Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 04:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d2925f2f69d127766c158df90b8b74d0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d2925f2f69d127766c158df90b8b74d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d2925f2f69d127766c158df90b8b74d0N.exe
-
Size
76KB
-
MD5
d2925f2f69d127766c158df90b8b74d0
-
SHA1
b74f25a3f2b83ea2b1080db3e4cd6b7bf5c10501
-
SHA256
366ab327a80c15a75a64def60e4c88dfe49bca946618d2e2f37100cdd351d187
-
SHA512
e143ff96950725ae256e8b33695d0c5ae364c4c889a6b6de36c22ba11ed6d4bfe75137510578c737cbcd15ac095a6c34feb2ad6d47c5034c7245a75f6ec01aa0
-
SSDEEP
1536:K9pRJOzMvsDZmy5DkGTUO//ehfWn/3IU2TMTSHioQV+/eCeyvCQ:6pRQzMvsDZmy5DkGTU2/ehenAUvSHrk+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcipc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobnniji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmgjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akabgebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenpajfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kllnhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngopb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnoijbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafdjmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbqfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cicalakk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpelnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hllmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edfbaabj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcecbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmpce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paiaplin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmcielb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmhhmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foafdoag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdjoaee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfbdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmogmjmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpmcielb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgphcqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjipenda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobbofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhkhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbfep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajqfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgldnkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpkflne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napbjjom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkhhjei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbncjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqmoma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panaeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejmfqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflfjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omefkplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcpgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jliaac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgffe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lneaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmgbao32.exe -
Executes dropped EXE 64 IoCs
pid Process 1948 Egjbdo32.exe 1248 Eoajel32.exe 2472 Eapfagno.exe 2896 Enfgfh32.exe 2596 Edqocbkp.exe 2952 Egokonjc.exe 2592 Ejmhkiig.exe 2156 Epgphcqd.exe 2928 Ecfldoph.exe 2340 Enkpahon.exe 2984 Eolmip32.exe 2948 Fgcejm32.exe 1908 Flqmbd32.exe 2056 Foojop32.exe 964 Ffibkj32.exe 2140 Fmcjhdbc.exe 908 Foafdoag.exe 1132 Ffkoai32.exe 2488 Fhikme32.exe 988 Fkhgip32.exe 2360 Fbbofjnh.exe 884 Fdpkbf32.exe 2288 Filgbdfd.exe 692 Fofpoo32.exe 2240 Findhdcb.exe 2400 Fgadda32.exe 2700 Gqiimfam.exe 2860 Geeemeif.exe 2796 Gmpjagfa.exe 1180 Gegabegc.exe 2604 Gfhnjm32.exe 2440 Gnpflj32.exe 2888 Gfkkpmko.exe 2680 Gjfgqk32.exe 1528 Gcokiaji.exe 1004 Gfmgelil.exe 1280 Gpelnb32.exe 2300 Gcahoqhf.exe 1312 Hmjlhfof.exe 1540 Hllmcc32.exe 444 Hbfepmmn.exe 1088 Hfbaql32.exe 912 Heealhla.exe 2484 Hipmmg32.exe 2292 Hpjeialg.exe 2556 Hnmeen32.exe 1128 Hbiaemkk.exe 1600 Halbai32.exe 2836 Hhejnc32.exe 2748 Hjdfjo32.exe 3012 Hanogipc.exe 2344 Hdlkcdog.exe 2656 Hhhgcc32.exe 1524 Hlccdboi.exe 2932 Hjfcpo32.exe 1724 Hmeolj32.exe 1816 Hapklimq.exe 1316 Hdoghdmd.exe 1596 Hhjcic32.exe 1376 Hjipenda.exe 2772 Hndlem32.exe 1560 Hmglajcd.exe 712 Ipehmebh.exe 2268 Idadnd32.exe -
Loads dropped DLL 64 IoCs
pid Process 1952 d2925f2f69d127766c158df90b8b74d0N.exe 1952 d2925f2f69d127766c158df90b8b74d0N.exe 1948 Egjbdo32.exe 1948 Egjbdo32.exe 1248 Eoajel32.exe 1248 Eoajel32.exe 2472 Eapfagno.exe 2472 Eapfagno.exe 2896 Enfgfh32.exe 2896 Enfgfh32.exe 2596 Edqocbkp.exe 2596 Edqocbkp.exe 2952 Egokonjc.exe 2952 Egokonjc.exe 2592 Ejmhkiig.exe 2592 Ejmhkiig.exe 2156 Epgphcqd.exe 2156 Epgphcqd.exe 2928 Ecfldoph.exe 2928 Ecfldoph.exe 2340 Enkpahon.exe 2340 Enkpahon.exe 2984 Eolmip32.exe 2984 Eolmip32.exe 2948 Fgcejm32.exe 2948 Fgcejm32.exe 1908 Flqmbd32.exe 1908 Flqmbd32.exe 2056 Foojop32.exe 2056 Foojop32.exe 964 Ffibkj32.exe 964 Ffibkj32.exe 2140 Fmcjhdbc.exe 2140 Fmcjhdbc.exe 908 Foafdoag.exe 908 Foafdoag.exe 1132 Ffkoai32.exe 1132 Ffkoai32.exe 2488 Fhikme32.exe 2488 Fhikme32.exe 988 Fkhgip32.exe 988 Fkhgip32.exe 2360 Fbbofjnh.exe 2360 Fbbofjnh.exe 884 Fdpkbf32.exe 884 Fdpkbf32.exe 2288 Filgbdfd.exe 2288 Filgbdfd.exe 692 Fofpoo32.exe 692 Fofpoo32.exe 2240 Findhdcb.exe 2240 Findhdcb.exe 2400 Fgadda32.exe 2400 Fgadda32.exe 2700 Gqiimfam.exe 2700 Gqiimfam.exe 2860 Geeemeif.exe 2860 Geeemeif.exe 2796 Gmpjagfa.exe 2796 Gmpjagfa.exe 1180 Gegabegc.exe 1180 Gegabegc.exe 2604 Gfhnjm32.exe 2604 Gfhnjm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jdhgnf32.exe Jaijak32.exe File created C:\Windows\SysWOW64\Pclmghko.dll Iamdkfnc.exe File opened for modification C:\Windows\SysWOW64\Mcckcbgp.exe Mklcadfn.exe File created C:\Windows\SysWOW64\Apqcdckf.dll Pohhna32.exe File created C:\Windows\SysWOW64\Gpoqpi32.dll Flqmbd32.exe File opened for modification C:\Windows\SysWOW64\Fdpkbf32.exe Fbbofjnh.exe File created C:\Windows\SysWOW64\Jlhhndno.exe Jenpajfb.exe File opened for modification C:\Windows\SysWOW64\Joiappkp.exe Jkmeoa32.exe File opened for modification C:\Windows\SysWOW64\Nplimbka.exe Nlqmmd32.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Bchfhfeh.exe File created C:\Windows\SysWOW64\Kfnmpn32.exe Kcopdb32.exe File created C:\Windows\SysWOW64\Eemngplg.dll Okbpde32.exe File created C:\Windows\SysWOW64\Dmjqpdje.exe Dogpdg32.exe File created C:\Windows\SysWOW64\Nmkplgnq.exe Nipdkieg.exe File created C:\Windows\SysWOW64\Mcjdhh32.dll Fjhcegll.exe File created C:\Windows\SysWOW64\Gcmbji32.dll Hfegij32.exe File created C:\Windows\SysWOW64\Pipnmn32.dll Jhbold32.exe File created C:\Windows\SysWOW64\Pghaaidm.dll Omnipjni.exe File created C:\Windows\SysWOW64\Fbcqem32.dll Ecfldoph.exe File created C:\Windows\SysWOW64\Cfnoogbo.exe Ccpcckck.exe File created C:\Windows\SysWOW64\Bkkpkade.dll Epmfgo32.exe File created C:\Windows\SysWOW64\Eiekpd32.exe Eclbcj32.exe File created C:\Windows\SysWOW64\Aoojnc32.exe Akcomepg.exe File created C:\Windows\SysWOW64\Lmdlck32.dll Bqeqqk32.exe File opened for modification C:\Windows\SysWOW64\Bfioia32.exe Bbmcibjp.exe File created C:\Windows\SysWOW64\Egflhe32.dll Odhhgkib.exe File created C:\Windows\SysWOW64\Gigqol32.dll Lclicpkm.exe File created C:\Windows\SysWOW64\Biolanld.exe Bfqpecma.exe File opened for modification C:\Windows\SysWOW64\Idkpganf.exe Iamdkfnc.exe File created C:\Windows\SysWOW64\Ojomdoof.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Gjgcdgcc.dll Gncldi32.exe File created C:\Windows\SysWOW64\Kekiphge.exe Kaompi32.exe File opened for modification C:\Windows\SysWOW64\Gmpjagfa.exe Geeemeif.exe File opened for modification C:\Windows\SysWOW64\Qdojgmfe.exe Qfljkp32.exe File created C:\Windows\SysWOW64\Jonedp32.dll Beackp32.exe File opened for modification C:\Windows\SysWOW64\Gdkgkcpq.exe Gfhgpg32.exe File created C:\Windows\SysWOW64\Ahcjenki.dll Ioooiack.exe File created C:\Windows\SysWOW64\Lohjnf32.exe Lmjnak32.exe File created C:\Windows\SysWOW64\Kielkojm.dll Mbbfep32.exe File created C:\Windows\SysWOW64\Jefdckem.dll Lbafdlod.exe File created C:\Windows\SysWOW64\Ippbdn32.dll Nplimbka.exe File created C:\Windows\SysWOW64\Bfioia32.exe Bbmcibjp.exe File created C:\Windows\SysWOW64\Maojpk32.dll Ldllgiek.exe File created C:\Windows\SysWOW64\Heapkela.dll Lohjnf32.exe File created C:\Windows\SysWOW64\Neiaeiii.exe Nameek32.exe File created C:\Windows\SysWOW64\Kcdjoaee.exe Kljabgnh.exe File opened for modification C:\Windows\SysWOW64\Behilopf.exe Bbjmpcab.exe File created C:\Windows\SysWOW64\Fpmbfbgo.exe Fnofjfhk.exe File created C:\Windows\SysWOW64\Hfjckino.dll Jpbalb32.exe File created C:\Windows\SysWOW64\Dkbfgoak.dll Hbiaemkk.exe File created C:\Windows\SysWOW64\Hanogipc.exe Hjdfjo32.exe File created C:\Windows\SysWOW64\Jpccfogk.dll Idadnd32.exe File created C:\Windows\SysWOW64\Kfpifm32.exe Kbdmeoob.exe File created C:\Windows\SysWOW64\Nbdmji32.dll Jikeeh32.exe File opened for modification C:\Windows\SysWOW64\Jondnnbk.exe Jlphbbbg.exe File opened for modification C:\Windows\SysWOW64\Kgqocoin.exe Kcecbq32.exe File created C:\Windows\SysWOW64\Ofcqcp32.exe Obhdcanc.exe File created C:\Windows\SysWOW64\Qcogbdkg.exe Qppkfhlc.exe File created C:\Windows\SysWOW64\Hlbhgd32.dll Ohcdhi32.exe File created C:\Windows\SysWOW64\Lcmfeo32.dll Biaign32.exe File created C:\Windows\SysWOW64\Cpnidcen.dll Cfcijf32.exe File created C:\Windows\SysWOW64\Nnoiio32.exe Nplimbka.exe File created C:\Windows\SysWOW64\Cicalakk.exe Cfeepelg.exe File created C:\Windows\SysWOW64\Gneijien.exe Gjjmijme.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8940 8908 WerFault.exe 849 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfkfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpnmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbpgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhikme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmeolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcigco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdonhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpfadlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heealhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnjde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giipab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblgnkdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchbgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmljgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qngopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbncjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipiljgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popeif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqiimfam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcbgkka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjhdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imokehhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeckfndj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbdqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcokiaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfnicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejlalji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojabdlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnmpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnpecbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkkbmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgffe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgchgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcllqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijehdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boljgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdfhhhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqdiga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemjpcl.dll" Ljnnko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbniid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmfeo32.dll" Biaign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll" Cjonncab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipehmebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhjphfgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqkmn32.dll" Hdlkcdog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgedmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" Jefpeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplbqgdb.dll" Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnoge32.dll" Mccbmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhadf32.dll" Diaaeepi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhgcm32.dll" Ieomef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieomef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkcoogp.dll" Nmcmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpjjeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmjhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgjebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipmmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilabmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopjkjhh.dll" Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cegoqlof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfkkpmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkloned.dll" Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggogki32.dll" Oioggmmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdakniag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hneeilgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpondph.dll" Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbmnbl32.dll" Ggkqmoma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqfaldbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgnjde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiqcmnn.dll" Njjcip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmcjc32.dll" Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipnmn32.dll" Jhbold32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nameek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manghajd.dll" Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmaeh32.dll" Nigafnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll" Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfokinhf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1952 wrote to memory of 1948 1952 d2925f2f69d127766c158df90b8b74d0N.exe 30 PID 1952 wrote to memory of 1948 1952 d2925f2f69d127766c158df90b8b74d0N.exe 30 PID 1952 wrote to memory of 1948 1952 d2925f2f69d127766c158df90b8b74d0N.exe 30 PID 1952 wrote to memory of 1948 1952 d2925f2f69d127766c158df90b8b74d0N.exe 30 PID 1948 wrote to memory of 1248 1948 Egjbdo32.exe 31 PID 1948 wrote to memory of 1248 1948 Egjbdo32.exe 31 PID 1948 wrote to memory of 1248 1948 Egjbdo32.exe 31 PID 1948 wrote to memory of 1248 1948 Egjbdo32.exe 31 PID 1248 wrote to memory of 2472 1248 Eoajel32.exe 32 PID 1248 wrote to memory of 2472 1248 Eoajel32.exe 32 PID 1248 wrote to memory of 2472 1248 Eoajel32.exe 32 PID 1248 wrote to memory of 2472 1248 Eoajel32.exe 32 PID 2472 wrote to memory of 2896 2472 Eapfagno.exe 33 PID 2472 wrote to memory of 2896 2472 Eapfagno.exe 33 PID 2472 wrote to memory of 2896 2472 Eapfagno.exe 33 PID 2472 wrote to memory of 2896 2472 Eapfagno.exe 33 PID 2896 wrote to memory of 2596 2896 Enfgfh32.exe 34 PID 2896 wrote to memory of 2596 2896 Enfgfh32.exe 34 PID 2896 wrote to memory of 2596 2896 Enfgfh32.exe 34 PID 2896 wrote to memory of 2596 2896 Enfgfh32.exe 34 PID 2596 wrote to memory of 2952 2596 Edqocbkp.exe 35 PID 2596 wrote to memory of 2952 2596 Edqocbkp.exe 35 PID 2596 wrote to memory of 2952 2596 Edqocbkp.exe 35 PID 2596 wrote to memory of 2952 2596 Edqocbkp.exe 35 PID 2952 wrote to memory of 2592 2952 Egokonjc.exe 36 PID 2952 wrote to memory of 2592 2952 Egokonjc.exe 36 PID 2952 wrote to memory of 2592 2952 Egokonjc.exe 36 PID 2952 wrote to memory of 2592 2952 Egokonjc.exe 36 PID 2592 wrote to memory of 2156 2592 Ejmhkiig.exe 37 PID 2592 wrote to memory of 2156 2592 Ejmhkiig.exe 37 PID 2592 wrote to memory of 2156 2592 Ejmhkiig.exe 37 PID 2592 wrote to memory of 2156 2592 Ejmhkiig.exe 37 PID 2156 wrote to memory of 2928 2156 Epgphcqd.exe 38 PID 2156 wrote to memory of 2928 2156 Epgphcqd.exe 38 PID 2156 wrote to memory of 2928 2156 Epgphcqd.exe 38 PID 2156 wrote to memory of 2928 2156 Epgphcqd.exe 38 PID 2928 wrote to memory of 2340 2928 Ecfldoph.exe 39 PID 2928 wrote to memory of 2340 2928 Ecfldoph.exe 39 PID 2928 wrote to memory of 2340 2928 Ecfldoph.exe 39 PID 2928 wrote to memory of 2340 2928 Ecfldoph.exe 39 PID 2340 wrote to memory of 2984 2340 Enkpahon.exe 40 PID 2340 wrote to memory of 2984 2340 Enkpahon.exe 40 PID 2340 wrote to memory of 2984 2340 Enkpahon.exe 40 PID 2340 wrote to memory of 2984 2340 Enkpahon.exe 40 PID 2984 wrote to memory of 2948 2984 Eolmip32.exe 41 PID 2984 wrote to memory of 2948 2984 Eolmip32.exe 41 PID 2984 wrote to memory of 2948 2984 Eolmip32.exe 41 PID 2984 wrote to memory of 2948 2984 Eolmip32.exe 41 PID 2948 wrote to memory of 1908 2948 Fgcejm32.exe 42 PID 2948 wrote to memory of 1908 2948 Fgcejm32.exe 42 PID 2948 wrote to memory of 1908 2948 Fgcejm32.exe 42 PID 2948 wrote to memory of 1908 2948 Fgcejm32.exe 42 PID 1908 wrote to memory of 2056 1908 Flqmbd32.exe 43 PID 1908 wrote to memory of 2056 1908 Flqmbd32.exe 43 PID 1908 wrote to memory of 2056 1908 Flqmbd32.exe 43 PID 1908 wrote to memory of 2056 1908 Flqmbd32.exe 43 PID 2056 wrote to memory of 964 2056 Foojop32.exe 44 PID 2056 wrote to memory of 964 2056 Foojop32.exe 44 PID 2056 wrote to memory of 964 2056 Foojop32.exe 44 PID 2056 wrote to memory of 964 2056 Foojop32.exe 44 PID 964 wrote to memory of 2140 964 Ffibkj32.exe 45 PID 964 wrote to memory of 2140 964 Ffibkj32.exe 45 PID 964 wrote to memory of 2140 964 Ffibkj32.exe 45 PID 964 wrote to memory of 2140 964 Ffibkj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2925f2f69d127766c158df90b8b74d0N.exe"C:\Users\Admin\AppData\Local\Temp\d2925f2f69d127766c158df90b8b74d0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe33⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe35⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe37⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe39⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe40⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe42⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe43⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:912 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe46⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe47⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe49⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe50⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe52⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe54⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe55⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe56⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe58⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe59⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe60⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe62⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe63⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:712 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe66⤵PID:1568
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe67⤵PID:2548
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe68⤵PID:2740
-
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe69⤵PID:2716
-
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe70⤵PID:2892
-
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe71⤵PID:2164
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe72⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe73⤵PID:2936
-
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe74⤵
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe75⤵PID:1824
-
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe76⤵PID:2396
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe77⤵PID:2572
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe78⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe79⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe80⤵PID:1776
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe81⤵PID:560
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe82⤵PID:2524
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe83⤵PID:1932
-
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe84⤵PID:2828
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe85⤵PID:2972
-
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe86⤵PID:2136
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe87⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe88⤵PID:2008
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe89⤵PID:1904
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe90⤵PID:992
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe92⤵PID:1852
-
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe93⤵PID:776
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe94⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe95⤵PID:1308
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe96⤵PID:2236
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe97⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe98⤵PID:2712
-
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe99⤵PID:2404
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe100⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe101⤵PID:2628
-
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe102⤵PID:2224
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe103⤵PID:876
-
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe104⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe105⤵PID:1752
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe106⤵PID:832
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe107⤵
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe109⤵PID:2728
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe110⤵PID:2160
-
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe111⤵PID:1936
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe112⤵PID:608
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe113⤵PID:2080
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe114⤵PID:2076
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe115⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe116⤵
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe117⤵PID:2844
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe118⤵PID:2756
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe119⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe120⤵PID:688
-
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe121⤵PID:2072
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-