Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01-09-2024 21:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe
-
Size
80KB
-
MD5
49c0499bb4925acc904efff5b68db0f1
-
SHA1
f4254484eac61f587143b5ef1252bc730660ebf7
-
SHA256
48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da
-
SHA512
1329054de027594bb59ff52bff0fcb8f63d3fdb1b2f047333fcfbf998e9a2ab7d7b3e5a48c911ead2bde39fd47dcc2dbe233bbbef3bc3d1359d219e778deabfe
-
SSDEEP
1536:niX/mIw3ePzWupV32L5J9VqDlzVxyh+CbxMa:n3XefpC5J9IDlRxyhTb7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmlablaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apclnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecklbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immjnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmaijdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malmllfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abgaeddg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjboeenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndgeplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgkiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmncl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmbnkie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhfpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcmoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qblfkgqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollqllod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnchplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphaglgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfjjkhhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knoaeimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmclmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oielnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anbmbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjneadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpfkeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoalia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdaod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcgmkil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcflko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecogodlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hijhhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnicoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmoppefc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcggef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obcffefa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okhgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebialmjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfglfdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iadbqlmh.exe -
Executes dropped EXE 64 IoCs
pid Process 2792 Nghpjn32.exe 2796 Nqpdcc32.exe 2596 Ndlpdbnj.exe 2576 Njhilimb.exe 3012 Ogliemkk.exe 2200 Ojkeah32.exe 2264 Occjjnap.exe 2032 Ofafgipc.exe 620 Ocefpnom.exe 2012 Ojpomh32.exe 1640 Oaigib32.exe 1888 Obkcajde.exe 784 Oielnd32.exe 2196 Olchjp32.exe 2036 Obmpgjbb.exe 2232 Oighcd32.exe 1308 Ombddbah.exe 920 Pfkimhhi.exe 1960 Phledp32.exe 1288 Ppcmfn32.exe 1672 Padjmfdg.exe 2492 Pilbocej.exe 2412 Pbdfgilj.exe 708 Paggce32.exe 2776 Pllkpn32.exe 2664 Phcleoho.exe 2900 Pmpdmfff.exe 2404 Pdjljpnc.exe 3020 Qjddgj32.exe 1908 Qmbqcf32.exe 2208 Qjfalj32.exe 2216 Qmenhe32.exe 2560 Qlgndbil.exe 1872 Aepbmhpl.exe 2240 Aohgfm32.exe 484 Afpogk32.exe 2192 Ahqkocmm.exe 264 Allgoa32.exe 2052 Aokckm32.exe 2336 Alodeacc.exe 2436 Aaklmhak.exe 2260 Adjhicpo.exe 1500 Ahedjb32.exe 272 Anbmbi32.exe 1128 Aanibhoh.exe 1572 Aeiecfga.exe 2312 Adleoc32.exe 2812 Agkako32.exe 3036 Akfnkmei.exe 2696 Andjgidl.exe 1464 Bapfhg32.exe 2372 Bdobdc32.exe 2408 Bhjneadb.exe 2204 Bkhjamcf.exe 1636 Bngfmhbj.exe 320 Babbng32.exe 2268 Bdaojbjf.exe 1704 Bgokfnij.exe 2092 Bjngbihn.exe 1804 Bllcnega.exe 1216 Bphooc32.exe 288 Bcflko32.exe 2104 Bgahkngh.exe 2800 Bjpdhifk.exe -
Loads dropped DLL 64 IoCs
pid Process 2716 48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe 2716 48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe 2792 Nghpjn32.exe 2792 Nghpjn32.exe 2796 Nqpdcc32.exe 2796 Nqpdcc32.exe 2596 Ndlpdbnj.exe 2596 Ndlpdbnj.exe 2576 Njhilimb.exe 2576 Njhilimb.exe 3012 Ogliemkk.exe 3012 Ogliemkk.exe 2200 Ojkeah32.exe 2200 Ojkeah32.exe 2264 Occjjnap.exe 2264 Occjjnap.exe 2032 Ofafgipc.exe 2032 Ofafgipc.exe 620 Ocefpnom.exe 620 Ocefpnom.exe 2012 Ojpomh32.exe 2012 Ojpomh32.exe 1640 Oaigib32.exe 1640 Oaigib32.exe 1888 Obkcajde.exe 1888 Obkcajde.exe 784 Oielnd32.exe 784 Oielnd32.exe 2196 Olchjp32.exe 2196 Olchjp32.exe 2036 Obmpgjbb.exe 2036 Obmpgjbb.exe 2232 Oighcd32.exe 2232 Oighcd32.exe 1308 Ombddbah.exe 1308 Ombddbah.exe 920 Pfkimhhi.exe 920 Pfkimhhi.exe 1960 Phledp32.exe 1960 Phledp32.exe 1288 Ppcmfn32.exe 1288 Ppcmfn32.exe 1672 Padjmfdg.exe 1672 Padjmfdg.exe 2492 Pilbocej.exe 2492 Pilbocej.exe 2412 Pbdfgilj.exe 2412 Pbdfgilj.exe 708 Paggce32.exe 708 Paggce32.exe 2776 Pllkpn32.exe 2776 Pllkpn32.exe 2664 Phcleoho.exe 2664 Phcleoho.exe 2900 Pmpdmfff.exe 2900 Pmpdmfff.exe 2404 Pdjljpnc.exe 2404 Pdjljpnc.exe 3020 Qjddgj32.exe 3020 Qjddgj32.exe 1908 Qmbqcf32.exe 1908 Qmbqcf32.exe 2208 Qjfalj32.exe 2208 Qjfalj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Inkcem32.exe Iklfia32.exe File created C:\Windows\SysWOW64\Pphkcaig.dll Pfnhkq32.exe File created C:\Windows\SysWOW64\Doabjbci.exe Doabjbci.exe File opened for modification C:\Windows\SysWOW64\Imhqbkbm.exe Ijidfpci.exe File created C:\Windows\SysWOW64\Lcpnpp32.dll Mlolnllf.exe File opened for modification C:\Windows\SysWOW64\Ndfpnl32.exe Nnlhab32.exe File opened for modification C:\Windows\SysWOW64\Mheeif32.exe Mdjihgef.exe File created C:\Windows\SysWOW64\Dbidpo32.dll Ailqfooi.exe File created C:\Windows\SysWOW64\Jpfncf32.dll Ecoihm32.exe File created C:\Windows\SysWOW64\Olgpff32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jjnjqb32.exe Jkkjeeke.exe File opened for modification C:\Windows\SysWOW64\Oqmmbqgd.exe Objmgd32.exe File opened for modification C:\Windows\SysWOW64\Bklpjlmc.exe Bhndnpnp.exe File created C:\Windows\SysWOW64\Bkqiek32.exe Bhbmip32.exe File created C:\Windows\SysWOW64\Pihjghlh.dll Process not Found File created C:\Windows\SysWOW64\Hkpnjd32.exe Hlmnogkl.exe File created C:\Windows\SysWOW64\Bdajpkkj.dll Bhpqcpkm.exe File opened for modification C:\Windows\SysWOW64\Fmaqgaae.exe Fejifdab.exe File opened for modification C:\Windows\SysWOW64\Lcncbc32.exe Process not Found File created C:\Windows\SysWOW64\Kbdmdd32.dll Alodeacc.exe File opened for modification C:\Windows\SysWOW64\Eegmhhie.exe Ebialmjb.exe File opened for modification C:\Windows\SysWOW64\Nljhhi32.exe Nmggllha.exe File created C:\Windows\SysWOW64\Lpfhlhbn.dll Fnbmoi32.exe File created C:\Windows\SysWOW64\Lanmhmjq.dll Booiep32.exe File opened for modification C:\Windows\SysWOW64\Ikgfdlcb.exe Igkjcm32.exe File opened for modification C:\Windows\SysWOW64\Bdinnqon.exe Bakaaepk.exe File created C:\Windows\SysWOW64\Djcnme32.dll Abgaeddg.exe File created C:\Windows\SysWOW64\Pdigkk32.exe Process not Found File created C:\Windows\SysWOW64\Efbfbl32.dll Jnlepioj.exe File created C:\Windows\SysWOW64\Acjdgf32.exe Process not Found File created C:\Windows\SysWOW64\Dgalhgpg.exe Process not Found File created C:\Windows\SysWOW64\Mecbjd32.exe Process not Found File created C:\Windows\SysWOW64\Cifqgb32.dll Hnnjfo32.exe File created C:\Windows\SysWOW64\Bdfahaaa.exe Bahelebm.exe File created C:\Windows\SysWOW64\Akkiob32.dll Ikjjda32.exe File created C:\Windows\SysWOW64\Pigklmqc.exe Ofiopaap.exe File created C:\Windows\SysWOW64\Befpkmph.exe Process not Found File created C:\Windows\SysWOW64\Dammoahg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fhglop32.exe Feipbefb.exe File opened for modification C:\Windows\SysWOW64\Hmfmkjdf.exe Gleqdb32.exe File created C:\Windows\SysWOW64\Kfhjbc32.dll Ockbdebl.exe File opened for modification C:\Windows\SysWOW64\Ohmalgeb.exe Process not Found File created C:\Windows\SysWOW64\Amglgn32.exe Ailqfooi.exe File opened for modification C:\Windows\SysWOW64\Mlhmkbhb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocihgo32.exe Process not Found File created C:\Windows\SysWOW64\Pjlgle32.exe Pbepkh32.exe File created C:\Windows\SysWOW64\Fnmjpk32.exe Fjaoplho.exe File created C:\Windows\SysWOW64\Lbmnea32.exe Lpoaheja.exe File created C:\Windows\SysWOW64\Jpopml32.dll Peeabm32.exe File created C:\Windows\SysWOW64\Dbmkfh32.exe Donojm32.exe File opened for modification C:\Windows\SysWOW64\Lefikg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ncloha32.exe Process not Found File created C:\Windows\SysWOW64\Jkcmjpma.exe Jcleiclo.exe File opened for modification C:\Windows\SysWOW64\Gnabcf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jcfoihhp.exe Jahbmlil.exe File opened for modification C:\Windows\SysWOW64\Alaccj32.exe Aicfgn32.exe File created C:\Windows\SysWOW64\Akjfhdka.exe Process not Found File created C:\Windows\SysWOW64\Pnnbagpd.dll Process not Found File created C:\Windows\SysWOW64\Piohgbng.exe Pjlgle32.exe File created C:\Windows\SysWOW64\Hpicbe32.exe Hnkffi32.exe File opened for modification C:\Windows\SysWOW64\Edofbpja.exe Emhnqbjo.exe File opened for modification C:\Windows\SysWOW64\Lpgqlc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bfgdmjlp.exe Bchhqo32.exe File opened for modification C:\Windows\SysWOW64\Hlmnogkl.exe Hdefnjkj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4360 5036 Process not Found 1521 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiofnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcnfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmchcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdgkicek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoalia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimjhnnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajjhkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdiahco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kepgmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhoohgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipefmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhmehji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbkjap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chggdoee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabngjla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpfke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haleefoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldbkbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llebnfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alofnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbcaome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfahaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjfcali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogohdeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgbkacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghoijebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggiofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feipbefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkppcmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Endklmlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhhed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcedne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkaeob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmndfnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmebcgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebknblho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdigfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkeah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmiejji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpemhb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfdhck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggocl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpbhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doabjbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmjkle32.dll" Ejklan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll" Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlibo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dppfbm32.dll" Dfkjgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikjjda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oabplobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdgfnh32.dll" Aeenapck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehclbpic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejklan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoncpnb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bboqbe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbimkpmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilkhl32.dll" Fhkagonc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbafe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll" Ebappk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbjmj32.dll" Knoaeimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miafbgjl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpqaniil.dll" Jneoojeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbnhpdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnlhab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmbqcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqjnn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bahelebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfpqgmpi.dll" Glbdnbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgcnnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjdgpcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll" Qaqlbmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oneqchee.dll" Haleefoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoicpqbb.dll" Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlddd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckkcep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgpock32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qemomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knaeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Admgglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhiqbpqm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phledp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbdnonc.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2792 2716 48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe 30 PID 2716 wrote to memory of 2792 2716 48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe 30 PID 2716 wrote to memory of 2792 2716 48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe 30 PID 2716 wrote to memory of 2792 2716 48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe 30 PID 2792 wrote to memory of 2796 2792 Nghpjn32.exe 31 PID 2792 wrote to memory of 2796 2792 Nghpjn32.exe 31 PID 2792 wrote to memory of 2796 2792 Nghpjn32.exe 31 PID 2792 wrote to memory of 2796 2792 Nghpjn32.exe 31 PID 2796 wrote to memory of 2596 2796 Nqpdcc32.exe 32 PID 2796 wrote to memory of 2596 2796 Nqpdcc32.exe 32 PID 2796 wrote to memory of 2596 2796 Nqpdcc32.exe 32 PID 2796 wrote to memory of 2596 2796 Nqpdcc32.exe 32 PID 2596 wrote to memory of 2576 2596 Ndlpdbnj.exe 33 PID 2596 wrote to memory of 2576 2596 Ndlpdbnj.exe 33 PID 2596 wrote to memory of 2576 2596 Ndlpdbnj.exe 33 PID 2596 wrote to memory of 2576 2596 Ndlpdbnj.exe 33 PID 2576 wrote to memory of 3012 2576 Njhilimb.exe 34 PID 2576 wrote to memory of 3012 2576 Njhilimb.exe 34 PID 2576 wrote to memory of 3012 2576 Njhilimb.exe 34 PID 2576 wrote to memory of 3012 2576 Njhilimb.exe 34 PID 3012 wrote to memory of 2200 3012 Ogliemkk.exe 35 PID 3012 wrote to memory of 2200 3012 Ogliemkk.exe 35 PID 3012 wrote to memory of 2200 3012 Ogliemkk.exe 35 PID 3012 wrote to memory of 2200 3012 Ogliemkk.exe 35 PID 2200 wrote to memory of 2264 2200 Ojkeah32.exe 36 PID 2200 wrote to memory of 2264 2200 Ojkeah32.exe 36 PID 2200 wrote to memory of 2264 2200 Ojkeah32.exe 36 PID 2200 wrote to memory of 2264 2200 Ojkeah32.exe 36 PID 2264 wrote to memory of 2032 2264 Occjjnap.exe 37 PID 2264 wrote to memory of 2032 2264 Occjjnap.exe 37 PID 2264 wrote to memory of 2032 2264 Occjjnap.exe 37 PID 2264 wrote to memory of 2032 2264 Occjjnap.exe 37 PID 2032 wrote to memory of 620 2032 Ofafgipc.exe 38 PID 2032 wrote to memory of 620 2032 Ofafgipc.exe 38 PID 2032 wrote to memory of 620 2032 Ofafgipc.exe 38 PID 2032 wrote to memory of 620 2032 Ofafgipc.exe 38 PID 620 wrote to memory of 2012 620 Ocefpnom.exe 39 PID 620 wrote to memory of 2012 620 Ocefpnom.exe 39 PID 620 wrote to memory of 2012 620 Ocefpnom.exe 39 PID 620 wrote to memory of 2012 620 Ocefpnom.exe 39 PID 2012 wrote to memory of 1640 2012 Ojpomh32.exe 40 PID 2012 wrote to memory of 1640 2012 Ojpomh32.exe 40 PID 2012 wrote to memory of 1640 2012 Ojpomh32.exe 40 PID 2012 wrote to memory of 1640 2012 Ojpomh32.exe 40 PID 1640 wrote to memory of 1888 1640 Oaigib32.exe 41 PID 1640 wrote to memory of 1888 1640 Oaigib32.exe 41 PID 1640 wrote to memory of 1888 1640 Oaigib32.exe 41 PID 1640 wrote to memory of 1888 1640 Oaigib32.exe 41 PID 1888 wrote to memory of 784 1888 Obkcajde.exe 42 PID 1888 wrote to memory of 784 1888 Obkcajde.exe 42 PID 1888 wrote to memory of 784 1888 Obkcajde.exe 42 PID 1888 wrote to memory of 784 1888 Obkcajde.exe 42 PID 784 wrote to memory of 2196 784 Oielnd32.exe 43 PID 784 wrote to memory of 2196 784 Oielnd32.exe 43 PID 784 wrote to memory of 2196 784 Oielnd32.exe 43 PID 784 wrote to memory of 2196 784 Oielnd32.exe 43 PID 2196 wrote to memory of 2036 2196 Olchjp32.exe 44 PID 2196 wrote to memory of 2036 2196 Olchjp32.exe 44 PID 2196 wrote to memory of 2036 2196 Olchjp32.exe 44 PID 2196 wrote to memory of 2036 2196 Olchjp32.exe 44 PID 2036 wrote to memory of 2232 2036 Obmpgjbb.exe 45 PID 2036 wrote to memory of 2232 2036 Obmpgjbb.exe 45 PID 2036 wrote to memory of 2232 2036 Obmpgjbb.exe 45 PID 2036 wrote to memory of 2232 2036 Obmpgjbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe"C:\Users\Admin\AppData\Local\Temp\48dae7bd0436e482d655ead66d62b099fab1d05991246aa379574e3be55db6da.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Qmbqcf32.exeC:\Windows\system32\Qmbqcf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe33⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe34⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe35⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe36⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe37⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe38⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe39⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe40⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe42⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe43⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe44⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe46⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe47⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe48⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe49⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe50⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe51⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe52⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Bdobdc32.exeC:\Windows\system32\Bdobdc32.exe53⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe55⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe56⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe57⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe58⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe59⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe60⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe61⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe62⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe64⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe65⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Bnlphh32.exeC:\Windows\system32\Bnlphh32.exe66⤵PID:2740
-
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe67⤵PID:2648
-
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe68⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe69⤵PID:1488
-
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe70⤵PID:1796
-
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe71⤵PID:1800
-
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe72⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe73⤵PID:2252
-
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe74⤵PID:2532
-
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe75⤵PID:2320
-
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe76⤵PID:1808
-
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe77⤵PID:1540
-
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe78⤵PID:1668
-
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe79⤵PID:868
-
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe80⤵PID:1616
-
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe81⤵PID:824
-
C:\Windows\SysWOW64\Ckhfpp32.exeC:\Windows\system32\Ckhfpp32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe83⤵PID:2840
-
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe84⤵PID:2952
-
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe85⤵PID:308
-
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe86⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe87⤵PID:1876
-
C:\Windows\SysWOW64\Cgadja32.exeC:\Windows\system32\Cgadja32.exe88⤵PID:2112
-
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe89⤵PID:1788
-
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe90⤵PID:2228
-
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe91⤵PID:2472
-
C:\Windows\SysWOW64\Cqleifna.exeC:\Windows\system32\Cqleifna.exe92⤵PID:1380
-
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe93⤵PID:2140
-
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe94⤵PID:568
-
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe95⤵PID:1916
-
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe96⤵PID:1700
-
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe98⤵PID:1644
-
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe99⤵PID:1376
-
C:\Windows\SysWOW64\Dfkjgm32.exeC:\Windows\system32\Dfkjgm32.exe100⤵
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe101⤵PID:2424
-
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe102⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe103⤵PID:304
-
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe104⤵PID:1964
-
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe105⤵PID:2688
-
C:\Windows\SysWOW64\Dmgoif32.exeC:\Windows\system32\Dmgoif32.exe106⤵PID:3052
-
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe108⤵PID:408
-
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe109⤵PID:2116
-
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe110⤵PID:2220
-
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe111⤵PID:980
-
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe112⤵PID:588
-
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe113⤵PID:1880
-
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe114⤵PID:2500
-
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe115⤵PID:2588
-
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe117⤵PID:348
-
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe118⤵PID:1228
-
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe119⤵
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe120⤵PID:1936
-
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe121⤵
- System Location Discovery: System Language Discovery
PID:2504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-