Analysis
max time kernel: 150s
max time network: 22s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 23:45
Static task: static1
Behavioral task: behavioral1
  Sample: 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe
  Resource: win10v2004-20240709-en

General
Target: 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe
Size: 1024KB
MD5: ee76632bdfc5efcc77e0986cf2e7a83e
SHA1: 24d795c8f533dc35dc76038219b003b5b312373b
SHA256: 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef
SHA512: feab7b6789725e24fa09e6ce8d2c01dd27b06522f18d0f2a5c21224d1b9c6f65a01747298a72c3f6ec3c93ed5f483d93db266c3ab1d3e647732bb23167a6736c
SSDEEP: 12288:q+ikY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoH:q+igsaDZgQjGkwlks/6HnEO

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iegjnkod.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgmagh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abgjecap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnponefo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qnmaka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hdajgfkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afkcqg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdmonf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obhdpaqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gdlplb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiepca32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmpoji32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cagpldqg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kahedf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhbceb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ccehgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Goojldgf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iglmjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gfpmmg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mflncjgd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpcaqg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhbbkahk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebdffijp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Abbfnade.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaiqnmgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fifkni32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoaooj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bnmmjd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjopoifk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nncdlcbf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omodibcg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Giaipo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nacgpi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbedqcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgelih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koeqhp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgebfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fhnede32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ociooe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jodfilko.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdbjcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Colgpo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onplmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajnnipnc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilkdpe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkhmkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oeibcnmf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdiamnki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kpjjcohd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifdlmcjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgbfen32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cleaebna.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aiaqie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onelbfab.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilihij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jgccjenb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fqakqmpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hhjeqhil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hmjagh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abbfnade.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feblho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jandikbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hegpim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfaigbkc.exe

Executes dropped EXE (64 IoCs)
pid | Process
3064 | Ecfcle32.exe
1492 | Echpaecj.exe
2260 | Flkjffkm.exe
2888 | Geqnho32.exe
2720 | Hmcimq32.exe
2892 | Hgknffcp.exe
2656 | Iejnna32.exe
3044 | Iobbfggm.exe
2540 | Jqmadn32.exe
1108 | Jnqanbcj.exe
1536 | Kkpekjie.exe
1676 | Kbljmd32.exe
2780 | Lpfdpmho.exe
2936 | Mgebfi32.exe
2284 | Nknmplji.exe
804 | Onacgf32.exe
2368 | Ojhdmgkl.exe
536 | Onelbfab.exe
1348 | Pbjoaibo.exe
1736 | Pgnmjokn.exe
868 | Qklfqm32.exe
2268 | Qgbfen32.exe
2052 | Amalcd32.exe
2564 | Aihmhe32.exe
3052 | Aeommfnf.exe
2176 | Anjnllbd.exe
2280 | Bbhgbj32.exe
2732 | Bamdcf32.exe
2760 | Bjehlldb.exe
2800 | Bhiiepcl.exe
2756 | Bpgjob32.exe
2664 | Colgpo32.exe
2772 | Chghodgj.exe
2704 | Cleaebna.exe
976 | Cdpfiekl.exe
1768 | Djokgk32.exe
2848 | Dkohanoc.exe
1688 | Dpnmoe32.exe
2928 | Dfjegl32.exe
456 | Ebccal32.exe
828 | Eogckqkk.exe
2412 | Ekndpa32.exe
1664 | Ekqqea32.exe
1704 | Eggajb32.exe
1380 | Eqpfchka.exe
1292 | Fpecddpi.exe
2576 | Fpgpjdnf.exe
3068 | Fpjlpclc.exe
2532 | Gigjch32.exe
2824 | Hlgodgnk.exe
2640 | Hljljflh.exe
2752 | Hlliof32.exe
2132 | Iegjnkod.exe
632 | Ikcbfb32.exe
2488 | Idncdgai.exe
436 | Ilihij32.exe
304 | Jpgaohej.exe
1712 | Jfdigocb.exe
1808 | Jcjffc32.exe
892 | Jlckoh32.exe
2164 | Jhjldiln.exe
236 | Jbbpmo32.exe
1732 | Kdcinjpo.exe
920 | Kqijck32.exe

Loads dropped DLL (64 IoCs)
pid | Process
2056 | 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe
2056 | 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe
3064 | Ecfcle32.exe
3064 | Ecfcle32.exe
1492 | Echpaecj.exe
1492 | Echpaecj.exe
2260 | Flkjffkm.exe
2260 | Flkjffkm.exe
2888 | Geqnho32.exe
2888 | Geqnho32.exe
2720 | Hmcimq32.exe
2720 | Hmcimq32.exe
2892 | Hgknffcp.exe
2892 | Hgknffcp.exe
2656 | Iejnna32.exe
2656 | Iejnna32.exe
3044 | Iobbfggm.exe
3044 | Iobbfggm.exe
2540 | Jqmadn32.exe
2540 | Jqmadn32.exe
1108 | Jnqanbcj.exe
1108 | Jnqanbcj.exe
1536 | Kkpekjie.exe
1536 | Kkpekjie.exe
1676 | Kbljmd32.exe
1676 | Kbljmd32.exe
2780 | Lpfdpmho.exe
2780 | Lpfdpmho.exe
2936 | Mgebfi32.exe
2936 | Mgebfi32.exe
2284 | Nknmplji.exe
2284 | Nknmplji.exe
804 | Onacgf32.exe
804 | Onacgf32.exe
2368 | Ojhdmgkl.exe
2368 | Ojhdmgkl.exe
536 | Onelbfab.exe
536 | Onelbfab.exe
1348 | Pbjoaibo.exe
1348 | Pbjoaibo.exe
1736 | Pgnmjokn.exe
1736 | Pgnmjokn.exe
868 | Qklfqm32.exe
868 | Qklfqm32.exe
2268 | Qgbfen32.exe
2268 | Qgbfen32.exe
2052 | Amalcd32.exe
2052 | Amalcd32.exe
2564 | Aihmhe32.exe
2564 | Aihmhe32.exe
3052 | Aeommfnf.exe
3052 | Aeommfnf.exe
2176 | Anjnllbd.exe
2176 | Anjnllbd.exe
2280 | Bbhgbj32.exe
2280 | Bbhgbj32.exe
2732 | Bamdcf32.exe
2732 | Bamdcf32.exe
2760 | Bjehlldb.exe
2760 | Bjehlldb.exe
2800 | Bhiiepcl.exe
2800 | Bhiiepcl.exe
2756 | Bpgjob32.exe
2756 | Bpgjob32.exe

Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Colpkh32.dll | Bcqlcj32.exe
File opened for modification | C:\Windows\SysWOW64\Kgahcn32.exe | Knicjipf.exe
File created | C:\Windows\SysWOW64\Kfknpj32.exe | Knnmeh32.exe
File created | C:\Windows\SysWOW64\Adjbob32.dll | Higkdm32.exe
File created | C:\Windows\SysWOW64\Poekgnkk.exe | Okgbapdd.exe
File created | C:\Windows\SysWOW64\Mpcmojia.exe | Lhhhjhkf.exe
File opened for modification | C:\Windows\SysWOW64\Injnfl32.exe | Ilfeidmk.exe
File opened for modification | C:\Windows\SysWOW64\Kdcinjpo.exe | Jbbpmo32.exe
File opened for modification | C:\Windows\SysWOW64\Mjocja32.exe | Mafoal32.exe
File created | C:\Windows\SysWOW64\Folknlae.exe | Fojnhlch.exe
File created | C:\Windows\SysWOW64\Pgbjigoo.exe | Pbeappqg.exe
File created | C:\Windows\SysWOW64\Kmobll32.dll | Gimpfdch.exe
File created | C:\Windows\SysWOW64\Pagfag32.dll | Nlgigemg.exe
File opened for modification | C:\Windows\SysWOW64\Qgbfen32.exe | Qklfqm32.exe
File created | C:\Windows\SysWOW64\Jhbikcdn.dll | Ebccal32.exe
File opened for modification | C:\Windows\SysWOW64\Lbeonhhj.exe | Lbcbih32.exe
File opened for modification | C:\Windows\SysWOW64\Cjmcpi32.exe | Cadngcad.exe
File created | C:\Windows\SysWOW64\Ejeglg32.exe | Eqmbca32.exe
File opened for modification | C:\Windows\SysWOW64\Lncodf32.exe | Khbmqpii.exe
File opened for modification | C:\Windows\SysWOW64\Djbkahcm.exe | Djpnkhep.exe
File created | C:\Windows\SysWOW64\Eohcfgjn.dll | Nkacdnkn.exe
File created | C:\Windows\SysWOW64\Enaocnlg.exe | Dhegkgnp.exe
File created | C:\Windows\SysWOW64\Opbkcp32.dll | Kqijck32.exe
File opened for modification | C:\Windows\SysWOW64\Lhhhjhkf.exe | Lnpcabef.exe
File created | C:\Windows\SysWOW64\Gabpco32.exe | Ghhoej32.exe
File created | C:\Windows\SysWOW64\Abbldqca.dll | Cknikooe.exe
File opened for modification | C:\Windows\SysWOW64\Fqdailia.exe | Fhgpoj32.exe
File created | C:\Windows\SysWOW64\Ikcbmcgm.dll | Cmemnf32.exe
File opened for modification | C:\Windows\SysWOW64\Cgqcimfn.exe | Cjmcpi32.exe
File created | C:\Windows\SysWOW64\Lkjadh32.exe | Lfmhla32.exe
File created | C:\Windows\SysWOW64\Oejbgc32.dll | Bcklmdqn.exe
File created | C:\Windows\SysWOW64\Iedigigd.dll | Lpjfbb32.exe
File created | C:\Windows\SysWOW64\Eiamal32.exe | Edcdkm32.exe
File opened for modification | C:\Windows\SysWOW64\Nbbdlhlh.exe | Njdbbf32.exe
File created | C:\Windows\SysWOW64\Lhcpkmef.exe | Lajgnb32.exe
File opened for modification | C:\Windows\SysWOW64\Mdplcfoi.exe | Mdmonf32.exe
File opened for modification | C:\Windows\SysWOW64\Kphmnojf.exe | Koeqhp32.exe
File created | C:\Windows\SysWOW64\Dnlmdpem.exe | Dkkdcd32.exe
File opened for modification | C:\Windows\SysWOW64\Jagfnf32.exe | Jenicf32.exe
File created | C:\Windows\SysWOW64\Ngknpb32.dll | Lkjadh32.exe
File created | C:\Windows\SysWOW64\Qjdkneao.dll | Knekknjg.exe
File created | C:\Windows\SysWOW64\Dibjai32.dll | Mdplcfoi.exe
File created | C:\Windows\SysWOW64\Hnpfci32.dll | Hoaooj32.exe
File created | C:\Windows\SysWOW64\Eogckqkk.exe | Ebccal32.exe
File opened for modification | C:\Windows\SysWOW64\Pahpcd32.exe | Opdffmlb.exe
File created | C:\Windows\SysWOW64\Aakepd32.dll | Ckdnpicb.exe
File opened for modification | C:\Windows\SysWOW64\Fiiafg32.exe | Fmbpaf32.exe
File opened for modification | C:\Windows\SysWOW64\Bhhbmfjb.exe | Bkdacb32.exe
File opened for modification | C:\Windows\SysWOW64\Pgekphld.exe | Pkojkg32.exe
File created | C:\Windows\SysWOW64\Echpaecj.exe | Ecfcle32.exe
File opened for modification | C:\Windows\SysWOW64\Mdaedhoh.exe | Mpcmojia.exe
File created | C:\Windows\SysWOW64\Ppanehoa.dll | Nfjnja32.exe
File created | C:\Windows\SysWOW64\Gjhlii32.dll | Phcbmend.exe
File created | C:\Windows\SysWOW64\Nbipmk32.dll | Bfhnmiii.exe
File created | C:\Windows\SysWOW64\Gpcaqg32.exe | Gnmknp32.exe
File opened for modification | C:\Windows\SysWOW64\Lpfdpmho.exe | Kbljmd32.exe
File opened for modification | C:\Windows\SysWOW64\Dopfpkng.exe | Degage32.exe
File created | C:\Windows\SysWOW64\Mhggld32.exe | Mmnflf32.exe
File created | C:\Windows\SysWOW64\Gbgnmgqk.dll | Jbjccf32.exe
File created | C:\Windows\SysWOW64\Aepcmk32.dll | Lpfdpmho.exe
File created | C:\Windows\SysWOW64\Dpnmoe32.exe | Dkohanoc.exe
File created | C:\Windows\SysWOW64\Jpgcjm32.exe | Jdqbdl32.exe
File created | C:\Windows\SysWOW64\Ijgcmc32.exe | Icjokidf.exe
File created | C:\Windows\SysWOW64\Kcoqoi32.dll | Fmjmml32.exe

System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmqjoljn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hlliof32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccmdbg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aclhap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imblii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aofhejdh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnddkh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jagfnf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhhhjhkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qijffhki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbinidpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgedlbfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djbkahcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajgdbgnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edcdkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eqpfchka.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glpbiaqg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boboknnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blghhahp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hehikpol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmhhie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ockiklha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiqfoble.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eglqacpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjocja32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbgdonkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcihlp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eqmbca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lncodf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgbfen32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kaakmnah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Coenifch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdpplcjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmnflf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iegjnkod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgficdgo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pckcajfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdcinjpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgihopao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkgmkbih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hqdeciho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbhlilip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpfojp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfpagd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmefidoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clnnhq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdnkhm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mheqie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibdcnm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deloen32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlepbb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leqjcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ioikjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qcbndg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onadck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eoloae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jeahbndo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbqech32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhdpka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilihij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fphbna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hchcmnlj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elaloeai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egimam32.exe

Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdldmn32.dll" | Mibgho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ilfeidmk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbebjpaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ljjpighp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Onejljep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lbeonhhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fdoedp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpmmce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mdplcfoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehchin32.dll" | Oholdojo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Emahhhhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqeeabhm.dll" | Gggihhkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lncodf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnoed32.dll" | Icjokidf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iqldgg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mfomabme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbkjc32.dll" | Bjehlldb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Olapcm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Abieajgi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lelbak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onfihj32.dll" | Acfcme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaglhcal.dll" | Eglqacpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eqmbca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olnlgjof.dll" | Ejeglg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejllo32.dll" | Bnlihgln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpgbcf.dll" | Djokgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fknido32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nfjnja32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bnmmjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdieagcj.dll" | Nhbbkahk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oagkod32.dll" | Qjjikafh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qcbndg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fgfjbhlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Haigco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nacgpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjbophb.dll" | Qhabfibb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjabhjec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Akpafa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpdfi32.dll" | Bcmheqim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinkmg32.dll" | Dhkmjbbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gigjch32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mkgllndq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbnpchg.dll" | Lgdcqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ofmkpfqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jmfcmlfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mddigg32.dll" | Gninpg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgccjenb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ihocmeao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgodiaaa.dll" | Mlogojjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pcljlq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhnede32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ekndpa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kfioaaah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqbkknqb.dll" | Phacnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cajmbd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lgdcqj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qjkpegic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mlmmmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lghkma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdjjgem.dll" | Fgfjbhlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bbiohiea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgihopao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aiioanpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkekggl.dll" | Jdpplcjh.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2056 wrote to memory of 3064 2056 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe 29
PID 2056 wrote to memory of 3064 2056 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe 29
PID 2056 wrote to memory of 3064 2056 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe 29
PID 2056 wrote to memory of 3064 2056 716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe 29
PID 3064 wrote to memory of 1492 3064 Ecfcle32.exe 30
PID 3064 wrote to memory of 1492 3064 Ecfcle32.exe 30
PID 3064 wrote to memory of 1492 3064 Ecfcle32.exe 30
PID 3064 wrote to memory of 1492 3064 Ecfcle32.exe 30
PID 1492 wrote to memory of 2260 1492 Echpaecj.exe 31
PID 1492 wrote to memory of 2260 1492 Echpaecj.exe 31
PID 1492 wrote to memory of 2260 1492 Echpaecj.exe 31
PID 1492 wrote to memory of 2260 1492 Echpaecj.exe 31
PID 2260 wrote to memory of 2888 2260 Flkjffkm.exe 32
PID 2260 wrote to memory of 2888 2260 Flkjffkm.exe 32
PID 2260 wrote to memory of 2888 2260 Flkjffkm.exe 32
PID 2260 wrote to memory of 2888 2260 Flkjffkm.exe 32
PID 2888 wrote to memory of 2720 2888 Geqnho32.exe 33
PID 2888 wrote to memory of 2720 2888 Geqnho32.exe 33
PID 2888 wrote to memory of 2720 2888 Geqnho32.exe 33
PID 2888 wrote to memory of 2720 2888 Geqnho32.exe 33
PID 2720 wrote to memory of 2892 2720 Hmcimq32.exe 34
PID 2720 wrote to memory of 2892 2720 Hmcimq32.exe 34
PID 2720 wrote to memory of 2892 2720 Hmcimq32.exe 34
PID 2720 wrote to memory of 2892 2720 Hmcimq32.exe 34
PID 2892 wrote to memory of 2656 2892 Hgknffcp.exe 35
PID 2892 wrote to memory of 2656 2892 Hgknffcp.exe 35
PID 2892 wrote to memory of 2656 2892 Hgknffcp.exe 35
PID 2892 wrote to memory of 2656 2892 Hgknffcp.exe 35
PID 2656 wrote to memory of 3044 2656 Iejnna32.exe 36
PID 2656 wrote to memory of 3044 2656 Iejnna32.exe 36
PID 2656 wrote to memory of 3044 2656 Iejnna32.exe 36
PID 2656 wrote to memory of 3044 2656 Iejnna32.exe 36
PID 3044 wrote to memory of 2540 3044 Iobbfggm.exe 37
PID 3044 wrote to memory of 2540 3044 Iobbfggm.exe 37
PID 3044 wrote to memory of 2540 3044 Iobbfggm.exe 37
PID 3044 wrote to memory of 2540 3044 Iobbfggm.exe 37
PID 2540 wrote to memory of 1108 2540 Jqmadn32.exe 38
PID 2540 wrote to memory of 1108 2540 Jqmadn32.exe 38
PID 2540 wrote to memory of 1108 2540 Jqmadn32.exe 38
PID 2540 wrote to memory of 1108 2540 Jqmadn32.exe 38
PID 1108 wrote to memory of 1536 1108 Jnqanbcj.exe 39
PID 1108 wrote to memory of 1536 1108 Jnqanbcj.exe 39
PID 1108 wrote to memory of 1536 1108 Jnqanbcj.exe 39
PID 1108 wrote to memory of 1536 1108 Jnqanbcj.exe 39
PID 1536 wrote to memory of 1676 1536 Kkpekjie.exe 40
PID 1536 wrote to memory of 1676 1536 Kkpekjie.exe 40
PID 1536 wrote to memory of 1676 1536 Kkpekjie.exe 40
PID 1536 wrote to memory of 1676 1536 Kkpekjie.exe 40
PID 1676 wrote to memory of 2780 1676 Kbljmd32.exe 41
PID 1676 wrote to memory of 2780 1676 Kbljmd32.exe 41
PID 1676 wrote to memory of 2780 1676 Kbljmd32.exe 41
PID 1676 wrote to memory of 2780 1676 Kbljmd32.exe 41
PID 2780 wrote to memory of 2936 2780 Lpfdpmho.exe 42
PID 2780 wrote to memory of 2936 2780 Lpfdpmho.exe 42
PID 2780 wrote to memory of 2936 2780 Lpfdpmho.exe 42
PID 2780 wrote to memory of 2936 2780 Lpfdpmho.exe 42
PID 2936 wrote to memory of 2284 2936 Mgebfi32.exe 43
PID 2936 wrote to memory of 2284 2936 Mgebfi32.exe 43
PID 2936 wrote to memory of 2284 2936 Mgebfi32.exe 43
PID 2936 wrote to memory of 2284 2936 Mgebfi32.exe 43
PID 2284 wrote to memory of 804 2284 Nknmplji.exe 44
PID 2284 wrote to memory of 804 2284 Nknmplji.exe 44
PID 2284 wrote to memory of 804 2284 Nknmplji.exe 44
PID 2284 wrote to memory of 804 2284 Nknmplji.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe"C:\Users\Admin\AppData\Local\Temp\716a046ff7724dc935d7d6278a4386a8c03eb092ca7e22d5fce85cfd24e147ef.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ecfcle32.exeC:\Windows\system32\Ecfcle32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Echpaecj.exeC:\Windows\system32\Echpaecj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Flkjffkm.exeC:\Windows\system32\Flkjffkm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Geqnho32.exeC:\Windows\system32\Geqnho32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Hmcimq32.exeC:\Windows\system32\Hmcimq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Hgknffcp.exeC:\Windows\system32\Hgknffcp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Iejnna32.exeC:\Windows\system32\Iejnna32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Iobbfggm.exeC:\Windows\system32\Iobbfggm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Jnqanbcj.exeC:\Windows\system32\Jnqanbcj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Kbljmd32.exeC:\Windows\system32\Kbljmd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Mgebfi32.exeC:\Windows\system32\Mgebfi32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Onacgf32.exeC:\Windows\system32\Onacgf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Ojhdmgkl.exeC:\Windows\system32\Ojhdmgkl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Onelbfab.exeC:\Windows\system32\Onelbfab.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Pbjoaibo.exeC:\Windows\system32\Pbjoaibo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Qklfqm32.exeC:\Windows\system32\Qklfqm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Qgbfen32.exeC:\Windows\system32\Qgbfen32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Aihmhe32.exeC:\Windows\system32\Aihmhe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Bbhgbj32.exeC:\Windows\system32\Bbhgbj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Bjehlldb.exeC:\Windows\system32\Bjehlldb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Bhiiepcl.exeC:\Windows\system32\Bhiiepcl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Bpgjob32.exeC:\Windows\system32\Bpgjob32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Colgpo32.exeC:\Windows\system32\Colgpo32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Chghodgj.exeC:\Windows\system32\Chghodgj.exe34⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Cleaebna.exeC:\Windows\system32\Cleaebna.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Cdpfiekl.exeC:\Windows\system32\Cdpfiekl.exe36⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Djokgk32.exeC:\Windows\system32\Djokgk32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Dkohanoc.exeC:\Windows\system32\Dkohanoc.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Dpnmoe32.exeC:\Windows\system32\Dpnmoe32.exe39⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Dfjegl32.exeC:\Windows\system32\Dfjegl32.exe40⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ebccal32.exeC:\Windows\system32\Ebccal32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\Eogckqkk.exeC:\Windows\system32\Eogckqkk.exe42⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Ekndpa32.exeC:\Windows\system32\Ekndpa32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Ekqqea32.exeC:\Windows\system32\Ekqqea32.exe44⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Eggajb32.exeC:\Windows\system32\Eggajb32.exe45⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Eqpfchka.exeC:\Windows\system32\Eqpfchka.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Fpecddpi.exeC:\Windows\system32\Fpecddpi.exe47⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Fpgpjdnf.exeC:\Windows\system32\Fpgpjdnf.exe48⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Fpjlpclc.exeC:\Windows\system32\Fpjlpclc.exe49⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Gigjch32.exeC:\Windows\system32\Gigjch32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Hbokkagk.exeC:\Windows\system32\Hbokkagk.exe51⤵PID:2208
-
C:\Windows\SysWOW64\Hlgodgnk.exeC:\Windows\system32\Hlgodgnk.exe52⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Hljljflh.exeC:\Windows\system32\Hljljflh.exe53⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Hlliof32.exeC:\Windows\system32\Hlliof32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Iegjnkod.exeC:\Windows\system32\Iegjnkod.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Ikcbfb32.exeC:\Windows\system32\Ikcbfb32.exe56⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Idncdgai.exeC:\Windows\system32\Idncdgai.exe57⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ilihij32.exeC:\Windows\system32\Ilihij32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:436 -
C:\Windows\SysWOW64\Jpgaohej.exeC:\Windows\system32\Jpgaohej.exe59⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Jfdigocb.exeC:\Windows\system32\Jfdigocb.exe60⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Jcjffc32.exeC:\Windows\system32\Jcjffc32.exe61⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Jlckoh32.exeC:\Windows\system32\Jlckoh32.exe62⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Jhjldiln.exeC:\Windows\system32\Jhjldiln.exe63⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Jbbpmo32.exeC:\Windows\system32\Jbbpmo32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:236 -
C:\Windows\SysWOW64\Kdcinjpo.exeC:\Windows\system32\Kdcinjpo.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Kqijck32.exeC:\Windows\system32\Kqijck32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Kfioaaah.exeC:\Windows\system32\Kfioaaah.exe67⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Kbppfb32.exeC:\Windows\system32\Kbppfb32.exe68⤵PID:1724
-
C:\Windows\SysWOW64\Lfmhla32.exeC:\Windows\system32\Lfmhla32.exe69⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Lkjadh32.exeC:\Windows\system32\Lkjadh32.exe70⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Linanl32.exeC:\Windows\system32\Linanl32.exe71⤵PID:472
-
C:\Windows\SysWOW64\Laifbnho.exeC:\Windows\system32\Laifbnho.exe72⤵PID:2392
-
C:\Windows\SysWOW64\Lnpcabef.exeC:\Windows\system32\Lnpcabef.exe73⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Lhhhjhkf.exeC:\Windows\system32\Lhhhjhkf.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Mpcmojia.exeC:\Windows\system32\Mpcmojia.exe75⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Mdaedhoh.exeC:\Windows\system32\Mdaedhoh.exe76⤵PID:1420
-
C:\Windows\SysWOW64\Mbfbfe32.exeC:\Windows\system32\Mbfbfe32.exe77⤵PID:528
-
C:\Windows\SysWOW64\Mlogojjp.exeC:\Windows\system32\Mlogojjp.exe78⤵
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Mibgho32.exeC:\Windows\system32\Mibgho32.exe79⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Nanlla32.exeC:\Windows\system32\Nanlla32.exe80⤵PID:2220
-
C:\Windows\SysWOW64\Nkhmkf32.exeC:\Windows\system32\Nkhmkf32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Ndaaclac.exeC:\Windows\system32\Ndaaclac.exe82⤵PID:1260
-
C:\Windows\SysWOW64\Nhojjjhj.exeC:\Windows\system32\Nhojjjhj.exe83⤵PID:2552
-
C:\Windows\SysWOW64\Olapcm32.exeC:\Windows\system32\Olapcm32.exe84⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Onplmp32.exeC:\Windows\system32\Onplmp32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Ohjmnn32.exeC:\Windows\system32\Ohjmnn32.exe86⤵PID:2060
-
C:\Windows\SysWOW64\Olhfdl32.exeC:\Windows\system32\Olhfdl32.exe87⤵PID:564
-
C:\Windows\SysWOW64\Phacnm32.exeC:\Windows\system32\Phacnm32.exe88⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Phcpdm32.exeC:\Windows\system32\Phcpdm32.exe89⤵PID:2624
-
C:\Windows\SysWOW64\Pdjqinld.exeC:\Windows\system32\Pdjqinld.exe90⤵PID:2788
-
C:\Windows\SysWOW64\Bajqcqli.exeC:\Windows\system32\Bajqcqli.exe91⤵PID:2872
-
C:\Windows\SysWOW64\Bpdgolml.exeC:\Windows\system32\Bpdgolml.exe92⤵PID:1200
-
C:\Windows\SysWOW64\Cagpldqg.exeC:\Windows\system32\Cagpldqg.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1416 -
C:\Windows\SysWOW64\Cajmbd32.exeC:\Windows\system32\Cajmbd32.exe94⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Cmqmgedi.exeC:\Windows\system32\Cmqmgedi.exe95⤵PID:1988
-
C:\Windows\SysWOW64\Ckdnpicb.exeC:\Windows\system32\Ckdnpicb.exe96⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Cmegbd32.exeC:\Windows\system32\Cmegbd32.exe97⤵PID:1076
-
C:\Windows\SysWOW64\Ceqlff32.exeC:\Windows\system32\Ceqlff32.exe98⤵PID:2580
-
C:\Windows\SysWOW64\Dhadhakp.exeC:\Windows\system32\Dhadhakp.exe99⤵PID:1848
-
C:\Windows\SysWOW64\Dajiag32.exeC:\Windows\system32\Dajiag32.exe100⤵PID:1288
-
C:\Windows\SysWOW64\Degage32.exeC:\Windows\system32\Degage32.exe101⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Dopfpkng.exeC:\Windows\system32\Dopfpkng.exe102⤵PID:2464
-
C:\Windows\SysWOW64\Epcomc32.exeC:\Windows\system32\Epcomc32.exe103⤵PID:2004
-
C:\Windows\SysWOW64\Ejldfh32.exeC:\Windows\system32\Ejldfh32.exe104⤵PID:928
-
C:\Windows\SysWOW64\Elmmhc32.exeC:\Windows\system32\Elmmhc32.exe105⤵PID:2372
-
C:\Windows\SysWOW64\Efeaqi32.exeC:\Windows\system32\Efeaqi32.exe106⤵PID:2304
-
C:\Windows\SysWOW64\Eqmbca32.exeC:\Windows\system32\Eqmbca32.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Ejeglg32.exeC:\Windows\system32\Ejeglg32.exe108⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Fobodn32.exeC:\Windows\system32\Fobodn32.exe109⤵PID:2364
-
C:\Windows\SysWOW64\Fmfpnb32.exeC:\Windows\system32\Fmfpnb32.exe110⤵PID:1604
-
C:\Windows\SysWOW64\Fknido32.exeC:\Windows\system32\Fknido32.exe111⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Fjbfek32.exeC:\Windows\system32\Fjbfek32.exe112⤵PID:2960
-
C:\Windows\SysWOW64\Gfigkljk.exeC:\Windows\system32\Gfigkljk.exe113⤵PID:2828
-
C:\Windows\SysWOW64\Gaahmd32.exeC:\Windows\system32\Gaahmd32.exe114⤵PID:2152
-
C:\Windows\SysWOW64\Gpfeoqmf.exeC:\Windows\system32\Gpfeoqmf.exe115⤵PID:3032
-
C:\Windows\SysWOW64\Gecmghkm.exeC:\Windows\system32\Gecmghkm.exe116⤵PID:1956
-
C:\Windows\SysWOW64\Glpbiaqg.exeC:\Windows\system32\Glpbiaqg.exe117⤵
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Hehgbg32.exeC:\Windows\system32\Hehgbg32.exe118⤵PID:2332
-
C:\Windows\SysWOW64\Hejcggee.exeC:\Windows\system32\Hejcggee.exe119⤵PID:2976
-
C:\Windows\SysWOW64\Hmehlibq.exeC:\Windows\system32\Hmehlibq.exe120⤵PID:2300
-
C:\Windows\SysWOW64\Hhmioa32.exeC:\Windows\system32\Hhmioa32.exe121⤵PID:3048
-
C:\Windows\SysWOW64\Hmjagh32.exeC:\Windows\system32\Hmjagh32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520