Analysis
-
max time kernel
102s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
18/09/2024, 22:17
Behavioral task
behavioral1
Sample
881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe
-
Size
256KB
-
MD5
a34f341c58ada523b98560785694b340
-
SHA1
34d417a09d1efc99a01dec9ce2efec64a9e9c7f3
-
SHA256
881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95a
-
SHA512
cde843ea6e9c997572a324f7d0e1fef03569defcdc32ebf843a1af58e72608bbd2a3edaa77924c503d20d38c0a9c10ceaa38976b38fb83c23f6828aaefa32c85
-
SSDEEP
6144:rY/+c4EQ4RCVgIUmKyIxLDXXoq9FJZCUmK/:7z32XXf9Do3M
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liekddkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chjmmnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlocka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imkndofe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhdfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djmknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kccbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijopjhfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofomolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbginomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojfcdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjaddii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abldccka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijmin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpbfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbhdnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpkmehol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qamjmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cniajdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kccbgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncljmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhklha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlmaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liboodmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkpabqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amkbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odckfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ankabh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iilceh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acejlfhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqgqid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjboeenh.exe -
Executes dropped EXE 64 IoCs
pid Process 2848 Klhbdclg.exe 2648 Knfopnkk.exe 2688 Kmiolk32.exe 2548 Lcedne32.exe 2740 Lfdpjp32.exe 2496 Lbkaoalg.exe 2760 Lffmpp32.exe 2408 Lpanne32.exe 1604 Lbojjq32.exe 1124 Lepclldc.exe 2812 Lhoohgdg.exe 1324 Mkohjbah.exe 2428 Mkaeob32.exe 3068 Mghfdcdi.exe 2216 Mdlfngcc.exe 1536 Mgkbjb32.exe 1032 Nepokogo.exe 2984 Nohddd32.exe 2396 Neblqoel.exe 2992 Nphpng32.exe 2364 Ncfmjc32.exe 2340 Nloachkf.exe 988 Nommodjj.exe 2132 Nlanhh32.exe 3000 Noojdc32.exe 2668 Nhhominh.exe 1760 Noagjc32.exe 2452 Ohjkcile.exe 2500 Okhgod32.exe 2080 Occlcg32.exe 2940 Okkddd32.exe 2476 Ojndpqpq.exe 440 Ocfiif32.exe 2272 Oqjibkek.exe 2032 Ochenfdn.exe 2288 Oqlfhjch.exe 108 Ockbdebl.exe 1900 Pcmoie32.exe 1592 Pfkkeq32.exe 2196 Pkhdnh32.exe 1072 Pbblkaea.exe 2736 Pfnhkq32.exe 872 Pildgl32.exe 1820 Pnimpcke.exe 488 Pqgilnji.exe 2624 Pecelm32.exe 824 Pkmmigjo.exe 2260 Pjpmdd32.exe 3016 Pajeanhf.exe 2876 Pkojoghl.exe 2756 Pnnfkb32.exe 1356 Pmqffonj.exe 2468 Qcjoci32.exe 1228 Qnpcpa32.exe 1676 Qmcclolh.exe 2028 Qghgigkn.exe 1784 Qfkgdd32.exe 2412 Qmepanje.exe 1408 Apclnj32.exe 2256 Abbhje32.exe 776 Ajipkb32.exe 1568 Aljmbknm.exe 888 Acadchoo.exe 1648 Aebakp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2172 881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe 2172 881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe 2848 Klhbdclg.exe 2848 Klhbdclg.exe 2648 Knfopnkk.exe 2648 Knfopnkk.exe 2688 Kmiolk32.exe 2688 Kmiolk32.exe 2548 Lcedne32.exe 2548 Lcedne32.exe 2740 Lfdpjp32.exe 2740 Lfdpjp32.exe 2496 Lbkaoalg.exe 2496 Lbkaoalg.exe 2760 Lffmpp32.exe 2760 Lffmpp32.exe 2408 Lpanne32.exe 2408 Lpanne32.exe 1604 Lbojjq32.exe 1604 Lbojjq32.exe 1124 Lepclldc.exe 1124 Lepclldc.exe 2812 Lhoohgdg.exe 2812 Lhoohgdg.exe 1324 Mkohjbah.exe 1324 Mkohjbah.exe 2428 Mkaeob32.exe 2428 Mkaeob32.exe 3068 Mghfdcdi.exe 3068 Mghfdcdi.exe 2216 Mdlfngcc.exe 2216 Mdlfngcc.exe 1536 Mgkbjb32.exe 1536 Mgkbjb32.exe 1032 Nepokogo.exe 1032 Nepokogo.exe 2984 Nohddd32.exe 2984 Nohddd32.exe 2396 Neblqoel.exe 2396 Neblqoel.exe 2992 Nphpng32.exe 2992 Nphpng32.exe 2364 Ncfmjc32.exe 2364 Ncfmjc32.exe 2340 Nloachkf.exe 2340 Nloachkf.exe 988 Nommodjj.exe 988 Nommodjj.exe 2132 Nlanhh32.exe 2132 Nlanhh32.exe 3000 Noojdc32.exe 3000 Noojdc32.exe 2668 Nhhominh.exe 2668 Nhhominh.exe 1760 Noagjc32.exe 1760 Noagjc32.exe 2452 Ohjkcile.exe 2452 Ohjkcile.exe 2500 Okhgod32.exe 2500 Okhgod32.exe 2080 Occlcg32.exe 2080 Occlcg32.exe 2940 Okkddd32.exe 2940 Okkddd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jqhdfe32.exe Jjnlikic.exe File created C:\Windows\SysWOW64\Imqfik32.dll Ipdaek32.exe File created C:\Windows\SysWOW64\Ifoncgpc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pnnfkb32.exe Pkojoghl.exe File opened for modification C:\Windows\SysWOW64\Hidfjckg.exe Heijidbn.exe File opened for modification C:\Windows\SysWOW64\Jgeobdkc.exe Jbjcaf32.exe File created C:\Windows\SysWOW64\Lloejg32.dll Kcipqi32.exe File created C:\Windows\SysWOW64\Knfopnkk.exe Klhbdclg.exe File created C:\Windows\SysWOW64\Dkolfk32.dll Oolbcaij.exe File created C:\Windows\SysWOW64\Doeljaja.dll Opebpdad.exe File created C:\Windows\SysWOW64\Nkikgn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lllpclnk.exe Process not Found File created C:\Windows\SysWOW64\Flbehbqm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oeobfgak.exe Process not Found File created C:\Windows\SysWOW64\Pmdocf32.exe Pgjfflkf.exe File created C:\Windows\SysWOW64\Oinpjm32.dll Ekbhnkhf.exe File opened for modification C:\Windows\SysWOW64\Hkejnl32.exe Hhfmbq32.exe File created C:\Windows\SysWOW64\Impcbm32.dll Imchcplm.exe File created C:\Windows\SysWOW64\Pegpamoo.exe Process not Found File created C:\Windows\SysWOW64\Bbojchdc.dll Process not Found File created C:\Windows\SysWOW64\Qekdpkgj.exe Qfhddn32.exe File opened for modification C:\Windows\SysWOW64\Cfkkam32.exe Process not Found File created C:\Windows\SysWOW64\Pljnmkoo.exe Process not Found File created C:\Windows\SysWOW64\Fefboabg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kihcakpa.exe Process not Found File created C:\Windows\SysWOW64\Mnpkkdjl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ohqbbi32.exe Process not Found File created C:\Windows\SysWOW64\Qamleagn.exe Process not Found File created C:\Windows\SysWOW64\Eckomcec.dll Fjfjcdln.exe File opened for modification C:\Windows\SysWOW64\Enqfco32.exe Eonfgbhc.exe File created C:\Windows\SysWOW64\Ockbdebl.exe Oqlfhjch.exe File created C:\Windows\SysWOW64\Hkejnl32.exe Hhfmbq32.exe File opened for modification C:\Windows\SysWOW64\Hgmfjdbe.exe Process not Found File created C:\Windows\SysWOW64\Ihefej32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nogjbbma.exe Process not Found File created C:\Windows\SysWOW64\Cgohnp32.dll Anfeop32.exe File opened for modification C:\Windows\SysWOW64\Jfigdl32.exe Process not Found File created C:\Windows\SysWOW64\Dbmlal32.exe Process not Found File created C:\Windows\SysWOW64\Ccpgdcke.dll Process not Found File created C:\Windows\SysWOW64\Pddlggin.exe Process not Found File created C:\Windows\SysWOW64\Mpoibb32.dll Idpmejag.exe File opened for modification C:\Windows\SysWOW64\Ihooog32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jfkbqcam.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ljndga32.exe Process not Found File created C:\Windows\SysWOW64\Pifmaooo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jaamhb32.exe Jcnmme32.exe File created C:\Windows\SysWOW64\Qbcebiqf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ebdoocdk.exe Ekjgbi32.exe File opened for modification C:\Windows\SysWOW64\Njlcah32.exe Nljcflbd.exe File created C:\Windows\SysWOW64\Kqpaln32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kmkodd32.exe Process not Found File created C:\Windows\SysWOW64\Dcemgk32.dll Afbpnlcd.exe File opened for modification C:\Windows\SysWOW64\Kiccle32.exe Process not Found File created C:\Windows\SysWOW64\Ifpjem32.dll Djjeedhp.exe File opened for modification C:\Windows\SysWOW64\Noepdo32.exe Mlgdhcmb.exe File opened for modification C:\Windows\SysWOW64\Ecjkkp32.exe Process not Found File created C:\Windows\SysWOW64\Nakjff32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jlkigbef.exe Process not Found File created C:\Windows\SysWOW64\Ohilhjfg.dll Process not Found File created C:\Windows\SysWOW64\Hbglqg32.dll Pecelm32.exe File created C:\Windows\SysWOW64\Qkdhdd32.dll Bbimbpld.exe File created C:\Windows\SysWOW64\Lpjgehii.dll Process not Found File created C:\Windows\SysWOW64\Kiopjgdl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Edohki32.exe Enepnoji.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9644 2796 Process not Found 2206 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfcbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blibghmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhdnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkgog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnmbbnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbengc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiflpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbppdfmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjiln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okcchbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdljjplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimpnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngencpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmelpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpmmpam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mioeeifi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haohel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmjgkpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqqdjceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjdgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbljgpja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgjfflkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffghjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkllnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckjmpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcbpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokhcodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihqilnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcocgkbp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkiakec.dll" Ekddck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcnmme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfjncd32.dll" Amnanefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpinonc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhehfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpanne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcocgkbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nalldh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlchfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbmicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifniaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glanhbmn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkldo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllpgcjb.dll" Mkaeob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjhhm32.dll" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkqbd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glfjgaih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fldabn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cimooo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knpkhhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdplfflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdhjg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfeoj32.dll" Hkppcmjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnjicba.dll" Hbjgbbpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnmne32.dll" Echlmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpopj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knoaeimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjofjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghbhhnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgbfcjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlmnebq.dll" Glcfgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enkdda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oibpdico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akphfbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fonbff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafjcm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobpmfmi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmjkf32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2848 2172 881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe 29 PID 2172 wrote to memory of 2848 2172 881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe 29 PID 2172 wrote to memory of 2848 2172 881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe 29 PID 2172 wrote to memory of 2848 2172 881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe 29 PID 2848 wrote to memory of 2648 2848 Klhbdclg.exe 30 PID 2848 wrote to memory of 2648 2848 Klhbdclg.exe 30 PID 2848 wrote to memory of 2648 2848 Klhbdclg.exe 30 PID 2848 wrote to memory of 2648 2848 Klhbdclg.exe 30 PID 2648 wrote to memory of 2688 2648 Knfopnkk.exe 31 PID 2648 wrote to memory of 2688 2648 Knfopnkk.exe 31 PID 2648 wrote to memory of 2688 2648 Knfopnkk.exe 31 PID 2648 wrote to memory of 2688 2648 Knfopnkk.exe 31 PID 2688 wrote to memory of 2548 2688 Kmiolk32.exe 32 PID 2688 wrote to memory of 2548 2688 Kmiolk32.exe 32 PID 2688 wrote to memory of 2548 2688 Kmiolk32.exe 32 PID 2688 wrote to memory of 2548 2688 Kmiolk32.exe 32 PID 2548 wrote to memory of 2740 2548 Lcedne32.exe 33 PID 2548 wrote to memory of 2740 2548 Lcedne32.exe 33 PID 2548 wrote to memory of 2740 2548 Lcedne32.exe 33 PID 2548 wrote to memory of 2740 2548 Lcedne32.exe 33 PID 2740 wrote to memory of 2496 2740 Lfdpjp32.exe 34 PID 2740 wrote to memory of 2496 2740 Lfdpjp32.exe 34 PID 2740 wrote to memory of 2496 2740 Lfdpjp32.exe 34 PID 2740 wrote to memory of 2496 2740 Lfdpjp32.exe 34 PID 2496 wrote to memory of 2760 2496 Lbkaoalg.exe 35 PID 2496 wrote to memory of 2760 2496 Lbkaoalg.exe 35 PID 2496 wrote to memory of 2760 2496 Lbkaoalg.exe 35 PID 2496 wrote to memory of 2760 2496 Lbkaoalg.exe 35 PID 2760 wrote to memory of 2408 2760 Lffmpp32.exe 36 PID 2760 wrote to memory of 2408 2760 Lffmpp32.exe 36 PID 2760 wrote to memory of 2408 2760 Lffmpp32.exe 36 PID 2760 wrote to memory of 2408 2760 Lffmpp32.exe 36 PID 2408 wrote to memory of 1604 2408 Lpanne32.exe 37 PID 2408 wrote to memory of 1604 2408 Lpanne32.exe 37 PID 2408 wrote to memory of 1604 2408 Lpanne32.exe 37 PID 2408 wrote to memory of 1604 2408 Lpanne32.exe 37 PID 1604 wrote to memory of 1124 1604 Lbojjq32.exe 38 PID 1604 wrote to memory of 1124 1604 Lbojjq32.exe 38 PID 1604 wrote to memory of 1124 1604 Lbojjq32.exe 38 PID 1604 wrote to memory of 1124 1604 Lbojjq32.exe 38 PID 1124 wrote to memory of 2812 1124 Lepclldc.exe 39 PID 1124 wrote to memory of 2812 1124 Lepclldc.exe 39 PID 1124 wrote to memory of 2812 1124 Lepclldc.exe 39 PID 1124 wrote to memory of 2812 1124 Lepclldc.exe 39 PID 2812 wrote to memory of 1324 2812 Lhoohgdg.exe 40 PID 2812 wrote to memory of 1324 2812 Lhoohgdg.exe 40 PID 2812 wrote to memory of 1324 2812 Lhoohgdg.exe 40 PID 2812 wrote to memory of 1324 2812 Lhoohgdg.exe 40 PID 1324 wrote to memory of 2428 1324 Mkohjbah.exe 41 PID 1324 wrote to memory of 2428 1324 Mkohjbah.exe 41 PID 1324 wrote to memory of 2428 1324 Mkohjbah.exe 41 PID 1324 wrote to memory of 2428 1324 Mkohjbah.exe 41 PID 2428 wrote to memory of 3068 2428 Mkaeob32.exe 42 PID 2428 wrote to memory of 3068 2428 Mkaeob32.exe 42 PID 2428 wrote to memory of 3068 2428 Mkaeob32.exe 42 PID 2428 wrote to memory of 3068 2428 Mkaeob32.exe 42 PID 3068 wrote to memory of 2216 3068 Mghfdcdi.exe 43 PID 3068 wrote to memory of 2216 3068 Mghfdcdi.exe 43 PID 3068 wrote to memory of 2216 3068 Mghfdcdi.exe 43 PID 3068 wrote to memory of 2216 3068 Mghfdcdi.exe 43 PID 2216 wrote to memory of 1536 2216 Mdlfngcc.exe 44 PID 2216 wrote to memory of 1536 2216 Mdlfngcc.exe 44 PID 2216 wrote to memory of 1536 2216 Mdlfngcc.exe 44 PID 2216 wrote to memory of 1536 2216 Mdlfngcc.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe"C:\Users\Admin\AppData\Local\Temp\881981da5e7cd4ed1066f3e2141f44b3eb6238f7ea6f34b9d206e42816bbf95aN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Lbkaoalg.exeC:\Windows\system32\Lbkaoalg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Lbojjq32.exeC:\Windows\system32\Lbojjq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Lhoohgdg.exeC:\Windows\system32\Lhoohgdg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Mkaeob32.exeC:\Windows\system32\Mkaeob32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Mdlfngcc.exeC:\Windows\system32\Mdlfngcc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Mgkbjb32.exeC:\Windows\system32\Mgkbjb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Nohddd32.exeC:\Windows\system32\Nohddd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Neblqoel.exeC:\Windows\system32\Neblqoel.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Nloachkf.exeC:\Windows\system32\Nloachkf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Nommodjj.exeC:\Windows\system32\Nommodjj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Noojdc32.exeC:\Windows\system32\Noojdc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Ohjkcile.exeC:\Windows\system32\Ohjkcile.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Okhgod32.exeC:\Windows\system32\Okhgod32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Occlcg32.exeC:\Windows\system32\Occlcg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Okkddd32.exeC:\Windows\system32\Okkddd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Ojndpqpq.exeC:\Windows\system32\Ojndpqpq.exe33⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe34⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Oqjibkek.exeC:\Windows\system32\Oqjibkek.exe35⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ochenfdn.exeC:\Windows\system32\Ochenfdn.exe36⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Ockbdebl.exeC:\Windows\system32\Ockbdebl.exe38⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe39⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Pfkkeq32.exeC:\Windows\system32\Pfkkeq32.exe40⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Pbblkaea.exeC:\Windows\system32\Pbblkaea.exe42⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe43⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Pildgl32.exeC:\Windows\system32\Pildgl32.exe44⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Pnimpcke.exeC:\Windows\system32\Pnimpcke.exe45⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Pqgilnji.exeC:\Windows\system32\Pqgilnji.exe46⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Pecelm32.exeC:\Windows\system32\Pecelm32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe48⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Pjpmdd32.exeC:\Windows\system32\Pjpmdd32.exe49⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe50⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Pkojoghl.exeC:\Windows\system32\Pkojoghl.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Pnnfkb32.exeC:\Windows\system32\Pnnfkb32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe53⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Qcjoci32.exeC:\Windows\system32\Qcjoci32.exe54⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Qnpcpa32.exeC:\Windows\system32\Qnpcpa32.exe55⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Qmcclolh.exeC:\Windows\system32\Qmcclolh.exe56⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Qghgigkn.exeC:\Windows\system32\Qghgigkn.exe57⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe58⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Qmepanje.exeC:\Windows\system32\Qmepanje.exe59⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Apclnj32.exeC:\Windows\system32\Apclnj32.exe60⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Abbhje32.exeC:\Windows\system32\Abbhje32.exe61⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ajipkb32.exeC:\Windows\system32\Ajipkb32.exe62⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Aljmbknm.exeC:\Windows\system32\Aljmbknm.exe63⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Acadchoo.exeC:\Windows\system32\Acadchoo.exe64⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Aebakp32.exeC:\Windows\system32\Aebakp32.exe65⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Amjiln32.exeC:\Windows\system32\Amjiln32.exe66⤵
- System Location Discovery: System Language Discovery
PID:276 -
C:\Windows\SysWOW64\Almihjlj.exeC:\Windows\system32\Almihjlj.exe67⤵PID:880
-
C:\Windows\SysWOW64\Abgaeddg.exeC:\Windows\system32\Abgaeddg.exe68⤵PID:2164
-
C:\Windows\SysWOW64\Aeenapck.exeC:\Windows\system32\Aeenapck.exe69⤵PID:2236
-
C:\Windows\SysWOW64\Alofnj32.exeC:\Windows\system32\Alofnj32.exe70⤵PID:2676
-
C:\Windows\SysWOW64\Anmbje32.exeC:\Windows\system32\Anmbje32.exe71⤵PID:2572
-
C:\Windows\SysWOW64\Aalofa32.exeC:\Windows\system32\Aalofa32.exe72⤵PID:2576
-
C:\Windows\SysWOW64\Ahfgbkpl.exeC:\Windows\system32\Ahfgbkpl.exe73⤵PID:2608
-
C:\Windows\SysWOW64\Ajdcofop.exeC:\Windows\system32\Ajdcofop.exe74⤵PID:2672
-
C:\Windows\SysWOW64\Aankkqfl.exeC:\Windows\system32\Aankkqfl.exe75⤵PID:2456
-
C:\Windows\SysWOW64\Admgglep.exeC:\Windows\system32\Admgglep.exe76⤵PID:2956
-
C:\Windows\SysWOW64\Bjfpdf32.exeC:\Windows\system32\Bjfpdf32.exe77⤵PID:2300
-
C:\Windows\SysWOW64\Bmelpa32.exeC:\Windows\system32\Bmelpa32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Bdodmlcm.exeC:\Windows\system32\Bdodmlcm.exe79⤵PID:604
-
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe80⤵PID:1868
-
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe81⤵PID:3020
-
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe82⤵PID:1940
-
C:\Windows\SysWOW64\Bhmmcjjd.exeC:\Windows\system32\Bhmmcjjd.exe83⤵PID:1872
-
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe84⤵PID:336
-
C:\Windows\SysWOW64\Bmjekahk.exeC:\Windows\system32\Bmjekahk.exe85⤵PID:1980
-
C:\Windows\SysWOW64\Bdcnhk32.exeC:\Windows\system32\Bdcnhk32.exe86⤵PID:2324
-
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe87⤵PID:2592
-
C:\Windows\SysWOW64\Biqfpb32.exeC:\Windows\system32\Biqfpb32.exe88⤵PID:2480
-
C:\Windows\SysWOW64\Bpjnmlel.exeC:\Windows\system32\Bpjnmlel.exe89⤵PID:1584
-
C:\Windows\SysWOW64\Bbikig32.exeC:\Windows\system32\Bbikig32.exe90⤵PID:2616
-
C:\Windows\SysWOW64\Biccfalm.exeC:\Windows\system32\Biccfalm.exe91⤵PID:2040
-
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe92⤵PID:1372
-
C:\Windows\SysWOW64\Cbkgog32.exeC:\Windows\system32\Cbkgog32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Ceickb32.exeC:\Windows\system32\Ceickb32.exe94⤵PID:668
-
C:\Windows\SysWOW64\Chhpgn32.exeC:\Windows\system32\Chhpgn32.exe95⤵PID:1992
-
C:\Windows\SysWOW64\Cobhdhha.exeC:\Windows\system32\Cobhdhha.exe96⤵PID:1944
-
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe97⤵PID:1212
-
C:\Windows\SysWOW64\Chjmmnnb.exeC:\Windows\system32\Chjmmnnb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Ckiiiine.exeC:\Windows\system32\Ckiiiine.exe99⤵PID:784
-
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe100⤵PID:2768
-
C:\Windows\SysWOW64\Cdamao32.exeC:\Windows\system32\Cdamao32.exe101⤵PID:2092
-
C:\Windows\SysWOW64\Clhecl32.exeC:\Windows\system32\Clhecl32.exe102⤵PID:1640
-
C:\Windows\SysWOW64\Cniajdkg.exeC:\Windows\system32\Cniajdkg.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Ceqjla32.exeC:\Windows\system32\Ceqjla32.exe104⤵PID:2460
-
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe105⤵
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Ckmbdh32.exeC:\Windows\system32\Ckmbdh32.exe106⤵PID:2276
-
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe107⤵PID:1092
-
C:\Windows\SysWOW64\Cdfgmnpa.exeC:\Windows\system32\Cdfgmnpa.exe108⤵PID:1556
-
C:\Windows\SysWOW64\Ckpoih32.exeC:\Windows\system32\Ckpoih32.exe109⤵PID:1624
-
C:\Windows\SysWOW64\Cjboeenh.exeC:\Windows\system32\Cjboeenh.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:684 -
C:\Windows\SysWOW64\Ddhcbnnn.exeC:\Windows\system32\Ddhcbnnn.exe111⤵PID:780
-
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe112⤵PID:1016
-
C:\Windows\SysWOW64\Djeljd32.exeC:\Windows\system32\Djeljd32.exe113⤵PID:2976
-
C:\Windows\SysWOW64\Dlchfp32.exeC:\Windows\system32\Dlchfp32.exe114⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Ddjphm32.exeC:\Windows\system32\Ddjphm32.exe115⤵PID:2612
-
C:\Windows\SysWOW64\Dgildi32.exeC:\Windows\system32\Dgildi32.exe116⤵PID:1720
-
C:\Windows\SysWOW64\Dleelp32.exeC:\Windows\system32\Dleelp32.exe117⤵PID:2804
-
C:\Windows\SysWOW64\Dpaqmnap.exeC:\Windows\system32\Dpaqmnap.exe118⤵PID:1452
-
C:\Windows\SysWOW64\Dfniee32.exeC:\Windows\system32\Dfniee32.exe119⤵PID:1220
-
C:\Windows\SysWOW64\Djjeedhp.exeC:\Windows\system32\Djjeedhp.exe120⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Dpcnbn32.exeC:\Windows\system32\Dpcnbn32.exe121⤵PID:1520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-