Analysis
max time kernel: 98s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/08/2024, 08:12
Static task: static1
Behavioral task: behavioral1
  Sample: d2f4ea1e571b033b42bbcbbe88acbba0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: d2f4ea1e571b033b42bbcbbe88acbba0N.exe
  Resource: win10v2004-20240802-en
General
Target: d2f4ea1e571b033b42bbcbbe88acbba0N.exe
Size: 121KB
MD5: d2f4ea1e571b033b42bbcbbe88acbba0
SHA1: 4daecb1c0064e88eeb220acd66e9f0ec79b92086
SHA256: 1ea69f0ced287c0616abd3b580db97287a16358b967328c76794b8d43433ad46
SHA512: a73a7e92444a36bcaa45ffb2052fe06e1aa53db1aefdd9072fd19784a17074784f7ac183dc4c349939a22e1539e3e777a2cc5f105b927cc7dbb692b33270bc2d
SSDEEP: 1536:TLWC+xxL0O+cONxWaKR/2Rso/vdxgj9lHzOI3gCV19zQYOd5ijJnD5ir3oGuiWDD:OCI0O+cONxyBkr/lyl93dO7AJnD5tvv
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lchpeebo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjbelf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdidhfdp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhpajd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgmjla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hckblf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qeakmg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdikch32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfmcapna.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efeaqi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljjnpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbibla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbjjll32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hebckd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfqpmc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddgljced.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdlcnkfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pcmcmcjc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bciohe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onmkhlph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hjqpcq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nipgab32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcohih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aacjba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kjmnfk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfhdeoqh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcgfcbbh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kajbie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aeommfnf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcjcefbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nmgiga32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deficgha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocakjjok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djahmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jqeqhlii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qoimmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kheloh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mchldhej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Peandcih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qklfqm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhglpqeo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogjjie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oejfelin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inbpnbbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bjphff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Egpdom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gcpdip32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olclimif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Boblbe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlbncmih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Meeqkijg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elolfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcbjfjnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bgablmfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbeakllj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqgjlb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agikmeeg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icdllk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oaolne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cehlbihg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doipoldo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fniikj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbgnpl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdphbm32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2520 | Gonlld32.exe
2196 | Hhfqejoh.exe
2112 | Hkgjge32.exe
2804 | Hgnjlfam.exe
2752 | Hcdkagga.exe
2640 | Hlmpjl32.exe
852 | Hjqpcq32.exe
2664 | Icidlf32.exe
2404 | Ipmeej32.exe
1864 | Ianambhc.exe
1108 | Ikfffh32.exe
1420 | Idojon32.exe
1744 | Ibehna32.exe
2980 | Jjqlbdog.exe
320 | Jciaki32.exe
2384 | Jcknqicd.exe
1588 | Jcmjfiab.exe
792 | Jijbnppi.exe
1664 | Jcpglhpo.exe
2016 | Kfqpmc32.exe
1512 | Kmjhjndm.exe
2436 | Kamncagl.exe
2052 | Kaojiqej.exe
1724 | Kjgoaflj.exe
3068 | Kfnpgg32.exe
2160 | Lfpllg32.exe
3052 | Lafpipoa.exe
2456 | Lbgmah32.exe
2084 | Licbca32.exe
2876 | Lfgbmf32.exe
2740 | Lbncbgoh.exe
2852 | Mbqpgf32.exe
2668 | Mlidplcf.exe
1716 | Mddidnqa.exe
3036 | Mojmbg32.exe
2516 | Mggoli32.exe
1808 | Npbpjn32.exe
2780 | Neohbe32.exe
944 | Nimaic32.exe
2364 | Noiiaj32.exe
1036 | Ndfbia32.exe
2420 | Nkpjfkhf.exe
2496 | Ohdkop32.exe
1152 | Oamohenq.exe
1012 | Ohfgeo32.exe
2188 | Oaolne32.exe
2308 | Ooiepnen.exe
2184 | Ommfibdg.exe
1504 | Polbemck.exe
1596 | Ponokmah.exe
2232 | Pfhghgie.exe
2756 | Pkeppngm.exe
2020 | Pfjdmggb.exe
2888 | Pobhfl32.exe
1996 | Pikmob32.exe
1844 | Pjlifjjb.exe
2932 | Peandcih.exe
688 | Qklfqm32.exe
2316 | Qmmbhegc.exe
1260 | Qcgkeonp.exe
2332 | Qnlobhne.exe
816 | Afhcgjkq.exe
1708 | Aamhdckg.exe
828 | Afjplj32.exe
Loads dropped DLL (64 IoCs)
pid | Process
3008 | d2f4ea1e571b033b42bbcbbe88acbba0N.exe
3008 | d2f4ea1e571b033b42bbcbbe88acbba0N.exe
2520 | Gonlld32.exe
2520 | Gonlld32.exe
2196 | Hhfqejoh.exe
2196 | Hhfqejoh.exe
2112 | Hkgjge32.exe
2112 | Hkgjge32.exe
2804 | Hgnjlfam.exe
2804 | Hgnjlfam.exe
2752 | Hcdkagga.exe
2752 | Hcdkagga.exe
2640 | Hlmpjl32.exe
2640 | Hlmpjl32.exe
852 | Hjqpcq32.exe
852 | Hjqpcq32.exe
2664 | Icidlf32.exe
2664 | Icidlf32.exe
2404 | Ipmeej32.exe
2404 | Ipmeej32.exe
1864 | Ianambhc.exe
1864 | Ianambhc.exe
1108 | Ikfffh32.exe
1108 | Ikfffh32.exe
1420 | Idojon32.exe
1420 | Idojon32.exe
1744 | Ibehna32.exe
1744 | Ibehna32.exe
2980 | Jjqlbdog.exe
2980 | Jjqlbdog.exe
320 | Jciaki32.exe
320 | Jciaki32.exe
2384 | Jcknqicd.exe
2384 | Jcknqicd.exe
1588 | Jcmjfiab.exe
1588 | Jcmjfiab.exe
792 | Jijbnppi.exe
792 | Jijbnppi.exe
1664 | Jcpglhpo.exe
1664 | Jcpglhpo.exe
2016 | Kfqpmc32.exe
2016 | Kfqpmc32.exe
1512 | Kmjhjndm.exe
1512 | Kmjhjndm.exe
2436 | Kamncagl.exe
2436 | Kamncagl.exe
2052 | Kaojiqej.exe
2052 | Kaojiqej.exe
1724 | Kjgoaflj.exe
1724 | Kjgoaflj.exe
3068 | Kfnpgg32.exe
3068 | Kfnpgg32.exe
2160 | Lfpllg32.exe
2160 | Lfpllg32.exe
3052 | Lafpipoa.exe
3052 | Lafpipoa.exe
2456 | Lbgmah32.exe
2456 | Lbgmah32.exe
2084 | Licbca32.exe
2084 | Licbca32.exe
2876 | Lfgbmf32.exe
2876 | Lfgbmf32.exe
2740 | Lbncbgoh.exe
2740 | Lbncbgoh.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Hjjmgo32.exe | Hcpejd32.exe
File opened for modification | C:\Windows\SysWOW64\Kheloh32.exe | Klnljghg.exe
File created | C:\Windows\SysWOW64\Keimhmmd.exe | Kheloh32.exe
File opened for modification | C:\Windows\SysWOW64\Moanpe32.exe | Mammfa32.exe
File created | C:\Windows\SysWOW64\Heefcm32.dll | Amlhmb32.exe
File created | C:\Windows\SysWOW64\Bilkhbcl.exe | Bpdgolml.exe
File created | C:\Windows\SysWOW64\Acmlqg32.dll | Beibln32.exe
File opened for modification | C:\Windows\SysWOW64\Lfhgng32.exe | Lpiaqqlg.exe
File opened for modification | C:\Windows\SysWOW64\Pmngef32.exe | Pbhcgn32.exe
File created | C:\Windows\SysWOW64\Cpabgb32.exe | Cigijhne.exe
File opened for modification | C:\Windows\SysWOW64\Aihmhe32.exe | Afjplj32.exe
File created | C:\Windows\SysWOW64\Obngnphg.exe | Oejfelin.exe
File opened for modification | C:\Windows\SysWOW64\Ifchhf32.exe | Icdllk32.exe
File created | C:\Windows\SysWOW64\Eiajbl32.dll | Mjoecjgf.exe
File opened for modification | C:\Windows\SysWOW64\Hnanceem.exe | Hidekn32.exe
File created | C:\Windows\SysWOW64\Bkjneo32.dll | Hhfqejoh.exe
File created | C:\Windows\SysWOW64\Gbgnpl32.exe | Gbeakllj.exe
File created | C:\Windows\SysWOW64\Edhpdbbm.dll | Lmkgajnm.exe
File created | C:\Windows\SysWOW64\Kcflbpnn.exe | Kpecad32.exe
File created | C:\Windows\SysWOW64\Demljd32.dll | Bndjei32.exe
File created | C:\Windows\SysWOW64\Lgcmmb32.dll | Fhikiefk.exe
File created | C:\Windows\SysWOW64\Kklbpg32.dll | Fgpqnpjh.exe
File opened for modification | C:\Windows\SysWOW64\Alcbno32.exe | Aaiamamk.exe
File created | C:\Windows\SysWOW64\Qnommd32.dll | Cijkaehj.exe
File opened for modification | C:\Windows\SysWOW64\Cobkja32.exe | Cfjfal32.exe
File opened for modification | C:\Windows\SysWOW64\Pmcjceam.exe | Pdkejo32.exe
File opened for modification | C:\Windows\SysWOW64\Kamncagl.exe | Kmjhjndm.exe
File created | C:\Windows\SysWOW64\Fpifgqmh.dll | Oimpppoj.exe
File opened for modification | C:\Windows\SysWOW64\Aocgnh32.exe | Ambnlmja.exe
File created | C:\Windows\SysWOW64\Obdolb32.dll | Ikaglgei.exe
File opened for modification | C:\Windows\SysWOW64\Kfqpmc32.exe | Jcpglhpo.exe
File created | C:\Windows\SysWOW64\Fhjcmcep.exe | Efjklh32.exe
File created | C:\Windows\SysWOW64\Pkalph32.exe | Pdhdcnng.exe
File created | C:\Windows\SysWOW64\Iejkel32.exe | Ikaglgei.exe
File created | C:\Windows\SysWOW64\Ebnfdkdf.dll | Fhpajd32.exe
File created | C:\Windows\SysWOW64\Ibehna32.exe | Idojon32.exe
File created | C:\Windows\SysWOW64\Mggoli32.exe | Mojmbg32.exe
File created | C:\Windows\SysWOW64\Dmkhid32.dll | Clnkdc32.exe
File created | C:\Windows\SysWOW64\Ohjfni32.dll | Fbflfomj.exe
File opened for modification | C:\Windows\SysWOW64\Qmmbhegc.exe | Qklfqm32.exe
File created | C:\Windows\SysWOW64\Fdcahdib.exe | Fniikj32.exe
File created | C:\Windows\SysWOW64\Cfkhno32.dll | Lkkcmqcn.exe
File created | C:\Windows\SysWOW64\Plfhfiqc.exe | Pcmcmcjc.exe
File opened for modification | C:\Windows\SysWOW64\Hkqgkcpp.exe | Hecnblah.exe
File opened for modification | C:\Windows\SysWOW64\Hfmcapna.exe | Hiichkog.exe
File created | C:\Windows\SysWOW64\Nlfmoidh.exe | Nlcpjj32.exe
File opened for modification | C:\Windows\SysWOW64\Mfjaknoe.exe | Lfhdeoqh.exe
File created | C:\Windows\SysWOW64\Lkkcmqcn.exe | Ldqkqf32.exe
File created | C:\Windows\SysWOW64\Lfpllg32.exe | Kfnpgg32.exe
File created | C:\Windows\SysWOW64\Fbkphjih.dll | Paldmbmq.exe
File opened for modification | C:\Windows\SysWOW64\Lkkcmqcn.exe | Ldqkqf32.exe
File created | C:\Windows\SysWOW64\Fdimld32.dll | Pndoqf32.exe
File created | C:\Windows\SysWOW64\Pjddeg32.dll | Fhgnie32.exe
File created | C:\Windows\SysWOW64\Jhohclgg.dll | Dpifln32.exe
File opened for modification | C:\Windows\SysWOW64\Qcgfcbbh.exe | Qhabfibb.exe
File created | C:\Windows\SysWOW64\Ogffpcnh.dll | Phgjnm32.exe
File opened for modification | C:\Windows\SysWOW64\Qdbbedhp.exe | Plgmabke.exe
File created | C:\Windows\SysWOW64\Pqhpil32.dll | Pekkga32.exe
File created | C:\Windows\SysWOW64\Qadhba32.exe | Qjkpegic.exe
File opened for modification | C:\Windows\SysWOW64\Daqoafkh.exe | Dkggel32.exe
File opened for modification | C:\Windows\SysWOW64\Pgklcaqi.exe | Plfhfiqc.exe
File opened for modification | C:\Windows\SysWOW64\Fkibbh32.exe | Feljja32.exe
File created | C:\Windows\SysWOW64\Khpqkq32.exe | Koglbkdl.exe
File created | C:\Windows\SysWOW64\Keeeld32.dll | Olijen32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3484 | 5092 | WerFault.exe | 737
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Holqbipe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndfbia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acnqen32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhjdpgic.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbfbfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Caofmc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcmnbbja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Diqabd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjbfek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omdfgq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qadhba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aigcgc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qoipflcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Deficgha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdpbnlbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkpbbeda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogbkakeo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjbnlqld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngonpgqg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmkgajnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eiabbicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eogckqkk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eaaajo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elolfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cchdlb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcpejd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okmceiii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nifmqm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bflghh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmahbhei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdphbm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgojdj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Goojldgf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcbngf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lgaoqdmk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fefdhj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpdgolml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnbinl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfddcn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keicbcqp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bebmgc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jijbnppi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddgljced.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enmplm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcflbpnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qklfqm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icdllk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnqkammo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aocgnh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcohih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ellhffim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kagnipna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpdide32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmmommnl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chahin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abfonl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgmjla32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epimjd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfpllg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aeommfnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egchocif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oeidlc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dilggefh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjjdpdga.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fokqae32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pjlifjjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ngonpgqg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgcmoc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Plbbmjhf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pqfdlmic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ejfnfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbdalg32.dll" | Kdmehh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Odhjmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmjhod32.dll" | Hnkmnpef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhoofpn.dll" | Gakchj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dknejb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pikmob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nanlla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbqpika.dll" | Ohdmhhod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmfoaha.dll" | Jdlefd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Plhfda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kjbnlqld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejmjh32.dll" | Nmgiga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himipmhj.dll" | Acbigfii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hcpejd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bmdgqp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fcaankpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogffpcnh.dll" | Phgjnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Laifbnho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ljdjildq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Goojldgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhjfm32.dll" | Ijipbchn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocehf32.dll" | Ahfmjafa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lbibla32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fffckf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakkigmi.dll" | Pphlokep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Icadpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnolgkcg.dll" | Bbnjphpe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nbnajcig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kcnmjf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pgklcaqi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jojmigpn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ojjanlod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Afojgiei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leiabnbn.dll" | Laifbnho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggniamja.dll" | Nchkjhdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idffib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Paagkq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mnllppfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ohifch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Epmdljal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kkpbbeda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agaigjmi.dll" | Dnqkammo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Acdcdm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhjcmcep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kdmehh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hebckd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jafnhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Idojon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nipgab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Acbigfii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Blfodb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmoehh32.dll" | Ecnbpcje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fndfmljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gqgjlb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhhiqm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mochmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qnlobhne.exe
Suspicious use of WriteProcessMemory 64 IoCs
Columns: description | pid | Process | procid_target (each line below is recorded four times in the report, giving the 64 IoCs)
- PID 3008 wrote to memory of 2520 | 3008 | d2f4ea1e571b033b42bbcbbe88acbba0N.exe | 29
- PID 2520 wrote to memory of 2196 | 2520 | Gonlld32.exe | 30
- PID 2196 wrote to memory of 2112 | 2196 | Hhfqejoh.exe | 31
- PID 2112 wrote to memory of 2804 | 2112 | Hkgjge32.exe | 32
- PID 2804 wrote to memory of 2752 | 2804 | Hgnjlfam.exe | 33
- PID 2752 wrote to memory of 2640 | 2752 | Hcdkagga.exe | 34
- PID 2640 wrote to memory of 852 | 2640 | Hlmpjl32.exe | 35
- PID 852 wrote to memory of 2664 | 852 | Hjqpcq32.exe | 36
- PID 2664 wrote to memory of 2404 | 2664 | Icidlf32.exe | 37
- PID 2404 wrote to memory of 1864 | 2404 | Ipmeej32.exe | 38
- PID 1864 wrote to memory of 1108 | 1864 | Ianambhc.exe | 39
- PID 1108 wrote to memory of 1420 | 1108 | Ikfffh32.exe | 40
- PID 1420 wrote to memory of 1744 | 1420 | Idojon32.exe | 41
- PID 1744 wrote to memory of 2980 | 1744 | Ibehna32.exe | 42
- PID 2980 wrote to memory of 320 | 2980 | Jjqlbdog.exe | 43
- PID 320 wrote to memory of 2384 | 320 | Jciaki32.exe | 44
Processes
Each entry is numbered by its depth in the process tree and lists the image path, the command line as recorded, the PID, and the signatures triggered by that process.
1. C:\Users\Admin\AppData\Local\Temp\d2f4ea1e571b033b42bbcbbe88acbba0N.exe ("C:\Users\Admin\AppData\Local\Temp\d2f4ea1e571b033b42bbcbbe88acbba0N.exe"), PID 3008: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Gonlld32.exe (C:\Windows\system32\Gonlld32.exe), PID 2520: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Hhfqejoh.exe (C:\Windows\system32\Hhfqejoh.exe), PID 2196: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Hkgjge32.exe (C:\Windows\system32\Hkgjge32.exe), PID 2112: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Hgnjlfam.exe (C:\Windows\system32\Hgnjlfam.exe), PID 2804: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Hcdkagga.exe (C:\Windows\system32\Hcdkagga.exe), PID 2752: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hlmpjl32.exe (C:\Windows\system32\Hlmpjl32.exe), PID 2640: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Hjqpcq32.exe (C:\Windows\system32\Hjqpcq32.exe), PID 852: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Icidlf32.exe (C:\Windows\system32\Icidlf32.exe), PID 2664: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ipmeej32.exe (C:\Windows\system32\Ipmeej32.exe), PID 2404: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ianambhc.exe (C:\Windows\system32\Ianambhc.exe), PID 1864: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ikfffh32.exe (C:\Windows\system32\Ikfffh32.exe), PID 1108: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Idojon32.exe (C:\Windows\system32\Idojon32.exe), PID 1420: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ibehna32.exe (C:\Windows\system32\Ibehna32.exe), PID 1744: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Jjqlbdog.exe (C:\Windows\system32\Jjqlbdog.exe), PID 2980: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Jciaki32.exe (C:\Windows\system32\Jciaki32.exe), PID 320: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Jcknqicd.exe (C:\Windows\system32\Jcknqicd.exe), PID 2384: Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Jcmjfiab.exe (C:\Windows\system32\Jcmjfiab.exe), PID 1588: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Jijbnppi.exe (C:\Windows\system32\Jijbnppi.exe), PID 792: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\Jcpglhpo.exe (C:\Windows\system32\Jcpglhpo.exe), PID 1664: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
21. C:\Windows\SysWOW64\Kfqpmc32.exe (C:\Windows\system32\Kfqpmc32.exe), PID 2016: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Kmjhjndm.exe (C:\Windows\system32\Kmjhjndm.exe), PID 1512: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
23. C:\Windows\SysWOW64\Kamncagl.exe (C:\Windows\system32\Kamncagl.exe), PID 2436: Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Kaojiqej.exe (C:\Windows\system32\Kaojiqej.exe), PID 2052: Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Kjgoaflj.exe (C:\Windows\system32\Kjgoaflj.exe), PID 1724: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Kfnpgg32.exe (C:\Windows\system32\Kfnpgg32.exe), PID 3068: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27. C:\Windows\SysWOW64\Lfpllg32.exe (C:\Windows\system32\Lfpllg32.exe), PID 2160: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\Lafpipoa.exe (C:\Windows\system32\Lafpipoa.exe), PID 3052: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Lbgmah32.exe (C:\Windows\system32\Lbgmah32.exe), PID 2456: Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Licbca32.exe (C:\Windows\system32\Licbca32.exe), PID 2084: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Lfgbmf32.exe (C:\Windows\system32\Lfgbmf32.exe), PID 2876: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Lbncbgoh.exe (C:\Windows\system32\Lbncbgoh.exe), PID 2740: Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Mbqpgf32.exe (C:\Windows\system32\Mbqpgf32.exe), PID 2852: Executes dropped EXE
34. C:\Windows\SysWOW64\Mlidplcf.exe (C:\Windows\system32\Mlidplcf.exe), PID 2668: Executes dropped EXE
35. C:\Windows\SysWOW64\Mddidnqa.exe (C:\Windows\system32\Mddidnqa.exe), PID 1716: Executes dropped EXE
36. C:\Windows\SysWOW64\Mojmbg32.exe (C:\Windows\system32\Mojmbg32.exe), PID 3036: Executes dropped EXE; Drops file in System32 directory
37. C:\Windows\SysWOW64\Mggoli32.exe (C:\Windows\system32\Mggoli32.exe), PID 2516: Executes dropped EXE
38. C:\Windows\SysWOW64\Npbpjn32.exe (C:\Windows\system32\Npbpjn32.exe), PID 1808: Executes dropped EXE
39. C:\Windows\SysWOW64\Neohbe32.exe (C:\Windows\system32\Neohbe32.exe), PID 2780: Executes dropped EXE
40. C:\Windows\SysWOW64\Nimaic32.exe (C:\Windows\system32\Nimaic32.exe), PID 944: Executes dropped EXE
41. C:\Windows\SysWOW64\Noiiaj32.exe (C:\Windows\system32\Noiiaj32.exe), PID 2364: Executes dropped EXE
42. C:\Windows\SysWOW64\Ndfbia32.exe (C:\Windows\system32\Ndfbia32.exe), PID 1036: Executes dropped EXE; System Location Discovery: System Language Discovery
43. C:\Windows\SysWOW64\Nkpjfkhf.exe (C:\Windows\system32\Nkpjfkhf.exe), PID 2420: Executes dropped EXE
44. C:\Windows\SysWOW64\Ohdkop32.exe (C:\Windows\system32\Ohdkop32.exe), PID 2496: Executes dropped EXE
45. C:\Windows\SysWOW64\Oamohenq.exe (C:\Windows\system32\Oamohenq.exe), PID 1152: Executes dropped EXE
46. C:\Windows\SysWOW64\Ohfgeo32.exe (C:\Windows\system32\Ohfgeo32.exe), PID 1012: Executes dropped EXE
47. C:\Windows\SysWOW64\Oaolne32.exe (C:\Windows\system32\Oaolne32.exe), PID 2188: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
48. C:\Windows\SysWOW64\Ooiepnen.exe (C:\Windows\system32\Ooiepnen.exe), PID 2308: Executes dropped EXE
49. C:\Windows\SysWOW64\Ommfibdg.exe (C:\Windows\system32\Ommfibdg.exe), PID 2184: Executes dropped EXE
50. C:\Windows\SysWOW64\Polbemck.exe (C:\Windows\system32\Polbemck.exe), PID 1504: Executes dropped EXE
51. C:\Windows\SysWOW64\Ponokmah.exe (C:\Windows\system32\Ponokmah.exe), PID 1596: Executes dropped EXE
52. C:\Windows\SysWOW64\Pfhghgie.exe (C:\Windows\system32\Pfhghgie.exe), PID 2232: Executes dropped EXE
53. C:\Windows\SysWOW64\Pkeppngm.exe (C:\Windows\system32\Pkeppngm.exe), PID 2756: Executes dropped EXE
54. C:\Windows\SysWOW64\Pfjdmggb.exe (C:\Windows\system32\Pfjdmggb.exe), PID 2020: Executes dropped EXE
55. C:\Windows\SysWOW64\Pobhfl32.exe (C:\Windows\system32\Pobhfl32.exe), PID 2888: Executes dropped EXE
56. C:\Windows\SysWOW64\Pikmob32.exe (C:\Windows\system32\Pikmob32.exe), PID 1996: Executes dropped EXE; Modifies registry class
57. C:\Windows\SysWOW64\Pjlifjjb.exe (C:\Windows\system32\Pjlifjjb.exe), PID 1844: Executes dropped EXE; Modifies registry class
58. C:\Windows\SysWOW64\Peandcih.exe (C:\Windows\system32\Peandcih.exe), PID 2932: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
59. C:\Windows\SysWOW64\Qklfqm32.exe (C:\Windows\system32\Qklfqm32.exe), PID 688: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Qmmbhegc.exe (C:\Windows\system32\Qmmbhegc.exe), PID 2316: Executes dropped EXE
61. C:\Windows\SysWOW64\Qcgkeonp.exe (C:\Windows\system32\Qcgkeonp.exe), PID 1260: Executes dropped EXE
62. C:\Windows\SysWOW64\Qnlobhne.exe (C:\Windows\system32\Qnlobhne.exe), PID 2332: Executes dropped EXE; Modifies registry class
63. C:\Windows\SysWOW64\Afhcgjkq.exe (C:\Windows\system32\Afhcgjkq.exe), PID 816: Executes dropped EXE
64. C:\Windows\SysWOW64\Aamhdckg.exe (C:\Windows\system32\Aamhdckg.exe), PID 1708: Executes dropped EXE
65. C:\Windows\SysWOW64\Afjplj32.exe (C:\Windows\system32\Afjplj32.exe), PID 828: Executes dropped EXE; Drops file in System32 directory
66. C:\Windows\SysWOW64\Aihmhe32.exe (C:\Windows\system32\Aihmhe32.exe), PID 1532
67. C:\Windows\SysWOW64\Acnqen32.exe (C:\Windows\system32\Acnqen32.exe), PID 924: System Location Discovery: System Language Discovery
68. C:\Windows\SysWOW64\Aeommfnf.exe (C:\Windows\system32\Aeommfnf.exe), PID 2416: Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
69. C:\Windows\SysWOW64\Apeakonl.exe (C:\Windows\system32\Apeakonl.exe), PID 3028
70. C:\Windows\SysWOW64\Afojgiei.exe (C:\Windows\system32\Afojgiei.exe), PID 856: Modifies registry class
71. C:\Windows\SysWOW64\Anjnllbd.exe (C:\Windows\system32\Anjnllbd.exe), PID 2968
72. C:\Windows\SysWOW64\Ahbcda32.exe (C:\Windows\system32\Ahbcda32.exe), PID 2824
73. C:\Windows\SysWOW64\Bakgmgpe.exe (C:\Windows\system32\Bakgmgpe.exe), PID 912
74. C:\Windows\SysWOW64\Bhdpjaga.exe (C:\Windows\system32\Bhdpjaga.exe), PID 3040
75. C:\Windows\SysWOW64\Bmahbhei.exe (C:\Windows\system32\Bmahbhei.exe), PID 3024: System Location Discovery: System Language Discovery
76. C:\Windows\SysWOW64\Bhglpqeo.exe (C:\Windows\system32\Bhglpqeo.exe), PID 2012: Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Bhiiepcl.exe (C:\Windows\system32\Bhiiepcl.exe), PID 2488
78. C:\Windows\SysWOW64\Bikemiik.exe (C:\Windows\system32\Bikemiik.exe), PID 2192
79. C:\Windows\SysWOW64\Bbcjfn32.exe (C:\Windows\system32\Bbcjfn32.exe), PID 2700
80. C:\Windows\SysWOW64\Bmhncg32.exe (C:\Windows\system32\Bmhncg32.exe), PID 2248
81. C:\Windows\SysWOW64\Bgablmfa.exe (C:\Windows\system32\Bgablmfa.exe), PID 1376: Adds autorun key to be loaded by Explorer.exe on startup
82. C:\Windows\SysWOW64\Clnkdc32.exe (C:\Windows\system32\Clnkdc32.exe), PID 2984: Drops file in System32 directory
83. C:\Windows\SysWOW64\Cialng32.exe (C:\Windows\system32\Cialng32.exe), PID 1992
84. C:\Windows\SysWOW64\Clphjc32.exe (C:\Windows\system32\Clphjc32.exe), PID 2128
85. C:\Windows\SysWOW64\Cehlbihg.exe (C:\Windows\system32\Cehlbihg.exe), PID 2224: Adds autorun key to be loaded by Explorer.exe on startup
86. C:\Windows\SysWOW64\Chghodgj.exe (C:\Windows\system32\Chghodgj.exe), PID 1476
87. C:\Windows\SysWOW64\Cclmlm32.exe (C:\Windows\system32\Cclmlm32.exe), PID 2712
88. C:\Windows\SysWOW64\Cdnicemo.exe (C:\Windows\system32\Cdnicemo.exe), PID 2116
89. C:\Windows\SysWOW64\Ckgapo32.exe (C:\Windows\system32\Ckgapo32.exe), PID 2904
90. C:\Windows\SysWOW64\Cemfnh32.exe (C:\Windows\system32\Cemfnh32.exe), PID 2760
91. C:\Windows\SysWOW64\Cnhjbjam.exe (C:\Windows\system32\Cnhjbjam.exe), PID 976
92. C:\Windows\SysWOW64\Ddbbod32.exe (C:\Windows\system32\Ddbbod32.exe), PID 304
93. C:\Windows\SysWOW64\Dpicceon.exe (C:\Windows\system32\Dpicceon.exe), PID 1812
94. C:\Windows\SysWOW64\Djahmk32.exe (C:\Windows\system32\Djahmk32.exe), PID 2928: Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Ddgljced.exe (C:\Windows\system32\Ddgljced.exe), PID 836: Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
96. C:\Windows\SysWOW64\Djddbkck.exe (C:\Windows\system32\Djddbkck.exe), PID 1736
97. C:\Windows\SysWOW64\Dfjegl32.exe (C:\Windows\system32\Dfjegl32.exe), PID 920
98. C:\Windows\SysWOW64\Dppiddie.exe (C:\Windows\system32\Dppiddie.exe), PID 2536
99. C:\Windows\SysWOW64\Dfmbmkgm.exe (C:\Windows\system32\Dfmbmkgm.exe), PID 1280
100. C:\Windows\SysWOW64\Ekjjebed.exe (C:\Windows\system32\Ekjjebed.exe), PID 2748
101. C:\Windows\SysWOW64\Edbonh32.exe (C:\Windows\system32\Edbonh32.exe), PID 2836
102. C:\Windows\SysWOW64\Eogckqkk.exe (C:\Windows\system32\Eogckqkk.exe), PID 2716: System Location Discovery: System Language Discovery
103. C:\Windows\SysWOW64\Egchocif.exe (C:\Windows\system32\Egchocif.exe), PID 2600: System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Enmplm32.exe (C:\Windows\system32\Enmplm32.exe), PID 1608: System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Ekqqea32.exe (C:\Windows\system32\Ekqqea32.exe), PID 1760
106. C:\Windows\SysWOW64\Ebkibk32.exe (C:\Windows\system32\Ebkibk32.exe), PID 1988
107. C:\Windows\SysWOW64\Eclejclg.exe (C:\Windows\system32\Eclejclg.exe), PID 1820
108. C:\Windows\SysWOW64\Ejfnfn32.exe (C:\Windows\system32\Ejfnfn32.exe), PID 964: Modifies registry class
109. C:\Windows\SysWOW64\Ecnbpcje.exe (C:\Windows\system32\Ecnbpcje.exe), PID 1804: Modifies registry class
110. C:\Windows\SysWOW64\Fndfmljk.exe (C:\Windows\system32\Fndfmljk.exe), PID 564: Modifies registry class
111. C:\Windows\SysWOW64\Fcqoec32.exe (C:\Windows\system32\Fcqoec32.exe), PID 2280
112. C:\Windows\SysWOW64\Fimgmj32.exe (C:\Windows\system32\Fimgmj32.exe), PID 2004
113. C:\Windows\SysWOW64\Fbflfomj.exe (C:\Windows\system32\Fbflfomj.exe), PID 632: Drops file in System32 directory
114. C:\Windows\SysWOW64\Fmkpchmp.exe (C:\Windows\system32\Fmkpchmp.exe), PID 2704
115. C:\Windows\SysWOW64\Fefdhj32.exe (C:\Windows\system32\Fefdhj32.exe), PID 936: System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\Fnoiqpqk.exe (C:\Windows\system32\Fnoiqpqk.exe), PID 436
117. C:\Windows\SysWOW64\Fhgnie32.exe (C:\Windows\system32\Fhgnie32.exe), PID 1680: Drops file in System32 directory
118. C:\Windows\SysWOW64\Gnaffpoi.exe (C:\Windows\system32\Gnaffpoi.exe), PID 2292
119. C:\Windows\SysWOW64\Ghjjoeei.exe (C:\Windows\system32\Ghjjoeei.exe), PID 676
120. C:\Windows\SysWOW64\Gabohk32.exe (C:\Windows\system32\Gabohk32.exe), PID 2252
121. C:\Windows\SysWOW64\Gdpkdf32.exe (C:\Windows\system32\Gdpkdf32.exe), PID 1520
122. C:\Windows\SysWOW64\Glgcec32.exe (C:\Windows\system32\Glgcec32.exe), PID 2348