Analysis
max time kernel: 75s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 29/08/2024, 10:26

Static task: static1

Behavioral task: behavioral1
Sample: 15c7697699408eb34da98c204337c5a0N.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 15c7697699408eb34da98c204337c5a0N.exe
Resource: win10v2004-20240802-en

General
Target: 15c7697699408eb34da98c204337c5a0N.exe
Size: 80KB
MD5: 15c7697699408eb34da98c204337c5a0
SHA1: d7fb2cad2ff124d9b8be3344e3b88b853bc2258e
SHA256: 2bc4a87cddb27f1f398ae33ec834d20dd41ab9c5b969d3a913e2c145ec87212e
SHA512: 8509537ef711ee62623a9a8e2bc0c808afdc5952ac6bdb9530a04fb3f3b2d1d1eb51ca284a719c2b7c61381a9393cc712d5e82b7cd4225e1edd94325ab9c207e
SSDEEP: 1536:dyO5DnsePLa3L84xL6OITeKYcXx6o/i6prtVh6DtO72Zm+N3aFeJuqnhCN:UklLa784J6hT7n/npr7Y5O72Zm+xaFeA

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 5640, pid_target: 5736, Process: Process not Found, procid_target: 1873
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opahef32.dll" Ojhehlag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbimg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noacgmpl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oakdkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkpacaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjnqhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnkedemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illnpoeb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcohih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdiepmak.dll" Bihdfkoe.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oakdkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqogiafk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcmhpig.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggjmhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhjcgccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgfdmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfqlcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihkkanlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obhfhj32.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Papmnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekcpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkifgpn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ianfacjk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhjibke.dll" Pmlajm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heoqph32.dll" Jhjnmb32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egepce32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjleem32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahfkah32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfikeg32.dll" Aopcnbfj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkcjchco.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmmjof.dll" Oobkna32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbhdic32.dll" Ddkdkk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kceehijb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooljkbfj.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmcefhll.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hepffelp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aediaoae.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkckihel.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfjeppd.dll" Dibjec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceefg32.dll" Eaoadb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpgcfmge.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pddbni32.dll" Nqngkcjm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjoheb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcijbch.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oogolo32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found
-
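The registry IoCs above record one persistence mechanism in two halves that the report lists separately: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" whose data is a CLSID, and that CLSID's InProcServer32 default value, which is the DLL Explorer.exe loads when it processes SSODL at logon. Read together they show the same CLSID being re-pointed, by one dropped process after another, at differently named DLLs under SysWow64. The following Python is an added example, not the sandbox's own tooling: it joins the two halves from a constructed sample of the report's own lines and flags an entry when its CLSID has been pointed at more than one DLL or written by more than one process. The function names and the `is_suspicious` heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the report's own "Key created" / "Set value" IoC
# lines, one per line (the report runs them together into a single block of text).
# "Process not Found" is how the sandbox names a writer it could not attribute.
SAMPLE_LINES = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijokcl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faanibeh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gknhlj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahfkah32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfikeg32.dll" Aopcnbfj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkcjchco.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmmjof.dll" Oobkna32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbhdic32.dll" Ddkdkk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooljkbfj.dll" Process not Found
""".strip().splitlines()

# Row shape: Set value (<type>) <key>\<name> = "<data>" <writer>. The value path may
# contain spaces ("Web Event Logger") and the writer may be the phrase "Process not Found".
SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<data>[^"]*)" (?P<writer>.+)$'
)
# The InProcServer32 subkey of a CLSID; group 1 is the CLSID itself.
CLSID_SERVER = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)


def split_value_path(path):
    """Split '\\...\\Key\\Name' into (key, name); a trailing '\\' means the default value."""
    key, _, name = path.rpartition("\\")
    return key, name


def is_suspicious(dlls, entry_writers, server_writers):
    """Heuristic (this example's own): a legitimate SSODL entry is installed once,
    by one process, and its CLSID points at one DLL."""
    return len(dlls) > 1 or len(entry_writers) > 1 or len(server_writers) > 1


def resolve_ssodl(lines):
    """Join SSODL name -> CLSID with CLSID -> InProcServer32 DLL from report IoC lines."""
    entries = defaultdict(lambda: {"clsids": set(), "writers": set()})
    servers = defaultdict(lambda: {"dlls": set(), "writers": set()})
    for line in lines:
        m = SET_VALUE.match(line.strip())
        if not m:
            continue  # "Key created" lines carry no value data
        key, name = split_value_path(m["path"])
        if key.lower().endswith("\\shellserviceobjectdelayload"):
            entries[name]["clsids"].add(m["data"].upper())
            entries[name]["writers"].add(m["writer"])
            continue
        c = CLSID_SERVER.search(key)
        if c and name == "":  # default value of InProcServer32 = DLL path
            # the report escapes backslashes in value data; undo that
            servers[c.group(1).upper()]["dlls"].add(m["data"].replace("\\\\", "\\"))
            servers[c.group(1).upper()]["writers"].add(m["writer"])
    findings = []
    for name, info in sorted(entries.items()):
        for clsid in sorted(info["clsids"]):
            srv = servers.get(clsid, {"dlls": set(), "writers": set()})
            dlls = sorted(srv["dlls"])
            findings.append({
                "name": name,
                "clsid": clsid,
                "dlls": dlls,
                "entry_writers": sorted(info["writers"]),
                "server_writers": sorted(srv["writers"]),
                "suspicious": is_suspicious(dlls, info["writers"], srv["writers"]),
            })
    return findings


if __name__ == "__main__":
    for f in resolve_ssodl(SAMPLE_LINES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'[{flag}] SSODL "{f["name"]}" -> {f["clsid"]}')
        for dll in f["dlls"]:
            print("    InProcServer32 ->", dll)
        print("    written by:", ", ".join(sorted(set(f["entry_writers"]) | set(f["server_writers"]))))
```

On a live host the same join is done against the two keys the report names: the SSODL values under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and the non-Wow6432Node key for 64-bit Explorer) and each CLSID's HKLM\SOFTWARE\Classes\...\CLSID\{...}\InProcServer32 default value; for the run above the resolved DLL is whichever of the dropped names was written last, and the "Process not Found" writers mean the sandbox could not attribute some of those writes.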
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1020 wrote to memory of 2316 1020 15c7697699408eb34da98c204337c5a0N.exe 29
PID 1020 wrote to memory of 2316 1020 15c7697699408eb34da98c204337c5a0N.exe 29
PID 1020 wrote to memory of 2316 1020 15c7697699408eb34da98c204337c5a0N.exe 29
PID 1020 wrote to memory of 2316 1020 15c7697699408eb34da98c204337c5a0N.exe 29
PID 2316 wrote to memory of 2016 2316 Kjhajo32.exe 30
PID 2316 wrote to memory of 2016 2316 Kjhajo32.exe 30
PID 2316 wrote to memory of 2016 2316 Kjhajo32.exe 30
PID 2316 wrote to memory of 2016 2316 Kjhajo32.exe 30
PID 2016 wrote to memory of 2768 2016 Kdmehh32.exe 31
PID 2016 wrote to memory of 2768 2016 Kdmehh32.exe 31
PID 2016 wrote to memory of 2768 2016 Kdmehh32.exe 31
PID 2016 wrote to memory of 2768 2016 Kdmehh32.exe 31
PID 2768 wrote to memory of 2884 2768 Lgladc32.exe 32
PID 2768 wrote to memory of 2884 2768 Lgladc32.exe 32
PID 2768 wrote to memory of 2884 2768 Lgladc32.exe 32
PID 2768 wrote to memory of 2884 2768 Lgladc32.exe 32
PID 2884 wrote to memory of 2832 2884 Lmhjlj32.exe 33
PID 2884 wrote to memory of 2832 2884 Lmhjlj32.exe 33
PID 2884 wrote to memory of 2832 2884 Lmhjlj32.exe 33
PID 2884 wrote to memory of 2832 2884 Lmhjlj32.exe 33
PID 2832 wrote to memory of 2628 2832 Lcbbidgl.exe 34
PID 2832 wrote to memory of 2628 2832 Lcbbidgl.exe 34
PID 2832 wrote to memory of 2628 2832 Lcbbidgl.exe 34
PID 2832 wrote to memory of 2628 2832 Lcbbidgl.exe 34
PID 2628 wrote to memory of 928 2628 Lgnnicpe.exe 35
PID 2628 wrote to memory of 928 2628 Lgnnicpe.exe 35
PID 2628 wrote to memory of 928 2628 Lgnnicpe.exe 35
PID 2628 wrote to memory of 928 2628 Lgnnicpe.exe 35
PID 928 wrote to memory of 1208 928 Lmkgajnm.exe 36
PID 928 wrote to memory of 1208 928 Lmkgajnm.exe 36
PID 928 wrote to memory of 1208 928 Lmkgajnm.exe 36
PID 928 wrote to memory of 1208 928 Lmkgajnm.exe 36
PID 1208 wrote to memory of 2204 1208 Lceond32.exe 37
PID 1208 wrote to memory of 2204 1208 Lceond32.exe 37
PID 1208 wrote to memory of 2204 1208 Lceond32.exe 37
PID 1208 wrote to memory of 2204 1208 Lceond32.exe 37
PID 2204 wrote to memory of 2100 2204 Lgpkobnb.exe 38
PID 2204 wrote to memory of 2100 2204 Lgpkobnb.exe 38
PID 2204 wrote to memory of 2100 2204 Lgpkobnb.exe 38
PID 2204 wrote to memory of 2100 2204 Lgpkobnb.exe 38
PID 2100 wrote to memory of 2632 2100 Liaggk32.exe 39
PID 2100 wrote to memory of 2632 2100 Liaggk32.exe 39
PID 2100 wrote to memory of 2632 2100 Liaggk32.exe 39
PID 2100 wrote to memory of 2632 2100 Liaggk32.exe 39
PID 2632 wrote to memory of 2896 2632 Lqiohh32.exe 40
PID 2632 wrote to memory of 2896 2632 Lqiohh32.exe 40
PID 2632 wrote to memory of 2896 2632 Lqiohh32.exe 40
PID 2632 wrote to memory of 2896 2632 Lqiohh32.exe 40
PID 2896 wrote to memory of 2212 2896 Lcgldc32.exe 41
PID 2896 wrote to memory of 2212 2896 Lcgldc32.exe 41
PID 2896 wrote to memory of 2212 2896 Lcgldc32.exe 41
PID 2896 wrote to memory of 2212 2896 Lcgldc32.exe 41
PID 2212 wrote to memory of 1748 2212 Ljadqn32.exe 42
PID 2212 wrote to memory of 1748 2212 Ljadqn32.exe 42
PID 2212 wrote to memory of 1748 2212 Ljadqn32.exe 42
PID 2212 wrote to memory of 1748 2212 Ljadqn32.exe 42
PID 1748 wrote to memory of 3028 1748 Lkbphfab.exe 43
PID 1748 wrote to memory of 3028 1748 Lkbphfab.exe 43
PID 1748 wrote to memory of 3028 1748 Lkbphfab.exe 43
PID 1748 wrote to memory of 3028 1748 Lkbphfab.exe 43
PID 3028 wrote to memory of 864 3028 Lcihicad.exe 44
PID 3028 wrote to memory of 864 3028 Lcihicad.exe 44
PID 3028 wrote to memory of 864 3028 Lcihicad.exe 44
PID 3028 wrote to memory of 864 3028 Lcihicad.exe 44
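The WriteProcessMemory list above, and the Processes tree that follows it, describe the same thing from two angles: every stage drops a freshly named executable into SysWOW64, starts it, and writes into its memory (four calls per child here) before that child repeats the cycle. The following Python is an added example, not part of the sandbox's own output: it parses a constructed sample of the report's IoC rows, collapses the repeated rows into one edge per parent/child pair, walks the edges from the root to recover the lineage, and checks that no image name repeats along the chain. The function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first four parent/child pairs from the WriteProcessMemory
# list above, as the single run of text the report presents them in. As in the
# report, each pair is listed four times (one row per WriteProcessMemory call).
SAMPLE_TEXT = (
    "PID 1020 wrote to memory of 2316 1020 15c7697699408eb34da98c204337c5a0N.exe 29 " * 4
    + "PID 2316 wrote to memory of 2016 2316 Kjhajo32.exe 30 " * 4
    + "PID 2016 wrote to memory of 2768 2016 Kdmehh32.exe 31 " * 4
    + "PID 2768 wrote to memory of 2884 2768 Lgladc32.exe 32 " * 4
)

# Columns: "PID <src> wrote to memory of <dst>" <pid> <process image> <procid_target>.
# <pid> repeats <src>; <procid_target> is the sandbox's own index for <dst>, not a PID.
WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm(text):
    """Collapse the repeated rows into {(src_pid, dst_pid): (src_image, call_count)}."""
    images, calls = {}, Counter()
    for src, dst, pid, image, _target in WPM.findall(text):
        if src != pid:
            continue  # malformed row: the pid column must repeat the source PID
        edge = (int(src), int(dst))
        images[edge] = image
        calls[edge] += 1
    return {edge: (images[edge], calls[edge]) for edge in images}


def build_lineage(edges):
    """Walk writer -> target edges from the root; returns [(depth, src_pid, src_image, dst_pid)]."""
    children = defaultdict(list)
    for (src, dst), (image, _calls) in edges.items():
        children[src].append((dst, image))
    targets = {dst for _src, dst in edges}
    roots = sorted(pid for pid in children if pid not in targets)
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    lineage = []

    def walk(pid, depth, seen):
        for dst, image in sorted(children.get(pid, [])):
            if dst in seen:
                continue  # a reused PID would otherwise make this loop forever
            lineage.append((depth, pid, image, dst))
            walk(dst, depth + 1, seen | {dst})

    walk(roots[0], 1, {roots[0]})
    return lineage


def every_stage_is_new_image(lineage):
    """True when no image name repeats along the chain (each hop is a freshly dropped EXE)."""
    images = [image for _depth, _src, image, _dst in lineage]
    return len(set(images)) == len(images)


def render(lineage):
    """'1020 <image> -> 2316 <image> -> ... -> <last target pid>'."""
    if not lineage:
        return ""
    parts = [f"{src} {image}" for _depth, src, image, _dst in lineage]
    parts.append(str(lineage[-1][3]))
    return " -> ".join(parts)


if __name__ == "__main__":
    edges = parse_wpm(SAMPLE_TEXT)
    lineage = build_lineage(edges)
    print(render(lineage))
    print("depth:", lineage[-1][0], "| calls per hop:", [edges[(s, d)][1] for _, s, _, d in lineage])
    print("every hop is a different image:", every_stage_is_new_image(lineage))
```

Fed the full list, the walk reproduces the first sixteen hops of the Processes tree below (1020 through 864); the remaining stages appear only in the tree because the report caps each signature at 64 IoCs. A chain in which every parent writes into a child that is a different, newly created executable under SysWOW64 is the pattern to alert on, independent of the random eight-letter names.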
Processes
-
Each entry below is the child of the entry above it; the leading number is its depth in the process tree. Each line gives the image path, the command line it was started with, and its PID, with the signatures matched on that process listed beneath it.

1. C:\Users\Admin\AppData\Local\Temp\15c7697699408eb34da98c204337c5a0N.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\15c7697699408eb34da98c204337c5a0N.exe"  PID:1020
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Kjhajo32.exe  cmd: C:\Windows\system32\Kjhajo32.exe  PID:2316
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Kdmehh32.exe  cmd: C:\Windows\system32\Kdmehh32.exe  PID:2016
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lgladc32.exe  cmd: C:\Windows\system32\Lgladc32.exe  PID:2768
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lmhjlj32.exe  cmd: C:\Windows\system32\Lmhjlj32.exe  PID:2884
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lcbbidgl.exe  cmd: C:\Windows\system32\Lcbbidgl.exe  PID:2832
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Lgnnicpe.exe  cmd: C:\Windows\system32\Lgnnicpe.exe  PID:2628
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Lmkgajnm.exe  cmd: C:\Windows\system32\Lmkgajnm.exe  PID:928
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Lceond32.exe  cmd: C:\Windows\system32\Lceond32.exe  PID:1208
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Lgpkobnb.exe  cmd: C:\Windows\system32\Lgpkobnb.exe  PID:2204
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Liaggk32.exe  cmd: C:\Windows\system32\Liaggk32.exe  PID:2100
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lqiohh32.exe  cmd: C:\Windows\system32\Lqiohh32.exe  PID:2632
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Lcgldc32.exe  cmd: C:\Windows\system32\Lcgldc32.exe  PID:2896
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ljadqn32.exe  cmd: C:\Windows\system32\Ljadqn32.exe  PID:2212
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Lkbphfab.exe  cmd: C:\Windows\system32\Lkbphfab.exe  PID:1748
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Lcihicad.exe  cmd: C:\Windows\system32\Lcihicad.exe  PID:3028
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Lekeak32.exe  cmd: C:\Windows\system32\Lekeak32.exe  PID:864
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Lmbmbi32.exe  cmd: C:\Windows\system32\Lmbmbi32.exe  PID:3032
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Mppiod32.exe  cmd: C:\Windows\system32\Mppiod32.exe  PID:2176
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Mboekp32.exe  cmd: C:\Windows\system32\Mboekp32.exe  PID:1776
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Mfjaknoe.exe  cmd: C:\Windows\system32\Mfjaknoe.exe  PID:1012
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Mgkncfdc.exe  cmd: C:\Windows\system32\Mgkncfdc.exe  PID:2348
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Mpbfddef.exe  cmd: C:\Windows\system32\Mpbfddef.exe  PID:2388
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Madbll32.exe  cmd: C:\Windows\system32\Madbll32.exe  PID:904
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Mikjmi32.exe  cmd: C:\Windows\system32\Mikjmi32.exe  PID:752
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Mjlgdaad.exe  cmd: C:\Windows\system32\Mjlgdaad.exe  PID:1440
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Mnhbep32.exe  cmd: C:\Windows\system32\Mnhbep32.exe  PID:2452
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
28. C:\Windows\SysWOW64\Mcdkmg32.exe  cmd: C:\Windows\system32\Mcdkmg32.exe  PID:2724
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Mnjokphk.exe  cmd: C:\Windows\system32\Mnjokphk.exe  PID:2868
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Mahlgkgo.exe  cmd: C:\Windows\system32\Mahlgkgo.exe  PID:2864
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Medggj32.exe  cmd: C:\Windows\system32\Medggj32.exe  PID:2800
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Mjappa32.exe  cmd: C:\Windows\system32\Mjappa32.exe  PID:2592
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Mnllppfh.exe  cmd: C:\Windows\system32\Mnllppfh.exe  PID:2616
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Mpnhhh32.exe  cmd: C:\Windows\system32\Mpnhhh32.exe  PID:2808
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Nmaialjp.exe  cmd: C:\Windows\system32\Nmaialjp.exe  PID:2484
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Namebk32.exe  cmd: C:\Windows\system32\Namebk32.exe  PID:2432
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Njeikpij.exe  cmd: C:\Windows\system32\Njeikpij.exe  PID:2920
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Nmdfglhm.exe  cmd: C:\Windows\system32\Nmdfglhm.exe  PID:2908
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Nfljpa32.exe  cmd: C:\Windows\system32\Nfljpa32.exe  PID:1784
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\Windows\SysWOW64\Neojknfh.exe  cmd: C:\Windows\system32\Neojknfh.exe  PID:1232
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Nlibhhme.exe  cmd: C:\Windows\system32\Nlibhhme.exe  PID:796
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Nogodcli.exe  cmd: C:\Windows\system32\Nogodcli.exe  PID:2408
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Nbckeb32.exe  cmd: C:\Windows\system32\Nbckeb32.exe  PID:2080
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Nlkonhkb.exe  cmd: C:\Windows\system32\Nlkonhkb.exe  PID:1068
   - Executes dropped EXE
   - Drops file in System32 directory
45. C:\Windows\SysWOW64\Nojljcjf.exe  cmd: C:\Windows\system32\Nojljcjf.exe  PID:1592
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Neddfm32.exe  cmd: C:\Windows\system32\Neddfm32.exe  PID:2340
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Niopgljl.exe  cmd: C:\Windows\system32\Niopgljl.exe  PID:1616
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Nhbpbi32.exe  cmd: C:\Windows\system32\Nhbpbi32.exe  PID:3044
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Nolhoc32.exe  cmd: C:\Windows\system32\Nolhoc32.exe  PID:2220
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Oakdkn32.exe  cmd: C:\Windows\system32\Oakdkn32.exe  PID:2496
   - Executes dropped EXE
   - Modifies registry class
51. C:\Windows\SysWOW64\Oefqlmpq.exe  cmd: C:\Windows\system32\Oefqlmpq.exe  PID:2784
   - Executes dropped EXE
   - Drops file in System32 directory
52. C:\Windows\SysWOW64\Ohdmhhod.exe  cmd: C:\Windows\system32\Ohdmhhod.exe  PID:2880
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Olpiig32.exe  cmd: C:\Windows\system32\Olpiig32.exe  PID:2740
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Oooeeb32.exe  cmd: C:\Windows\system32\Oooeeb32.exe  PID:2368
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Omaepoml.exe  cmd: C:\Windows\system32\Omaepoml.exe  PID:2928
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Oehmamnn.exe  cmd: C:\Windows\system32\Oehmamnn.exe  PID:2516
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Ogjjie32.exe  cmd: C:\Windows\system32\Ogjjie32.exe  PID:2280
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Okefjcle.exe  cmd: C:\Windows\system32\Okefjcle.exe  PID:2984
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Omdbfo32.exe  cmd: C:\Windows\system32\Omdbfo32.exe  PID:2936
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Oaonfncb.exe  cmd: C:\Windows\system32\Oaonfncb.exe  PID:1724
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
61. C:\Windows\SysWOW64\Opbnbj32.exe  cmd: C:\Windows\system32\Opbnbj32.exe  PID:2228
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Ohifch32.exe  cmd: C:\Windows\system32\Ohifch32.exe  PID:2492
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Oglfodai.exe  cmd: C:\Windows\system32\Oglfodai.exe  PID:2460
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Oijbkpqm.exe  cmd: C:\Windows\system32\Oijbkpqm.exe  PID:1292
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Omfoko32.exe  cmd: C:\Windows\system32\Omfoko32.exe  PID:920
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Occgce32.exe  cmd: C:\Windows\system32\Occgce32.exe  PID:584
   - System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Okjoec32.exe  cmd: C:\Windows\system32\Okjoec32.exe  PID:1148
68. C:\Windows\SysWOW64\Oimpppoj.exe  cmd: C:\Windows\system32\Oimpppoj.exe  PID:2684
69. C:\Windows\SysWOW64\Onhkan32.exe  cmd: C:\Windows\system32\Onhkan32.exe  PID:2900
70. C:\Windows\SysWOW64\Opghmjfg.exe  cmd: C:\Windows\system32\Opghmjfg.exe  PID:2688
71. C:\Windows\SysWOW64\Ocedieek.exe  cmd: C:\Windows\system32\Ocedieek.exe  PID:2056
   - Adds autorun key to be loaded by Explorer.exe on startup
72. C:\Windows\SysWOW64\Oecpeqdo.exe  cmd: C:\Windows\system32\Oecpeqdo.exe  PID:2364
   - Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Oiolfo32.exe  cmd: C:\Windows\system32\Oiolfo32.exe  PID:2472
   - Adds autorun key to be loaded by Explorer.exe on startup
74. C:\Windows\SysWOW64\Ppidbidd.exe  cmd: C:\Windows\system32\Ppidbidd.exe  PID:2976
75. C:\Windows\SysWOW64\Poldnf32.exe  cmd: C:\Windows\system32\Poldnf32.exe  PID:2044
76. C:\Windows\SysWOW64\Pgcmoc32.exe  cmd: C:\Windows\system32\Pgcmoc32.exe  PID:1948
77. C:\Windows\SysWOW64\Piaiko32.exe  cmd: C:\Windows\system32\Piaiko32.exe  PID:1016
78. C:\Windows\SysWOW64\Plpehj32.exe  cmd: C:\Windows\system32\Plpehj32.exe  PID:2352
   - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Ponadfim.exe  cmd: C:\Windows\system32\Ponadfim.exe  PID:2060
80. C:\Windows\SysWOW64\Pcjmdd32.exe  cmd: C:\Windows\system32\Pcjmdd32.exe  PID:1968
81. C:\Windows\SysWOW64\Pamnpahp.exe  cmd: C:\Windows\system32\Pamnpahp.exe  PID:2076
82. C:\Windows\SysWOW64\Pehiqp32.exe  cmd: C:\Windows\system32\Pehiqp32.exe  PID:2764
83. C:\Windows\SysWOW64\Phgfmk32.exe  cmd: C:\Windows\system32\Phgfmk32.exe  PID:2720
84. C:\Windows\SysWOW64\Pkebig32.exe  cmd: C:\Windows\system32\Pkebig32.exe  PID:2312
85. C:\Windows\SysWOW64\Poqniegj.exe  cmd: C:\Windows\system32\Poqniegj.exe  PID:2748
86. C:\Windows\SysWOW64\Pcljjd32.exe  cmd: C:\Windows\system32\Pcljjd32.exe  PID:2576
87. C:\Windows\SysWOW64\Pekffp32.exe  cmd: C:\Windows\system32\Pekffp32.exe  PID:2088
88. C:\Windows\SysWOW64\Phibbk32.exe  cmd: C:\Windows\system32\Phibbk32.exe  PID:1228
89. C:\Windows\SysWOW64\Pldobjec.exe  cmd: C:\Windows\system32\Pldobjec.exe  PID:2960
90. C:\Windows\SysWOW64\Pockoeeg.exe  cmd: C:\Windows\system32\Pockoeeg.exe  PID:1648
91. C:\Windows\SysWOW64\Pnfkjb32.exe  cmd: C:\Windows\system32\Pnfkjb32.exe  PID:1980
92. C:\Windows\SysWOW64\Pfmclold.exe  cmd: C:\Windows\system32\Pfmclold.exe  PID:1140
93. C:\Windows\SysWOW64\Phkohkkh.exe  cmd: C:\Windows\system32\Phkohkkh.exe  PID:1992
94. C:\Windows\SysWOW64\Pkjkdfjk.exe  cmd: C:\Windows\system32\Pkjkdfjk.exe  PID:2084
95. C:\Windows\SysWOW64\Padcqp32.exe  cmd: C:\Windows\system32\Padcqp32.exe  PID:832
96. C:\Windows\SysWOW64\Pqfdlmic.exe  cmd: C:\Windows\system32\Pqfdlmic.exe  PID:2780
97. C:\Windows\SysWOW64\Qdbpml32.exe  cmd: C:\Windows\system32\Qdbpml32.exe  PID:2600
98. C:\Windows\SysWOW64\Qgqlig32.exe  cmd: C:\Windows\system32\Qgqlig32.exe  PID:756
99. C:\Windows\SysWOW64\Qjoheb32.exe  cmd: C:\Windows\system32\Qjoheb32.exe  PID:816
   - Modifies registry class
100. C:\Windows\SysWOW64\Qbfqfppe.exe  cmd: C:\Windows\system32\Qbfqfppe.exe  PID:2844
101. C:\Windows\SysWOW64\Qddmbkoi.exe  cmd: C:\Windows\system32\Qddmbkoi.exe  PID:2236
102. C:\Windows\SysWOW64\Qcgmnh32.exe  cmd: C:\Windows\system32\Qcgmnh32.exe  PID:1744
103. C:\Windows\SysWOW64\Qkoeoe32.exe  cmd: C:\Windows\system32\Qkoeoe32.exe  PID:2376
104. C:\Windows\SysWOW64\Qnmaka32.exe  cmd: C:\Windows\system32\Qnmaka32.exe  PID:328
105. C:\Windows\SysWOW64\Qmpafnld.exe  cmd: C:\Windows\system32\Qmpafnld.exe  PID:908
   - Adds autorun key to be loaded by Explorer.exe on startup
106. C:\Windows\SysWOW64\Aqkmgl32.exe  cmd: C:\Windows\system32\Aqkmgl32.exe  PID:2208
107. C:\Windows\SysWOW64\Acjjch32.exe  cmd: C:\Windows\system32\Acjjch32.exe  PID:2732
108. C:\Windows\SysWOW64\Ageedflj.exe  cmd: C:\Windows\system32\Ageedflj.exe  PID:2272
109. C:\Windows\SysWOW64\Ajcbpbkn.exe  cmd: C:\Windows\system32\Ajcbpbkn.exe  PID:2568
110. C:\Windows\SysWOW64\Ambnlmja.exe  cmd: C:\Windows\system32\Ambnlmja.exe  PID:2064
111. C:\Windows\SysWOW64\Aoqjhiie.exe  cmd: C:\Windows\system32\Aoqjhiie.exe  PID:2828
112. C:\Windows\SysWOW64\Aggbif32.exe  cmd: C:\Windows\system32\Aggbif32.exe  PID:2988
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Ajfoea32.exe  cmd: C:\Windows\system32\Ajfoea32.exe  PID:2296
114. C:\Windows\SysWOW64\Amdkam32.exe  cmd: C:\Windows\system32\Amdkam32.exe  PID:2140
115. C:\Windows\SysWOW64\Aqpgblqh.exe  cmd: C:\Windows\system32\Aqpgblqh.exe  PID:2540
116. C:\Windows\SysWOW64\Acncngpl.exe  cmd: C:\Windows\system32\Acncngpl.exe  PID:676
117. C:\Windows\SysWOW64\Abacjd32.exe  cmd: C:\Windows\system32\Abacjd32.exe  PID:2708
118. C:\Windows\SysWOW64\Ajhkka32.exe  cmd: C:\Windows\system32\Ajhkka32.exe  PID:2888
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Aikkgnnc.exe  cmd: C:\Windows\system32\Aikkgnnc.exe  PID:2640
120. C:\Windows\SysWOW64\Akjhcimg.exe  cmd: C:\Windows\system32\Akjhcimg.exe  PID:2676
121. C:\Windows\SysWOW64\Acqpdgni.exe  cmd: C:\Windows\system32\Acqpdgni.exe  PID:2344
122. C:\Windows\SysWOW64\Afolpb32.exe  cmd: C:\Windows\system32\Afolpb32.exe  PID:2396