; command line: C:\Windows\system32\Bknani32.exe)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Bbhikcpn.exe (PID 540; command line: C:\Windows\system32\Bbhikcpn.exe)
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Begegn32.exe (PID 2528; command line: C:\Windows\system32\Begegn32.exe)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Bgebcj32.exe (PID 2012; command line: C:\Windows\system32\Bgebcj32.exe)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Bjcnoe32.exe (PID 2652; command line: C:\Windows\system32\Bjcnoe32.exe)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Bbkfpb32.exe (PID 1656; command line: C:\Windows\system32\Bbkfpb32.exe)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Beibln32.exe (PID 940; command line: C:\Windows\system32\Beibln32.exe)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Bggohi32.exe (PID 2684; command line: C:\Windows\system32\Bggohi32.exe)
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Bnagecdp.exe (PID 2116; command line: C:\Windows\system32\Bnagecdp.exe)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Bapcaocc.exe (PID 2624; command line: C:\Windows\system32\Bapcaocc.exe)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Bekobn32.exe (PID 2996; command line: C:\Windows\system32\Bekobn32.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
55. C:\Windows\SysWOW64\Bgjknijp.exe (PID 2504; command line: C:\Windows\system32\Bgjknijp.exe)
   - Executes dropped EXE
   - Modifies registry class
56. C:\Windows\SysWOW64\Bjhgjdjd.exe (PID 2848; command line: C:\Windows\system32\Bjhgjdjd.exe)
   - Executes dropped EXE
   - Drops file in System32 directory
57. C:\Windows\SysWOW64\Bmfdfpih.exe (PID 1640; command line: C:\Windows\system32\Bmfdfpih.exe)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Bpepbkhk.exe (PID 1856; command line: C:\Windows\system32\Bpepbkhk.exe)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Bglhcihn.exe (PID 1280; command line: C:\Windows\system32\Bglhcihn.exe)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Bfohoe32.exe (PID 2416; command line: C:\Windows\system32\Bfohoe32.exe)
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Bmiqlpge.exe (PID 3020; command line: C:\Windows\system32\Bmiqlpge.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Bpgmhkfi.exe (PID 3012; command line: C:\Windows\system32\Bpgmhkfi.exe)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Cbfidfem.exe (PID 2064; command line: C:\Windows\system32\Cbfidfem.exe)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Cfaedeme.exe (PID 1044; command line: C:\Windows\system32\Cfaedeme.exe)
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Cmkmao32.exe (PID 1528; command line: C:\Windows\system32\Cmkmao32.exe)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Cpjimk32.exe (PID 316; command line: C:\Windows\system32\Cpjimk32.exe)
67. C:\Windows\SysWOW64\Cbhejf32.exe (PID 868; command line: C:\Windows\system32\Cbhejf32.exe)
68. C:\Windows\SysWOW64\Cefbfa32.exe (PID 2408; command line: C:\Windows\system32\Cefbfa32.exe)
   - Modifies registry class
69. C:\Windows\SysWOW64\Cibnfpjg.exe (PID 2780; command line: C:\Windows\system32\Cibnfpjg.exe)
70. C:\Windows\SysWOW64\Cplfcj32.exe (PID 2960; command line: C:\Windows\system32\Cplfcj32.exe)
   - Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Coofoghn.exe (PID 2596; command line: C:\Windows\system32\Coofoghn.exe)
72. C:\Windows\SysWOW64\Cbjbof32.exe (PID 952; command line: C:\Windows\system32\Cbjbof32.exe)
73. C:\Windows\SysWOW64\Ceioka32.exe (PID 2940; command line: C:\Windows\system32\Ceioka32.exe)
74. C:\Windows\SysWOW64\Clcghk32.exe (PID 336; command line: C:\Windows\system32\Clcghk32.exe)
75. C:\Windows\SysWOW64\Coacdg32.exe (PID 904; command line: C:\Windows\system32\Coacdg32.exe)
76. C:\Windows\SysWOW64\Cekkaanh.exe (PID 1604; command line: C:\Windows\system32\Cekkaanh.exe)
77. C:\Windows\SysWOW64\Chigmlml.exe (PID 1760; command line: C:\Windows\system32\Chigmlml.exe)
78. C:\Windows\SysWOW64\Clecnk32.exe (PID 2272; command line: C:\Windows\system32\Clecnk32.exe)
79. C:\Windows\SysWOW64\Cocpjf32.exe (PID 1480; command line: C:\Windows\system32\Cocpjf32.exe)
80. C:\Windows\SysWOW64\Cboljemb.exe (PID 1736; command line: C:\Windows\system32\Cboljemb.exe)
   - Modifies registry class
81. C:\Windows\SysWOW64\Cenhfqle.exe (PID 3044; command line: C:\Windows\system32\Cenhfqle.exe)
82. C:\Windows\SysWOW64\Chldbl32.exe (PID 2492; command line: C:\Windows\system32\Chldbl32.exe)
   - Drops file in System32 directory
83. C:\Windows\SysWOW64\Ckjqog32.exe (PID 2828; command line: C:\Windows\system32\Ckjqog32.exe)
84. C:\Windows\SysWOW64\Dmimkc32.exe (PID 2776; command line: C:\Windows\system32\Dmimkc32.exe)
85. C:\Windows\SysWOW64\Depelp32.exe (PID 2172; command line: C:\Windows\system32\Depelp32.exe)
86. C:\Windows\SysWOW64\Dhnahl32.exe (PID 2296; command line: C:\Windows\system32\Dhnahl32.exe)
   - Modifies registry class
87. C:\Windows\SysWOW64\Dkmmdg32.exe (PID 1648; command line: C:\Windows\system32\Dkmmdg32.exe)
88. C:\Windows\SysWOW64\Dohiefpc.exe (PID 3024; command line: C:\Windows\system32\Dohiefpc.exe)
89. C:\Windows\SysWOW64\Dafeaapg.exe (PID 2232; command line: C:\Windows\system32\Dafeaapg.exe)
90. C:\Windows\SysWOW64\Dhqnnk32.exe (PID 1924; command line: C:\Windows\system32\Dhqnnk32.exe)
91. C:\Windows\SysWOW64\Dgcnihnn.exe (PID 2084; command line: C:\Windows\system32\Dgcnihnn.exe)
92. C:\Windows\SysWOW64\Dibjec32.exe (PID 1784; command line: C:\Windows\system32\Dibjec32.exe)
93. C:\Windows\SysWOW64\Daibfa32.exe (PID 1360; command line: C:\Windows\system32\Daibfa32.exe)
94. C:\Windows\SysWOW64\Ddgnbl32.exe (PID 524; command line: C:\Windows\system32\Ddgnbl32.exe)
95. C:\Windows\SysWOW64\Dgfkoh32.exe (PID 2936; command line: C:\Windows\system32\Dgfkoh32.exe)
96. C:\Windows\SysWOW64\Dkafofde.exe (PID 1580; command line: C:\Windows\system32\Dkafofde.exe)
97. C:\Windows\SysWOW64\Dmpckbci.exe (PID 2244; command line: C:\Windows\system32\Dmpckbci.exe)
98. C:\Windows\SysWOW64\Dlbcgo32.exe (PID 2720; command line: C:\Windows\system32\Dlbcgo32.exe)
99. C:\Windows\SysWOW64\Ddjkhl32.exe (PID 2840; command line: C:\Windows\system32\Ddjkhl32.exe)
100. C:\Windows\SysWOW64\Dghgdg32.exe (PID 2428; command line: C:\Windows\system32\Dghgdg32.exe)
101. C:\Windows\SysWOW64\Dekgpdqc.exe (PID 2876; command line: C:\Windows\system32\Dekgpdqc.exe)
102. C:\Windows\SysWOW64\Dlepmnhq.exe (PID 984; command line: C:\Windows\system32\Dlepmnhq.exe)
103. C:\Windows\SysWOW64\Doclijgd.exe (PID 1880; command line: C:\Windows\system32\Doclijgd.exe)
104. C:\Windows\SysWOW64\Dcohih32.exe (PID 568; command line: C:\Windows\system32\Dcohih32.exe)
105. C:\Windows\SysWOW64\Ehlqao32.exe (PID 936; command line: C:\Windows\system32\Ehlqao32.exe)
106. C:\Windows\SysWOW64\Elgmbnfn.exe (PID 760; command line: C:\Windows\system32\Elgmbnfn.exe)
   - Modifies registry class
107. C:\Windows\SysWOW64\Epchbm32.exe (PID 2056; command line: C:\Windows\system32\Epchbm32.exe)
108. C:\Windows\SysWOW64\Eoeiniea.exe (PID 1696; command line: C:\Windows\system32\Eoeiniea.exe)
109. C:\Windows\SysWOW64\Eadejede.exe (PID 2588; command line: C:\Windows\system32\Eadejede.exe)
110. C:\Windows\SysWOW64\Eljihn32.exe (PID 1844; command line: C:\Windows\system32\Eljihn32.exe)
111. C:\Windows\SysWOW64\Eohedi32.exe (PID 2844; command line: C:\Windows\system32\Eohedi32.exe)
112. C:\Windows\SysWOW64\Eebnqcjl.exe (PID 1972; command line: C:\Windows\system32\Eebnqcjl.exe)
113. C:\Windows\SysWOW64\Ehpjmoio.exe (PID 2108; command line: C:\Windows\system32\Ehpjmoio.exe)
114. C:\Windows\SysWOW64\Ellfmm32.exe (PID 1720; command line: C:\Windows\system32\Ellfmm32.exe)
   - Modifies registry class
115. C:\Windows\SysWOW64\Eojbii32.exe (PID 1376; command line: C:\Windows\system32\Eojbii32.exe)
   - Modifies registry class
116. C:\Windows\SysWOW64\Eained32.exe (PID 1588; command line: C:\Windows\system32\Eained32.exe)
117. C:\Windows\SysWOW64\Edgkap32.exe (PID 2808; command line: C:\Windows\system32\Edgkap32.exe)
118. C:\Windows\SysWOW64\Ehbgbngm.exe (PID 2608; command line: C:\Windows\system32\Ehbgbngm.exe)
119. C:\Windows\SysWOW64\Ekacnjfp.exe (PID 2604; command line: C:\Windows\system32\Ekacnjfp.exe)
120. C:\Windows\SysWOW64\Eomoohoi.exe (PID 2300; command line: C:\Windows\system32\Eomoohoi.exe)
121. C:\Windows\SysWOW64\Eakkkdnm.exe (PID 1380; command line: C:\Windows\system32\Eakkkdnm.exe)
122. C:\Windows\SysWOW64\Epnkfq32.exe (PID 2544; command line: C:\Windows\system32\Epnkfq32.exe)
   - System Location Discovery: System Language Discovery