Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
10/09/2024, 00:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
da12861579768a7f146c0f507530fdb0N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
da12861579768a7f146c0f507530fdb0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
da12861579768a7f146c0f507530fdb0N.exe
-
Size
169KB
-
MD5
da12861579768a7f146c0f507530fdb0
-
SHA1
6fd88a22e5b17af46f79ecb0704b7dc450f4e695
-
SHA256
81e076a2831e36f810f3335f840b1e5a265702fc1d4d991771febf9b61c9158e
-
SHA512
932193010be6fecb0e728c0dde76d9a878fede50a368ccda7db1426ba54b6828252e2083dfc118f5d9d72a8dc7dc1b2b8d57bbfe0a547d6596b99d1d1e92ce88
-
SSDEEP
3072:iWjqdVWi//jERgXT22222222222222222222222222222222O222uc22O222222E:ROn/Qk6RlJML3OdgawrFZKPf9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahngomkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkclf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkciic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pljlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noohlkpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babbng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejjnhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdpohodn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djlfma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbcaome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beogaenl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgdmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjleclph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhdgdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdigoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkmaed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbqjqehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbbccgmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Einlmkhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbifl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglpdomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihlnhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaebeoan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflchkii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iocgfhhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdgkjopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bplijcle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkpnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hememgdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edlhqlfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfgnnhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppaej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iediin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbipe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnochnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieponofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icabeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmgjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjofl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnogfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edoefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fadndbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghaeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iafofkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipgjaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kndbko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmpgpond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpdankjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkhoj32.exe -
Executes dropped EXE 64 IoCs
pid Process 3040 Kadfkhkf.exe 1972 Kpgffe32.exe 976 Knkgpi32.exe 2792 Kpkpadnl.exe 2728 Ljddjj32.exe 1052 Ljfapjbi.exe 2600 Lkgngb32.exe 2028 Lfoojj32.exe 2924 Lohccp32.exe 1892 Mjaddn32.exe 2940 Mdiefffn.exe 2136 Mjfnomde.exe 2328 Mpebmc32.exe 1152 Mpgobc32.exe 1176 Nnmlcp32.exe 1252 Nfdddm32.exe 1656 Nnoiio32.exe 1992 Nlefhcnc.exe 560 Nmfbpk32.exe 1020 Oadkej32.exe 1664 Ohncbdbd.exe 2272 Omklkkpl.exe 2292 Ofcqcp32.exe 2304 Objaha32.exe 2884 Offmipej.exe 2676 Ooabmbbe.exe 3004 Obmnna32.exe 2724 Olebgfao.exe 2956 Oococb32.exe 2616 Pepcelel.exe 2620 Pljlbf32.exe 2820 Phqmgg32.exe 1124 Pgcmbcih.exe 2944 Pdgmlhha.exe 2936 Pkaehb32.exe 2112 Pmpbdm32.exe 2320 Ppnnai32.exe 2256 Pghfnc32.exe 2968 Pkcbnanl.exe 1516 Qcogbdkg.exe 328 Qgjccb32.exe 604 Qcachc32.exe 2800 Qnghel32.exe 2412 Alihaioe.exe 1548 Aohdmdoh.exe 1620 Ajmijmnn.exe 588 Ahpifj32.exe 2488 Aaimopli.exe 2284 Ahbekjcf.exe 2056 Akabgebj.exe 2780 Achjibcl.exe 2252 Afffenbp.exe 2704 Alqnah32.exe 2688 Akcomepg.exe 1644 Abmgjo32.exe 1912 Adlcfjgh.exe 2804 Ahgofi32.exe 2916 Akfkbd32.exe 2084 Aoagccfn.exe 484 Bhjlli32.exe 1412 Bjkhdacm.exe 1724 Bnfddp32.exe 944 Bqeqqk32.exe 1584 Bdqlajbb.exe -
Loads dropped DLL 64 IoCs
pid Process 3024 da12861579768a7f146c0f507530fdb0N.exe 3024 da12861579768a7f146c0f507530fdb0N.exe 3040 Kadfkhkf.exe 3040 Kadfkhkf.exe 1972 Kpgffe32.exe 1972 Kpgffe32.exe 976 Knkgpi32.exe 976 Knkgpi32.exe 2792 Kpkpadnl.exe 2792 Kpkpadnl.exe 2728 Ljddjj32.exe 2728 Ljddjj32.exe 1052 Ljfapjbi.exe 1052 Ljfapjbi.exe 2600 Lkgngb32.exe 2600 Lkgngb32.exe 2028 Lfoojj32.exe 2028 Lfoojj32.exe 2924 Lohccp32.exe 2924 Lohccp32.exe 1892 Mjaddn32.exe 1892 Mjaddn32.exe 2940 Mdiefffn.exe 2940 Mdiefffn.exe 2136 Mjfnomde.exe 2136 Mjfnomde.exe 2328 Mpebmc32.exe 2328 Mpebmc32.exe 1152 Mpgobc32.exe 1152 Mpgobc32.exe 1176 Nnmlcp32.exe 1176 Nnmlcp32.exe 1252 Nfdddm32.exe 1252 Nfdddm32.exe 1656 Nnoiio32.exe 1656 Nnoiio32.exe 1992 Nlefhcnc.exe 1992 Nlefhcnc.exe 560 Nmfbpk32.exe 560 Nmfbpk32.exe 1020 Oadkej32.exe 1020 Oadkej32.exe 1664 Ohncbdbd.exe 1664 Ohncbdbd.exe 2272 Omklkkpl.exe 2272 Omklkkpl.exe 2292 Ofcqcp32.exe 2292 Ofcqcp32.exe 2304 Objaha32.exe 2304 Objaha32.exe 2884 Offmipej.exe 2884 Offmipej.exe 2676 Ooabmbbe.exe 2676 Ooabmbbe.exe 3004 Obmnna32.exe 3004 Obmnna32.exe 2724 Olebgfao.exe 2724 Olebgfao.exe 2956 Oococb32.exe 2956 Oococb32.exe 2616 Pepcelel.exe 2616 Pepcelel.exe 2620 Pljlbf32.exe 2620 Pljlbf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hbnmienj.exe Hnbaif32.exe File opened for modification C:\Windows\SysWOW64\Hcojam32.exe Hbnmienj.exe File opened for modification C:\Windows\SysWOW64\Hkjkle32.exe Hgnokgcc.exe File opened for modification C:\Windows\SysWOW64\Goiongbc.exe Ggagmjbq.exe File opened for modification C:\Windows\SysWOW64\Nbhkmg32.exe Nojnql32.exe File created C:\Windows\SysWOW64\Afcdpi32.exe Apilcoho.exe File opened for modification C:\Windows\SysWOW64\Mcidkf32.exe Mpkhoj32.exe File created C:\Windows\SysWOW64\Ijkocg32.exe Igmbgk32.exe File created C:\Windows\SysWOW64\Hpdjnn32.dll Jjfkmdlg.exe File opened for modification C:\Windows\SysWOW64\Omiand32.exe Ojkeah32.exe File opened for modification C:\Windows\SysWOW64\Cfanmogq.exe Ccbbachm.exe File created C:\Windows\SysWOW64\Iacoff32.dll Gncnmane.exe File created C:\Windows\SysWOW64\Fnjkajpb.dll Khagijcd.exe File created C:\Windows\SysWOW64\Mofapq32.dll Elieipej.exe File created C:\Windows\SysWOW64\Hqkmplen.exe Hjaeba32.exe File created C:\Windows\SysWOW64\Pkaehb32.exe Pdgmlhha.exe File created C:\Windows\SysWOW64\Alqnah32.exe Afffenbp.exe File created C:\Windows\SysWOW64\Dphfbiem.exe Dmijfmfi.exe File opened for modification C:\Windows\SysWOW64\Boifga32.exe Bhonjg32.exe File created C:\Windows\SysWOW64\Hbnpbm32.exe Hnbcaome.exe File created C:\Windows\SysWOW64\Jchkhe32.dll Geilah32.exe File opened for modification C:\Windows\SysWOW64\Meemgk32.exe Process not Found File created C:\Windows\SysWOW64\Ailqfooi.exe Process not Found File created C:\Windows\SysWOW64\Omklkkpl.exe Ohncbdbd.exe File created C:\Windows\SysWOW64\Goiafp32.exe Gdcmig32.exe File created C:\Windows\SysWOW64\Necdin32.dll Ccgnelll.exe File created C:\Windows\SysWOW64\Hememgdi.exe Hmfmkjdf.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Ggfpgi32.exe File created C:\Windows\SysWOW64\Ikfdkc32.exe Igkhjdde.exe File created C:\Windows\SysWOW64\Fgdgcfmb.exe Fpjofl32.exe File created C:\Windows\SysWOW64\Efljhq32.exe Ebqngb32.exe File opened for modification C:\Windows\SysWOW64\Alqnah32.exe Afffenbp.exe File opened for modification C:\Windows\SysWOW64\Hofngkga.exe Gmhbkohm.exe File created C:\Windows\SysWOW64\Daadna32.dll Hbofmcij.exe File opened for modification C:\Windows\SysWOW64\Japciodd.exe Jjfkmdlg.exe File created C:\Windows\SysWOW64\Kpcmnaip.dll Cceapl32.exe File opened for modification C:\Windows\SysWOW64\Iianmlfn.exe Igpaec32.exe File opened for modification C:\Windows\SysWOW64\Pcpbik32.exe Pmfjmake.exe File created C:\Windows\SysWOW64\Mifnodlj.dll Eabepp32.exe File created C:\Windows\SysWOW64\Imaapa32.exe Ifgicg32.exe File opened for modification C:\Windows\SysWOW64\Goiafp32.exe Gdcmig32.exe File opened for modification C:\Windows\SysWOW64\Iohbjpkb.exe Ilifndlo.exe File created C:\Windows\SysWOW64\Bgdkkc32.exe Bdfooh32.exe File created C:\Windows\SysWOW64\Ekmlgnnl.dll Omphocck.exe File created C:\Windows\SysWOW64\Hnajpcii.dll Lfoojj32.exe File created C:\Windows\SysWOW64\Aohdmdoh.exe Alihaioe.exe File created C:\Windows\SysWOW64\Mfeaiime.exe Mfeaiime.exe File created C:\Windows\SysWOW64\Hnnikfij.dll Kablnadm.exe File created C:\Windows\SysWOW64\Mpikik32.exe Mmjomogn.exe File created C:\Windows\SysWOW64\Cjoohi32.dll Hkpnjd32.exe File created C:\Windows\SysWOW64\Miclhpjp.exe Mcidkf32.exe File created C:\Windows\SysWOW64\Jbfkeo32.exe Jcckibfg.exe File opened for modification C:\Windows\SysWOW64\Kcajceke.exe Kndbko32.exe File opened for modification C:\Windows\SysWOW64\Mbdcepcm.exe Lljkif32.exe File created C:\Windows\SysWOW64\Bhmmcjjd.exe Process not Found File created C:\Windows\SysWOW64\Eckfklnl.dll Dboeco32.exe File created C:\Windows\SysWOW64\Bgnjpcle.dll Bbqkeioh.exe File opened for modification C:\Windows\SysWOW64\Eblelb32.exe Epnhpglg.exe File created C:\Windows\SysWOW64\Iooagm32.dll Pebbcdkn.exe File opened for modification C:\Windows\SysWOW64\Dhdfmbjc.exe Cbjnqh32.exe File created C:\Windows\SysWOW64\Ncfmjc32.exe Process not Found File created C:\Windows\SysWOW64\Pfikokgf.dll Andjgidl.exe File opened for modification C:\Windows\SysWOW64\Bpcfcddp.exe Bapfhg32.exe File created C:\Windows\SysWOW64\Macjgadf.exe Mgnfji32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkmie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbllnlfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdadhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlddeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammmlcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbqcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlhkofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpaehl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgjnbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadfah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadfah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdegfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiqoeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jieaofmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obeacl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimpfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaimopli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepfnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmldfdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfoeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjifjdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andjgidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfbpaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcelp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibpghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmipmjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmepkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnpbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chgnneiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlaiccm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiddbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmdhfog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghjkpck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piadma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Debadpeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgegfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmbak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcckibfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblelb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcag32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcoaaei.dll" Bbchkime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnaaeim.dll" Jhoklnkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifgicg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deenjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghlfjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkbnap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbflbd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilalae32.dll" Fbegbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpohakbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjbclamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glpepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcdldknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoeff32.dll" Egebjmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glehgdkn.dll" Hgkfal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgfal32.dll" Fbkjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaapcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaklmhak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iomcpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongcaafk.dll" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komlabbb.dll" Eloipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqcmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplnekmg.dll" Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nceqcnpi.dll" Dfkclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjhcag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpbqcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhbbcail.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jijokbfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hginmm32.dll" Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjond32.dll" Dbdagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlfik32.dll" Pnchhllf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfkelkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afpogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldhjg32.dll" Hieiqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeihnam.dll" Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necdin32.dll" Ccgnelll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eejjnhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibibfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll" Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icdeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llpoohik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Objmgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Objaha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndafcmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cchdpbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjjaikoa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 3040 3024 da12861579768a7f146c0f507530fdb0N.exe 31 PID 3024 wrote to memory of 3040 3024 da12861579768a7f146c0f507530fdb0N.exe 31 PID 3024 wrote to memory of 3040 3024 da12861579768a7f146c0f507530fdb0N.exe 31 PID 3024 wrote to memory of 3040 3024 da12861579768a7f146c0f507530fdb0N.exe 31 PID 3040 wrote to memory of 1972 3040 Kadfkhkf.exe 32 PID 3040 wrote to memory of 1972 3040 Kadfkhkf.exe 32 PID 3040 wrote to memory of 1972 3040 Kadfkhkf.exe 32 PID 3040 wrote to memory of 1972 3040 Kadfkhkf.exe 32 PID 1972 wrote to memory of 976 1972 Kpgffe32.exe 33 PID 1972 wrote to memory of 976 1972 Kpgffe32.exe 33 PID 1972 wrote to memory of 976 1972 Kpgffe32.exe 33 PID 1972 wrote to memory of 976 1972 Kpgffe32.exe 33 PID 976 wrote to memory of 2792 976 Knkgpi32.exe 34 PID 976 wrote to memory of 2792 976 Knkgpi32.exe 34 PID 976 wrote to memory of 2792 976 Knkgpi32.exe 34 PID 976 wrote to memory of 2792 976 Knkgpi32.exe 34 PID 2792 wrote to memory of 2728 2792 Kpkpadnl.exe 35 PID 2792 wrote to memory of 2728 2792 Kpkpadnl.exe 35 PID 2792 wrote to memory of 2728 2792 Kpkpadnl.exe 35 PID 2792 wrote to memory of 2728 2792 Kpkpadnl.exe 35 PID 2728 wrote to memory of 1052 2728 Ljddjj32.exe 36 PID 2728 wrote to memory of 1052 2728 Ljddjj32.exe 36 PID 2728 wrote to memory of 1052 2728 Ljddjj32.exe 36 PID 2728 wrote to memory of 1052 2728 Ljddjj32.exe 36 PID 1052 wrote to memory of 2600 1052 Ljfapjbi.exe 37 PID 1052 wrote to memory of 2600 1052 Ljfapjbi.exe 37 PID 1052 wrote to memory of 2600 1052 Ljfapjbi.exe 37 PID 1052 wrote to memory of 2600 1052 Ljfapjbi.exe 37 PID 2600 wrote to memory of 2028 2600 Lkgngb32.exe 38 PID 2600 wrote to memory of 2028 2600 Lkgngb32.exe 38 PID 2600 wrote to memory of 2028 2600 Lkgngb32.exe 38 PID 2600 wrote to memory of 2028 2600 Lkgngb32.exe 38 PID 2028 wrote to memory of 2924 2028 Lfoojj32.exe 39 PID 2028 wrote to memory of 2924 2028 Lfoojj32.exe 39 PID 2028 wrote to memory of 2924 2028 Lfoojj32.exe 39 PID 2028 wrote to memory of 2924 2028 Lfoojj32.exe 39 PID 2924 wrote to memory of 1892 2924 Lohccp32.exe 40 PID 2924 wrote to memory of 1892 2924 Lohccp32.exe 40 PID 2924 wrote to memory of 1892 2924 Lohccp32.exe 40 PID 2924 wrote to memory of 1892 2924 Lohccp32.exe 40 PID 1892 wrote to memory of 2940 1892 Mjaddn32.exe 41 PID 1892 wrote to memory of 2940 1892 Mjaddn32.exe 41 PID 1892 wrote to memory of 2940 1892 Mjaddn32.exe 41 PID 1892 wrote to memory of 2940 1892 Mjaddn32.exe 41 PID 2940 wrote to memory of 2136 2940 Mdiefffn.exe 42 PID 2940 wrote to memory of 2136 2940 Mdiefffn.exe 42 PID 2940 wrote to memory of 2136 2940 Mdiefffn.exe 42 PID 2940 wrote to memory of 2136 2940 Mdiefffn.exe 42 PID 2136 wrote to memory of 2328 2136 Mjfnomde.exe 43 PID 2136 wrote to memory of 2328 2136 Mjfnomde.exe 43 PID 2136 wrote to memory of 2328 2136 Mjfnomde.exe 43 PID 2136 wrote to memory of 2328 2136 Mjfnomde.exe 43 PID 2328 wrote to memory of 1152 2328 Mpebmc32.exe 44 PID 2328 wrote to memory of 1152 2328 Mpebmc32.exe 44 PID 2328 wrote to memory of 1152 2328 Mpebmc32.exe 44 PID 2328 wrote to memory of 1152 2328 Mpebmc32.exe 44 PID 1152 wrote to memory of 1176 1152 Mpgobc32.exe 45 PID 1152 wrote to memory of 1176 1152 Mpgobc32.exe 45 PID 1152 wrote to memory of 1176 1152 Mpgobc32.exe 45 PID 1152 wrote to memory of 1176 1152 Mpgobc32.exe 45 PID 1176 wrote to memory of 1252 1176 Nnmlcp32.exe 46 PID 1176 wrote to memory of 1252 1176 Nnmlcp32.exe 46 PID 1176 wrote to memory of 1252 1176 Nnmlcp32.exe 46 PID 1176 wrote to memory of 1252 1176 Nnmlcp32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\da12861579768a7f146c0f507530fdb0N.exe"C:\Users\Admin\AppData\Local\Temp\da12861579768a7f146c0f507530fdb0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Nmfbpk32.exeC:\Windows\system32\Nmfbpk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe33⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe34⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe37⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe38⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe39⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe40⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe41⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe42⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe44⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe46⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ajmijmnn.exeC:\Windows\system32\Ajmijmnn.exe47⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Ahpifj32.exeC:\Windows\system32\Ahpifj32.exe48⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe50⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe51⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe52⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe54⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe55⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe57⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe60⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe61⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe62⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe64⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe65⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe66⤵PID:2184
-
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe67⤵PID:2244
-
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe68⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe69⤵PID:1864
-
C:\Windows\SysWOW64\Bnknoogp.exeC:\Windows\system32\Bnknoogp.exe70⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe71⤵PID:1336
-
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe72⤵PID:2708
-
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe73⤵PID:2576
-
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe74⤵PID:2736
-
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe75⤵PID:2128
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe76⤵PID:1956
-
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe77⤵PID:1976
-
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe78⤵PID:2932
-
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe79⤵PID:1828
-
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe80⤵PID:2376
-
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe81⤵PID:2036
-
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe82⤵PID:1012
-
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe83⤵PID:856
-
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe84⤵PID:2396
-
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe85⤵PID:1652
-
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe86⤵PID:332
-
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe87⤵PID:2888
-
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe88⤵PID:2480
-
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe90⤵PID:2948
-
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe92⤵PID:1648
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe93⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe94⤵PID:2912
-
C:\Windows\SysWOW64\Djdgic32.exeC:\Windows\system32\Djdgic32.exe95⤵PID:632
-
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe96⤵PID:2060
-
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe97⤵PID:2416
-
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe98⤵PID:928
-
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe100⤵PID:2456
-
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe101⤵PID:2504
-
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe102⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe103⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe104⤵PID:2772
-
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe105⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe106⤵PID:2264
-
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe107⤵PID:2656
-
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe108⤵PID:2744
-
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe109⤵PID:1228
-
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe111⤵PID:1672
-
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe113⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe114⤵PID:2232
-
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe115⤵PID:2372
-
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe116⤵PID:1568
-
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe118⤵PID:2444
-
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe121⤵PID:2928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-