Analysis
-
max time kernel
147s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 21:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe
-
Size
320KB
-
MD5
bec9eb8afb94e377989a4a5bc1483eee
-
SHA1
77d91ebe5fc638d4a57f996226e5278c2b61a4ad
-
SHA256
823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3
-
SHA512
4b6f4ef76758f27b835a6e7435a86514573fff3de422e112d404b67c43e8d0c3acb449a7d8854d3dca97867404df91ba210d1ece754c643f375f98f1bcb4e07e
-
SSDEEP
6144:w687nmAtDyB8LoedCFJ369BJ369vpui6yYPaIGckvNP8:w68vtyWUedCv2EpV6yYPaN0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndcnik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejjhlmqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohlik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pijjhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggohlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokkag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceoffq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnajcig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okkfoikl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oichhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Befcne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibobhgno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldcjooac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebgbkihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mofidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihjfolmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mklegm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfoiejdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmoijc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkhhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecggmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Albpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Algjpenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meiigppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oipdhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdlbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacmakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecpbhlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nopqlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjfal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jejjlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcdmekne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhobbqkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meeqkijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbdegeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnenmfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnmlgpeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moapinnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnheklf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpjpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omipbpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpcdhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaikjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acjmheap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjemgibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Konpjafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klflfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kenaoojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nliqoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plpehj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlcpqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmbpaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbhppd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqaliabh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhippbem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glmecbbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphgpnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnlkkkod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokgqjaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklpglom.exe -
Executes dropped EXE 64 IoCs
pid Process 2532 Djnbdlla.exe 268 Dbighojl.exe 2792 Engnno32.exe 2720 Efdohq32.exe 2628 Epmcqf32.exe 2648 Flhnqf32.exe 2640 Feqbilcq.exe 2948 Fallil32.exe 2380 Fjdqbbkp.exe 1860 Gpfbfh32.exe 1176 Glmckikf.exe 2868 Hdmajkdl.exe 1556 Haqbcoce.exe 2108 Hpfoekhm.exe 2420 Hkkcbdhc.exe 2320 Ikfffh32.exe 1104 Ihjfolmn.exe 2552 Ibehna32.exe 1688 Jgbpfhpc.exe 1336 Jbgdcapi.exe 1684 Jjcigcmd.exe 592 Jgiffg32.exe 320 Jmfoon32.exe 2520 Jfnchd32.exe 2556 Kfqpmc32.exe 2528 Knldaf32.exe 2120 Kehidp32.exe 900 Lfpllg32.exe 2896 Lcdmekne.exe 2248 Liaenblm.exe 2768 Ldgikklb.exe 2760 Llbnpm32.exe 2624 Lifoia32.exe 2924 Lbncbgoh.exe 2116 Mkihfi32.exe 2852 Meaiia32.exe 2856 Mmlmmdga.exe 2024 Mdibpn32.exe 2836 Nppceo32.exe 1448 Nihgndip.exe 2264 Nijdcdgn.exe 2312 Nliqoofa.exe 2368 Nimaic32.exe 2168 Noiiaj32.exe 2016 Necandjo.exe 2176 Nkpjfkhf.exe 1332 Ndhooaog.exe 1540 Ooncljom.exe 932 Okecak32.exe 868 Oqaliabh.exe 1616 Ogldfl32.exe 2052 Olhmnb32.exe 2348 Ocbekmpi.exe 3000 Oqfeda32.exe 2872 Ofcnmh32.exe 2084 Oqibjq32.exe 2216 Pfekbg32.exe 2028 Pidgnc32.exe 1852 Ponokmah.exe 2572 Pifcdbhi.exe 2828 Pemdic32.exe 1772 Pobhfl32.exe 2772 Peoanckj.exe 1952 Pjlifjjb.exe -
Loads dropped DLL 64 IoCs
pid Process 2564 823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe 2564 823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe 2532 Djnbdlla.exe 2532 Djnbdlla.exe 268 Dbighojl.exe 268 Dbighojl.exe 2792 Engnno32.exe 2792 Engnno32.exe 2720 Efdohq32.exe 2720 Efdohq32.exe 2628 Epmcqf32.exe 2628 Epmcqf32.exe 2648 Flhnqf32.exe 2648 Flhnqf32.exe 2640 Feqbilcq.exe 2640 Feqbilcq.exe 2948 Fallil32.exe 2948 Fallil32.exe 2380 Fjdqbbkp.exe 2380 Fjdqbbkp.exe 1860 Gpfbfh32.exe 1860 Gpfbfh32.exe 1176 Glmckikf.exe 1176 Glmckikf.exe 2868 Hdmajkdl.exe 2868 Hdmajkdl.exe 1556 Haqbcoce.exe 1556 Haqbcoce.exe 2108 Hpfoekhm.exe 2108 Hpfoekhm.exe 2420 Hkkcbdhc.exe 2420 Hkkcbdhc.exe 2320 Ikfffh32.exe 2320 Ikfffh32.exe 1104 Ihjfolmn.exe 1104 Ihjfolmn.exe 2552 Ibehna32.exe 2552 Ibehna32.exe 1688 Jgbpfhpc.exe 1688 Jgbpfhpc.exe 1336 Jbgdcapi.exe 1336 Jbgdcapi.exe 1684 Jjcigcmd.exe 1684 Jjcigcmd.exe 592 Jgiffg32.exe 592 Jgiffg32.exe 320 Jmfoon32.exe 320 Jmfoon32.exe 2520 Jfnchd32.exe 2520 Jfnchd32.exe 2556 Kfqpmc32.exe 2556 Kfqpmc32.exe 2528 Knldaf32.exe 2528 Knldaf32.exe 2120 Kehidp32.exe 2120 Kehidp32.exe 900 Lfpllg32.exe 900 Lfpllg32.exe 2896 Lcdmekne.exe 2896 Lcdmekne.exe 2248 Liaenblm.exe 2248 Liaenblm.exe 2768 Ldgikklb.exe 2768 Ldgikklb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bhgdbpae.dll Qbbjon32.exe File opened for modification C:\Windows\SysWOW64\Nogodcli.exe Nfljpa32.exe File created C:\Windows\SysWOW64\Jhcajp32.dll Hgfnlejd.exe File created C:\Windows\SysWOW64\Liehdo32.dll Ndhpiapi.exe File created C:\Windows\SysWOW64\Pijjhf32.exe Pdmbpo32.exe File created C:\Windows\SysWOW64\Joccei32.dll Dhhkiq32.exe File created C:\Windows\SysWOW64\Cgogbano.exe Bfojhngl.exe File created C:\Windows\SysWOW64\Hepfob32.dll Jmbhhl32.exe File created C:\Windows\SysWOW64\Dbadgl32.dll Pjccjblp.exe File created C:\Windows\SysWOW64\Macllibi.dll Fphgpnhm.exe File created C:\Windows\SysWOW64\Gckfmc32.exe Ghebpjpj.exe File created C:\Windows\SysWOW64\Cgdippej.exe Cnlegj32.exe File created C:\Windows\SysWOW64\Dgnfedkf.dll Fifnfage.exe File created C:\Windows\SysWOW64\Ieepad32.exe Hllkhoaj.exe File created C:\Windows\SysWOW64\Kjdfge32.dll Lancqglp.exe File created C:\Windows\SysWOW64\Ldbcdhng.exe Lmikhn32.exe File created C:\Windows\SysWOW64\Ibghfj32.exe Iaekqk32.exe File created C:\Windows\SysWOW64\Noeijl32.dll Process not Found File created C:\Windows\SysWOW64\Ibfkoi32.dll Famhqclj.exe File created C:\Windows\SysWOW64\Iilqnp32.exe Iaqljman.exe File created C:\Windows\SysWOW64\Jlmjko32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mnnlihll.exe Process not Found File created C:\Windows\SysWOW64\Hhgfbpdk.exe Hkcfikea.exe File created C:\Windows\SysWOW64\Ejidna32.dll Knldaf32.exe File created C:\Windows\SysWOW64\Knjfogkd.dll Eogckqkk.exe File created C:\Windows\SysWOW64\Penlon32.exe Phcbmend.exe File opened for modification C:\Windows\SysWOW64\Monjpp32.exe Ldhfcgea.exe File created C:\Windows\SysWOW64\Meonlkcm.exe Mnefpq32.exe File created C:\Windows\SysWOW64\Icqfcj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lkgpmj32.exe Laokdekd.exe File created C:\Windows\SysWOW64\Kfbjlgnk.exe Kphbom32.exe File opened for modification C:\Windows\SysWOW64\Ebgbkihn.exe Einnbc32.exe File opened for modification C:\Windows\SysWOW64\Flmgnbcl.exe Feboahlo.exe File created C:\Windows\SysWOW64\Dokjce32.dll Peoanckj.exe File created C:\Windows\SysWOW64\Mfpbnmhk.dll Khonbhch.exe File created C:\Windows\SysWOW64\Damhij32.dll Ainhln32.exe File created C:\Windows\SysWOW64\Dmklikob.exe Dbbkhnbc.exe File opened for modification C:\Windows\SysWOW64\Bcqlcj32.exe Bgjknijp.exe File opened for modification C:\Windows\SysWOW64\Kmiaad32.exe Kfoiejdf.exe File created C:\Windows\SysWOW64\Dipfpa32.dll Omnpgqdo.exe File created C:\Windows\SysWOW64\Cpafhpaj.exe Ckdnpicb.exe File created C:\Windows\SysWOW64\Fallil32.exe Feqbilcq.exe File created C:\Windows\SysWOW64\Hnanceem.exe Goidmibg.exe File created C:\Windows\SysWOW64\Cibnfpjg.exe Clnmmlkm.exe File created C:\Windows\SysWOW64\Cnodfbdj.exe Cpkclnea.exe File created C:\Windows\SysWOW64\Mjialchg.exe Mcoioi32.exe File created C:\Windows\SysWOW64\Elmmhc32.exe Epflbbpp.exe File created C:\Windows\SysWOW64\Lgladc32.exe Khfdcgmp.exe File opened for modification C:\Windows\SysWOW64\Cbdpag32.exe Bholco32.exe File created C:\Windows\SysWOW64\Cmnqae32.exe Cbdpag32.exe File opened for modification C:\Windows\SysWOW64\Cnodfbdj.exe Cpkclnea.exe File created C:\Windows\SysWOW64\Pamdpnhj.dll Iikneggd.exe File opened for modification C:\Windows\SysWOW64\Oqfeda32.exe Ocbekmpi.exe File opened for modification C:\Windows\SysWOW64\Cbcgmi32.exe Bdogceln.exe File opened for modification C:\Windows\SysWOW64\Hljljflh.exe Hbagaa32.exe File created C:\Windows\SysWOW64\Gipahplk.dll Jbmgapgc.exe File created C:\Windows\SysWOW64\Cmghoe32.dll Nndkdn32.exe File created C:\Windows\SysWOW64\Jeenip32.exe Jlmipk32.exe File created C:\Windows\SysWOW64\Ocmdeg32.exe Ogfdpfjo.exe File created C:\Windows\SysWOW64\Fcknai32.exe Edeapm32.exe File opened for modification C:\Windows\SysWOW64\Nanlla32.exe Mjialchg.exe File created C:\Windows\SysWOW64\Aacknfhl.exe Ahkgeq32.exe File created C:\Windows\SysWOW64\Oabonopg.exe Ogjkei32.exe File opened for modification C:\Windows\SysWOW64\Kfoiejdf.exe Kikhkeel.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3328 4840 Process not Found 1107 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfekbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqjbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidfacjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goadik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpnihbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omflbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjjilho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogfdpfjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmmmdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogckqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbacdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmabhfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocnanmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegknp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqaanoah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meeqkijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbchhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holcka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgfcbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnkgnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emfhbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Looajf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcnmdend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhnofjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmmgghe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdibpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necandjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdnpicb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckknqkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilqnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ongfai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glmecbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obpccped.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghebpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdihbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbnpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cflcglho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmoagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkipoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbonnjpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnjbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkkkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhippbem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckfmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcknai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejgjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nanlla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qohkdkdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobkna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pipnohdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnnpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abldpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhqmogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflcplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbbpkjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpdlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeajcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnbfjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papmnj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jejjlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmgiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iapjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpgjl32.dll" Llpbeaak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkifgpn.dll" Kbanfbfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qimifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgclfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Icjjilho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ceibpnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcgphlkf.dll" Odbcnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkkdkae.dll" Kkchkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmdamojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfogkalg.dll" Cbdpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khfdcgmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmdohj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgiffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblmfl32.dll" Kqncnjan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbkodfgc.dll" Odgennoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenchbje.dll" Alglin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjemai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqaanoah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmlokdgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Koaohila.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmmkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nndkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkjibnbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlojcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinjak32.dll" Obnkpafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbhppd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epflbbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophiff32.dll" Ccfjpkkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gobijm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdkpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbkhjjg.dll" Cocnanmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blllchcf.dll" Jbpcgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjglpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgade32.dll" Begegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlmipk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlenijej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memghn32.dll" Gmlokdgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhmijn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdflopoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Begegn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acjmheap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nppceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goemjbna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkmckm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebaggaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcpaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbihj32.dll" Ahkgeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdeihf.dll" Fnebdhci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahhejmf.dll" Cgpkcbmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jhbfcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maimbpld.dll" Klcjfdqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbhhbojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgoikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmkjfgll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Monjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpacmghc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejhnofjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfilj32.dll" Gmleqnbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehgjigei.dll" Jnhblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2564 wrote to memory of 2532 2564 823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe 29 PID 2564 wrote to memory of 2532 2564 823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe 29 PID 2564 wrote to memory of 2532 2564 823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe 29 PID 2564 wrote to memory of 2532 2564 823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe 29 PID 2532 wrote to memory of 268 2532 Djnbdlla.exe 30 PID 2532 wrote to memory of 268 2532 Djnbdlla.exe 30 PID 2532 wrote to memory of 268 2532 Djnbdlla.exe 30 PID 2532 wrote to memory of 268 2532 Djnbdlla.exe 30 PID 268 wrote to memory of 2792 268 Dbighojl.exe 31 PID 268 wrote to memory of 2792 268 Dbighojl.exe 31 PID 268 wrote to memory of 2792 268 Dbighojl.exe 31 PID 268 wrote to memory of 2792 268 Dbighojl.exe 31 PID 2792 wrote to memory of 2720 2792 Engnno32.exe 32 PID 2792 wrote to memory of 2720 2792 Engnno32.exe 32 PID 2792 wrote to memory of 2720 2792 Engnno32.exe 32 PID 2792 wrote to memory of 2720 2792 Engnno32.exe 32 PID 2720 wrote to memory of 2628 2720 Efdohq32.exe 33 PID 2720 wrote to memory of 2628 2720 Efdohq32.exe 33 PID 2720 wrote to memory of 2628 2720 Efdohq32.exe 33 PID 2720 wrote to memory of 2628 2720 Efdohq32.exe 33 PID 2628 wrote to memory of 2648 2628 Epmcqf32.exe 34 PID 2628 wrote to memory of 2648 2628 Epmcqf32.exe 34 PID 2628 wrote to memory of 2648 2628 Epmcqf32.exe 34 PID 2628 wrote to memory of 2648 2628 Epmcqf32.exe 34 PID 2648 wrote to memory of 2640 2648 Flhnqf32.exe 35 PID 2648 wrote to memory of 2640 2648 Flhnqf32.exe 35 PID 2648 wrote to memory of 2640 2648 Flhnqf32.exe 35 PID 2648 wrote to memory of 2640 2648 Flhnqf32.exe 35 PID 2640 wrote to memory of 2948 2640 Feqbilcq.exe 36 PID 2640 wrote to memory of 2948 2640 Feqbilcq.exe 36 PID 2640 wrote to memory of 2948 2640 Feqbilcq.exe 36 PID 2640 wrote to memory of 2948 2640 Feqbilcq.exe 36 PID 2948 wrote to memory of 2380 2948 Fallil32.exe 37 PID 2948 wrote to memory of 2380 2948 Fallil32.exe 37 PID 2948 wrote to memory of 2380 2948 Fallil32.exe 37 PID 2948 wrote to memory of 2380 2948 Fallil32.exe 37 PID 2380 wrote to memory of 1860 2380 Fjdqbbkp.exe 38 PID 2380 wrote to memory of 1860 2380 Fjdqbbkp.exe 38 PID 2380 wrote to memory of 1860 2380 Fjdqbbkp.exe 38 PID 2380 wrote to memory of 1860 2380 Fjdqbbkp.exe 38 PID 1860 wrote to memory of 1176 1860 Gpfbfh32.exe 39 PID 1860 wrote to memory of 1176 1860 Gpfbfh32.exe 39 PID 1860 wrote to memory of 1176 1860 Gpfbfh32.exe 39 PID 1860 wrote to memory of 1176 1860 Gpfbfh32.exe 39 PID 1176 wrote to memory of 2868 1176 Glmckikf.exe 40 PID 1176 wrote to memory of 2868 1176 Glmckikf.exe 40 PID 1176 wrote to memory of 2868 1176 Glmckikf.exe 40 PID 1176 wrote to memory of 2868 1176 Glmckikf.exe 40 PID 2868 wrote to memory of 1556 2868 Hdmajkdl.exe 41 PID 2868 wrote to memory of 1556 2868 Hdmajkdl.exe 41 PID 2868 wrote to memory of 1556 2868 Hdmajkdl.exe 41 PID 2868 wrote to memory of 1556 2868 Hdmajkdl.exe 41 PID 1556 wrote to memory of 2108 1556 Haqbcoce.exe 42 PID 1556 wrote to memory of 2108 1556 Haqbcoce.exe 42 PID 1556 wrote to memory of 2108 1556 Haqbcoce.exe 42 PID 1556 wrote to memory of 2108 1556 Haqbcoce.exe 42 PID 2108 wrote to memory of 2420 2108 Hpfoekhm.exe 43 PID 2108 wrote to memory of 2420 2108 Hpfoekhm.exe 43 PID 2108 wrote to memory of 2420 2108 Hpfoekhm.exe 43 PID 2108 wrote to memory of 2420 2108 Hpfoekhm.exe 43 PID 2420 wrote to memory of 2320 2420 Hkkcbdhc.exe 44 PID 2420 wrote to memory of 2320 2420 Hkkcbdhc.exe 44 PID 2420 wrote to memory of 2320 2420 Hkkcbdhc.exe 44 PID 2420 wrote to memory of 2320 2420 Hkkcbdhc.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe"C:\Users\Admin\AppData\Local\Temp\823f27ed645de92db1124b97119fea17679610ed39f4519b3eabcc01fee2cbc3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Djnbdlla.exeC:\Windows\system32\Djnbdlla.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Dbighojl.exeC:\Windows\system32\Dbighojl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Engnno32.exeC:\Windows\system32\Engnno32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Efdohq32.exeC:\Windows\system32\Efdohq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Epmcqf32.exeC:\Windows\system32\Epmcqf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Flhnqf32.exeC:\Windows\system32\Flhnqf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Feqbilcq.exeC:\Windows\system32\Feqbilcq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Fallil32.exeC:\Windows\system32\Fallil32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Fjdqbbkp.exeC:\Windows\system32\Fjdqbbkp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Gpfbfh32.exeC:\Windows\system32\Gpfbfh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Hdmajkdl.exeC:\Windows\system32\Hdmajkdl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Haqbcoce.exeC:\Windows\system32\Haqbcoce.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Hkkcbdhc.exeC:\Windows\system32\Hkkcbdhc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ikfffh32.exeC:\Windows\system32\Ikfffh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Ihjfolmn.exeC:\Windows\system32\Ihjfolmn.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Ibehna32.exeC:\Windows\system32\Ibehna32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Jgbpfhpc.exeC:\Windows\system32\Jgbpfhpc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Jbgdcapi.exeC:\Windows\system32\Jbgdcapi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Jfnchd32.exeC:\Windows\system32\Jfnchd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Kfqpmc32.exeC:\Windows\system32\Kfqpmc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Knldaf32.exeC:\Windows\system32\Knldaf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Kehidp32.exeC:\Windows\system32\Kehidp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Lfpllg32.exeC:\Windows\system32\Lfpllg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Lcdmekne.exeC:\Windows\system32\Lcdmekne.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Lifoia32.exeC:\Windows\system32\Lifoia32.exe34⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Lbncbgoh.exeC:\Windows\system32\Lbncbgoh.exe35⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Mkihfi32.exeC:\Windows\system32\Mkihfi32.exe36⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Meaiia32.exeC:\Windows\system32\Meaiia32.exe37⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe38⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Mdibpn32.exeC:\Windows\system32\Mdibpn32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Nihgndip.exeC:\Windows\system32\Nihgndip.exe41⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe42⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe44⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe45⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Nkpjfkhf.exeC:\Windows\system32\Nkpjfkhf.exe47⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Ndhooaog.exeC:\Windows\system32\Ndhooaog.exe48⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe50⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Ogldfl32.exeC:\Windows\system32\Ogldfl32.exe52⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Olhmnb32.exeC:\Windows\system32\Olhmnb32.exe53⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ocbekmpi.exeC:\Windows\system32\Ocbekmpi.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe55⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ofcnmh32.exeC:\Windows\system32\Ofcnmh32.exe56⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe57⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Pfekbg32.exeC:\Windows\system32\Pfekbg32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Pidgnc32.exeC:\Windows\system32\Pidgnc32.exe59⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Ponokmah.exeC:\Windows\system32\Ponokmah.exe60⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe61⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Pemdic32.exeC:\Windows\system32\Pemdic32.exe62⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe63⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Peoanckj.exeC:\Windows\system32\Peoanckj.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Pjlifjjb.exeC:\Windows\system32\Pjlifjjb.exe65⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Pbcahgjd.exeC:\Windows\system32\Pbcahgjd.exe66⤵PID:2476
-
C:\Windows\SysWOW64\Pgpjpnhk.exeC:\Windows\system32\Pgpjpnhk.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1360 -
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe69⤵PID:1488
-
C:\Windows\SysWOW64\Qmoone32.exeC:\Windows\system32\Qmoone32.exe70⤵PID:844
-
C:\Windows\SysWOW64\Qgeckn32.exeC:\Windows\system32\Qgeckn32.exe71⤵PID:756
-
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe72⤵PID:2464
-
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe73⤵PID:2812
-
C:\Windows\SysWOW64\Amdhidqk.exeC:\Windows\system32\Amdhidqk.exe74⤵PID:2816
-
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe75⤵PID:2596
-
C:\Windows\SysWOW64\Abcngkmp.exeC:\Windows\system32\Abcngkmp.exe76⤵PID:2268
-
C:\Windows\SysWOW64\Aeajcf32.exeC:\Windows\system32\Aeajcf32.exe77⤵
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe78⤵PID:1648
-
C:\Windows\SysWOW64\Aahkhgag.exeC:\Windows\system32\Aahkhgag.exe79⤵PID:1516
-
C:\Windows\SysWOW64\Aipbidbj.exeC:\Windows\system32\Aipbidbj.exe80⤵PID:2860
-
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe81⤵PID:2508
-
C:\Windows\SysWOW64\Befcne32.exeC:\Windows\system32\Befcne32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Bmahbhei.exeC:\Windows\system32\Bmahbhei.exe83⤵PID:2400
-
C:\Windows\SysWOW64\Bdkpob32.exeC:\Windows\system32\Bdkpob32.exe84⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Boadlk32.exeC:\Windows\system32\Boadlk32.exe85⤵PID:2240
-
C:\Windows\SysWOW64\Bhiiepcl.exeC:\Windows\system32\Bhiiepcl.exe86⤵PID:1956
-
C:\Windows\SysWOW64\Bikemiik.exeC:\Windows\system32\Bikemiik.exe87⤵PID:1596
-
C:\Windows\SysWOW64\Bdpjjaiq.exeC:\Windows\system32\Bdpjjaiq.exe88⤵PID:2296
-
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe89⤵PID:1696
-
C:\Windows\SysWOW64\Bdbfpafn.exeC:\Windows\system32\Bdbfpafn.exe90⤵PID:2824
-
C:\Windows\SysWOW64\Clnkdc32.exeC:\Windows\system32\Clnkdc32.exe91⤵PID:2832
-
C:\Windows\SysWOW64\Cbhcankf.exeC:\Windows\system32\Cbhcankf.exe92⤵PID:2712
-
C:\Windows\SysWOW64\Cialng32.exeC:\Windows\system32\Cialng32.exe93⤵PID:2908
-
C:\Windows\SysWOW64\Clphjc32.exeC:\Windows\system32\Clphjc32.exe94⤵PID:2964
-
C:\Windows\SysWOW64\Campbj32.exeC:\Windows\system32\Campbj32.exe95⤵PID:2064
-
C:\Windows\SysWOW64\Coqaknog.exeC:\Windows\system32\Coqaknog.exe96⤵PID:2036
-
C:\Windows\SysWOW64\Chiedc32.exeC:\Windows\system32\Chiedc32.exe97⤵PID:1788
-
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Cemfnh32.exeC:\Windows\system32\Cemfnh32.exe99⤵PID:2144
-
C:\Windows\SysWOW64\Cgnbepjp.exeC:\Windows\system32\Cgnbepjp.exe100⤵PID:2696
-
C:\Windows\SysWOW64\Ddbbod32.exeC:\Windows\system32\Ddbbod32.exe101⤵PID:2980
-
C:\Windows\SysWOW64\Dclikp32.exeC:\Windows\system32\Dclikp32.exe102⤵PID:1908
-
C:\Windows\SysWOW64\Dbaflm32.exeC:\Windows\system32\Dbaflm32.exe103⤵PID:1736
-
C:\Windows\SysWOW64\Edbonh32.exeC:\Windows\system32\Edbonh32.exe104⤵PID:1856
-
C:\Windows\SysWOW64\Eogckqkk.exeC:\Windows\system32\Eogckqkk.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Egchocif.exeC:\Windows\system32\Egchocif.exe106⤵PID:2900
-
C:\Windows\SysWOW64\Ebhlmlhl.exeC:\Windows\system32\Ebhlmlhl.exe107⤵PID:1324
-
C:\Windows\SysWOW64\Enomam32.exeC:\Windows\system32\Enomam32.exe108⤵PID:1660
-
C:\Windows\SysWOW64\Eclejclg.exeC:\Windows\system32\Eclejclg.exe109⤵PID:1864
-
C:\Windows\SysWOW64\Enajgllm.exeC:\Windows\system32\Enajgllm.exe110⤵PID:824
-
C:\Windows\SysWOW64\Fgjnpb32.exeC:\Windows\system32\Fgjnpb32.exe111⤵PID:736
-
C:\Windows\SysWOW64\Fqbbig32.exeC:\Windows\system32\Fqbbig32.exe112⤵PID:2580
-
C:\Windows\SysWOW64\Fglkeaqk.exeC:\Windows\system32\Fglkeaqk.exe113⤵PID:1768
-
C:\Windows\SysWOW64\Ffahgn32.exeC:\Windows\system32\Ffahgn32.exe114⤵PID:2288
-
C:\Windows\SysWOW64\Fmkpchmp.exeC:\Windows\system32\Fmkpchmp.exe115⤵PID:1084
-
C:\Windows\SysWOW64\Ffcdlncp.exeC:\Windows\system32\Ffcdlncp.exe116⤵PID:2096
-
C:\Windows\SysWOW64\Fmnmih32.exeC:\Windows\system32\Fmnmih32.exe117⤵PID:912
-
C:\Windows\SysWOW64\Fpliec32.exeC:\Windows\system32\Fpliec32.exe118⤵PID:2780
-
C:\Windows\SysWOW64\Feiamj32.exeC:\Windows\system32\Feiamj32.exe119⤵PID:1576
-
C:\Windows\SysWOW64\Fhgnie32.exeC:\Windows\system32\Fhgnie32.exe120⤵PID:400
-
C:\Windows\SysWOW64\Gapbbk32.exeC:\Windows\system32\Gapbbk32.exe121⤵PID:2748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-