Analysis
-
max time kernel
112s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
26-08-2024 09:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
99251d87300d7add5a64843c72f8b230N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
99251d87300d7add5a64843c72f8b230N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
99251d87300d7add5a64843c72f8b230N.exe
-
Size
842KB
-
MD5
99251d87300d7add5a64843c72f8b230
-
SHA1
f2ba8100a37370a3dfdacc5acb8d7dacb3c36c57
-
SHA256
19e4afd155daac531d74cf0cdcd2e195db8852f0c0e65afac934b905c56648d5
-
SHA512
eaa408c802f4116f6db7d1b850bfcb093936aac6a99ec8035eb1de4cc92326fc9c73c01ee1b8592b4f786ef3c375f23d0b11ea2b27db36318ce956ac316c30f3
-
SSDEEP
24576:gXgBR6Ph2kkkkK4kXkkkkkkkkhLX3a20R0m:0CWbazR0m
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnifaajh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnmal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcedj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nldcagaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglkba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doijcjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghfacem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbnap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihiabfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kccgheib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdlclo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmqmpdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komjmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fokfqflb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifcbme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oebdndlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnanefa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojdjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjmmnnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqakim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjlejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepnkjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhjlioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhcgkbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndlbmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kahciaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agloko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknfeege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldchdjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kobkbaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlghpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqhadmhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilblkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njopgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adncoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iadbqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpkchm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhobgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befnbd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Gkbnap32.exe 2728 Gieommdc.exe 2556 Gdjcjf32.exe 2696 Hnnjfo32.exe 2564 Hjggap32.exe 2392 Ifpelq32.exe 748 Iianmlfn.exe 348 Iomcpe32.exe 1952 Iblola32.exe 664 Jkdcdf32.exe 1920 Jnifaajh.exe 2024 Kckhdg32.exe 2360 Klfmijae.exe 2188 Khagijcd.exe 2224 Lbgkfbbj.exe 2032 Laaabo32.exe 1552 Lilfgq32.exe 1456 Mpikik32.exe 1496 Mcggef32.exe 1900 Miapbpmb.exe 2288 Mlolnllf.exe 2132 Mlahdkjc.exe 1904 Maoalb32.exe 1232 Maanab32.exe 1956 Mdojnm32.exe 1708 Moenkf32.exe 2860 Nhmbdl32.exe 2652 Njnokdaq.exe 1096 Naegmabc.exe 2868 Ncipjieo.exe 2080 Nfglfdeb.exe 3008 Nnodgbed.exe 2964 Nggipg32.exe 2852 Nflfad32.exe 2948 Nhkbmo32.exe 1340 Omhkcnfg.exe 2428 Ooggpiek.exe 1880 Oknhdjko.exe 2340 Obhpad32.exe 2072 Odflmp32.exe 2944 Onoqfehp.exe 768 Okbapi32.exe 1092 Onamle32.exe 1276 Oqojhp32.exe 2232 Pflbpg32.exe 2156 Pmfjmake.exe 1264 Ppdfimji.exe 2916 Pimkbbpi.exe 2648 Padccpal.exe 2744 Pcbookpp.exe 2128 Pfqlkfoc.exe 848 Pjlgle32.exe 2516 Pefhlcdk.exe 1040 Pmmqmpdm.exe 2504 Plpqim32.exe 2956 Pehebbbh.exe 1876 Plbmom32.exe 588 Qekbgbpf.exe 2308 Qhincn32.exe 2168 Qjgjpi32.exe 872 Qemomb32.exe 2372 Qdpohodn.exe 2020 Ajjgei32.exe 1976 Amhcad32.exe -
Loads dropped DLL 64 IoCs
pid Process 2000 99251d87300d7add5a64843c72f8b230N.exe 2000 99251d87300d7add5a64843c72f8b230N.exe 2236 Gkbnap32.exe 2236 Gkbnap32.exe 2728 Gieommdc.exe 2728 Gieommdc.exe 2556 Gdjcjf32.exe 2556 Gdjcjf32.exe 2696 Hnnjfo32.exe 2696 Hnnjfo32.exe 2564 Hjggap32.exe 2564 Hjggap32.exe 2392 Ifpelq32.exe 2392 Ifpelq32.exe 748 Iianmlfn.exe 748 Iianmlfn.exe 348 Iomcpe32.exe 348 Iomcpe32.exe 1952 Iblola32.exe 1952 Iblola32.exe 664 Jkdcdf32.exe 664 Jkdcdf32.exe 1920 Jnifaajh.exe 1920 Jnifaajh.exe 2024 Kckhdg32.exe 2024 Kckhdg32.exe 2360 Klfmijae.exe 2360 Klfmijae.exe 2188 Khagijcd.exe 2188 Khagijcd.exe 2224 Lbgkfbbj.exe 2224 Lbgkfbbj.exe 2032 Laaabo32.exe 2032 Laaabo32.exe 1552 Lilfgq32.exe 1552 Lilfgq32.exe 1456 Mpikik32.exe 1456 Mpikik32.exe 1496 Mcggef32.exe 1496 Mcggef32.exe 1900 Miapbpmb.exe 1900 Miapbpmb.exe 2288 Mlolnllf.exe 2288 Mlolnllf.exe 2132 Mlahdkjc.exe 2132 Mlahdkjc.exe 1904 Maoalb32.exe 1904 Maoalb32.exe 1232 Maanab32.exe 1232 Maanab32.exe 1956 Mdojnm32.exe 1956 Mdojnm32.exe 1708 Moenkf32.exe 1708 Moenkf32.exe 2860 Nhmbdl32.exe 2860 Nhmbdl32.exe 2652 Njnokdaq.exe 2652 Njnokdaq.exe 1096 Naegmabc.exe 1096 Naegmabc.exe 2868 Ncipjieo.exe 2868 Ncipjieo.exe 2080 Nfglfdeb.exe 2080 Nfglfdeb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hgabfa32.dll Mecbjd32.exe File created C:\Windows\SysWOW64\Abjhjbbl.dll Hhdqma32.exe File created C:\Windows\SysWOW64\Qapppg32.dll Blnkbg32.exe File created C:\Windows\SysWOW64\Pchbmigj.exe Pnkiebib.exe File created C:\Windows\SysWOW64\Mjpkbk32.exe Mecbjd32.exe File opened for modification C:\Windows\SysWOW64\Cldnqe32.exe Cbljgpja.exe File opened for modification C:\Windows\SysWOW64\Jidngh32.exe Process not Found File created C:\Windows\SysWOW64\Kfnmnojj.exe Process not Found File created C:\Windows\SysWOW64\Himkgf32.exe Process not Found File created C:\Windows\SysWOW64\Nqfilgbn.dll Jojloc32.exe File created C:\Windows\SysWOW64\Olemefec.dll Okkddd32.exe File opened for modification C:\Windows\SysWOW64\Mchokq32.exe Mjpkbk32.exe File created C:\Windows\SysWOW64\Gcimop32.exe Process not Found File created C:\Windows\SysWOW64\Dmmadecm.dll Process not Found File created C:\Windows\SysWOW64\Ikiebadf.dll Lodoefed.exe File opened for modification C:\Windows\SysWOW64\Bfjkphjd.exe Amafgc32.exe File opened for modification C:\Windows\SysWOW64\Cdngip32.exe Caokmd32.exe File created C:\Windows\SysWOW64\Ogoicfml.dll Kkkhmadd.exe File created C:\Windows\SysWOW64\Cfmjiqbg.dll Pbjkop32.exe File opened for modification C:\Windows\SysWOW64\Empphi32.exe Eeiggk32.exe File opened for modification C:\Windows\SysWOW64\Khhndi32.exe Kheaoj32.exe File opened for modification C:\Windows\SysWOW64\Dgkiih32.exe Dleelp32.exe File created C:\Windows\SysWOW64\Nfqbol32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eepmlf32.exe Ebappk32.exe File created C:\Windows\SysWOW64\Polobd32.exe Pfcjiodd.exe File created C:\Windows\SysWOW64\Eckomcec.dll Fghngimj.exe File created C:\Windows\SysWOW64\Oeobfgak.exe Process not Found File created C:\Windows\SysWOW64\Kcacil32.dll Cgjgol32.exe File opened for modification C:\Windows\SysWOW64\Gimaah32.exe Gbcien32.exe File created C:\Windows\SysWOW64\Edalmn32.dll Bdfjnkne.exe File created C:\Windows\SysWOW64\Jpaood32.dll Lpmeojbo.exe File created C:\Windows\SysWOW64\Nloedjin.exe Nfbmlckg.exe File created C:\Windows\SysWOW64\Ihefej32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pehebbbh.exe Plpqim32.exe File created C:\Windows\SysWOW64\Dleelp32.exe Djghpd32.exe File opened for modification C:\Windows\SysWOW64\Ammoel32.exe Ajociq32.exe File created C:\Windows\SysWOW64\Joenaf32.exe Jlgaek32.exe File created C:\Windows\SysWOW64\Qdkfic32.exe Qamjmh32.exe File created C:\Windows\SysWOW64\Pmoqfi32.exe Process not Found File created C:\Windows\SysWOW64\Niligfhh.dll Qgiplffm.exe File created C:\Windows\SysWOW64\Mhdcbjal.exe Process not Found File created C:\Windows\SysWOW64\Fccaicfb.dll Process not Found File created C:\Windows\SysWOW64\Glpgibbn.exe Gefolhja.exe File created C:\Windows\SysWOW64\Mcndnbhi.dll Pobeao32.exe File opened for modification C:\Windows\SysWOW64\Fmacpj32.exe Fjcfco32.exe File opened for modification C:\Windows\SysWOW64\Mkpppmko.exe Mbhlgg32.exe File created C:\Windows\SysWOW64\Khggofme.dll Process not Found File created C:\Windows\SysWOW64\Obdjjb32.exe Process not Found File created C:\Windows\SysWOW64\Ibplji32.exe Process not Found File created C:\Windows\SysWOW64\Aqodfpah.dll Jkcmjpma.exe File created C:\Windows\SysWOW64\Hibidc32.exe Hfdmhh32.exe File created C:\Windows\SysWOW64\Hbbhogeg.dll Bjgbmoda.exe File opened for modification C:\Windows\SysWOW64\Nblaajbd.exe Ndiaem32.exe File opened for modification C:\Windows\SysWOW64\Falakjag.exe Process not Found File opened for modification C:\Windows\SysWOW64\Klbfbg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fbhfcf32.exe Process not Found File created C:\Windows\SysWOW64\Olahgd32.dll Djoeki32.exe File opened for modification C:\Windows\SysWOW64\Bfpmog32.exe Bodhjdcc.exe File created C:\Windows\SysWOW64\Bpfgke32.exe Bgkbfcck.exe File created C:\Windows\SysWOW64\Kahciaog.exe Jhpopk32.exe File opened for modification C:\Windows\SysWOW64\Mkqbhf32.exe Process not Found File created C:\Windows\SysWOW64\Aojbpoih.dll Process not Found File created C:\Windows\SysWOW64\Jopbnn32.exe Jfhmehji.exe File created C:\Windows\SysWOW64\Abldccka.exe Acjdgf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7112 2408 Process not Found 1505 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhogaamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqamla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkbfcck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmoaoikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmgddcnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaliaphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naegmabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbinf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbhfeip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agloko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkbjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhakecld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekcffem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigibh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fladmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgjflof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indnqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkbnibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijnabef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apfici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmngn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjplao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjldp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bleilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmkkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcagkmaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhlih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maanab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkfkopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejnfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcpbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampncd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpbfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pniohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqkieogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffpjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mheeif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailboh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egkgad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgaek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnogmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghnfci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beogaenl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglbmg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohkdfhge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anhbdpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljhngfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cancif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cccdjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eebibf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhfmqge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkilgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnikb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjdnmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmllmn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjigapme.dll" Ojbnkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbiqgln.dll" Iphhgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjdnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfbfl32.dll" Nmbmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahjkl32.dll" Dfpfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdamhocm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omjbihpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlloeemo.dll" Ifqfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feeipfhl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkedjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndom32.dll" Hgckoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgahgaj.dll" Fhkagonc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndndbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbeip32.dll" Ijmkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciepkajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lchclmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlejkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjbehfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkekmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geaekb32.dll" Kogffida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdffcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inehcind.dll" Njnokdaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfcmj32.dll" Pcbookpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecjibgdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biolckgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deiipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhnbklji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agolpnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfddkmch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mokdja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjmmcgha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmldji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgfckbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaeonhdm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefhlcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgdaoen.dll" Gpoibp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laogfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klheoobo.dll" Cldnqe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2236 2000 99251d87300d7add5a64843c72f8b230N.exe 30 PID 2000 wrote to memory of 2236 2000 99251d87300d7add5a64843c72f8b230N.exe 30 PID 2000 wrote to memory of 2236 2000 99251d87300d7add5a64843c72f8b230N.exe 30 PID 2000 wrote to memory of 2236 2000 99251d87300d7add5a64843c72f8b230N.exe 30 PID 2236 wrote to memory of 2728 2236 Gkbnap32.exe 31 PID 2236 wrote to memory of 2728 2236 Gkbnap32.exe 31 PID 2236 wrote to memory of 2728 2236 Gkbnap32.exe 31 PID 2236 wrote to memory of 2728 2236 Gkbnap32.exe 31 PID 2728 wrote to memory of 2556 2728 Gieommdc.exe 32 PID 2728 wrote to memory of 2556 2728 Gieommdc.exe 32 PID 2728 wrote to memory of 2556 2728 Gieommdc.exe 32 PID 2728 wrote to memory of 2556 2728 Gieommdc.exe 32 PID 2556 wrote to memory of 2696 2556 Gdjcjf32.exe 33 PID 2556 wrote to memory of 2696 2556 Gdjcjf32.exe 33 PID 2556 wrote to memory of 2696 2556 Gdjcjf32.exe 33 PID 2556 wrote to memory of 2696 2556 Gdjcjf32.exe 33 PID 2696 wrote to memory of 2564 2696 Hnnjfo32.exe 34 PID 2696 wrote to memory of 2564 2696 Hnnjfo32.exe 34 PID 2696 wrote to memory of 2564 2696 Hnnjfo32.exe 34 PID 2696 wrote to memory of 2564 2696 Hnnjfo32.exe 34 PID 2564 wrote to memory of 2392 2564 Hjggap32.exe 35 PID 2564 wrote to memory of 2392 2564 Hjggap32.exe 35 PID 2564 wrote to memory of 2392 2564 Hjggap32.exe 35 PID 2564 wrote to memory of 2392 2564 Hjggap32.exe 35 PID 2392 wrote to memory of 748 2392 Ifpelq32.exe 36 PID 2392 wrote to memory of 748 2392 Ifpelq32.exe 36 PID 2392 wrote to memory of 748 2392 Ifpelq32.exe 36 PID 2392 wrote to memory of 748 2392 Ifpelq32.exe 36 PID 748 wrote to memory of 348 748 Iianmlfn.exe 37 PID 748 wrote to memory of 348 748 Iianmlfn.exe 37 PID 748 wrote to memory of 348 748 Iianmlfn.exe 37 PID 748 wrote to memory of 348 748 Iianmlfn.exe 37 PID 348 wrote to memory of 1952 348 Iomcpe32.exe 38 PID 348 wrote to memory of 1952 348 Iomcpe32.exe 38 PID 348 wrote to memory of 1952 348 Iomcpe32.exe 38 PID 348 wrote to memory of 1952 348 Iomcpe32.exe 38 PID 1952 wrote to memory of 664 1952 Iblola32.exe 39 PID 1952 wrote to memory of 664 1952 Iblola32.exe 39 PID 1952 wrote to memory of 664 1952 Iblola32.exe 39 PID 1952 wrote to memory of 664 1952 Iblola32.exe 39 PID 664 wrote to memory of 1920 664 Jkdcdf32.exe 40 PID 664 wrote to memory of 1920 664 Jkdcdf32.exe 40 PID 664 wrote to memory of 1920 664 Jkdcdf32.exe 40 PID 664 wrote to memory of 1920 664 Jkdcdf32.exe 40 PID 1920 wrote to memory of 2024 1920 Jnifaajh.exe 41 PID 1920 wrote to memory of 2024 1920 Jnifaajh.exe 41 PID 1920 wrote to memory of 2024 1920 Jnifaajh.exe 41 PID 1920 wrote to memory of 2024 1920 Jnifaajh.exe 41 PID 2024 wrote to memory of 2360 2024 Kckhdg32.exe 42 PID 2024 wrote to memory of 2360 2024 Kckhdg32.exe 42 PID 2024 wrote to memory of 2360 2024 Kckhdg32.exe 42 PID 2024 wrote to memory of 2360 2024 Kckhdg32.exe 42 PID 2360 wrote to memory of 2188 2360 Klfmijae.exe 43 PID 2360 wrote to memory of 2188 2360 Klfmijae.exe 43 PID 2360 wrote to memory of 2188 2360 Klfmijae.exe 43 PID 2360 wrote to memory of 2188 2360 Klfmijae.exe 43 PID 2188 wrote to memory of 2224 2188 Khagijcd.exe 44 PID 2188 wrote to memory of 2224 2188 Khagijcd.exe 44 PID 2188 wrote to memory of 2224 2188 Khagijcd.exe 44 PID 2188 wrote to memory of 2224 2188 Khagijcd.exe 44 PID 2224 wrote to memory of 2032 2224 Lbgkfbbj.exe 45 PID 2224 wrote to memory of 2032 2224 Lbgkfbbj.exe 45 PID 2224 wrote to memory of 2032 2224 Lbgkfbbj.exe 45 PID 2224 wrote to memory of 2032 2224 Lbgkfbbj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\99251d87300d7add5a64843c72f8b230N.exe"C:\Users\Admin\AppData\Local\Temp\99251d87300d7add5a64843c72f8b230N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Gieommdc.exeC:\Windows\system32\Gieommdc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Hnnjfo32.exeC:\Windows\system32\Hnnjfo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Naegmabc.exeC:\Windows\system32\Naegmabc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe33⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe34⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Nflfad32.exeC:\Windows\system32\Nflfad32.exe35⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe36⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Omhkcnfg.exeC:\Windows\system32\Omhkcnfg.exe37⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Ooggpiek.exeC:\Windows\system32\Ooggpiek.exe38⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe39⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe40⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe41⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Onoqfehp.exeC:\Windows\system32\Onoqfehp.exe42⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe43⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe44⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe45⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe46⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Pmfjmake.exeC:\Windows\system32\Pmfjmake.exe47⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe48⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe49⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe50⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Pcbookpp.exeC:\Windows\system32\Pcbookpp.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe52⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Pjlgle32.exeC:\Windows\system32\Pjlgle32.exe53⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Pmmqmpdm.exeC:\Windows\system32\Pmmqmpdm.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Pehebbbh.exeC:\Windows\system32\Pehebbbh.exe57⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe58⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Qekbgbpf.exeC:\Windows\system32\Qekbgbpf.exe59⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Qhincn32.exeC:\Windows\system32\Qhincn32.exe60⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Qjgjpi32.exeC:\Windows\system32\Qjgjpi32.exe61⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Qemomb32.exeC:\Windows\system32\Qemomb32.exe62⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe63⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe64⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe65⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Adblnnbk.exeC:\Windows\system32\Adblnnbk.exe66⤵PID:3000
-
C:\Windows\SysWOW64\Anhpkg32.exeC:\Windows\system32\Anhpkg32.exe67⤵PID:3044
-
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe68⤵PID:1584
-
C:\Windows\SysWOW64\Ammmlcgi.exeC:\Windows\system32\Ammmlcgi.exe69⤵PID:2748
-
C:\Windows\SysWOW64\Apkihofl.exeC:\Windows\system32\Apkihofl.exe70⤵PID:284
-
C:\Windows\SysWOW64\Afeaei32.exeC:\Windows\system32\Afeaei32.exe71⤵PID:2752
-
C:\Windows\SysWOW64\Amoibc32.exeC:\Windows\system32\Amoibc32.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Amafgc32.exeC:\Windows\system32\Amafgc32.exe74⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe75⤵PID:2500
-
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe76⤵PID:2580
-
C:\Windows\SysWOW64\Boeoek32.exeC:\Windows\system32\Boeoek32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Beogaenl.exeC:\Windows\system32\Beogaenl.exe78⤵
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe79⤵PID:2932
-
C:\Windows\SysWOW64\Bafhff32.exeC:\Windows\system32\Bafhff32.exe80⤵PID:688
-
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe81⤵PID:1820
-
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe82⤵PID:1716
-
C:\Windows\SysWOW64\Bkqiek32.exeC:\Windows\system32\Bkqiek32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Bnofaf32.exeC:\Windows\system32\Bnofaf32.exe84⤵PID:1992
-
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Bhdjno32.exeC:\Windows\system32\Bhdjno32.exe86⤵PID:2692
-
C:\Windows\SysWOW64\Bkcfjk32.exeC:\Windows\system32\Bkcfjk32.exe87⤵PID:2196
-
C:\Windows\SysWOW64\Cppobaeb.exeC:\Windows\system32\Cppobaeb.exe88⤵PID:2704
-
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe89⤵
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe90⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe91⤵PID:2848
-
C:\Windows\SysWOW64\Cjjpag32.exeC:\Windows\system32\Cjjpag32.exe92⤵PID:1268
-
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe93⤵PID:2012
-
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe94⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Cjmmffgn.exeC:\Windows\system32\Cjmmffgn.exe95⤵PID:532
-
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe96⤵PID:2208
-
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe97⤵PID:2412
-
C:\Windows\SysWOW64\Cjoilfek.exeC:\Windows\system32\Cjoilfek.exe98⤵PID:1736
-
C:\Windows\SysWOW64\Cbjnqh32.exeC:\Windows\system32\Cbjnqh32.exe99⤵PID:1596
-
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe100⤵PID:2740
-
C:\Windows\SysWOW64\Dkbbinig.exeC:\Windows\system32\Dkbbinig.exe101⤵PID:2656
-
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe102⤵PID:572
-
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe103⤵PID:2840
-
C:\Windows\SysWOW64\Ddmchcnd.exeC:\Windows\system32\Ddmchcnd.exe104⤵PID:2600
-
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe105⤵PID:1524
-
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe106⤵PID:2088
-
C:\Windows\SysWOW64\Dcemnopj.exeC:\Windows\system32\Dcemnopj.exe107⤵PID:2976
-
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe108⤵
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe109⤵PID:1680
-
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe110⤵
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe111⤵PID:2828
-
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe112⤵PID:2660
-
C:\Windows\SysWOW64\Efhcej32.exeC:\Windows\system32\Efhcej32.exe113⤵PID:1748
-
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe114⤵PID:1148
-
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe115⤵PID:2348
-
C:\Windows\SysWOW64\Efjpkj32.exeC:\Windows\system32\Efjpkj32.exe116⤵PID:1668
-
C:\Windows\SysWOW64\Emdhhdqb.exeC:\Windows\system32\Emdhhdqb.exe117⤵PID:1712
-
C:\Windows\SysWOW64\Ebappk32.exeC:\Windows\system32\Ebappk32.exe118⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Eepmlf32.exeC:\Windows\system32\Eepmlf32.exe119⤵PID:1612
-
C:\Windows\SysWOW64\Ebcmfj32.exeC:\Windows\system32\Ebcmfj32.exe120⤵PID:2488
-
C:\Windows\SysWOW64\Eebibf32.exeC:\Windows\system32\Eebibf32.exe121⤵
- Modifies registry class
PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-