Analysis

max time kernel: 150s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 22:56

Static task: static1

Behavioral task: behavioral1
Sample: d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe
Resource: win10v2004-20240802-en

General

Target: d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe
Size: 93KB
MD5: eb177deb567111f27f54f89a6d13e84c
SHA1: 849a6ceea8391a894c6b8595e36b21057837ebdf
SHA256: d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72
SHA512: 2c0090b6a173f81e5160d06f5b06730f3caf41195d7a9250663ac3399f863ebe18ba2d9611f42278d367489412a4b60c7ffa12e4d49dc06cb1b03a65fa1e6c17
SSDEEP: 1536:TkrELXZi/bcaVsG/KAP2rqHFEh8YAaVaaaaaaahaXxsRQ4RkRLJzeLD9N0iQGRN6:oCpGcy7P2rqHah8nRhaee4SJdEN0s4Wg
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Okkfoikl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hglobj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pibmmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Penlon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qimifn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mpjboi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqnicl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgfbhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pgpmcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ddjpjj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plgmabke.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iodnncol.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cljemaem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Baannfim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gegecopf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obhdpaqm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkomhp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmcfeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cecnflpd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmlgcbei.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkepfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ggfgoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kncmknkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pbpbklpd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plecdk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Johpcgap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbfalecf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlhamp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjqjoolp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aoeflamd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oppmkm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifckaodd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ggmlffbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dglbjgff.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlmipk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmcjceam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbckh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flkjffkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nlnlcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nkjgiiln.exe
Executes dropped EXE (64 IoCs)

pid | Process
2532 | Ddgcdjip.exe
2780 | Dnpgmp32.exe
2792 | Ddjpjj32.exe
2720 | Ddoiei32.exe
2628 | Edafjiqe.exe
2708 | Efdohq32.exe
964 | Epmcqf32.exe
2832 | Fenedlec.exe
1864 | Flkjffkm.exe
1176 | Fjbdmbmb.exe
2920 | Fdkheh32.exe
2560 | Gbbbld32.exe
632 | Gpfbfh32.exe
2236 | Gbihmcqp.exe
816 | Hopibdfd.exe
1728 | Hobfgcdb.exe
1808 | Hdakej32.exe
1336 | Igdqmeke.exe
1812 | Ilaieljl.exe
2412 | Ihhjjm32.exe
828 | Ikibkhla.exe
1636 | Jgbpfhpc.exe
1736 | Jnlhbb32.exe
1460 | Jggiah32.exe
2164 | Jobnej32.exe
2736 | Jmhkdnfp.exe
2808 | Kcbcah32.exe
2984 | Koidficq.exe
2616 | Kiaiooja.exe
2612 | Kaojiqej.exe
2644 | Lhiodnob.exe
2696 | Mlidplcf.exe
2948 | Mafmhcam.exe
1580 | Mpkjjofe.exe
2868 | Mkqnghfk.exe
2568 | Mdibpn32.exe
3008 | Miekhd32.exe
2772 | Ndkoemji.exe
856 | Nelkme32.exe
3012 | Nmccnc32.exe
2388 | Neohbe32.exe
2496 | Naeigf32.exe
328 | Nlkmeo32.exe
1704 | Nceeaikk.exe
2224 | Nlmjjo32.exe
1924 | Najbbepc.exe
824 | Onacgf32.exe
848 | Ohfgeo32.exe
2428 | Oaolne32.exe
2540 | Ocphembl.exe
2896 | Onelbfab.exe
2828 | Ojlmgg32.exe
2840 | Oqfeda32.exe
2592 | Ojojmfed.exe
1524 | Polbemck.exe
2924 | Pjafbfca.exe
2936 | Pblkgh32.exe
1000 | Pbohmh32.exe
2692 | Piipibff.exe
968 | Pneiaidn.exe
1712 | Pikmob32.exe
2168 | Pbcahgjd.exe
2368 | Pgpjpnhk.exe
2272 | Qcgkeonp.exe
Loads dropped DLL (64 IoCs)

pid | Process
1840 | d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe
1840 | d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe
2532 | Ddgcdjip.exe
2532 | Ddgcdjip.exe
2780 | Dnpgmp32.exe
2780 | Dnpgmp32.exe
2792 | Ddjpjj32.exe
2792 | Ddjpjj32.exe
2720 | Ddoiei32.exe
2720 | Ddoiei32.exe
2628 | Edafjiqe.exe
2628 | Edafjiqe.exe
2708 | Efdohq32.exe
2708 | Efdohq32.exe
964 | Epmcqf32.exe
964 | Epmcqf32.exe
2832 | Fenedlec.exe
2832 | Fenedlec.exe
1864 | Flkjffkm.exe
1864 | Flkjffkm.exe
1176 | Fjbdmbmb.exe
1176 | Fjbdmbmb.exe
2920 | Fdkheh32.exe
2920 | Fdkheh32.exe
2560 | Gbbbld32.exe
2560 | Gbbbld32.exe
632 | Gpfbfh32.exe
632 | Gpfbfh32.exe
2236 | Gbihmcqp.exe
2236 | Gbihmcqp.exe
816 | Hopibdfd.exe
816 | Hopibdfd.exe
1728 | Hobfgcdb.exe
1728 | Hobfgcdb.exe
1808 | Hdakej32.exe
1808 | Hdakej32.exe
1336 | Igdqmeke.exe
1336 | Igdqmeke.exe
1812 | Ilaieljl.exe
1812 | Ilaieljl.exe
2412 | Ihhjjm32.exe
2412 | Ihhjjm32.exe
828 | Ikibkhla.exe
828 | Ikibkhla.exe
1636 | Jgbpfhpc.exe
1636 | Jgbpfhpc.exe
1736 | Jnlhbb32.exe
1736 | Jnlhbb32.exe
1460 | Jggiah32.exe
1460 | Jggiah32.exe
2164 | Jobnej32.exe
2164 | Jobnej32.exe
2736 | Jmhkdnfp.exe
2736 | Jmhkdnfp.exe
2808 | Kcbcah32.exe
2808 | Kcbcah32.exe
2984 | Koidficq.exe
2984 | Koidficq.exe
2616 | Kiaiooja.exe
2616 | Kiaiooja.exe
2612 | Kaojiqej.exe
2612 | Kaojiqej.exe
2644 | Lhiodnob.exe
2644 | Lhiodnob.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Cdhjjddc.exe | Cjcflkdm.exe
File opened for modification | C:\Windows\SysWOW64\Cgljnn32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gpihog32.exe | Gnhlgoia.exe
File created | C:\Windows\SysWOW64\Joafii32.dll | Aggbif32.exe
File created | C:\Windows\SysWOW64\Fpkdloal.dll | Ifjqbnnl.exe
File opened for modification | C:\Windows\SysWOW64\Foljognc.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Iiegggod.exe | Process not Found
File created | C:\Windows\SysWOW64\Gbihmcqp.exe | Gpfbfh32.exe
File created | C:\Windows\SysWOW64\Dlljfo32.dll | Mlhaip32.exe
File opened for modification | C:\Windows\SysWOW64\Jgccjenb.exe | Jmmommnl.exe
File created | C:\Windows\SysWOW64\Lkeeqckl.exe | Keimhmmd.exe
File created | C:\Windows\SysWOW64\Lebicfkd.dll | Apkkng32.exe
File opened for modification | C:\Windows\SysWOW64\Acfcme32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hgcaia32.exe | Process not Found
File created | C:\Windows\SysWOW64\Dlimkgla.exe | Process not Found
File created | C:\Windows\SysWOW64\Hmehlibq.exe | Hhipcbdi.exe
File created | C:\Windows\SysWOW64\Mboekp32.exe | Lmbmbi32.exe
File opened for modification | C:\Windows\SysWOW64\Qlmnfh32.exe | Qecejnco.exe
File created | C:\Windows\SysWOW64\Qdbbedhp.exe | Plgmabke.exe
File opened for modification | C:\Windows\SysWOW64\Gegecopf.exe | Fpjmkhbo.exe
File created | C:\Windows\SysWOW64\Oihacbfh.exe | Oppmkm32.exe
File created | C:\Windows\SysWOW64\Geddla32.exe | Fjopoifk.exe
File created | C:\Windows\SysWOW64\Mpifkq32.dll | Process not Found
File created | C:\Windows\SysWOW64\Hlfjdeme.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ghlgdecf.exe | Gboolneo.exe
File created | C:\Windows\SysWOW64\Lcpecdio.exe | Kncmknkg.exe
File created | C:\Windows\SysWOW64\Dbgmglin.exe | Dioinf32.exe
File created | C:\Windows\SysWOW64\Coenifch.exe | Biheapeq.exe
File created | C:\Windows\SysWOW64\Hlnihopi.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Apoagf32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Iihhmhng.exe | Ildhcd32.exe
File created | C:\Windows\SysWOW64\Oljpfqgg.dll | Ledplq32.exe
File created | C:\Windows\SysWOW64\Gnehie32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mijcdpbl.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gdaqal32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jfcboejh.exe | Process not Found
File created | C:\Windows\SysWOW64\Cmjlcneh.dll | Process not Found
File created | C:\Windows\SysWOW64\Bnnekk32.dll | Nhjaok32.exe
File created | C:\Windows\SysWOW64\Joccei32.dll | Dgkkdnkb.exe
File created | C:\Windows\SysWOW64\Eipojekb.dll | Cdhjjddc.exe
File created | C:\Windows\SysWOW64\Mqcbol32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Oghbqk32.exe | Process not Found
File created | C:\Windows\SysWOW64\Nhlidi32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pkjkdfjk.exe | Pnfkjb32.exe
File created | C:\Windows\SysWOW64\Hoppal32.dll | Hglobj32.exe
File opened for modification | C:\Windows\SysWOW64\Jblmpmfe.exe | Jnnejo32.exe
File opened for modification | C:\Windows\SysWOW64\Ofeoqeii.exe | Process not Found
File created | C:\Windows\SysWOW64\Edafjiqe.exe | Ddoiei32.exe
File created | C:\Windows\SysWOW64\Dpicceon.exe | Ddbbod32.exe
File created | C:\Windows\SysWOW64\Jgbfehfd.dll | Ijklmn32.exe
File opened for modification | C:\Windows\SysWOW64\Dkelhemb.exe | Dbihccpg.exe
File opened for modification | C:\Windows\SysWOW64\Jdkolm32.exe | Jfgnbi32.exe
File created | C:\Windows\SysWOW64\Ehhoncce.dll | Hdeekjmc.exe
File created | C:\Windows\SysWOW64\Kigpdmnj.dll | Process not Found
File created | C:\Windows\SysWOW64\Nphbhm32.exe | Nhlndj32.exe
File created | C:\Windows\SysWOW64\Ldamfd32.dll | Ckhdihlp.exe
File created | C:\Windows\SysWOW64\Bjfchp32.dll | Hqmmja32.exe
File opened for modification | C:\Windows\SysWOW64\Jklbed32.exe | Jafnhl32.exe
File opened for modification | C:\Windows\SysWOW64\Kcilml32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pkqegnmi.exe | Process not Found
File created | C:\Windows\SysWOW64\Jenkgpqo.dll | Process not Found
File created | C:\Windows\SysWOW64\Idfnkedk.dll | Process not Found
File created | C:\Windows\SysWOW64\Eipgonjl.dll | Ikfokb32.exe
File created | C:\Windows\SysWOW64\Hffpiikm.exe | Gmnkqcem.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
2792 | 3800 | Process not Found | 1681
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cokqfhpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbnhmdmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmdonf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qagehaon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndkoemji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmkipb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edkegplp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbehjb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkepfb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kncmknkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkkkgkla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdoacc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aaiodh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihhjjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbikah32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfpebq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehfjbd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkkajlph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mafmhcam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gioigf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqbbpghe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajcpgi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flqmddah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phibbk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgmmnj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgbqlm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfjcocad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efdohq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbbbld32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afkcqg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecaeoh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbenhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggeoka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckfhom32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijklmn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Penlon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bagafeai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbefen32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddgnbl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kabbehjb.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oppmkm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lhehnlqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dqdfbmmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fepkabjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feoqpaij.dll" | Kpgpfdoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kpoegc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bnfbilgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlljfo32.dll" | Mlhaip32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakkigmi.dll" | Paelcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Epimjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgemq32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehohbg32.dll" | Gioigf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mmmpfm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ogncddpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Acncngpl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ggmlffbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdldpa32.dll" | Dkkajlph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hckddoio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ddjpjj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Opaeok32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ncogge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ddjmaebi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegmoi32.dll" | Jbnhmdmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nqnicl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cljemaem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leiabnbn.dll" | Leebcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjgbfapp.dll" | Dilggefh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaomafp.dll" | Cjnjhcqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pjmnck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpplf32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjlce32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kbikah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bnojpdfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Qecejnco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bnemnbmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecddd32.dll" | Ilbnfmhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnglmffc.dll" | Edpnfjap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadbabeo.dll" | Fdabip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcbdm32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Opaggdfa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cflcglho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lomaoi32.dll" | Iolojejd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckoqog32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Foqgqppk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mpkjjofe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Okkfoikl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fojnhlch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lnhioeof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bonepo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Okcjphdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnpkboh.dll" | Cnodfbdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdoijb32.dll" | Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1840 wrote to memory of 2532 1840 d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe 29
PID 1840 wrote to memory of 2532 1840 d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe 29
PID 1840 wrote to memory of 2532 1840 d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe 29
PID 1840 wrote to memory of 2532 1840 d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe 29
PID 2532 wrote to memory of 2780 2532 Ddgcdjip.exe 30
PID 2532 wrote to memory of 2780 2532 Ddgcdjip.exe 30
PID 2532 wrote to memory of 2780 2532 Ddgcdjip.exe 30
PID 2532 wrote to memory of 2780 2532 Ddgcdjip.exe 30
PID 2780 wrote to memory of 2792 2780 Dnpgmp32.exe 31
PID 2780 wrote to memory of 2792 2780 Dnpgmp32.exe 31
PID 2780 wrote to memory of 2792 2780 Dnpgmp32.exe 31
PID 2780 wrote to memory of 2792 2780 Dnpgmp32.exe 31
PID 2792 wrote to memory of 2720 2792 Ddjpjj32.exe 32
PID 2792 wrote to memory of 2720 2792 Ddjpjj32.exe 32
PID 2792 wrote to memory of 2720 2792 Ddjpjj32.exe 32
PID 2792 wrote to memory of 2720 2792 Ddjpjj32.exe 32
PID 2720 wrote to memory of 2628 2720 Ddoiei32.exe 33
PID 2720 wrote to memory of 2628 2720 Ddoiei32.exe 33
PID 2720 wrote to memory of 2628 2720 Ddoiei32.exe 33
PID 2720 wrote to memory of 2628 2720 Ddoiei32.exe 33
PID 2628 wrote to memory of 2708 2628 Edafjiqe.exe 34
PID 2628 wrote to memory of 2708 2628 Edafjiqe.exe 34
PID 2628 wrote to memory of 2708 2628 Edafjiqe.exe 34
PID 2628 wrote to memory of 2708 2628 Edafjiqe.exe 34
PID 2708 wrote to memory of 964 2708 Efdohq32.exe 35
PID 2708 wrote to memory of 964 2708 Efdohq32.exe 35
PID 2708 wrote to memory of 964 2708 Efdohq32.exe 35
PID 2708 wrote to memory of 964 2708 Efdohq32.exe 35
PID 964 wrote to memory of 2832 964 Epmcqf32.exe 36
PID 964 wrote to memory of 2832 964 Epmcqf32.exe 36
PID 964 wrote to memory of 2832 964 Epmcqf32.exe 36
PID 964 wrote to memory of 2832 964 Epmcqf32.exe 36
PID 2832 wrote to memory of 1864 2832 Fenedlec.exe 37
PID 2832 wrote to memory of 1864 2832 Fenedlec.exe 37
PID 2832 wrote to memory of 1864 2832 Fenedlec.exe 37
PID 2832 wrote to memory of 1864 2832 Fenedlec.exe 37
PID 1864 wrote to memory of 1176 1864 Flkjffkm.exe 38
PID 1864 wrote to memory of 1176 1864 Flkjffkm.exe 38
PID 1864 wrote to memory of 1176 1864 Flkjffkm.exe 38
PID 1864 wrote to memory of 1176 1864 Flkjffkm.exe 38
PID 1176 wrote to memory of 2920 1176 Fjbdmbmb.exe 39
PID 1176 wrote to memory of 2920 1176 Fjbdmbmb.exe 39
PID 1176 wrote to memory of 2920 1176 Fjbdmbmb.exe 39
PID 1176 wrote to memory of 2920 1176 Fjbdmbmb.exe 39
PID 2920 wrote to memory of 2560 2920 Fdkheh32.exe 40
PID 2920 wrote to memory of 2560 2920 Fdkheh32.exe 40
PID 2920 wrote to memory of 2560 2920 Fdkheh32.exe 40
PID 2920 wrote to memory of 2560 2920 Fdkheh32.exe 40
PID 2560 wrote to memory of 632 2560 Gbbbld32.exe 41
PID 2560 wrote to memory of 632 2560 Gbbbld32.exe 41
PID 2560 wrote to memory of 632 2560 Gbbbld32.exe 41
PID 2560 wrote to memory of 632 2560 Gbbbld32.exe 41
PID 632 wrote to memory of 2236 632 Gpfbfh32.exe 42
PID 632 wrote to memory of 2236 632 Gpfbfh32.exe 42
PID 632 wrote to memory of 2236 632 Gpfbfh32.exe 42
PID 632 wrote to memory of 2236 632 Gpfbfh32.exe 42
PID 2236 wrote to memory of 816 2236 Gbihmcqp.exe 43
PID 2236 wrote to memory of 816 2236 Gbihmcqp.exe 43
PID 2236 wrote to memory of 816 2236 Gbihmcqp.exe 43
PID 2236 wrote to memory of 816 2236 Gbihmcqp.exe 43
PID 816 wrote to memory of 1728 816 Hopibdfd.exe 44
PID 816 wrote to memory of 1728 816 Hopibdfd.exe 44
PID 816 wrote to memory of 1728 816 Hopibdfd.exe 44
PID 816 wrote to memory of 1728 816 Hopibdfd.exe 44
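The two IoC tables above only become actionable once they are linked: the ShellServiceObjectDelayLoad value names a CLSID, the CLSID's InProcServer32 default value names the DLL that Explorer will load at logon, and the WriteProcessMemory records, once deduplicated, give the parent-to-child spawn chain. The following Python is an added example and not part of the sandbox or of this report. Its sample input is constructed by copying a handful of records from the tables above, one record per line (the report shows them run together); function names and the output dictionary layout are the example's own.

```python
"""Added example (not part of the sandbox report): parse the report's flattened
registry and WriteProcessMemory IoC tables into linked indicators."""
import re
from collections import defaultdict

# Constructed sample: records copied from the report's registry tables, one per
# line ("description ioc Process"); the report renders them run together.
REGISTRY_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okkfoikl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cljemaem.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegmoi32.dll" Jbnhmdmn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nqnicl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leiabnbn.dll" Leebcm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpplf32.dll" Process not Found
'''
# Constructed sample: the first three spawns from the report's WriteProcessMemory
# table; the report lists each write four times, reproduced here for the dedupe.
WPM_IOCS = "\n".join(rec for rec in [
    "PID 1840 wrote to memory of 2532 1840 d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe 29",
    "PID 2532 wrote to memory of 2780 2532 Ddgcdjip.exe 30",
    "PID 2780 wrote to memory of 2792 2780 Dnpgmp32.exe 31",
] for _ in range(4))

_CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
SSODL_RE = re.compile(r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft"
                      r"\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\(?P<name>[^=]+?) = "
                      r"\"(?P<clsid>" + _CLSID + r")\" (?P<proc>.+)$")
INPROC_RE = re.compile(r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:Wow6432Node\\)?CLSID\\"
                       r"(?P<clsid>" + _CLSID + r")\\InProcServer32\\ = \"(?P<dll>[^\"]+)\" (?P<proc>.+)$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$")

def parse_registry(text):
    """SSODL value name -> CLSIDs it names, and CLSID -> {DLL path -> writers}.
    Key-creation and ThreadingModel records carry no path and are skipped."""
    ssodl, inproc = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        line = line.strip()
        m = SSODL_RE.match(line)
        if m:
            ssodl[m["name"]].add(m["clsid"].upper())
            continue
        m = INPROC_RE.match(line)
        if m:  # the report renders backslashes inside string values doubled
            dll = m["dll"].replace("\\\\", "\\")
            inproc[m["clsid"].upper()][dll].add(m["proc"])
    return ssodl, inproc

def link_persistence(ssodl, inproc):
    """Pair each SSODL value with the InProcServer32 DLLs registered under its
    CLSID; the pair is the persistence: Explorer resolves the CLSID at logon
    and loads that DLL in-process."""
    links = []
    for name, clsids in sorted(ssodl.items()):
        for clsid in sorted(clsids):
            dlls = inproc.get(clsid, {})
            links.append({"ssodl_value": name, "clsid": clsid, "dlls": sorted(dlls),
                          "writers": sorted(set().union(*dlls.values()))})
    return links

def parse_writes(text):
    """Distinct (src_pid, dst_pid) edges in first-seen order, plus the image
    name of each writing pid. The report repeats every write, hence the dedupe."""
    edges, images, seen = [], {}, set()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src] = m["image"]
        if (src, dst) not in seen:
            seen.add((src, dst))
            edges.append((src, dst))
    return edges, images

def spawn_chain(edges):
    """Walk src -> dst from the root (a pid that is never a target). Every parent
    in this report has one child, so the walk yields a single chain."""
    targets = {dst for _, dst in edges}
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    roots = [src for src, _ in edges if src not in targets]
    chain = roots[:1]
    while chain and chain[-1] in children:
        nxt = children[chain[-1]][0]
        if nxt in chain:  # guard against cyclic or malformed input
            break
        chain.append(nxt)
    return chain

if __name__ == "__main__":
    ssodl, inproc = parse_registry(REGISTRY_IOCS)
    for link in link_persistence(ssodl, inproc):
        print(link["ssodl_value"], "->", link["clsid"], "->", ", ".join(link["dlls"]))
    edges, images = parse_writes(WPM_IOCS)
    print(" -> ".join(f"{pid} ({images.get(pid, '?')})" for pid in spawn_chain(edges)))
```

Two caveats when reading the output against the full report. The InProcServer32 default value is rewritten many times with a different DLL name by each generation, so the DLL that actually loads at the next logon is whichever write landed last, and the sandbox attributes many of those writes to "Process not Found" because the writer had already exited. The WriteProcessMemory table is capped at 64 IoCs, so the chain rebuilt from it stops at the sixteenth spawn (PID 1728, Hobfgcdb.exe) while the process tree below reaches depth 122.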
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe | "C:\Users\Admin\AppData\Local\Temp\d2f2dff42ac835b9db9ad10652b4d9148b6023163a978eef0862d9608bb75f72.exe" | 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Ddgcdjip.exe | C:\Windows\system32\Ddgcdjip.exe | 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Dnpgmp32.exe | C:\Windows\system32\Dnpgmp32.exe | 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Ddjpjj32.exe | C:\Windows\system32\Ddjpjj32.exe | 4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ddoiei32.exe | C:\Windows\system32\Ddoiei32.exe | 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Edafjiqe.exe | C:\Windows\system32\Edafjiqe.exe | 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Efdohq32.exe | C:\Windows\system32\Efdohq32.exe | 7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Epmcqf32.exe | C:\Windows\system32\Epmcqf32.exe | 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Fenedlec.exe | C:\Windows\system32\Fenedlec.exe | 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Flkjffkm.exe | C:\Windows\system32\Flkjffkm.exe | 10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Fjbdmbmb.exe | C:\Windows\system32\Fjbdmbmb.exe | 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Fdkheh32.exe | C:\Windows\system32\Fdkheh32.exe | 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Gbbbld32.exe | C:\Windows\system32\Gbbbld32.exe | 13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Gpfbfh32.exe | C:\Windows\system32\Gpfbfh32.exe | 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Gbihmcqp.exe | C:\Windows\system32\Gbihmcqp.exe | 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Hopibdfd.exe | C:\Windows\system32\Hopibdfd.exe | 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Hobfgcdb.exe | C:\Windows\system32\Hobfgcdb.exe | 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Hdakej32.exe | C:\Windows\system32\Hdakej32.exe | 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Igdqmeke.exe | C:\Windows\system32\Igdqmeke.exe | 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Windows\SysWOW64\Ilaieljl.exe | C:\Windows\system32\Ilaieljl.exe | 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Ihhjjm32.exe | C:\Windows\system32\Ihhjjm32.exe | 21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Ikibkhla.exe | C:\Windows\system32\Ikibkhla.exe | 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Jgbpfhpc.exe | C:\Windows\system32\Jgbpfhpc.exe | 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Jnlhbb32.exe | C:\Windows\system32\Jnlhbb32.exe | 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Jggiah32.exe | C:\Windows\system32\Jggiah32.exe | 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Jobnej32.exe | C:\Windows\system32\Jobnej32.exe | 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Jmhkdnfp.exe | C:\Windows\system32\Jmhkdnfp.exe | 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Kcbcah32.exe | C:\Windows\system32\Kcbcah32.exe | 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Koidficq.exe | C:\Windows\system32\Koidficq.exe | 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Kiaiooja.exe | C:\Windows\system32\Kiaiooja.exe | 30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Kaojiqej.exe | C:\Windows\system32\Kaojiqej.exe | 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Lhiodnob.exe | C:\Windows\system32\Lhiodnob.exe | 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Mlidplcf.exe | C:\Windows\system32\Mlidplcf.exe | 33⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Mafmhcam.exe | C:\Windows\system32\Mafmhcam.exe | 34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Mpkjjofe.exe | C:\Windows\system32\Mpkjjofe.exe | 35⤵
- Executes dropped EXE
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Mkqnghfk.exe | C:\Windows\system32\Mkqnghfk.exe | 36⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Mdibpn32.exe | C:\Windows\system32\Mdibpn32.exe | 37⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Miekhd32.exe | C:\Windows\system32\Miekhd32.exe | 38⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ndkoemji.exe | C:\Windows\system32\Ndkoemji.exe | 39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Nelkme32.exe | C:\Windows\system32\Nelkme32.exe | 40⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Nmccnc32.exe | C:\Windows\system32\Nmccnc32.exe | 41⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Neohbe32.exe | C:\Windows\system32\Neohbe32.exe | 42⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Naeigf32.exe | C:\Windows\system32\Naeigf32.exe | 43⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nlkmeo32.exe | C:\Windows\system32\Nlkmeo32.exe | 44⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Nceeaikk.exe | C:\Windows\system32\Nceeaikk.exe | 45⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Nlmjjo32.exe | C:\Windows\system32\Nlmjjo32.exe | 46⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Najbbepc.exe | C:\Windows\system32\Najbbepc.exe | 47⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Onacgf32.exe | C:\Windows\system32\Onacgf32.exe | 48⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Ohfgeo32.exe | C:\Windows\system32\Ohfgeo32.exe | 49⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Oaolne32.exe | C:\Windows\system32\Oaolne32.exe | 50⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ocphembl.exe | C:\Windows\system32\Ocphembl.exe | 51⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Onelbfab.exe | C:\Windows\system32\Onelbfab.exe | 52⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ojlmgg32.exe | C:\Windows\system32\Ojlmgg32.exe | 53⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Oqfeda32.exe | C:\Windows\system32\Oqfeda32.exe | 54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ojojmfed.exe | C:\Windows\system32\Ojojmfed.exe | 55⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Polbemck.exe | C:\Windows\system32\Polbemck.exe | 56⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Pjafbfca.exe | C:\Windows\system32\Pjafbfca.exe | 57⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Pblkgh32.exe | C:\Windows\system32\Pblkgh32.exe | 58⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Pbohmh32.exe | C:\Windows\system32\Pbohmh32.exe | 59⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Piipibff.exe | C:\Windows\system32\Piipibff.exe | 60⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Pneiaidn.exe | C:\Windows\system32\Pneiaidn.exe | 61⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Pikmob32.exe | C:\Windows\system32\Pikmob32.exe | 62⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Pbcahgjd.exe | C:\Windows\system32\Pbcahgjd.exe | 63⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Pgpjpnhk.exe | C:\Windows\system32\Pgpjpnhk.exe | 64⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Qcgkeonp.exe | C:\Windows\system32\Qcgkeonp.exe | 65⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Qmoone32.exe | C:\Windows\system32\Qmoone32.exe | 66⤵
PID:1928 -
C:\Windows\SysWOW64\Ajcpgi32.exe | C:\Windows\system32\Ajcpgi32.exe | 67⤵
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Afjplj32.exe | C:\Windows\system32\Afjplj32.exe | 68⤵
PID:2188 -
C:\Windows\SysWOW64\Aeommfnf.exe | C:\Windows\system32\Aeommfnf.exe | 69⤵
PID:3020 -
C:\Windows\SysWOW64\Angafl32.exe | C:\Windows\system32\Angafl32.exe | 70⤵
PID:2232 -
C:\Windows\SysWOW64\Allbpqcp.exe | C:\Windows\system32\Allbpqcp.exe | 71⤵
PID:2472 -
C:\Windows\SysWOW64\Befcne32.exe | C:\Windows\system32\Befcne32.exe | 72⤵
PID:1700 -
C:\Windows\SysWOW64\Boadlk32.exe | C:\Windows\system32\Boadlk32.exe | 73⤵
PID:2120 -
C:\Windows\SysWOW64\Bdnmda32.exe | C:\Windows\system32\Bdnmda32.exe | 74⤵
PID:2728 -
C:\Windows\SysWOW64\Baannfim.exe | C:\Windows\system32\Baannfim.exe | 75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Bkjbgk32.exe | C:\Windows\system32\Bkjbgk32.exe | 76⤵
PID:2912 -
C:\Windows\SysWOW64\Bbegkn32.exe | C:\Windows\system32\Bbegkn32.exe | 77⤵
PID:2220 -
C:\Windows\SysWOW64\Cmkkhfmn.exe | C:\Windows\system32\Cmkkhfmn.exe | 78⤵
PID:1144 -
C:\Windows\SysWOW64\Cbhcankf.exe | C:\Windows\system32\Cbhcankf.exe | 79⤵
PID:1312 -
C:\Windows\SysWOW64\Chdlidjm.exe | C:\Windows\system32\Chdlidjm.exe | 80⤵
PID:1080 -
C:\Windows\SysWOW64\Cidhcg32.exe | C:\Windows\system32\Cidhcg32.exe | 81⤵
PID:2836 -
C:\Windows\SysWOW64\Ckeekp32.exe | C:\Windows\system32\Ckeekp32.exe | 82⤵
PID:2064 -
C:\Windows\SysWOW64\Chiedc32.exe | C:\Windows\system32\Chiedc32.exe | 83⤵
PID:2276 -
C:\Windows\SysWOW64\Cdpfiekl.exe | C:\Windows\system32\Cdpfiekl.exe | 84⤵
PID:2476 -
C:\Windows\SysWOW64\Ckjnfobi.exe | C:\Windows\system32\Ckjnfobi.exe | 85⤵
PID:1932 -
C:\Windows\SysWOW64\Ddbbod32.exe | C:\Windows\system32\Ddbbod32.exe | 86⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Dpicceon.exe | C:\Windows\system32\Dpicceon.exe | 87⤵
PID:2576 -
C:\Windows\SysWOW64\Dkohanoc.exe | C:\Windows\system32\Dkohanoc.exe | 88⤵
PID:2152 -
C:\Windows\SysWOW64\Dpkpie32.exe | C:\Windows\system32\Dpkpie32.exe | 89⤵
PID:2664 -
C:\Windows\SysWOW64\Dfhial32.exe | C:\Windows\system32\Dfhial32.exe | 90⤵
PID:3060 -
C:\Windows\SysWOW64\Dghekobe.exe | C:\Windows\system32\Dghekobe.exe | 91⤵
PID:2704 -
C:\Windows\SysWOW64\Ejfnfn32.exe | C:\Windows\system32\Ejfnfn32.exe | 92⤵
PID:2972 -
C:\Windows\SysWOW64\Fmffhi32.exe | C:\Windows\system32\Fmffhi32.exe | 93⤵
PID:2968 -
C:\Windows\SysWOW64\Fmkpchmp.exe | C:\Windows\system32\Fmkpchmp.exe | 94⤵
PID:2588 -
C:\Windows\SysWOW64\Ffcdlncp.exe | C:\Windows\system32\Ffcdlncp.exe | 95⤵
PID:2216 -
C:\Windows\SysWOW64\Flqmddah.exe | C:\Windows\system32\Flqmddah.exe | 96⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Fidmniqa.exe | C:\Windows\system32\Fidmniqa.exe | 97⤵
PID:2076 -
C:\Windows\SysWOW64\Fpnekc32.exe | C:\Windows\system32\Fpnekc32.exe | 98⤵
PID:612 -
C:\Windows\SysWOW64\Ghjjoeei.exe | C:\Windows\system32\Ghjjoeei.exe | 99⤵
PID:1372 -
C:\Windows\SysWOW64\Gboolneo.exe | C:\Windows\system32\Gboolneo.exe | 100⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Ghlgdecf.exe | C:\Windows\system32\Ghlgdecf.exe | 101⤵
PID:2404 -
C:\Windows\SysWOW64\Gepgni32.exe | C:\Windows\system32\Gepgni32.exe | 102⤵
PID:1332 -
C:\Windows\SysWOW64\Gnhlgoia.exe | C:\Windows\system32\Gnhlgoia.exe | 103⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Gpihog32.exe | C:\Windows\system32\Gpihog32.exe | 104⤵
PID:3036 -
C:\Windows\SysWOW64\Gibmglep.exe | C:\Windows\system32\Gibmglep.exe | 105⤵
PID:2504 -
C:\Windows\SysWOW64\Ghcmedmo.exe | C:\Windows\system32\Ghcmedmo.exe | 106⤵
PID:2744 -
C:\Windows\SysWOW64\Hbmnfajm.exe | C:\Windows\system32\Hbmnfajm.exe | 107⤵
PID:764 -
C:\Windows\SysWOW64\Hiffbl32.exe | C:\Windows\system32\Hiffbl32.exe | 108⤵
PID:2960 -
C:\Windows\SysWOW64\Hdlkpd32.exe | C:\Windows\system32\Hdlkpd32.exe | 109⤵
PID:2640 -
C:\Windows\SysWOW64\Hlgodgnk.exe | C:\Windows\system32\Hlgodgnk.exe | 110⤵
PID:3044 -
C:\Windows\SysWOW64\Hljljflh.exe | C:\Windows\system32\Hljljflh.exe | 111⤵
PID:2856 -
C:\Windows\SysWOW64\Hebqbl32.exe | C:\Windows\system32\Hebqbl32.exe | 112⤵
PID:2580 -
C:\Windows\SysWOW64\Hojeka32.exe | C:\Windows\system32\Hojeka32.exe | 113⤵
PID:1768 -
C:\Windows\SysWOW64\Idgmch32.exe | C:\Windows\system32\Idgmch32.exe | 114⤵
PID:1788 -
C:\Windows\SysWOW64\Impblnna.exe | C:\Windows\system32\Impblnna.exe | 115⤵
PID:684 -
C:\Windows\SysWOW64\Inbobn32.exe | C:\Windows\system32\Inbobn32.exe | 116⤵
PID:2148 -
C:\Windows\SysWOW64\Ippkni32.exe | C:\Windows\system32\Ippkni32.exe | 117⤵
PID:1004 -
C:\Windows\SysWOW64\Ikfokb32.exe | C:\Windows\system32\Ikfokb32.exe | 118⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Indkgm32.exe | C:\Windows\system32\Indkgm32.exe | 119⤵
PID:1596 -
C:\Windows\SysWOW64\Ipbgci32.exe | C:\Windows\system32\Ipbgci32.exe | 120⤵
PID:2544 -
C:\Windows\SysWOW64\Ijklmn32.exe | C:\Windows\system32\Ijklmn32.exe | 121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Iccqedfa.exe | C:\Windows\system32\Iccqedfa.exe | 122⤵
PID:2416