Analysis

max time kernel: 116s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29/08/2024, 12:00

Static task: static1
Behavioral task: behavioral1
  Sample: ebb07d55cd8f87c63b9d371caf8c8d50N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ebb07d55cd8f87c63b9d371caf8c8d50N.exe
  Resource: win10v2004-20240802-en

General

Target: ebb07d55cd8f87c63b9d371caf8c8d50N.exe
Size: 55KB
MD5: ebb07d55cd8f87c63b9d371caf8c8d50
SHA1: 89c1c723c4afa50ecd4bcb6a2f948509b9a2c7f9
SHA256: d22dfa8e73aecfe598a797bca09ab7be816e8783155c241acb73c158ab2e46f8
SHA512: b769e80a1544924f6639ab64e8fd27cd23c98c34b1285bd239b4760915c6974ebf9d84d50a2740610d1e248ab400ccfe3177bdeda54afeb58692bd64712453f7
SSDEEP: 1536:WA4fGrtL32TNm4RWGOTxm2tWnuoINSoNSd0A3shxD6:x4+5S7yNmcWnvINXNW0A8hh
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Explorer.exe enumerates HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (SSODL) when the shell starts and instantiates every CLSID listed there as an in-process COM object, so a value that names a CLSID whose InProcServer32 is a dropped DLL (see "Modifies registry class" below) gets that DLL loaded into explorer.exe at each logon. All 64 events target one value name, "Web Event Logger", and one CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}. Because the sample is 32-bit, WoW64 registry redirection puts the writes under Wow6432Node; the 64-bit explorer.exe on this x64 image reads the native key, so the mechanism is fully effective on 32-bit Windows, and a host check must look at both registry views. "Process not Found" marks events whose writing process had already exited when the event was attributed.

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 40 events: Jkfkjemd.exe, Pokndp32.exe, Gbecce32.exe, Bagncl32.exe, Jiaaaicm.exe, Djffihmp.exe, Kanhph32.exe, Aeommfnf.exe, Hfnmdo32.exe, Ehiiop32.exe, Abfonl32.exe, Okjdfq32.exe, Eenckc32.exe, Flkjffkm.exe, Lgjfmlkm.exe, Opokbdhc.exe, Keohie32.exe, Oeklpeco.exe, Qipmdhcj.exe, Nipgab32.exe, Bckidl32.exe, Mgkghp32.exe, Cfmjoe32.exe, Qiclcp32.exe, Mcmpkj32.exe, Iodlcnmf.exe, Dcgmgh32.exe, Ndoenlcf.exe, Hpfamd32.exe, Olqkapoa.exe, Plfhfiqc.exe, and 9 x Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 24 events: Foacmg32.exe, Okmceiii.exe, Ghcdpjqj.exe, Afhfpc32.exe, Kpkocpjj.exe, Apgcbmha.exe, Lafekm32.exe, Gnlbpman.exe, Falakjag.exe, Acjllqke.exe, Kpndlobg.exe, Bhglpqeo.exe, Amjkgbhe.exe, Bieegcid.exe, Ncnplogn.exe, Lmjbphod.exe, Oeklpeco.exe, and 7 x Process not Found
Executes dropped EXE 64 IoCs
The list is capped at 64 entries; later sections name processes that are not in it (Jkfkjemd.exe, Iimhfj32.exe, ...), so the chain of dropped executables is longer than shown here.
pid Process
2412 Mgdmeh32.exe | 2832 Mmafmo32.exe | 3024 Mfijfdca.exe | 2636 Njipabhe.exe
2608 Necqbp32.exe | 2356 Niaihojk.exe | 1800 Nnnbqeib.exe | 2908 Nlabjj32.exe
2956 Ododdlcd.exe | 2652 Ohmljj32.exe | 3044 Oiqegb32.exe | 1388 Oegflcbj.exe
1124 Pfgcff32.exe | 2428 Phklcn32.exe | 2260 Pacqlcdi.exe | 1964 Peaibajp.exe
2244 Ppjjcogn.exe | 2220 Qpmgho32.exe | 820 Qlcgmpkp.exe | 1448 Acnpjj32.exe
1560 Apapcnaf.exe | 1708 Aaeiqf32.exe | 948 Aknnil32.exe | 2696 Almjcobe.exe
2448 Adhohapp.exe | 868 Bhfhnofg.exe | 652 Bncpffdn.exe | 2716 Bjjakg32.exe
1660 Boifinfg.exe | 2772 Biakbc32.exe | 3004 Cfekkgla.exe | 2668 Cbllph32.exe
2844 Cihqbb32.exe | 2896 Djcpqidc.exe | 2472 Djemfibq.exe | 2316 Dlfina32.exe
2712 Dijjgegh.exe | 2576 Ehpgha32.exe | 3048 Ehbcnajn.exe | 1884 Ebghkjjc.exe
1696 Elpldp32.exe | 2180 Edkahbmo.exe | 1728 Ehiiop32.exe | 592 Epdncb32.exe
2128 Flkohc32.exe | 912 Feccqime.exe | 2580 Fcgdjmlo.exe | 1016 Fialggcl.exe
2192 Fondonbc.exe | 2372 Falakjag.exe | 864 Flbehbqm.exe | 1792 Faonqiod.exe
2760 Fldbnb32.exe | 3040 Gnenfjdh.exe | 2176 Gdpfbd32.exe | 2644 Gnhkkjbf.exe
2324 Gdbchd32.exe | 1564 Gjolpkhj.exe | 2892 Gqidme32.exe | 884 Gqkqbe32.exe
1740 Gfhikl32.exe | 2416 Gopnca32.exe | 2432 Hfjfpkji.exe | 2496 Hhhblgim.exe
Loads dropped DLL 64 IoCs
Each pid is listed twice in the source (two load events per process); with the 64-entry cap that covers the original sample and the first 31 dropped executables.
pid Process
3012 ebb07d55cd8f87c63b9d371caf8c8d50N.exe | 2412 Mgdmeh32.exe | 2832 Mmafmo32.exe | 3024 Mfijfdca.exe
2636 Njipabhe.exe | 2608 Necqbp32.exe | 2356 Niaihojk.exe | 1800 Nnnbqeib.exe
2908 Nlabjj32.exe | 2956 Ododdlcd.exe | 2652 Ohmljj32.exe | 3044 Oiqegb32.exe
1388 Oegflcbj.exe | 1124 Pfgcff32.exe | 2428 Phklcn32.exe | 2260 Pacqlcdi.exe
1964 Peaibajp.exe | 2244 Ppjjcogn.exe | 2220 Qpmgho32.exe | 820 Qlcgmpkp.exe
1448 Acnpjj32.exe | 1560 Apapcnaf.exe | 1708 Aaeiqf32.exe | 948 Aknnil32.exe
2696 Almjcobe.exe | 2448 Adhohapp.exe | 868 Bhfhnofg.exe | 652 Bncpffdn.exe
2716 Bjjakg32.exe | 1660 Boifinfg.exe | 2772 Biakbc32.exe | 3004 Cfekkgla.exe
Drops file in System32 directory 64 IoCs
Every path is under C:\Windows\SysWOW64, the 32-bit system directory (WoW64 file-system redirection maps a 32-bit process's System32 writes there). Two kinds of file are written: the next-stage .exe and the COM server .dll that the CLSID registration under "Modifies registry class" points at; the process that drops a DLL is also the one that registers it (Iimhfj32.exe drops and registers Bichcm32.dll, Hqocej32.exe drops and registers Mjfallhc.dll), and the process that opens the next .exe for modification is its predecessor in the execution chain (Fldbnb32.exe writes Gnenfjdh.exe, which the dropped-EXE list shows starting right after it). Entries are capped at 64.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Lfpllg32.exe | Laccdp32.exe
File created | C:\Windows\SysWOW64\Hqfppfnc.dll | Nchkjhdh.exe
File created | C:\Windows\SysWOW64\Ncjmeinn.dll | Kqaigijk.exe
File created | C:\Windows\SysWOW64\Dpeack32.dll | Nfhpjaba.exe
File opened for modification | C:\Windows\SysWOW64\Mhpgnfpn.exe | Mbcofobg.exe
File opened for modification | C:\Windows\SysWOW64\Fdicfbpl.exe | Fmnoapba.exe
File created | C:\Windows\SysWOW64\Noghgipn.dll | Lcbbidgl.exe
File created | C:\Windows\SysWOW64\Dmpckbci.exe | Dgfkoh32.exe
File opened for modification | C:\Windows\SysWOW64\Mhfckc32.exe | Lonoamqo.exe
File created | C:\Windows\SysWOW64\Jbbpmo32.exe | Jgllof32.exe
File opened for modification | C:\Windows\SysWOW64\Biiljjnk.exe | Belcck32.exe
File created | C:\Windows\SysWOW64\Djmhli32.dll | Process not Found
File created | C:\Windows\SysWOW64\Gegbpe32.exe | Gaiijgbi.exe
File created | C:\Windows\SysWOW64\Kleeqp32.exe | Kpndlobg.exe
File created | C:\Windows\SysWOW64\Deegjo32.exe | Dpiobh32.exe
File created | C:\Windows\SysWOW64\Ibhieo32.exe | Iiodliep.exe
File opened for modification | C:\Windows\SysWOW64\Mfkjnmje.exe | Lgadba32.exe
File created | C:\Windows\SysWOW64\Hhhmki32.exe | Hlamfh32.exe
File created | C:\Windows\SysWOW64\Mjfallhc.dll | Hqocej32.exe
File created | C:\Windows\SysWOW64\Bichcm32.dll | Iimhfj32.exe
File opened for modification | C:\Windows\SysWOW64\Dfjcncak.exe | Dcijmhdj.exe
File created | C:\Windows\SysWOW64\Jkbecc32.exe | Process not Found
File created | C:\Windows\SysWOW64\Kggeijok.dll | Bohoogbk.exe
File opened for modification | C:\Windows\SysWOW64\Plkchdiq.exe | Pjlgna32.exe
File opened for modification | C:\Windows\SysWOW64\Mocjeedn.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Eibikc32.exe | Ebhani32.exe
File created | C:\Windows\SysWOW64\Eomaha32.exe | Ekohac32.exe
File opened for modification | C:\Windows\SysWOW64\Hnocgnoc.exe | Process not Found
File created | C:\Windows\SysWOW64\Fnndco32.dll | Ckdlgq32.exe
File created | C:\Windows\SysWOW64\Abpblame.dll | Beibln32.exe
File created | C:\Windows\SysWOW64\Jdcbfbbl.dll | Icohfi32.exe
File created | C:\Windows\SysWOW64\Anpekggc.exe | Qiclcp32.exe
File created | C:\Windows\SysWOW64\Ieegpg32.dll | Eghflc32.exe
File created | C:\Windows\SysWOW64\Edbonh32.exe | Ekjjebed.exe
File opened for modification | C:\Windows\SysWOW64\Mhdcbjal.exe | Mcendc32.exe
File created | C:\Windows\SysWOW64\Dffbcq32.dll | Ephhmn32.exe
File opened for modification | C:\Windows\SysWOW64\Hekhid32.exe | Gidgdcli.exe
File opened for modification | C:\Windows\SysWOW64\Iaqnbb32.exe | Iejnna32.exe
File created | C:\Windows\SysWOW64\Olclimif.exe | Ogfdpfjo.exe
File created | C:\Windows\SysWOW64\Ldcnnnje.dll | Faonqiod.exe
File created | C:\Windows\SysWOW64\Klpjgbfb.dll | Djemfibq.exe
File created | C:\Windows\SysWOW64\Hgomej32.dll | Process not Found
File created | C:\Windows\SysWOW64\Kikfbm32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Abogpiod.exe | Process not Found
File created | C:\Windows\SysWOW64\Agdfjc32.dll | Adhohapp.exe
File created | C:\Windows\SysWOW64\Aajedn32.exe | Aoilcc32.exe
File created | C:\Windows\SysWOW64\Cdmgkl32.exe | Copobe32.exe
File created | C:\Windows\SysWOW64\Dbighojl.exe | Dbgjbo32.exe
File opened for modification | C:\Windows\SysWOW64\Jifkmh32.exe | Jnafop32.exe
File opened for modification | C:\Windows\SysWOW64\Dalffg32.exe | Dhcanahm.exe
File opened for modification | C:\Windows\SysWOW64\Gnenfjdh.exe | Fldbnb32.exe
File created | C:\Windows\SysWOW64\Mbbaejnm.dll | Eadejede.exe
File created | C:\Windows\SysWOW64\Fdockgqp.exe | Fkfobbjo.exe
File created | C:\Windows\SysWOW64\Gmplenhh.dll | Pqaanoah.exe
File created | C:\Windows\SysWOW64\Hinlck32.exe | Hhnpih32.exe
File opened for modification | C:\Windows\SysWOW64\Ikinjj32.exe | Iapjad32.exe
File opened for modification | C:\Windows\SysWOW64\Peoanckj.exe | Pkglenej.exe
File opened for modification | C:\Windows\SysWOW64\Eomaha32.exe | Ekohac32.exe
File created | C:\Windows\SysWOW64\Fpgdlj32.dll | Process not Found
File created | C:\Windows\SysWOW64\Lmnikd32.dll | Pemedh32.exe
File opened for modification | C:\Windows\SysWOW64\Iiflgi32.exe | Iopgjp32.exe
File created | C:\Windows\SysWOW64\Fmlbgc32.dll | Almjcobe.exe
File created | C:\Windows\SysWOW64\Oonbnfio.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Glhjpjok.exe | Gpaikiig.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2952 | 2472 | Process not Found | 1393
pid_target 2472 corresponds to Djemfibq.exe in the dropped-EXE list above, i.e. one link of the chain crashed during the run.
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. On its own this is a low-confidence signal: the NLS\Language key is commonly read during ordinary locale initialisation, so the signature fires for many benign binaries. Here it is mainly useful as corroboration that the listed dropped executables actually ran.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64 events: Nhbnjpic.exe, Lonoamqo.exe, Apapcnaf.exe, Ohmljj32.exe, Flcjjdpe.exe, Iccqedfa.exe, Hmjagh32.exe, Hjbljh32.exe, Mfkjnmje.exe, Hildollm.exe, Mmafmo32.exe, Nikide32.exe, Gjndha32.exe, Mcendc32.exe, Mjcljlea.exe, Fmkpchmp.exe, Kfflal32.exe, Ggaeae32.exe, ebb07d55cd8f87c63b9d371caf8c8d50N.exe, Okjdfq32.exe, Engnno32.exe, Odpghiqc.exe, Lcnqin32.exe, Meeqkijg.exe, Eqmbca32.exe, Lfhdeoqh.exe, Iggbdb32.exe, Faanibeh.exe, Mknbmm32.exe, Pfabbmeh.exe, Mkpkplih.exe, Ngkfnp32.exe, Kcmfeldm.exe, Jinmco32.exe, Jqjdon32.exe, Condfo32.exe, Jkcoee32.exe, Kigkmmql.exe, Khbmqpii.exe, Olnnlpqd.exe, Kfqpmc32.exe, Iodlcnmf.exe, Adkbgf32.exe, Nkfpefme.exe, Dfaachpa.exe, Ioochn32.exe, Cbllph32.exe, Ebghkjjc.exe, Aikkgnnc.exe, Aiagck32.exe, Pfgcff32.exe, Nahemf32.exe, Ccmdbg32.exe, Fldbnb32.exe, and 10 x Process not Found
Modifies registry class 64 IoCs
These events register the COM server behind the SSODL CLSID: HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 is created, its default value is pointed at a freshly dropped DLL in C:\Windows\SysWow64, and ThreadingModel is set to "Apartment". Every stage re-points the same CLSID at its own DLL, so the DLL names below are transient per-stage artifacts while the CLSID and the "Web Event Logger" value name are the stable indicators. Entries are capped at 64.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 15 events: Nikide32.exe, Ebnlba32.exe, Bmdehgcf.exe, Eebnqcjl.exe, Dffmgqcp.exe, Kqaigijk.exe, Qeihfp32.exe, Chdeonfa.exe, Gebflaga.exe, and 6 x Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 24 events: Gflfidpl.exe, Fcgdjmlo.exe, Noighakn.exe, Higikdhn.exe, Oabdol32.exe, Ngkfnp32.exe, Fogipnjj.exe, Hlamfh32.exe, Mmafmo32.exe, Gjolpkhj.exe, Dbighojl.exe, Lfpllg32.exe, Aeommfnf.exe, Mgqigohb.exe, Ofklpa32.exe, Kfflal32.exe, Peoanckj.exe, Qiqpmp32.exe, and 6 x Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\<dll>" | 25 events, one per DLL (dll, Process):
  Bichcm32.dll Iimhfj32.exe
  Dclbgadl.dll Nbegonmd.exe
  Mampci32.dll Fidkep32.exe
  Fdkqbd32.dll Akhndf32.exe
  Apfibc32.dll Jinmco32.exe
  Ejkdfong.dll Klimcf32.exe
  Kgjhdgmm.dll Ebnlba32.exe
  Hkiacm32.dll Kdefdjnl.exe
  Mjfallhc.dll Hqocej32.exe
  Bppljg32.dll Hhnpih32.exe
  Enjlonlg.dll Process not Found
  Hnlhcobj.dll Hnbgdh32.exe
  Lkhcil32.dll Efgnfi32.exe
  Ioononpl.dll Process not Found
  Lcmpdifa.dll Nnpbinoe.exe
  Qpnqmgej.dll Process not Found
  Ojinqngj.dll Bkmegaaf.exe
  Pmfala32.dll Kblooa32.exe
  Mogmgpjh.dll Kehgkgha.exe
  Ipjpkgoq.dll Gkjbcl32.exe
  Bdhkil32.dll Process not Found
  Nomdahbm.dll Process not Found
  Bondii32.dll Process not Found
  Ajhgfe32.dll Process not Found
  Eapgpd32.dll Apeflmjc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3012 wrote to memory of 2412 3012 ebb07d55cd8f87c63b9d371caf8c8d50N.exe 29
PID 3012 wrote to memory of 2412 3012 ebb07d55cd8f87c63b9d371caf8c8d50N.exe 29
PID 3012 wrote to memory of 2412 3012 ebb07d55cd8f87c63b9d371caf8c8d50N.exe 29
PID 3012 wrote to memory of 2412 3012 ebb07d55cd8f87c63b9d371caf8c8d50N.exe 29
PID 2412 wrote to memory of 2832 2412 Mgdmeh32.exe 30
PID 2412 wrote to memory of 2832 2412 Mgdmeh32.exe 30
PID 2412 wrote to memory of 2832 2412 Mgdmeh32.exe 30
PID 2412 wrote to memory of 2832 2412 Mgdmeh32.exe 30
PID 2832 wrote to memory of 3024 2832 Mmafmo32.exe 31
PID 2832 wrote to memory of 3024 2832 Mmafmo32.exe 31
PID 2832 wrote to memory of 3024 2832 Mmafmo32.exe 31
PID 2832 wrote to memory of 3024 2832 Mmafmo32.exe 31
PID 3024 wrote to memory of 2636 3024 Mfijfdca.exe 32
PID 3024 wrote to memory of 2636 3024 Mfijfdca.exe 32
PID 3024 wrote to memory of 2636 3024 Mfijfdca.exe 32
PID 3024 wrote to memory of 2636 3024 Mfijfdca.exe 32
PID 2636 wrote to memory of 2608 2636 Njipabhe.exe 33
PID 2636 wrote to memory of 2608 2636 Njipabhe.exe 33
PID 2636 wrote to memory of 2608 2636 Njipabhe.exe 33
PID 2636 wrote to memory of 2608 2636 Njipabhe.exe 33
PID 2608 wrote to memory of 2356 2608 Necqbp32.exe 34
PID 2608 wrote to memory of 2356 2608 Necqbp32.exe 34
PID 2608 wrote to memory of 2356 2608 Necqbp32.exe 34
PID 2608 wrote to memory of 2356 2608 Necqbp32.exe 34
PID 2356 wrote to memory of 1800 2356 Niaihojk.exe 35
PID 2356 wrote to memory of 1800 2356 Niaihojk.exe 35
PID 2356 wrote to memory of 1800 2356 Niaihojk.exe 35
PID 2356 wrote to memory of 1800 2356 Niaihojk.exe 35
PID 1800 wrote to memory of 2908 1800 Nnnbqeib.exe 36
PID 1800 wrote to memory of 2908 1800 Nnnbqeib.exe 36
PID 1800 wrote to memory of 2908 1800 Nnnbqeib.exe 36
PID 1800 wrote to memory of 2908 1800 Nnnbqeib.exe 36
PID 2908 wrote to memory of 2956 2908 Nlabjj32.exe 37
PID 2908 wrote to memory of 2956 2908 Nlabjj32.exe 37
PID 2908 wrote to memory of 2956 2908 Nlabjj32.exe 37
PID 2908 wrote to memory of 2956 2908 Nlabjj32.exe 37
PID 2956 wrote to memory of 2652 2956 Ododdlcd.exe 38
PID 2956 wrote to memory of 2652 2956 Ododdlcd.exe 38
PID 2956 wrote to memory of 2652 2956 Ododdlcd.exe 38
PID 2956 wrote to memory of 2652 2956 Ododdlcd.exe 38
PID 2652 wrote to memory of 3044 2652 Ohmljj32.exe 39
PID 2652 wrote to memory of 3044 2652 Ohmljj32.exe 39
PID 2652 wrote to memory of 3044 2652 Ohmljj32.exe 39
PID 2652 wrote to memory of 3044 2652 Ohmljj32.exe 39
PID 3044 wrote to memory of 1388 3044 Oiqegb32.exe 40
PID 3044 wrote to memory of 1388 3044 Oiqegb32.exe 40
PID 3044 wrote to memory of 1388 3044 Oiqegb32.exe 40
PID 3044 wrote to memory of 1388 3044 Oiqegb32.exe 40
PID 1388 wrote to memory of 1124 1388 Oegflcbj.exe 41
PID 1388 wrote to memory of 1124 1388 Oegflcbj.exe 41
PID 1388 wrote to memory of 1124 1388 Oegflcbj.exe 41
PID 1388 wrote to memory of 1124 1388 Oegflcbj.exe 41
PID 1124 wrote to memory of 2428 1124 Pfgcff32.exe 42
PID 1124 wrote to memory of 2428 1124 Pfgcff32.exe 42
PID 1124 wrote to memory of 2428 1124 Pfgcff32.exe 42
PID 1124 wrote to memory of 2428 1124 Pfgcff32.exe 42
PID 2428 wrote to memory of 2260 2428 Phklcn32.exe 43
PID 2428 wrote to memory of 2260 2428 Phklcn32.exe 43
PID 2428 wrote to memory of 2260 2428 Phklcn32.exe 43
PID 2428 wrote to memory of 2260 2428 Phklcn32.exe 43
PID 2260 wrote to memory of 1964 2260 Pacqlcdi.exe 44
PID 2260 wrote to memory of 1964 2260 Pacqlcdi.exe 44
PID 2260 wrote to memory of 1964 2260 Pacqlcdi.exe 44
PID 2260 wrote to memory of 1964 2260 Pacqlcdi.exe 44
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\ebb07d55cd8f87c63b9d371caf8c8d50N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ebb07d55cd8f87c63b9d371caf8c8d50N.exe")
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3012
Level 2: C:\Windows\SysWOW64\Mgdmeh32.exe (command line: C:\Windows\system32\Mgdmeh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2412
Level 3: C:\Windows\SysWOW64\Mmafmo32.exe (command line: C:\Windows\system32\Mmafmo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2832
Level 4: C:\Windows\SysWOW64\Mfijfdca.exe (command line: C:\Windows\system32\Mfijfdca.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3024
Level 5: C:\Windows\SysWOW64\Njipabhe.exe (command line: C:\Windows\system32\Njipabhe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2636
Level 6: C:\Windows\SysWOW64\Necqbp32.exe (command line: C:\Windows\system32\Necqbp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2608
Level 7: C:\Windows\SysWOW64\Niaihojk.exe (command line: C:\Windows\system32\Niaihojk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2356
Level 8: C:\Windows\SysWOW64\Nnnbqeib.exe (command line: C:\Windows\system32\Nnnbqeib.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1800
Level 9: C:\Windows\SysWOW64\Nlabjj32.exe (command line: C:\Windows\system32\Nlabjj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2908
Level 10: C:\Windows\SysWOW64\Ododdlcd.exe (command line: C:\Windows\system32\Ododdlcd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2956
Level 11: C:\Windows\SysWOW64\Ohmljj32.exe (command line: C:\Windows\system32\Ohmljj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2652
Level 12: C:\Windows\SysWOW64\Oiqegb32.exe (command line: C:\Windows\system32\Oiqegb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3044
Level 13: C:\Windows\SysWOW64\Oegflcbj.exe (command line: C:\Windows\system32\Oegflcbj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1388
Level 14: C:\Windows\SysWOW64\Pfgcff32.exe (command line: C:\Windows\system32\Pfgcff32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1124
Level 15: C:\Windows\SysWOW64\Phklcn32.exe (command line: C:\Windows\system32\Phklcn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2428
Level 16: C:\Windows\SysWOW64\Pacqlcdi.exe (command line: C:\Windows\system32\Pacqlcdi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2260
Level 17: C:\Windows\SysWOW64\Peaibajp.exe (command line: C:\Windows\system32\Peaibajp.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1964
Level 18: C:\Windows\SysWOW64\Ppjjcogn.exe (command line: C:\Windows\system32\Ppjjcogn.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2244
Level 19: C:\Windows\SysWOW64\Qpmgho32.exe (command line: C:\Windows\system32\Qpmgho32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2220
Level 20: C:\Windows\SysWOW64\Qlcgmpkp.exe (command line: C:\Windows\system32\Qlcgmpkp.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 820
Level 21: C:\Windows\SysWOW64\Acnpjj32.exe (command line: C:\Windows\system32\Acnpjj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1448
Level 22: C:\Windows\SysWOW64\Apapcnaf.exe (command line: C:\Windows\system32\Apapcnaf.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1560
Level 23: C:\Windows\SysWOW64\Aaeiqf32.exe (command line: C:\Windows\system32\Aaeiqf32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1708
Level 24: C:\Windows\SysWOW64\Aknnil32.exe (command line: C:\Windows\system32\Aknnil32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 948
Level 25: C:\Windows\SysWOW64\Almjcobe.exe (command line: C:\Windows\system32\Almjcobe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2696
Level 26: C:\Windows\SysWOW64\Adhohapp.exe (command line: C:\Windows\system32\Adhohapp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2448
Level 27: C:\Windows\SysWOW64\Bhfhnofg.exe (command line: C:\Windows\system32\Bhfhnofg.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 868
Level 28: C:\Windows\SysWOW64\Bncpffdn.exe (command line: C:\Windows\system32\Bncpffdn.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 652
Level 29: C:\Windows\SysWOW64\Bjjakg32.exe (command line: C:\Windows\system32\Bjjakg32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2716
Level 30: C:\Windows\SysWOW64\Boifinfg.exe (command line: C:\Windows\system32\Boifinfg.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1660
Level 31: C:\Windows\SysWOW64\Biakbc32.exe (command line: C:\Windows\system32\Biakbc32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2772
Level 32: C:\Windows\SysWOW64\Cfekkgla.exe (command line: C:\Windows\system32\Cfekkgla.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 3004
Level 33: C:\Windows\SysWOW64\Cbllph32.exe (command line: C:\Windows\system32\Cbllph32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2668
Level 34: C:\Windows\SysWOW64\Cihqbb32.exe (command line: C:\Windows\system32\Cihqbb32.exe)
- Executes dropped EXE
PID: 2844
Level 35: C:\Windows\SysWOW64\Djcpqidc.exe (command line: C:\Windows\system32\Djcpqidc.exe)
- Executes dropped EXE
PID: 2896
Level 36: C:\Windows\SysWOW64\Djemfibq.exe (command line: C:\Windows\system32\Djemfibq.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2472
Level 37: C:\Windows\SysWOW64\Dlfina32.exe (command line: C:\Windows\system32\Dlfina32.exe)
- Executes dropped EXE
PID: 2316
Level 38: C:\Windows\SysWOW64\Dijjgegh.exe (command line: C:\Windows\system32\Dijjgegh.exe)
- Executes dropped EXE
PID: 2712
Level 39: C:\Windows\SysWOW64\Ehpgha32.exe (command line: C:\Windows\system32\Ehpgha32.exe)
- Executes dropped EXE
PID: 2576
Level 40: C:\Windows\SysWOW64\Ehbcnajn.exe (command line: C:\Windows\system32\Ehbcnajn.exe)
- Executes dropped EXE
PID: 3048
Level 41: C:\Windows\SysWOW64\Ebghkjjc.exe (command line: C:\Windows\system32\Ebghkjjc.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1884
Level 42: C:\Windows\SysWOW64\Elpldp32.exe (command line: C:\Windows\system32\Elpldp32.exe)
- Executes dropped EXE
PID: 1696
Level 43: C:\Windows\SysWOW64\Edkahbmo.exe (command line: C:\Windows\system32\Edkahbmo.exe)
- Executes dropped EXE
PID: 2180
Level 44: C:\Windows\SysWOW64\Ehiiop32.exe (command line: C:\Windows\system32\Ehiiop32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1728
Level 45: C:\Windows\SysWOW64\Epdncb32.exe (command line: C:\Windows\system32\Epdncb32.exe)
- Executes dropped EXE
PID: 592
Level 46: C:\Windows\SysWOW64\Flkohc32.exe (command line: C:\Windows\system32\Flkohc32.exe)
- Executes dropped EXE
PID: 2128
Level 47: C:\Windows\SysWOW64\Feccqime.exe (command line: C:\Windows\system32\Feccqime.exe)
- Executes dropped EXE
PID: 912
Level 48: C:\Windows\SysWOW64\Fcgdjmlo.exe (command line: C:\Windows\system32\Fcgdjmlo.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2580
Level 49: C:\Windows\SysWOW64\Fialggcl.exe (command line: C:\Windows\system32\Fialggcl.exe)
- Executes dropped EXE
PID: 1016
Level 50: C:\Windows\SysWOW64\Fondonbc.exe (command line: C:\Windows\system32\Fondonbc.exe)
- Executes dropped EXE
PID: 2192
Level 51: C:\Windows\SysWOW64\Falakjag.exe (command line: C:\Windows\system32\Falakjag.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2372
Level 52: C:\Windows\SysWOW64\Flbehbqm.exe (command line: C:\Windows\system32\Flbehbqm.exe)
- Executes dropped EXE
PID: 864
Level 53: C:\Windows\SysWOW64\Faonqiod.exe (command line: C:\Windows\system32\Faonqiod.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1792
Level 54: C:\Windows\SysWOW64\Fldbnb32.exe (command line: C:\Windows\system32\Fldbnb32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2760
Level 55: C:\Windows\SysWOW64\Gnenfjdh.exe (command line: C:\Windows\system32\Gnenfjdh.exe)
- Executes dropped EXE
PID: 3040
Level 56: C:\Windows\SysWOW64\Gdpfbd32.exe (command line: C:\Windows\system32\Gdpfbd32.exe)
- Executes dropped EXE
PID: 2176
Level 57: C:\Windows\SysWOW64\Gnhkkjbf.exe (command line: C:\Windows\system32\Gnhkkjbf.exe)
- Executes dropped EXE
PID: 2644
Level 58: C:\Windows\SysWOW64\Gdbchd32.exe (command line: C:\Windows\system32\Gdbchd32.exe)
- Executes dropped EXE
PID: 2324
Level 59: C:\Windows\SysWOW64\Gjolpkhj.exe (command line: C:\Windows\system32\Gjolpkhj.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1564
Level 60: C:\Windows\SysWOW64\Gqidme32.exe (command line: C:\Windows\system32\Gqidme32.exe)
- Executes dropped EXE
PID: 2892
Level 61: C:\Windows\SysWOW64\Gqkqbe32.exe (command line: C:\Windows\system32\Gqkqbe32.exe)
- Executes dropped EXE
PID: 884
Level 62: C:\Windows\SysWOW64\Gfhikl32.exe (command line: C:\Windows\system32\Gfhikl32.exe)
- Executes dropped EXE
PID: 1740
Level 63: C:\Windows\SysWOW64\Gopnca32.exe (command line: C:\Windows\system32\Gopnca32.exe)
- Executes dropped EXE
PID: 2416
Level 64: C:\Windows\SysWOW64\Hfjfpkji.exe (command line: C:\Windows\system32\Hfjfpkji.exe)
- Executes dropped EXE
PID: 2432
Level 65: C:\Windows\SysWOW64\Hhhblgim.exe (command line: C:\Windows\system32\Hhhblgim.exe)
- Executes dropped EXE
PID: 2496
Level 66: C:\Windows\SysWOW64\Hobjia32.exe (command line: C:\Windows\system32\Hobjia32.exe)
PID: 2444
Level 67: C:\Windows\SysWOW64\Hkiknb32.exe (command line: C:\Windows\system32\Hkiknb32.exe)
PID: 1040
Level 68: C:\Windows\SysWOW64\Hbccklmj.exe (command line: C:\Windows\system32\Hbccklmj.exe)
PID: 1140
Level 69: C:\Windows\SysWOW64\Hnjdpm32.exe (command line: C:\Windows\system32\Hnjdpm32.exe)
PID: 472
Level 70: C:\Windows\SysWOW64\Hedllgjk.exe (command line: C:\Windows\system32\Hedllgjk.exe)
PID: 1712
Level 71: C:\Windows\SysWOW64\Hojqjp32.exe (command line: C:\Windows\system32\Hojqjp32.exe)
PID: 2012
Level 72: C:\Windows\SysWOW64\Hibebeqb.exe (command line: C:\Windows\system32\Hibebeqb.exe)
PID: 2704
Level 73: C:\Windows\SysWOW64\Hnomkloi.exe (command line: C:\Windows\system32\Hnomkloi.exe)
PID: 2824
Level 74: C:\Windows\SysWOW64\Iggbdb32.exe (command line: C:\Windows\system32\Iggbdb32.exe)
- System Location Discovery: System Language Discovery
PID: 2736
Level 75: C:\Windows\SysWOW64\Iekbmfdc.exe (command line: C:\Windows\system32\Iekbmfdc.exe)
PID: 2952
Level 76: C:\Windows\SysWOW64\Incgfl32.exe (command line: C:\Windows\system32\Incgfl32.exe)
PID: 788
Level 77: C:\Windows\SysWOW64\Icponb32.exe (command line: C:\Windows\system32\Icponb32.exe)
PID: 2256
Level 78: C:\Windows\SysWOW64\Iimhfj32.exe (command line: C:\Windows\system32\Iimhfj32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2312
Level 79: C:\Windows\SysWOW64\Ibeloo32.exe (command line: C:\Windows\system32\Ibeloo32.exe)
PID: 1280
Level 80: C:\Windows\SysWOW64\Iiodliep.exe (command line: C:\Windows\system32\Iiodliep.exe)
- Drops file in System32 directory
PID: 812
Level 81: C:\Windows\SysWOW64\Ibhieo32.exe (command line: C:\Windows\system32\Ibhieo32.exe)
PID: 424
Level 82: C:\Windows\SysWOW64\Jiaaaicm.exe (command line: C:\Windows\system32\Jiaaaicm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2420
Level 83: C:\Windows\SysWOW64\Jnojjp32.exe (command line: C:\Windows\system32\Jnojjp32.exe)
PID: 996
Level 84: C:\Windows\SysWOW64\Jidngh32.exe (command line: C:\Windows\system32\Jidngh32.exe)
PID: 1484
Level 85: C:\Windows\SysWOW64\Jnafop32.exe (command line: C:\Windows\system32\Jnafop32.exe)
- Drops file in System32 directory
PID: 2364
Level 86: C:\Windows\SysWOW64\Jifkmh32.exe (command line: C:\Windows\system32\Jifkmh32.exe)
PID: 880
Level 87: C:\Windows\SysWOW64\Jocceo32.exe (command line: C:\Windows\system32\Jocceo32.exe)
PID: 1540
Level 88: C:\Windows\SysWOW64\Jemkai32.exe (command line: C:\Windows\system32\Jemkai32.exe)
PID: 2780
Level 89: C:\Windows\SysWOW64\Jjjdjp32.exe (command line: C:\Windows\system32\Jjjdjp32.exe)
PID: 2820
Level 90: C:\Windows\SysWOW64\Jdbhcfjd.exe (command line: C:\Windows\system32\Jdbhcfjd.exe)
PID: 1656
Level 91: C:\Windows\SysWOW64\Jjlqpp32.exe (command line: C:\Windows\system32\Jjlqpp32.exe)
PID: 2776
Level 92: C:\Windows\SysWOW64\Kkomepon.exe (command line: C:\Windows\system32\Kkomepon.exe)
PID: 2664
Level 93: C:\Windows\SysWOW64\Kdgane32.exe (command line: C:\Windows\system32\Kdgane32.exe)
PID: 616
Level 94: C:\Windows\SysWOW64\Kkajkoml.exe (command line: C:\Windows\system32\Kkajkoml.exe)
PID: 332
Level 95: C:\Windows\SysWOW64\Kblooa32.exe (command line: C:\Windows\system32\Kblooa32.exe)
- Modifies registry class
PID: 2940
Level 96: C:\Windows\SysWOW64\Kmbclj32.exe (command line: C:\Windows\system32\Kmbclj32.exe)
PID: 1264
Level 97: C:\Windows\SysWOW64\Kemgqm32.exe (command line: C:\Windows\system32\Kemgqm32.exe)
PID: 2264
Level 98: C:\Windows\SysWOW64\Khkdmh32.exe (command line: C:\Windows\system32\Khkdmh32.exe)
PID: 2396
Level 99: C:\Windows\SysWOW64\Kadhen32.exe (command line: C:\Windows\system32\Kadhen32.exe)
PID: 524
Level 100: C:\Windows\SysWOW64\Klimcf32.exe (command line: C:\Windows\system32\Klimcf32.exe)
- Modifies registry class
PID: 1588
Level 101: C:\Windows\SysWOW64\Lafekm32.exe (command line: C:\Windows\system32\Lafekm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3000
Level 102: C:\Windows\SysWOW64\Lllihf32.exe (command line: C:\Windows\system32\Lllihf32.exe)
PID: 536
Level 103: C:\Windows\SysWOW64\Lhbjmg32.exe (command line: C:\Windows\system32\Lhbjmg32.exe)
PID: 920
Level 104: C:\Windows\SysWOW64\Lolbjahp.exe (command line: C:\Windows\system32\Lolbjahp.exe)
PID: 2860
Level 105: C:\Windows\SysWOW64\Lpnobi32.exe (command line: C:\Windows\system32\Lpnobi32.exe)
PID: 1668
Level 106: C:\Windows\SysWOW64\Lghgocek.exe (command line: C:\Windows\system32\Lghgocek.exe)
PID: 1300
Level 107: C:\Windows\SysWOW64\Ljfckodo.exe (command line: C:\Windows\system32\Ljfckodo.exe)
PID: 2732
Level 108: C:\Windows\SysWOW64\Lcnhcdkp.exe (command line: C:\Windows\system32\Lcnhcdkp.exe)
PID: 2700
Level 109: C:\Windows\SysWOW64\Mcendc32.exe (command line: C:\Windows\system32\Mcendc32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 1404
Level 110: C:\Windows\SysWOW64\Mhdcbjal.exe (command line: C:\Windows\system32\Mhdcbjal.exe)
PID: 1072
Level 111: C:\Windows\SysWOW64\Mgjpcf32.exe (command line: C:\Windows\system32\Mgjpcf32.exe)
PID: 2148
Level 112: C:\Windows\SysWOW64\Njjieace.exe (command line: C:\Windows\system32\Njjieace.exe)
PID: 1604
Level 113: C:\Windows\SysWOW64\Ngoinfao.exe (command line: C:\Windows\system32\Ngoinfao.exe)
PID: 1688
Level 114: C:\Windows\SysWOW64\Nnhakp32.exe (command line: C:\Windows\system32\Nnhakp32.exe)
PID: 548
Level 115: C:\Windows\SysWOW64\Nnknqpgi.exe (command line: C:\Windows\system32\Nnknqpgi.exe)
PID: 2344
Level 116: C:\Windows\SysWOW64\Nidoamch.exe (command line: C:\Windows\system32\Nidoamch.exe)
PID: 1120
Level 117: C:\Windows\SysWOW64\Nfhpjaba.exe (command line: C:\Windows\system32\Nfhpjaba.exe)
- Drops file in System32 directory
PID: 2868
Level 118: C:\Windows\SysWOW64\Ombhgljn.exe (command line: C:\Windows\system32\Ombhgljn.exe)
PID: 2152
Level 119: C:\Windows\SysWOW64\Ofklpa32.exe (command line: C:\Windows\system32\Ofklpa32.exe)
- Modifies registry class
PID: 2144
Level 120: C:\Windows\SysWOW64\Olgehh32.exe (command line: C:\Windows\system32\Olgehh32.exe)
PID: 2108
Level 121: C:\Windows\SysWOW64\Obamebfc.exe (command line: C:\Windows\system32\Obamebfc.exe)
PID: 1808
Level 122: C:\Windows\SysWOW64\Oepianef.exe (command line: C:\Windows\system32\Oepianef.exe)
PID: 2392