Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
17-10-2024 21:09
Static task
static1
Behavioral task
behavioral1
Sample
428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe
Resource
win10v2004-20241007-en
General
-
Target
428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe
-
Size
128KB
-
MD5
3c6b16cdf6f204f9050103b6ef4eea88
-
SHA1
9a8457584c0a9a65b61bb725ebe08afe1e77845f
-
SHA256
428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c
-
SHA512
62c0b7c282860bfc1d747877fea5519ea80a6278fc14b3e301b8f8800341901e696f7ac0f3389bb1cdc65d55c366339d6e45ca168a0e3bdd57e6503482bb2494
-
SSDEEP
3072:MPvlXJ77CFuj4Nhns1tteNUEdmjRrz3TIUV4BKi:MtV7CwjD12yEdGTBI
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kklikejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phpjnnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Annbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qcqaok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcahoqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqhhanig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkbgjcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnpgeopa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjjed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjaelaok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaffbqaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpqnhadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnjldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cejphiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhckfkbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnekon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okgjodmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfoojj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apoooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhdihkcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjfpafmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fncmmmma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkpogmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fogibnha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oohqqlei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbdmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmccqbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbhmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmeeepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpadhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkfbfjdf.exe -
Executes dropped EXE 64 IoCs
pid Process 2920 Moidahcn.exe 2796 Nkpegi32.exe 2912 Ngfflj32.exe 2708 Nlcnda32.exe 1388 Nlekia32.exe 1044 Nenobfak.exe 380 Nhllob32.exe 2384 Ncbplk32.exe 2072 Oohqqlei.exe 2984 Ohaeia32.exe 2144 Oeeecekc.exe 1752 Oomjlk32.exe 1956 Ohendqhd.exe 2284 Okdkal32.exe 1784 Ojigbhlp.exe 2348 Odoloalf.exe 2000 Pdaheq32.exe 1680 Pjnamh32.exe 1764 Pokieo32.exe 1684 Pjpnbg32.exe 1544 Pmojocel.exe 1640 Pbkbgjcc.exe 2120 Pjbjhgde.exe 872 Pmagdbci.exe 1368 Pkfceo32.exe 2868 Qflhbhgg.exe 1704 Qgmdjp32.exe 2956 Qodlkm32.exe 3064 Aniimjbo.exe 2688 Aaheie32.exe 2748 Ajpjakhc.exe 2780 Aajbne32.exe 528 Annbhi32.exe 1788 Apoooa32.exe 2128 Aigchgkh.exe 3012 Aaolidlk.exe 3068 Alhmjbhj.exe 552 Acpdko32.exe 2156 Bnielm32.exe 2220 Blmfea32.exe 2216 Bphbeplm.exe 468 Bhdgjb32.exe 2440 Bdkgocpm.exe 692 Blaopqpo.exe 776 Bdmddc32.exe 2288 Bhhpeafc.exe 2908 Baadng32.exe 1772 Chkmkacq.exe 828 Cilibi32.exe 888 Cmgechbh.exe 2880 Cbdnko32.exe 2864 Cklfll32.exe 1644 Cmjbhh32.exe 2680 Cddjebgb.exe 572 Ciqcmiei.exe 3044 Cmlong32.exe 2612 Cpkkjc32.exe 2096 Cegcbjkn.exe 2208 Cpmhpbkc.exe 2064 Cckdlnjg.exe 2448 Cejphiik.exe 2280 Dldhdc32.exe 1472 Dkgippgb.exe 916 Daqamj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2828 428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe 2828 428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe 2920 Moidahcn.exe 2920 Moidahcn.exe 2796 Nkpegi32.exe 2796 Nkpegi32.exe 2912 Ngfflj32.exe 2912 Ngfflj32.exe 2708 Nlcnda32.exe 2708 Nlcnda32.exe 1388 Nlekia32.exe 1388 Nlekia32.exe 1044 Nenobfak.exe 1044 Nenobfak.exe 380 Nhllob32.exe 380 Nhllob32.exe 2384 Ncbplk32.exe 2384 Ncbplk32.exe 2072 Oohqqlei.exe 2072 Oohqqlei.exe 2984 Ohaeia32.exe 2984 Ohaeia32.exe 2144 Oeeecekc.exe 2144 Oeeecekc.exe 1752 Oomjlk32.exe 1752 Oomjlk32.exe 1956 Ohendqhd.exe 1956 Ohendqhd.exe 2284 Okdkal32.exe 2284 Okdkal32.exe 1784 Ojigbhlp.exe 1784 Ojigbhlp.exe 2348 Odoloalf.exe 2348 Odoloalf.exe 2000 Pdaheq32.exe 2000 Pdaheq32.exe 1680 Pjnamh32.exe 1680 Pjnamh32.exe 1764 Pokieo32.exe 1764 Pokieo32.exe 1684 Pjpnbg32.exe 1684 Pjpnbg32.exe 1544 Pmojocel.exe 1544 Pmojocel.exe 1640 Pbkbgjcc.exe 1640 Pbkbgjcc.exe 2120 Pjbjhgde.exe 2120 Pjbjhgde.exe 872 Pmagdbci.exe 872 Pmagdbci.exe 1368 Pkfceo32.exe 1368 Pkfceo32.exe 2868 Qflhbhgg.exe 2868 Qflhbhgg.exe 1704 Qgmdjp32.exe 1704 Qgmdjp32.exe 2956 Qodlkm32.exe 2956 Qodlkm32.exe 3064 Aniimjbo.exe 3064 Aniimjbo.exe 2688 Aaheie32.exe 2688 Aaheie32.exe 2748 Ajpjakhc.exe 2748 Ajpjakhc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lkjjma32.exe Ldpbpgoh.exe File opened for modification C:\Windows\SysWOW64\Njfjnpgp.exe Nhgnaehm.exe File opened for modification C:\Windows\SysWOW64\Pbkbgjcc.exe Pmojocel.exe File created C:\Windows\SysWOW64\Apkodqok.dll Jajala32.exe File opened for modification C:\Windows\SysWOW64\Famope32.exe Fjegog32.exe File created C:\Windows\SysWOW64\Dcokpa32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Klfmijae.exe Process not Found File created C:\Windows\SysWOW64\Lbackc32.exe Lobgoh32.exe File created C:\Windows\SysWOW64\Oecpel32.dll Peanbblf.exe File created C:\Windows\SysWOW64\Ooicid32.exe Ohojmjep.exe File created C:\Windows\SysWOW64\Ljddjj32.exe Lonpma32.exe File opened for modification C:\Windows\SysWOW64\Fpokjd32.exe Process not Found File created C:\Windows\SysWOW64\Fdapcg32.exe Process not Found File created C:\Windows\SysWOW64\Djafaf32.exe Process not Found File created C:\Windows\SysWOW64\Ljlmgnqj.dll Ldpbpgoh.exe File created C:\Windows\SysWOW64\Phoogg32.dll Process not Found File created C:\Windows\SysWOW64\Emoldlmc.exe Process not Found File created C:\Windows\SysWOW64\Jnmiag32.exe Process not Found File created C:\Windows\SysWOW64\Qmeedp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cngcll32.exe Process not Found File created C:\Windows\SysWOW64\Pcnfdl32.exe Process not Found File created C:\Windows\SysWOW64\Paafmp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dgnminke.exe Process not Found File created C:\Windows\SysWOW64\Hfjljina.dll Nledoj32.exe File opened for modification C:\Windows\SysWOW64\Jhjphfgi.exe Ielclkhe.exe File created C:\Windows\SysWOW64\Plibla32.dll Omqlpp32.exe File created C:\Windows\SysWOW64\Ppjedf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cgkocj32.exe Cpdgbm32.exe File created C:\Windows\SysWOW64\Npneccok.dll Process not Found File created C:\Windows\SysWOW64\Lbpihjem.dll Process not Found File created C:\Windows\SysWOW64\Caokmd32.exe Process not Found File created C:\Windows\SysWOW64\Pndalkgf.exe Process not Found File created C:\Windows\SysWOW64\Nianhplq.exe Nfcbldmm.exe File created C:\Windows\SysWOW64\Njekpl32.dll Foafdoag.exe File created C:\Windows\SysWOW64\Abojgp32.dll Ibmgpoia.exe File opened for modification C:\Windows\SysWOW64\Bbgqjdce.exe Bkmhnjlh.exe File opened for modification C:\Windows\SysWOW64\Mphiqbon.exe Lnjldf32.exe File created C:\Windows\SysWOW64\Hmdkjmip.exe Process not Found File created C:\Windows\SysWOW64\Dmcjgd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Onjgkf32.exe Process not Found File created C:\Windows\SysWOW64\Qadkpfeg.dll Elcdcgcc.exe File created C:\Windows\SysWOW64\Giioglkn.dll Gligjd32.exe File created C:\Windows\SysWOW64\Pdmjki32.dll Eecafd32.exe File opened for modification C:\Windows\SysWOW64\Akabgebj.exe Ajpepm32.exe File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ndcapd32.exe Nbeedh32.exe File created C:\Windows\SysWOW64\Fhjoof32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hajinjff.exe Hicqmmfc.exe File opened for modification C:\Windows\SysWOW64\Hijgml32.exe Heokmmgb.exe File opened for modification C:\Windows\SysWOW64\Oanefo32.exe Okdmjdol.exe File created C:\Windows\SysWOW64\Lngkoe32.dll Gcbabpcf.exe File created C:\Windows\SysWOW64\Ffadkgnl.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qeppdo32.exe Qdncmgbj.exe File created C:\Windows\SysWOW64\Cibgpofm.dll Dmijfmfi.exe File created C:\Windows\SysWOW64\Mdgldnho.dll Elacliin.exe File opened for modification C:\Windows\SysWOW64\Cepfgdnj.exe Cofnjj32.exe File created C:\Windows\SysWOW64\Kdkelolf.exe Kalipcmb.exe File created C:\Windows\SysWOW64\Nhnginii.dll Process not Found File created C:\Windows\SysWOW64\Hagianlf.exe Process not Found File created C:\Windows\SysWOW64\Fogiamne.dll Process not Found File created C:\Windows\SysWOW64\Gfbaonni.dll Process not Found File created C:\Windows\SysWOW64\Deankpkm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jeoeclek.exe Process not Found File created C:\Windows\SysWOW64\Pmagdbci.exe Pjbjhgde.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8500 8660 Process not Found 1700 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eflill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhoice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjfpafmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklcadfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffpki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjallg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdefddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cheido32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbmlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgqpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgjodmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfnkqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljabkeaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkomchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldahkaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbaglpee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbhkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldokfakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhjbobc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojabdlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilapopb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogmcjef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnlkmkpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodgbhpi.dll" Hdiejfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcdgejhm.dll" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eaphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblkei32.dll" Iichjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbnljqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfenggg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Medefa32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgnpeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jofejpmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bimoloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglcb32.dll" Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doadcepg.dll" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll" Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcomncc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmojocel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiolmdc.dll" Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbioq32.dll" Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolgka32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbbgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihmpobck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjjaebl.dll" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihbcdgp.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnmeen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmakmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbnkppp.dll" Badnhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qklpempi.dll" Njbdea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micfag32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfeho32.dll" Mmfdhojb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldcapk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmjkle32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfkpqnm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hndlem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omlflo32.dll" Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcdki32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inoqpi32.dll" Delmmigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkadjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkedkm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnhjmjc.dll" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkmollme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpjnb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2828 wrote to memory of 2920 2828 428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe 30 PID 2828 wrote to memory of 2920 2828 428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe 30 PID 2828 wrote to memory of 2920 2828 428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe 30 PID 2828 wrote to memory of 2920 2828 428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe 30 PID 2920 wrote to memory of 2796 2920 Moidahcn.exe 31 PID 2920 wrote to memory of 2796 2920 Moidahcn.exe 31 PID 2920 wrote to memory of 2796 2920 Moidahcn.exe 31 PID 2920 wrote to memory of 2796 2920 Moidahcn.exe 31 PID 2796 wrote to memory of 2912 2796 Nkpegi32.exe 32 PID 2796 wrote to memory of 2912 2796 Nkpegi32.exe 32 PID 2796 wrote to memory of 2912 2796 Nkpegi32.exe 32 PID 2796 wrote to memory of 2912 2796 Nkpegi32.exe 32 PID 2912 wrote to memory of 2708 2912 Ngfflj32.exe 33 PID 2912 wrote to memory of 2708 2912 Ngfflj32.exe 33 PID 2912 wrote to memory of 2708 2912 Ngfflj32.exe 33 PID 2912 wrote to memory of 2708 2912 Ngfflj32.exe 33 PID 2708 wrote to memory of 1388 2708 Nlcnda32.exe 34 PID 2708 wrote to memory of 1388 2708 Nlcnda32.exe 34 PID 2708 wrote to memory of 1388 2708 Nlcnda32.exe 34 PID 2708 wrote to memory of 1388 2708 Nlcnda32.exe 34 PID 1388 wrote to memory of 1044 1388 Nlekia32.exe 35 PID 1388 wrote to memory of 1044 1388 Nlekia32.exe 35 PID 1388 wrote to memory of 1044 1388 Nlekia32.exe 35 PID 1388 wrote to memory of 1044 1388 Nlekia32.exe 35 PID 1044 wrote to memory of 380 1044 Nenobfak.exe 36 PID 1044 wrote to memory of 380 1044 Nenobfak.exe 36 PID 1044 wrote to memory of 380 1044 Nenobfak.exe 36 PID 1044 wrote to memory of 380 1044 Nenobfak.exe 36 PID 380 wrote to memory of 2384 380 Nhllob32.exe 37 PID 380 wrote to memory of 2384 380 Nhllob32.exe 37 PID 380 wrote to memory of 2384 380 Nhllob32.exe 37 PID 380 wrote to memory of 2384 380 Nhllob32.exe 37 PID 2384 wrote to memory of 2072 2384 Ncbplk32.exe 38 PID 2384 wrote to memory of 2072 2384 Ncbplk32.exe 38 PID 2384 wrote to memory of 2072 2384 Ncbplk32.exe 38 PID 2384 wrote to memory of 2072 2384 Ncbplk32.exe 38 PID 2072 wrote to memory of 2984 2072 Oohqqlei.exe 39 PID 2072 wrote to memory of 2984 2072 Oohqqlei.exe 39 PID 2072 wrote to memory of 2984 2072 Oohqqlei.exe 39 PID 2072 wrote to memory of 2984 2072 Oohqqlei.exe 39 PID 2984 wrote to memory of 2144 2984 Ohaeia32.exe 40 PID 2984 wrote to memory of 2144 2984 Ohaeia32.exe 40 PID 2984 wrote to memory of 2144 2984 Ohaeia32.exe 40 PID 2984 wrote to memory of 2144 2984 Ohaeia32.exe 40 PID 2144 wrote to memory of 1752 2144 Oeeecekc.exe 41 PID 2144 wrote to memory of 1752 2144 Oeeecekc.exe 41 PID 2144 wrote to memory of 1752 2144 Oeeecekc.exe 41 PID 2144 wrote to memory of 1752 2144 Oeeecekc.exe 41 PID 1752 wrote to memory of 1956 1752 Oomjlk32.exe 42 PID 1752 wrote to memory of 1956 1752 Oomjlk32.exe 42 PID 1752 wrote to memory of 1956 1752 Oomjlk32.exe 42 PID 1752 wrote to memory of 1956 1752 Oomjlk32.exe 42 PID 1956 wrote to memory of 2284 1956 Ohendqhd.exe 43 PID 1956 wrote to memory of 2284 1956 Ohendqhd.exe 43 PID 1956 wrote to memory of 2284 1956 Ohendqhd.exe 43 PID 1956 wrote to memory of 2284 1956 Ohendqhd.exe 43 PID 2284 wrote to memory of 1784 2284 Okdkal32.exe 44 PID 2284 wrote to memory of 1784 2284 Okdkal32.exe 44 PID 2284 wrote to memory of 1784 2284 Okdkal32.exe 44 PID 2284 wrote to memory of 1784 2284 Okdkal32.exe 44 PID 1784 wrote to memory of 2348 1784 Ojigbhlp.exe 45 PID 1784 wrote to memory of 2348 1784 Ojigbhlp.exe 45 PID 1784 wrote to memory of 2348 1784 Ojigbhlp.exe 45 PID 1784 wrote to memory of 2348 1784 Ojigbhlp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe"C:\Users\Admin\AppData\Local\Temp\428ecc7c851202ab609d6657318a13e87dcdf63810793012e77cbbb8cef7353c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Pdaheq32.exeC:\Windows\system32\Pdaheq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe33⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe36⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe37⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe38⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe39⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe40⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe41⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe42⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe43⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe44⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe45⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe46⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe47⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe48⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Chkmkacq.exeC:\Windows\system32\Chkmkacq.exe49⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe50⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe51⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe52⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe53⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe54⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe55⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe56⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe57⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe58⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Cegcbjkn.exeC:\Windows\system32\Cegcbjkn.exe59⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe60⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe61⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe63⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe64⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe65⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe66⤵
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe67⤵PID:1532
-
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe68⤵PID:844
-
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe69⤵PID:1432
-
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe70⤵PID:2044
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe71⤵PID:1496
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe72⤵PID:2924
-
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe73⤵PID:2804
-
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe74⤵PID:3036
-
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe75⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe76⤵PID:2728
-
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe77⤵PID:1796
-
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe78⤵PID:2604
-
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe79⤵PID:1736
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe80⤵PID:2328
-
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe81⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe82⤵PID:2308
-
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe83⤵
- System Location Discovery: System Language Discovery
PID:912 -
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe84⤵PID:1088
-
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe85⤵PID:1964
-
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe86⤵PID:884
-
C:\Windows\SysWOW64\Ehmbng32.exeC:\Windows\system32\Ehmbng32.exe87⤵PID:788
-
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe88⤵PID:1284
-
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe89⤵PID:1584
-
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe90⤵PID:2872
-
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe91⤵PID:2700
-
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe92⤵PID:768
-
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe93⤵PID:2080
-
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe94⤵PID:1700
-
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe95⤵PID:2108
-
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe96⤵PID:3052
-
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe97⤵PID:2140
-
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe98⤵PID:2248
-
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe99⤵PID:1128
-
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe100⤵PID:2104
-
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe101⤵PID:1740
-
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1208 -
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe103⤵PID:2960
-
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe104⤵PID:2928
-
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe105⤵PID:2732
-
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe106⤵PID:2388
-
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe107⤵PID:2548
-
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe108⤵PID:2656
-
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe109⤵PID:2584
-
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe110⤵PID:2204
-
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe111⤵PID:2436
-
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe112⤵PID:1924
-
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe113⤵PID:2320
-
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe114⤵PID:2396
-
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe115⤵PID:1040
-
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe116⤵PID:3040
-
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe117⤵PID:484
-
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe118⤵PID:932
-
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe119⤵PID:2764
-
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe120⤵PID:1244
-
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe121⤵PID:2200
-
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe122⤵
- Drops file in System32 directory
PID:2020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-