Analysis
-
max time kernel
75s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/09/2024, 07:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6c48840c5b54d96f1fcfea6ad13328a0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
6c48840c5b54d96f1fcfea6ad13328a0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
6c48840c5b54d96f1fcfea6ad13328a0N.exe
-
Size
144KB
-
MD5
6c48840c5b54d96f1fcfea6ad13328a0
-
SHA1
7d4f60a340f6659cddaf76f2587b32ce0fe259d5
-
SHA256
7420a49092860167ee2cd5e5bc8b53d3fe02cb63f4c57067b0975604b1392e09
-
SHA512
96d469fb52807fb567ebc880df05afde220614a776b8f7b77325940fe59b807be42363ce7cf9b4bb4552d1f965f1c7f16dc13fdc04ff0d37d42506fef227195b
-
SSDEEP
3072:Vd6P34q2R3A5IMP2d4H3kremwc/gHq/Wp+YmKfxgQd:a0d4H3/fc/UmKyI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbpmbndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpkdca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojaceln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbjbnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abachg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjibgdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpeoakhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojnglco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pccahc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieelnkpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giejkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcaqmkpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpomnilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaliaphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndbile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoajgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poinkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfnjnin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jadlgjjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmngn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjeihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlkqpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflnkjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njjieace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elpqemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogbgbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mffgfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheofahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jigagocd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lafekm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmcbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceanmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjoohdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbcgnie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijghmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmjbchnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncjbba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpndkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqciha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphipbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmobin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kneflplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omonmpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbhmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbcfbege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdjgfomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdapggln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epipql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkiie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmofeam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaoddodf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnmhhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgiobadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apnhggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdnjaibm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjaaglp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihkimag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmcbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjaadjm.exe -
Executes dropped EXE 64 IoCs
pid Process 2072 Gpafgp32.exe 2812 Hlhfmqge.exe 2564 Hkppcmjk.exe 2860 Hhdqma32.exe 2556 Hdkaabnh.exe 3008 Idmnga32.exe 2536 Iijfoh32.exe 1564 Icbkhnan.exe 2896 Inhoegqc.exe 2864 Injlkf32.exe 2236 Igbqdlea.exe 1368 Ialadj32.exe 2176 Jkdfmoha.exe 1044 Joekimld.exe 1372 Jkllnn32.exe 832 Jddqgdii.exe 1188 Kdfmlc32.exe 2304 Kmabqf32.exe 2880 Kfjfik32.exe 1480 Kobkbaac.exe 1708 Kmfklepl.exe 3052 Keappgmg.exe 732 Kpgdnp32.exe 2928 Kecmfg32.exe 864 Lbhmok32.exe 1284 Ljcbcngi.exe 2696 Lggbmbfc.exe 2488 Lmckeidj.exe 2824 Lgiobadq.exe 2668 Lcppgbjd.exe 2632 Mjlejl32.exe 1248 Mddibb32.exe 2432 Miaaki32.exe 2348 Mfebdm32.exe 2120 Mkggnp32.exe 2104 Memlki32.exe 2616 Noepdo32.exe 1100 Ndbile32.exe 2096 Nafiej32.exe 968 Nahfkigd.exe 1584 Ncjbba32.exe 1060 Nmogpj32.exe 820 Ncloha32.exe 1548 Ncnlnaim.exe 1764 Ohkdfhge.exe 2364 Ocqhcqgk.exe 1460 Oklmhcdf.exe 1988 Onapdmma.exe 2132 Pcnhmdli.exe 1784 Pncljmko.exe 1972 Pdndggcl.exe 2592 Pjjmonac.exe 2772 Pccahc32.exe 2552 Pjmjdnop.exe 2984 Poibmdmh.exe 944 Pjofjm32.exe 884 Polobd32.exe 1684 Pffgonbb.exe 2068 Qkbpgeai.exe 2140 Qekdpkgj.exe 2916 Qgiplffm.exe 1344 Qqbeel32.exe 3060 Aiimfi32.exe 1812 Anfeop32.exe -
Loads dropped DLL 64 IoCs
pid Process 2876 6c48840c5b54d96f1fcfea6ad13328a0N.exe 2876 6c48840c5b54d96f1fcfea6ad13328a0N.exe 2072 Gpafgp32.exe 2072 Gpafgp32.exe 2812 Hlhfmqge.exe 2812 Hlhfmqge.exe 2564 Hkppcmjk.exe 2564 Hkppcmjk.exe 2860 Hhdqma32.exe 2860 Hhdqma32.exe 2556 Hdkaabnh.exe 2556 Hdkaabnh.exe 3008 Idmnga32.exe 3008 Idmnga32.exe 2536 Iijfoh32.exe 2536 Iijfoh32.exe 1564 Icbkhnan.exe 1564 Icbkhnan.exe 2896 Inhoegqc.exe 2896 Inhoegqc.exe 2864 Injlkf32.exe 2864 Injlkf32.exe 2236 Igbqdlea.exe 2236 Igbqdlea.exe 1368 Ialadj32.exe 1368 Ialadj32.exe 2176 Jkdfmoha.exe 2176 Jkdfmoha.exe 1044 Joekimld.exe 1044 Joekimld.exe 1372 Jkllnn32.exe 1372 Jkllnn32.exe 832 Jddqgdii.exe 832 Jddqgdii.exe 1188 Kdfmlc32.exe 1188 Kdfmlc32.exe 2304 Kmabqf32.exe 2304 Kmabqf32.exe 2880 Kfjfik32.exe 2880 Kfjfik32.exe 1480 Kobkbaac.exe 1480 Kobkbaac.exe 1708 Kmfklepl.exe 1708 Kmfklepl.exe 3052 Keappgmg.exe 3052 Keappgmg.exe 732 Kpgdnp32.exe 732 Kpgdnp32.exe 2928 Kecmfg32.exe 2928 Kecmfg32.exe 864 Lbhmok32.exe 864 Lbhmok32.exe 1284 Ljcbcngi.exe 1284 Ljcbcngi.exe 2696 Lggbmbfc.exe 2696 Lggbmbfc.exe 2488 Lmckeidj.exe 2488 Lmckeidj.exe 2824 Lgiobadq.exe 2824 Lgiobadq.exe 2668 Lcppgbjd.exe 2668 Lcppgbjd.exe 2632 Mjlejl32.exe 2632 Mjlejl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pabncj32.exe Pkifgpeh.exe File opened for modification C:\Windows\SysWOW64\Agolpnjl.exe Abachg32.exe File created C:\Windows\SysWOW64\Kbflqccl.exe Jinghn32.exe File opened for modification C:\Windows\SysWOW64\Kblooa32.exe Kmpfgklo.exe File opened for modification C:\Windows\SysWOW64\Mnakjaoc.exe Mmpobi32.exe File opened for modification C:\Windows\SysWOW64\Pbppqf32.exe Pelpgb32.exe File created C:\Windows\SysWOW64\Dfegjknm.exe Cnjbfhqa.exe File opened for modification C:\Windows\SysWOW64\Qgiplffm.exe Qekdpkgj.exe File opened for modification C:\Windows\SysWOW64\Kkhdml32.exe Kqcqpc32.exe File created C:\Windows\SysWOW64\Mchokq32.exe Mmngof32.exe File opened for modification C:\Windows\SysWOW64\Lfonlg32.exe Lcpbpk32.exe File created C:\Windows\SysWOW64\Ojjkim32.dll Lnlmmo32.exe File created C:\Windows\SysWOW64\Dgcdjk32.dll Mmpobi32.exe File created C:\Windows\SysWOW64\Jljeeqfn.exe Jjkiie32.exe File created C:\Windows\SysWOW64\Iepfml32.dll Qckcdj32.exe File created C:\Windows\SysWOW64\Dkmghe32.exe Dadcppbp.exe File created C:\Windows\SysWOW64\Clmoli32.dll Ebabicfn.exe File opened for modification C:\Windows\SysWOW64\Lddoopbi.exe Klijjnen.exe File created C:\Windows\SysWOW64\Pgamgken.exe Ppgdjqna.exe File created C:\Windows\SysWOW64\Cadqllao.dll Ppgdjqna.exe File created C:\Windows\SysWOW64\Jkllnn32.exe Joekimld.exe File created C:\Windows\SysWOW64\Anfeop32.exe Aiimfi32.exe File created C:\Windows\SysWOW64\Idqold32.dll Bomhnb32.exe File created C:\Windows\SysWOW64\Fefbnnpg.dll Dammoahg.exe File created C:\Windows\SysWOW64\Nkdegmha.dll Epipql32.exe File created C:\Windows\SysWOW64\Bnnkcdka.dll Lggdfk32.exe File created C:\Windows\SysWOW64\Coelpahk.dll Polobd32.exe File created C:\Windows\SysWOW64\Hmeagdlp.dll Gbheif32.exe File created C:\Windows\SysWOW64\Pihmimaj.dll Hngngo32.exe File created C:\Windows\SysWOW64\Pilcnl32.dll Adfbbabc.exe File created C:\Windows\SysWOW64\Iekbmfdc.exe Iggbdb32.exe File created C:\Windows\SysWOW64\Docjne32.exe Ddnfql32.exe File created C:\Windows\SysWOW64\Epfbbghh.dll Eekdmk32.exe File opened for modification C:\Windows\SysWOW64\Ofnppgbh.exe Oelcho32.exe File created C:\Windows\SysWOW64\Pbfoci32.dll Kemgqm32.exe File created C:\Windows\SysWOW64\Pficpanm.dll Dalfdjdl.exe File opened for modification C:\Windows\SysWOW64\Hikobfgj.exe Hhhblgim.exe File created C:\Windows\SysWOW64\Aomdncho.dll Odgqoa32.exe File opened for modification C:\Windows\SysWOW64\Lfgaaa32.exe Lnlmmo32.exe File created C:\Windows\SysWOW64\Dfjaej32.exe Dpphipbk.exe File opened for modification C:\Windows\SysWOW64\Jkllnn32.exe Joekimld.exe File created C:\Windows\SysWOW64\Echlmh32.exe Epipql32.exe File created C:\Windows\SysWOW64\Mmkcpmmb.dll Phhmeehg.exe File created C:\Windows\SysWOW64\Ofdqhh32.dll Phocfd32.exe File created C:\Windows\SysWOW64\Lnmcge32.exe Lddoopbi.exe File created C:\Windows\SysWOW64\Fmlbgc32.dll Akpkok32.exe File created C:\Windows\SysWOW64\Mnneabff.exe Mgodjico.exe File opened for modification C:\Windows\SysWOW64\Mmcbbo32.exe Mcknjidn.exe File created C:\Windows\SysWOW64\Nqdaal32.exe Njjieace.exe File created C:\Windows\SysWOW64\Bafkookd.exe Bpengf32.exe File opened for modification C:\Windows\SysWOW64\Ijghmd32.exe Iaoddodf.exe File created C:\Windows\SysWOW64\Dcmomb32.dll Peapmhnk.exe File created C:\Windows\SysWOW64\Eojdod32.dll Hqkmahpp.exe File created C:\Windows\SysWOW64\Kmpfgklo.exe Kbjbibli.exe File created C:\Windows\SysWOW64\Gkkilfjk.exe Gqfeom32.exe File created C:\Windows\SysWOW64\Bdemaknk.dll Pgjfflkf.exe File created C:\Windows\SysWOW64\Bqambacb.exe Bkddjkej.exe File created C:\Windows\SysWOW64\Nnoaan32.dll Kcahjqfa.exe File created C:\Windows\SysWOW64\Ammoel32.exe Acejlfhl.exe File opened for modification C:\Windows\SysWOW64\Ddnfql32.exe Dndndbnl.exe File opened for modification C:\Windows\SysWOW64\Ampncd32.exe Aqimoc32.exe File created C:\Windows\SysWOW64\Aoijjjcl.exe Ajlabc32.exe File opened for modification C:\Windows\SysWOW64\Noepdo32.exe Memlki32.exe File created C:\Windows\SysWOW64\Lolbjahp.exe Ldgnmhhj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3312 1020 WerFault.exe 597 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidchjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olehbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepjjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qefihg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqambacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklkdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemmenhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmqgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiglfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnojjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmggcmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbppqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpblne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkebkjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egndgdai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijghmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcgebhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njdbefnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogddpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieiegf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aplkah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bleilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiobcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkmakbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjcnfcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocqhcqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpqemll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcagkmaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefeaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moloidjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbannb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddoopbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmloigln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giejkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcdqpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmlqimph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjlgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlbnja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmjbchnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmlcpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelljepm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkhch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hngngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcaiggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgglifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odanqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbiijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmpkal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqimoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceoagcld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgfmlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpdefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmolp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgaoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kblooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fghngimj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okfmbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Heamno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjkim32.dll" Lnlmmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiiilm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcgkpie.dll" Dkmghe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jigagocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpjfjalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aiimfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acbieing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eecgafkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhndcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bleilh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lggdfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldepenep.dll" Kejahn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pelpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomadboo.dll" Cmikpngk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcingdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfflmoe.dll" Jmejmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oelcho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kifgllbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gekbbi32.dll" Gjffbhnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgdpgqgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnelmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iefeaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckgmon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhgnbehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbjbibli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggnqfgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iaegbmlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdakoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichlpm32.dll" Omonmpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoaan32.dll" Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apnhggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaecfp32.dll" Pghjqlmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofefqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccmhojk.dll" Lggbmbfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpkihpnk.dll" Jonqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfkol32.dll" Lgiobadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afkccffq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qicoleno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjkcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agngpn32.dll" Cihedpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahonm32.dll" Amhopfof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilmgef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibmmkaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Niaihojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjon32.dll" Mgoaap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbflqccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjofjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecjibgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhcgkbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalapaaj.dll" Flmidkmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nafiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjoebl.dll" Nbddfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jogneifn.dll" Gjkcod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laeidfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhpmhgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpphgfli.dll" Ckgmon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdonjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abbjbnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amhopfof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiifcdhn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2072 2876 6c48840c5b54d96f1fcfea6ad13328a0N.exe 30 PID 2876 wrote to memory of 2072 2876 6c48840c5b54d96f1fcfea6ad13328a0N.exe 30 PID 2876 wrote to memory of 2072 2876 6c48840c5b54d96f1fcfea6ad13328a0N.exe 30 PID 2876 wrote to memory of 2072 2876 6c48840c5b54d96f1fcfea6ad13328a0N.exe 30 PID 2072 wrote to memory of 2812 2072 Gpafgp32.exe 31 PID 2072 wrote to memory of 2812 2072 Gpafgp32.exe 31 PID 2072 wrote to memory of 2812 2072 Gpafgp32.exe 31 PID 2072 wrote to memory of 2812 2072 Gpafgp32.exe 31 PID 2812 wrote to memory of 2564 2812 Hlhfmqge.exe 32 PID 2812 wrote to memory of 2564 2812 Hlhfmqge.exe 32 PID 2812 wrote to memory of 2564 2812 Hlhfmqge.exe 32 PID 2812 wrote to memory of 2564 2812 Hlhfmqge.exe 32 PID 2564 wrote to memory of 2860 2564 Hkppcmjk.exe 33 PID 2564 wrote to memory of 2860 2564 Hkppcmjk.exe 33 PID 2564 wrote to memory of 2860 2564 Hkppcmjk.exe 33 PID 2564 wrote to memory of 2860 2564 Hkppcmjk.exe 33 PID 2860 wrote to memory of 2556 2860 Hhdqma32.exe 34 PID 2860 wrote to memory of 2556 2860 Hhdqma32.exe 34 PID 2860 wrote to memory of 2556 2860 Hhdqma32.exe 34 PID 2860 wrote to memory of 2556 2860 Hhdqma32.exe 34 PID 2556 wrote to memory of 3008 2556 Hdkaabnh.exe 35 PID 2556 wrote to memory of 3008 2556 Hdkaabnh.exe 35 PID 2556 wrote to memory of 3008 2556 Hdkaabnh.exe 35 PID 2556 wrote to memory of 3008 2556 Hdkaabnh.exe 35 PID 3008 wrote to memory of 2536 3008 Idmnga32.exe 36 PID 3008 wrote to memory of 2536 3008 Idmnga32.exe 36 PID 3008 wrote to memory of 2536 3008 Idmnga32.exe 36 PID 3008 wrote to memory of 2536 3008 Idmnga32.exe 36 PID 2536 wrote to memory of 1564 2536 Iijfoh32.exe 37 PID 2536 wrote to memory of 1564 2536 Iijfoh32.exe 37 PID 2536 wrote to memory of 1564 2536 Iijfoh32.exe 37 PID 2536 wrote to memory of 1564 2536 Iijfoh32.exe 37 PID 1564 wrote to memory of 2896 1564 Icbkhnan.exe 38 PID 1564 wrote to memory of 2896 1564 Icbkhnan.exe 38 PID 1564 wrote to memory of 2896 1564 Icbkhnan.exe 38 PID 1564 wrote to memory of 2896 1564 Icbkhnan.exe 38 PID 2896 wrote to memory of 2864 2896 Inhoegqc.exe 39 PID 2896 wrote to memory of 2864 2896 Inhoegqc.exe 39 PID 2896 wrote to memory of 2864 2896 Inhoegqc.exe 39 PID 2896 wrote to memory of 2864 2896 Inhoegqc.exe 39 PID 2864 wrote to memory of 2236 2864 Injlkf32.exe 40 PID 2864 wrote to memory of 2236 2864 Injlkf32.exe 40 PID 2864 wrote to memory of 2236 2864 Injlkf32.exe 40 PID 2864 wrote to memory of 2236 2864 Injlkf32.exe 40 PID 2236 wrote to memory of 1368 2236 Igbqdlea.exe 41 PID 2236 wrote to memory of 1368 2236 Igbqdlea.exe 41 PID 2236 wrote to memory of 1368 2236 Igbqdlea.exe 41 PID 2236 wrote to memory of 1368 2236 Igbqdlea.exe 41 PID 1368 wrote to memory of 2176 1368 Ialadj32.exe 42 PID 1368 wrote to memory of 2176 1368 Ialadj32.exe 42 PID 1368 wrote to memory of 2176 1368 Ialadj32.exe 42 PID 1368 wrote to memory of 2176 1368 Ialadj32.exe 42 PID 2176 wrote to memory of 1044 2176 Jkdfmoha.exe 43 PID 2176 wrote to memory of 1044 2176 Jkdfmoha.exe 43 PID 2176 wrote to memory of 1044 2176 Jkdfmoha.exe 43 PID 2176 wrote to memory of 1044 2176 Jkdfmoha.exe 43 PID 1044 wrote to memory of 1372 1044 Joekimld.exe 44 PID 1044 wrote to memory of 1372 1044 Joekimld.exe 44 PID 1044 wrote to memory of 1372 1044 Joekimld.exe 44 PID 1044 wrote to memory of 1372 1044 Joekimld.exe 44 PID 1372 wrote to memory of 832 1372 Jkllnn32.exe 45 PID 1372 wrote to memory of 832 1372 Jkllnn32.exe 45 PID 1372 wrote to memory of 832 1372 Jkllnn32.exe 45 PID 1372 wrote to memory of 832 1372 Jkllnn32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c48840c5b54d96f1fcfea6ad13328a0N.exe"C:\Users\Admin\AppData\Local\Temp\6c48840c5b54d96f1fcfea6ad13328a0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Hkppcmjk.exeC:\Windows\system32\Hkppcmjk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Hhdqma32.exeC:\Windows\system32\Hhdqma32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Idmnga32.exeC:\Windows\system32\Idmnga32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Iijfoh32.exeC:\Windows\system32\Iijfoh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Icbkhnan.exeC:\Windows\system32\Icbkhnan.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Inhoegqc.exeC:\Windows\system32\Inhoegqc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Injlkf32.exeC:\Windows\system32\Injlkf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Igbqdlea.exeC:\Windows\system32\Igbqdlea.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Ialadj32.exeC:\Windows\system32\Ialadj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Jkdfmoha.exeC:\Windows\system32\Jkdfmoha.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Joekimld.exeC:\Windows\system32\Joekimld.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Jddqgdii.exeC:\Windows\system32\Jddqgdii.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Kdfmlc32.exeC:\Windows\system32\Kdfmlc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Kmabqf32.exeC:\Windows\system32\Kmabqf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Kfjfik32.exeC:\Windows\system32\Kfjfik32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Kobkbaac.exeC:\Windows\system32\Kobkbaac.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Kmfklepl.exeC:\Windows\system32\Kmfklepl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Keappgmg.exeC:\Windows\system32\Keappgmg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Kpgdnp32.exeC:\Windows\system32\Kpgdnp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:732 -
C:\Windows\SysWOW64\Kecmfg32.exeC:\Windows\system32\Kecmfg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Lbhmok32.exeC:\Windows\system32\Lbhmok32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Lmckeidj.exeC:\Windows\system32\Lmckeidj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Lgiobadq.exeC:\Windows\system32\Lgiobadq.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Lcppgbjd.exeC:\Windows\system32\Lcppgbjd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Mjlejl32.exeC:\Windows\system32\Mjlejl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Mddibb32.exeC:\Windows\system32\Mddibb32.exe33⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Miaaki32.exeC:\Windows\system32\Miaaki32.exe34⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Mfebdm32.exeC:\Windows\system32\Mfebdm32.exe35⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe36⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Memlki32.exeC:\Windows\system32\Memlki32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe38⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Nafiej32.exeC:\Windows\system32\Nafiej32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Nahfkigd.exeC:\Windows\system32\Nahfkigd.exe41⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Ncjbba32.exeC:\Windows\system32\Ncjbba32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Nmogpj32.exeC:\Windows\system32\Nmogpj32.exe43⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Ncloha32.exeC:\Windows\system32\Ncloha32.exe44⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Ncnlnaim.exeC:\Windows\system32\Ncnlnaim.exe45⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ohkdfhge.exeC:\Windows\system32\Ohkdfhge.exe46⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe48⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Onapdmma.exeC:\Windows\system32\Onapdmma.exe49⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe50⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Pncljmko.exeC:\Windows\system32\Pncljmko.exe51⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Pdndggcl.exeC:\Windows\system32\Pdndggcl.exe52⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Pjjmonac.exeC:\Windows\system32\Pjjmonac.exe53⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Pccahc32.exeC:\Windows\system32\Pccahc32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pjmjdnop.exeC:\Windows\system32\Pjmjdnop.exe55⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe56⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Pjofjm32.exeC:\Windows\system32\Pjofjm32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Polobd32.exeC:\Windows\system32\Polobd32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe59⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Qkbpgeai.exeC:\Windows\system32\Qkbpgeai.exe60⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Qekdpkgj.exeC:\Windows\system32\Qekdpkgj.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe62⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Qqbeel32.exeC:\Windows\system32\Qqbeel32.exe63⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Aiimfi32.exeC:\Windows\system32\Aiimfi32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Anfeop32.exeC:\Windows\system32\Anfeop32.exe65⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Acbnggjo.exeC:\Windows\system32\Acbnggjo.exe66⤵PID:2024
-
C:\Windows\SysWOW64\Amkbpm32.exeC:\Windows\system32\Amkbpm32.exe67⤵PID:2056
-
C:\Windows\SysWOW64\Acejlfhl.exeC:\Windows\system32\Acejlfhl.exe68⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Ammoel32.exeC:\Windows\system32\Ammoel32.exe69⤵PID:2700
-
C:\Windows\SysWOW64\Aplkah32.exeC:\Windows\system32\Aplkah32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Amplklmj.exeC:\Windows\system32\Amplklmj.exe71⤵PID:2288
-
C:\Windows\SysWOW64\Apnhggln.exeC:\Windows\system32\Apnhggln.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Afhpca32.exeC:\Windows\system32\Afhpca32.exe73⤵PID:2620
-
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Bemmenhb.exeC:\Windows\system32\Bemmenhb.exe75⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Bmdefk32.exeC:\Windows\system32\Bmdefk32.exe76⤵PID:2656
-
C:\Windows\SysWOW64\Bbannb32.exeC:\Windows\system32\Bbannb32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Bpengf32.exeC:\Windows\system32\Bpengf32.exe79⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Bafkookd.exeC:\Windows\system32\Bafkookd.exe80⤵PID:2084
-
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe81⤵PID:2184
-
C:\Windows\SysWOW64\Bjoohdbd.exeC:\Windows\system32\Bjoohdbd.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:872 -
C:\Windows\SysWOW64\Baigen32.exeC:\Windows\system32\Baigen32.exe83⤵PID:2192
-
C:\Windows\SysWOW64\Blnkbg32.exeC:\Windows\system32\Blnkbg32.exe84⤵PID:1020
-
C:\Windows\SysWOW64\Bomhnb32.exeC:\Windows\system32\Bomhnb32.exe85⤵
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Bdipfi32.exeC:\Windows\system32\Bdipfi32.exe86⤵PID:2780
-
C:\Windows\SysWOW64\Cmaeoo32.exeC:\Windows\system32\Cmaeoo32.exe87⤵PID:2828
-
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe88⤵PID:1916
-
C:\Windows\SysWOW64\Cihedpcg.exeC:\Windows\system32\Cihedpcg.exe89⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Cdnjaibm.exeC:\Windows\system32\Cdnjaibm.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Cmfnjnin.exeC:\Windows\system32\Cmfnjnin.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Cbcfbege.exeC:\Windows\system32\Cbcfbege.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe93⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Cpgglifo.exeC:\Windows\system32\Cpgglifo.exe94⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe95⤵PID:764
-
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe96⤵PID:2040
-
C:\Windows\SysWOW64\Dakpiajj.exeC:\Windows\system32\Dakpiajj.exe97⤵PID:1940
-
C:\Windows\SysWOW64\Dlpdfjjp.exeC:\Windows\system32\Dlpdfjjp.exe98⤵PID:324
-
C:\Windows\SysWOW64\Dammoahg.exeC:\Windows\system32\Dammoahg.exe99⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe100⤵PID:1712
-
C:\Windows\SysWOW64\Dndndbnl.exeC:\Windows\system32\Dndndbnl.exe101⤵
- Drops file in System32 directory
PID:664 -
C:\Windows\SysWOW64\Ddnfql32.exeC:\Windows\system32\Ddnfql32.exe102⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Dpdfemkm.exeC:\Windows\system32\Dpdfemkm.exe104⤵PID:2580
-
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe105⤵PID:2752
-
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe106⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Dkmghe32.exeC:\Windows\system32\Dkmghe32.exe107⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Epipql32.exeC:\Windows\system32\Epipql32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe109⤵PID:2228
-
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Ecjibgdh.exeC:\Windows\system32\Ecjibgdh.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Ejdaoa32.exeC:\Windows\system32\Ejdaoa32.exe112⤵PID:2308
-
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe114⤵PID:2160
-
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe115⤵PID:2168
-
C:\Windows\SysWOW64\Ebabicfn.exeC:\Windows\system32\Ebabicfn.exe116⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe117⤵PID:2576
-
C:\Windows\SysWOW64\Ebdoocdk.exeC:\Windows\system32\Ebdoocdk.exe118⤵PID:2980
-
C:\Windows\SysWOW64\Fgqhgjbb.exeC:\Windows\system32\Fgqhgjbb.exe119⤵PID:680
-
C:\Windows\SysWOW64\Fnkpcd32.exeC:\Windows\system32\Fnkpcd32.exe120⤵PID:2336
-
C:\Windows\SysWOW64\Fkoqmhii.exeC:\Windows\system32\Fkoqmhii.exe121⤵PID:1488
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-