Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
454779a1b63c0d1a71577405edabcff0N.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
454779a1b63c0d1a71577405edabcff0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
454779a1b63c0d1a71577405edabcff0N.exe
-
Size
95KB
-
MD5
454779a1b63c0d1a71577405edabcff0
-
SHA1
c0b73aa5d1cab563e3ccd6d8286264bbb23e42d0
-
SHA256
cd67ee89d7253c3fc3cbbdaabdd79b04801dab741f11ec3e9a533384131da5c3
-
SHA512
741f8ccec23e11fe1dc406cec74a366d56e81d4ecf0e037d84daf876a89fe99629a96a2eb266719f0f6de86626f3eaa4854446bb7b9a5c82809052905762ae11
-
SSDEEP
1536:YGGGCJEz66nYWVnW8crsFeurvXY+fp2EiFRArRQrSRVRoRch1dROrwpOudRirVtB:Y+d+18WSxImAzFaeeTWM1dQrTOwZtFKO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfaqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlgkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfbjdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccgnelll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjnenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjiljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfnchfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njchfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clnehado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhebhipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhmmcjjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nopaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qekbgbpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaqle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnabffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ligfakaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmddgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfdpjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldpiifb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqmpkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egebjmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhcebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbojjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Biqfpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Embkbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kghmhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnpcpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebakp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjijkmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhhominh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embkbdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Habili32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nopaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqpmimbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fmfalg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neibanod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bopknhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okpdjjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adgein32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mheeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nndgeplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhnqfla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kndbko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kimjhnnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfkeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkiebib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdeoe32.exe -
Executes dropped EXE 64 IoCs
pid Process 2768 Jaeehmko.exe 2916 Jgpndg32.exe 2732 Jecnnk32.exe 2660 Jjpgfbom.exe 2616 Jmocbnop.exe 2820 Kgdgpfnf.exe 868 Kiecgo32.exe 2348 Kihpmnbb.exe 2052 Kpbhjh32.exe 2128 Kijmbnpo.exe 2208 Klhioioc.exe 1064 Kimjhnnl.exe 2144 Klkfdi32.exe 1920 Khagijcd.exe 1296 Kjpceebh.exe 2504 Lonlkcho.exe 1356 Lehdhn32.exe 1480 Lkelpd32.exe 1224 Lmcilp32.exe 1760 Lmeebpkd.exe 2116 Laaabo32.exe 1004 Lpfnckhe.exe 2900 Lcdjpfgh.exe 2336 Mlmoilni.exe 2928 Mcggef32.exe 2620 Miapbpmb.exe 2996 Miclhpjp.exe 1928 Mopdpg32.exe 2520 Maoalb32.exe 2180 Mdmmhn32.exe 2168 Mldeik32.exe 1664 Mobaef32.exe 800 Mneaacno.exe 812 Maanab32.exe 2156 Mdojnm32.exe 2300 Mkibjgli.exe 1860 Moenkf32.exe 3068 Macjgadf.exe 2008 Ndafcmci.exe 908 Ngpcohbm.exe 1276 Njnokdaq.exe 2476 Nnjklb32.exe 612 Naegmabc.exe 1904 Nddcimag.exe 2496 Ngbpehpj.exe 3024 Nknkeg32.exe 1380 Nnlhab32.exe 2764 Nlohmonb.exe 1912 Ndfpnl32.exe 2460 Ngeljh32.exe 1248 Njchfc32.exe 2308 Nnodgbed.exe 964 Nqmqcmdh.exe 2580 Nopaoj32.exe 2292 Nggipg32.exe 2088 Njeelc32.exe 2152 Nldahn32.exe 1844 Nqpmimbe.exe 2364 Ncnjeh32.exe 2148 Nflfad32.exe 276 Nhkbmo32.exe 2920 Oodjjign.exe 1052 Obcffefa.exe 1872 Ofobgc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2688 454779a1b63c0d1a71577405edabcff0N.exe 2688 454779a1b63c0d1a71577405edabcff0N.exe 2768 Jaeehmko.exe 2768 Jaeehmko.exe 2916 Jgpndg32.exe 2916 Jgpndg32.exe 2732 Jecnnk32.exe 2732 Jecnnk32.exe 2660 Jjpgfbom.exe 2660 Jjpgfbom.exe 2616 Jmocbnop.exe 2616 Jmocbnop.exe 2820 Kgdgpfnf.exe 2820 Kgdgpfnf.exe 868 Kiecgo32.exe 868 Kiecgo32.exe 2348 Kihpmnbb.exe 2348 Kihpmnbb.exe 2052 Kpbhjh32.exe 2052 Kpbhjh32.exe 2128 Kijmbnpo.exe 2128 Kijmbnpo.exe 2208 Klhioioc.exe 2208 Klhioioc.exe 1064 Kimjhnnl.exe 1064 Kimjhnnl.exe 2144 Klkfdi32.exe 2144 Klkfdi32.exe 1920 Khagijcd.exe 1920 Khagijcd.exe 1296 Kjpceebh.exe 1296 Kjpceebh.exe 2504 Lonlkcho.exe 2504 Lonlkcho.exe 1356 Lehdhn32.exe 1356 Lehdhn32.exe 1480 Lkelpd32.exe 1480 Lkelpd32.exe 1224 Lmcilp32.exe 1224 Lmcilp32.exe 1760 Lmeebpkd.exe 1760 Lmeebpkd.exe 2116 Laaabo32.exe 2116 Laaabo32.exe 1004 Lpfnckhe.exe 1004 Lpfnckhe.exe 2900 Lcdjpfgh.exe 2900 Lcdjpfgh.exe 2336 Mlmoilni.exe 2336 Mlmoilni.exe 2928 Mcggef32.exe 2928 Mcggef32.exe 2620 Miapbpmb.exe 2620 Miapbpmb.exe 2996 Miclhpjp.exe 2996 Miclhpjp.exe 1928 Mopdpg32.exe 1928 Mopdpg32.exe 2520 Maoalb32.exe 2520 Maoalb32.exe 2180 Mdmmhn32.exe 2180 Mdmmhn32.exe 2168 Mldeik32.exe 2168 Mldeik32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lkmldbcj.exe Lljkif32.exe File created C:\Windows\SysWOW64\Nlldmimi.exe Nhqhmj32.exe File created C:\Windows\SysWOW64\Lehdhn32.exe Lonlkcho.exe File created C:\Windows\SysWOW64\Djafaf32.exe Cbjnqh32.exe File created C:\Windows\SysWOW64\Amglgn32.exe Ailqfooi.exe File opened for modification C:\Windows\SysWOW64\Ajamfh32.exe Afeaei32.exe File created C:\Windows\SysWOW64\Lbmnea32.exe Lpoaheja.exe File created C:\Windows\SysWOW64\Lcdjpfgh.exe Lpfnckhe.exe File created C:\Windows\SysWOW64\Lbojjq32.exe Lpanne32.exe File created C:\Windows\SysWOW64\Okkddd32.exe Occlcg32.exe File created C:\Windows\SysWOW64\Paafmp32.exe Pncjad32.exe File created C:\Windows\SysWOW64\Ihbdhepp.exe Iqllghon.exe File opened for modification C:\Windows\SysWOW64\Qaqlbmbn.exe Qijdqp32.exe File created C:\Windows\SysWOW64\Okkkoj32.exe Omhkcnfg.exe File opened for modification C:\Windows\SysWOW64\Momapqgn.exe Mgfiocfl.exe File created C:\Windows\SysWOW64\Mcofid32.exe Mpqjmh32.exe File opened for modification C:\Windows\SysWOW64\Poacighp.exe Pkfghh32.exe File created C:\Windows\SysWOW64\Dhhdmc32.dll Chhpgn32.exe File created C:\Windows\SysWOW64\Ncnjeh32.exe Nqpmimbe.exe File opened for modification C:\Windows\SysWOW64\Aiaqle32.exe Ajnqphhe.exe File created C:\Windows\SysWOW64\Ollqllod.exe Ojndpqpq.exe File created C:\Windows\SysWOW64\Ckpmmabh.dll Cjmmffgn.exe File created C:\Windows\SysWOW64\Ilmhbk32.dll Gleqdb32.exe File created C:\Windows\SysWOW64\Lhapocoi.exe Kpjhnfof.exe File created C:\Windows\SysWOW64\Kaimoj32.dll Nhcebj32.exe File created C:\Windows\SysWOW64\Hdgkicek.exe Hplphd32.exe File created C:\Windows\SysWOW64\Klhbdclg.exe Kcajceke.exe File opened for modification C:\Windows\SysWOW64\Celpqbon.exe Ccnddg32.exe File created C:\Windows\SysWOW64\Dldbfo32.dll Jmocbnop.exe File created C:\Windows\SysWOW64\Cpiaipmh.exe Clnehado.exe File created C:\Windows\SysWOW64\Beegbq32.dll Peqhgmdd.exe File created C:\Windows\SysWOW64\Peapkpkj.dll Bopknhjd.exe File created C:\Windows\SysWOW64\Hcgqbmgm.dll Kijmbnpo.exe File created C:\Windows\SysWOW64\Bjpjcm32.dll Nepokogo.exe File created C:\Windows\SysWOW64\Hnmcli32.exe Hibgkjee.exe File opened for modification C:\Windows\SysWOW64\Klhbdclg.exe Kcajceke.exe File opened for modification C:\Windows\SysWOW64\Ollqllod.exe Ojndpqpq.exe File created C:\Windows\SysWOW64\Kecfmlgq.dll Cceapl32.exe File created C:\Windows\SysWOW64\Qmpebb32.dll Klhbdclg.exe File opened for modification C:\Windows\SysWOW64\Nikkkn32.exe Nepokogo.exe File created C:\Windows\SysWOW64\Bmnofp32.exe Beggec32.exe File created C:\Windows\SysWOW64\Nliqma32.dll Cpgecq32.exe File opened for modification C:\Windows\SysWOW64\Goapjnoo.exe Glbdnbpk.exe File opened for modification C:\Windows\SysWOW64\Mokdja32.exe Mllhne32.exe File created C:\Windows\SysWOW64\Abdeoe32.exe Apfici32.exe File opened for modification C:\Windows\SysWOW64\Nddcimag.exe Naegmabc.exe File created C:\Windows\SysWOW64\Obecld32.exe Ooggpiek.exe File opened for modification C:\Windows\SysWOW64\Blaobmkq.exe Bmnofp32.exe File created C:\Windows\SysWOW64\Qlggjlep.exe Qhkkim32.exe File created C:\Windows\SysWOW64\Pdkiinlj.dll Pijgbl32.exe File created C:\Windows\SysWOW64\Obhpad32.exe Ooidei32.exe File created C:\Windows\SysWOW64\Imbige32.dll Eifobe32.exe File created C:\Windows\SysWOW64\Ljppckof.dll Goapjnoo.exe File opened for modification C:\Windows\SysWOW64\Bceeqi32.exe Bknmok32.exe File created C:\Windows\SysWOW64\Bknmok32.exe Blkmdodf.exe File opened for modification C:\Windows\SysWOW64\Golgon32.exe Gmkjgfmf.exe File created C:\Windows\SysWOW64\Nakikpin.exe Nommodjj.exe File created C:\Windows\SysWOW64\Fjigapme.dll Ohengmcf.exe File created C:\Windows\SysWOW64\Lfehem32.dll Chmibmlo.exe File created C:\Windows\SysWOW64\Miclhpjp.exe Miapbpmb.exe File opened for modification C:\Windows\SysWOW64\Naegmabc.exe Nnjklb32.exe File created C:\Windows\SysWOW64\Lficmm32.dll Amglgn32.exe File opened for modification C:\Windows\SysWOW64\Clhecl32.exe Chmibmlo.exe File created C:\Windows\SysWOW64\Bedoacoi.dll Bnofaf32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhnqfla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibkmgcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphehidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caenkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jecnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopdpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmjjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfkeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojndpqpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceickb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codeih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgjdong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhaeldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icabeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgjgol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hganjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ongckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdngip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Admgglep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopknhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiecgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miapbpmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbmcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibgkjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joebccpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcngamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amoibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqiiaih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpaohjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 454779a1b63c0d1a71577405edabcff0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaolcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcgnbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffqqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebakp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdfmbjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcacochk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbagpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkbjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfmkjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibpghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimpcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehicoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acohnhab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbobaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obecld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojceef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffmpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncdpdcfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qghgigkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khagijcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moenkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpjlmc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhebhipj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obnbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgpndg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pglojj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncdpdcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laoekk32.dll" Hibgkjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcacochk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiagedmf.dll" Mkdbea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oknhdjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmcilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohefjhb.dll" Pgaahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpbhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaqejn32.dll" Fheoiqgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhbbcail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkfghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbflbd32.dll" Bhmmcjjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pehebbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll" Einebddd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdpehd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iemalkgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmgfgham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbkdpnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afbnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgepogei.dll" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodohnaa.dll" Afeaei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pncjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qemomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aengebaf.dll" Hnmcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbekkd32.dll" Lkelpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncnjeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpopml32.dll" Peeabm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmlmc32.dll" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnfpjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efoifiep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lidilk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegibbeb.dll" Ofdeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjqnpjb.dll" Ooofcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhhkobjh.dll" Macjgadf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aocbokia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Miapbpmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckhpejbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdfahaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgope32.dll" Hlbpme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahcjmkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogiamne.dll" Lehdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nflfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjkn32.dll" Paafmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fabmmejd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Goocenaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obckefai.dll" Nopaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bimphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gefolhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghldgj32.dll" Ikocoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdmmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gekhgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkcmjpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnlhab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjoilfek.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2688 wrote to memory of 2768 2688 454779a1b63c0d1a71577405edabcff0N.exe 30 PID 2688 wrote to memory of 2768 2688 454779a1b63c0d1a71577405edabcff0N.exe 30 PID 2688 wrote to memory of 2768 2688 454779a1b63c0d1a71577405edabcff0N.exe 30 PID 2688 wrote to memory of 2768 2688 454779a1b63c0d1a71577405edabcff0N.exe 30 PID 2768 wrote to memory of 2916 2768 Jaeehmko.exe 31 PID 2768 wrote to memory of 2916 2768 Jaeehmko.exe 31 PID 2768 wrote to memory of 2916 2768 Jaeehmko.exe 31 PID 2768 wrote to memory of 2916 2768 Jaeehmko.exe 31 PID 2916 wrote to memory of 2732 2916 Jgpndg32.exe 32 PID 2916 wrote to memory of 2732 2916 Jgpndg32.exe 32 PID 2916 wrote to memory of 2732 2916 Jgpndg32.exe 32 PID 2916 wrote to memory of 2732 2916 Jgpndg32.exe 32 PID 2732 wrote to memory of 2660 2732 Jecnnk32.exe 33 PID 2732 wrote to memory of 2660 2732 Jecnnk32.exe 33 PID 2732 wrote to memory of 2660 2732 Jecnnk32.exe 33 PID 2732 wrote to memory of 2660 2732 Jecnnk32.exe 33 PID 2660 wrote to memory of 2616 2660 Jjpgfbom.exe 34 PID 2660 wrote to memory of 2616 2660 Jjpgfbom.exe 34 PID 2660 wrote to memory of 2616 2660 Jjpgfbom.exe 34 PID 2660 wrote to memory of 2616 2660 Jjpgfbom.exe 34 PID 2616 wrote to memory of 2820 2616 Jmocbnop.exe 35 PID 2616 wrote to memory of 2820 2616 Jmocbnop.exe 35 PID 2616 wrote to memory of 2820 2616 Jmocbnop.exe 35 PID 2616 wrote to memory of 2820 2616 Jmocbnop.exe 35 PID 2820 wrote to memory of 868 2820 Kgdgpfnf.exe 36 PID 2820 wrote to memory of 868 2820 Kgdgpfnf.exe 36 PID 2820 wrote to memory of 868 2820 Kgdgpfnf.exe 36 PID 2820 wrote to memory of 868 2820 Kgdgpfnf.exe 36 PID 868 wrote to memory of 2348 868 Kiecgo32.exe 37 PID 868 wrote to memory of 2348 868 Kiecgo32.exe 37 PID 868 wrote to memory of 2348 868 Kiecgo32.exe 37 PID 868 wrote to memory of 2348 868 Kiecgo32.exe 37 PID 2348 wrote to memory of 2052 2348 Kihpmnbb.exe 38 PID 2348 wrote to memory of 2052 2348 Kihpmnbb.exe 38 PID 2348 wrote to memory of 2052 2348 Kihpmnbb.exe 38 PID 2348 wrote to memory of 2052 2348 Kihpmnbb.exe 38 PID 2052 wrote to memory of 2128 2052 Kpbhjh32.exe 39 PID 2052 wrote to memory of 2128 2052 Kpbhjh32.exe 39 PID 2052 wrote to memory of 2128 2052 Kpbhjh32.exe 39 PID 2052 wrote to memory of 2128 2052 Kpbhjh32.exe 39 PID 2128 wrote to memory of 2208 2128 Kijmbnpo.exe 40 PID 2128 wrote to memory of 2208 2128 Kijmbnpo.exe 40 PID 2128 wrote to memory of 2208 2128 Kijmbnpo.exe 40 PID 2128 wrote to memory of 2208 2128 Kijmbnpo.exe 40 PID 2208 wrote to memory of 1064 2208 Klhioioc.exe 41 PID 2208 wrote to memory of 1064 2208 Klhioioc.exe 41 PID 2208 wrote to memory of 1064 2208 Klhioioc.exe 41 PID 2208 wrote to memory of 1064 2208 Klhioioc.exe 41 PID 1064 wrote to memory of 2144 1064 Kimjhnnl.exe 42 PID 1064 wrote to memory of 2144 1064 Kimjhnnl.exe 42 PID 1064 wrote to memory of 2144 1064 Kimjhnnl.exe 42 PID 1064 wrote to memory of 2144 1064 Kimjhnnl.exe 42 PID 2144 wrote to memory of 1920 2144 Klkfdi32.exe 43 PID 2144 wrote to memory of 1920 2144 Klkfdi32.exe 43 PID 2144 wrote to memory of 1920 2144 Klkfdi32.exe 43 PID 2144 wrote to memory of 1920 2144 Klkfdi32.exe 43 PID 1920 wrote to memory of 1296 1920 Khagijcd.exe 44 PID 1920 wrote to memory of 1296 1920 Khagijcd.exe 44 PID 1920 wrote to memory of 1296 1920 Khagijcd.exe 44 PID 1920 wrote to memory of 1296 1920 Khagijcd.exe 44 PID 1296 wrote to memory of 2504 1296 Kjpceebh.exe 45 PID 1296 wrote to memory of 2504 1296 Kjpceebh.exe 45 PID 1296 wrote to memory of 2504 1296 Kjpceebh.exe 45 PID 1296 wrote to memory of 2504 1296 Kjpceebh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\454779a1b63c0d1a71577405edabcff0N.exe"C:\Users\Admin\AppData\Local\Temp\454779a1b63c0d1a71577405edabcff0N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Jaeehmko.exeC:\Windows\system32\Jaeehmko.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jjpgfbom.exeC:\Windows\system32\Jjpgfbom.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Kimjhnnl.exeC:\Windows\system32\Kimjhnnl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Lkelpd32.exeC:\Windows\system32\Lkelpd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Miclhpjp.exeC:\Windows\system32\Miclhpjp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Mobaef32.exeC:\Windows\system32\Mobaef32.exe33⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe34⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe35⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe36⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe37⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1860 -
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Ndafcmci.exeC:\Windows\system32\Ndafcmci.exe40⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe42⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Naegmabc.exeC:\Windows\system32\Naegmabc.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe45⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe46⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe47⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe49⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe50⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ngeljh32.exeC:\Windows\system32\Ngeljh32.exe51⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe53⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe54⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe57⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe58⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Ncnjeh32.exeC:\Windows\system32\Ncnjeh32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Nflfad32.exeC:\Windows\system32\Nflfad32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe62⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe63⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe64⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe66⤵PID:792
-
C:\Windows\SysWOW64\Omhkcnfg.exeC:\Windows\system32\Omhkcnfg.exe67⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe68⤵PID:892
-
C:\Windows\SysWOW64\Ooggpiek.exeC:\Windows\system32\Ooggpiek.exe69⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Ofaolcmh.exeC:\Windows\system32\Ofaolcmh.exe71⤵
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe72⤵PID:2064
-
C:\Windows\SysWOW64\Oknhdjko.exeC:\Windows\system32\Oknhdjko.exe73⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe74⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Odflmp32.exeC:\Windows\system32\Odflmp32.exe76⤵PID:772
-
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe77⤵PID:2340
-
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe80⤵PID:2796
-
C:\Windows\SysWOW64\Oqmmbqgd.exeC:\Windows\system32\Oqmmbqgd.exe81⤵PID:2628
-
C:\Windows\SysWOW64\Oehicoom.exeC:\Windows\system32\Oehicoom.exe82⤵
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe83⤵PID:2212
-
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe84⤵PID:692
-
C:\Windows\SysWOW64\Ojeakfnd.exeC:\Windows\system32\Ojeakfnd.exe85⤵PID:1528
-
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe86⤵
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Oekehomj.exeC:\Windows\system32\Oekehomj.exe87⤵PID:2424
-
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe88⤵PID:1836
-
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe89⤵PID:3004
-
C:\Windows\SysWOW64\Pjhnqfla.exeC:\Windows\system32\Pjhnqfla.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Paafmp32.exeC:\Windows\system32\Paafmp32.exe92⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe93⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Pfnoegaf.exeC:\Windows\system32\Pfnoegaf.exe94⤵PID:2416
-
C:\Windows\SysWOW64\Pmhgba32.exeC:\Windows\system32\Pmhgba32.exe95⤵PID:2488
-
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe96⤵PID:856
-
C:\Windows\SysWOW64\Ppgcol32.exeC:\Windows\system32\Ppgcol32.exe97⤵PID:1868
-
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe98⤵PID:1556
-
C:\Windows\SysWOW64\Pjlgle32.exeC:\Windows\system32\Pjlgle32.exe99⤵PID:1924
-
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe100⤵PID:2752
-
C:\Windows\SysWOW64\Plndcmmj.exeC:\Windows\system32\Plndcmmj.exe101⤵PID:1096
-
C:\Windows\SysWOW64\Pfchqf32.exeC:\Windows\system32\Pfchqf32.exe102⤵PID:2384
-
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe103⤵PID:2848
-
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe104⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Pnnmeh32.exeC:\Windows\system32\Pnnmeh32.exe105⤵PID:1512
-
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe106⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Pehebbbh.exeC:\Windows\system32\Pehebbbh.exe107⤵
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe108⤵PID:1244
-
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe109⤵PID:1416
-
C:\Windows\SysWOW64\Qekbgbpf.exeC:\Windows\system32\Qekbgbpf.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Qjgjpi32.exeC:\Windows\system32\Qjgjpi32.exe111⤵PID:1092
-
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe112⤵PID:444
-
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Qemomb32.exeC:\Windows\system32\Qemomb32.exe114⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe115⤵PID:1704
-
C:\Windows\SysWOW64\Qhkkim32.exeC:\Windows\system32\Qhkkim32.exe116⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe118⤵PID:1572
-
C:\Windows\SysWOW64\Adblnnbk.exeC:\Windows\system32\Adblnnbk.exe119⤵PID:2964
-
C:\Windows\SysWOW64\Afqhjj32.exeC:\Windows\system32\Afqhjj32.exe120⤵PID:2600
-
C:\Windows\SysWOW64\Anhpkg32.exeC:\Windows\system32\Anhpkg32.exe121⤵PID:1732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-