Analysis
-
max time kernel
121s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 17:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c7e85e6b3b24615866bdeac4f5bdc340N.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
c7e85e6b3b24615866bdeac4f5bdc340N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c7e85e6b3b24615866bdeac4f5bdc340N.exe
-
Size
285KB
-
MD5
c7e85e6b3b24615866bdeac4f5bdc340
-
SHA1
9a2707d184be8801d8911780fbb682029f55c2eb
-
SHA256
06600a5acdafe44554faea0fb7ca6fd148d07cabc86d7a92a6daff405ab8fa6f
-
SHA512
99dce67f826e38477ea55946ae532d5617d9f40a55129167fb9c796c598d6cb471a6561ab681a382f49fe116b816a4c5456f2b81ea405d08f53777bf7ac502e9
-
SSDEEP
3072:7ixhzWvnVDeirecKVcbMloVRr3uMg0kAqSxYiJ2QM4GKch:WxAycKQIoi7tWa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbjonicb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Effidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdfche32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qjleem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldpdfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhioeof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkopjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbebjpaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llooad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobcekld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdoblckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcmoafph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obamebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdophn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phmkaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jffhec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbmnjenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfjbdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeidob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bijobb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcgebhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmjqhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mklegm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgkeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbgcdmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgdgaflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mneancpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blhifemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doipoldo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajindjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekcdegqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odiagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iglngj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gajlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajibeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahhhgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igfkkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonial32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aflkiapg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dofilm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofdicodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbhmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpndlobg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdfoiki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdapqgom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kacakgip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjmbohhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jodmdboj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mooppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcnkemgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bclnfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmofbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flmlmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdhfdnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjpnjheg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebbgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onkjocjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpcghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdjfmolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ooaflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opaeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccjbobnf.exe -
Executes dropped EXE 64 IoCs
pid Process 2252 Bgqeea32.exe 2796 Bedene32.exe 2744 Ccjbobnf.exe 2856 Ccolja32.exe 2812 Daplmimi.exe 2628 Dofilm32.exe 2504 Empphi32.exe 2276 Eigpmjqg.exe 2632 Fgcgebhd.exe 2128 Fnbhmlkk.exe 3016 Ghnfci32.exe 2280 Gjnbmlmj.exe 1776 Hbnqln32.exe 2316 Hndaao32.exe 2308 Hiblmldn.exe 2228 Infjfblm.exe 1804 Jffhec32.exe 3056 Jigagocd.exe 2180 Jgmofbpk.exe 844 Joicje32.exe 1564 Jinghn32.exe 2528 Khcdijac.exe 656 Kopikdgn.exe 2124 Khhndi32.exe 1524 Kjlgaa32.exe 2992 Ldchdjom.exe 1620 Lcieef32.exe 2840 Lfgaaa32.exe 2864 Lbnbfb32.exe 612 Lflklaoc.exe 1632 Mhlcnl32.exe 2188 Mnlilb32.exe 2388 Mcknjidn.exe 2496 Mcmkoi32.exe 1164 Nfncad32.exe 2956 Nfppfcmj.exe 1016 Nfbmlckg.exe 1468 Nhffikob.exe 2060 Oejgbonl.exe 2440 Ojilqf32.exe 2456 Ofpmegpe.exe 2292 Oddmokoo.exe 700 Obijpgcf.exe 1568 Ppmkilbp.exe 768 Pejcab32.exe 3064 Pobgjhgh.exe 1844 Pihlhagn.exe 1692 Pacqlcdi.exe 1404 Paemac32.exe 1316 Poinkg32.exe 2300 Qajfmbna.exe 2892 Qkbkfh32.exe 2776 Acnpjj32.exe 2688 Alfdcp32.exe 2448 Alhaho32.exe 3028 Bgkeol32.exe 2712 Dimfmeef.exe 2052 Ebekej32.exe 2508 Elnonp32.exe 1264 Edidcb32.exe 2212 Egimdmmc.exe 1800 Ehiiop32.exe 2156 Emfbgg32.exe 2088 Fgnfpm32.exe -
Loads dropped DLL 64 IoCs
pid Process 708 c7e85e6b3b24615866bdeac4f5bdc340N.exe 708 c7e85e6b3b24615866bdeac4f5bdc340N.exe 2252 Bgqeea32.exe 2252 Bgqeea32.exe 2796 Bedene32.exe 2796 Bedene32.exe 2744 Ccjbobnf.exe 2744 Ccjbobnf.exe 2856 Ccolja32.exe 2856 Ccolja32.exe 2812 Daplmimi.exe 2812 Daplmimi.exe 2628 Dofilm32.exe 2628 Dofilm32.exe 2504 Empphi32.exe 2504 Empphi32.exe 2276 Eigpmjqg.exe 2276 Eigpmjqg.exe 2632 Fgcgebhd.exe 2632 Fgcgebhd.exe 2128 Fnbhmlkk.exe 2128 Fnbhmlkk.exe 3016 Ghnfci32.exe 3016 Ghnfci32.exe 2280 Gjnbmlmj.exe 2280 Gjnbmlmj.exe 1776 Hbnqln32.exe 1776 Hbnqln32.exe 2316 Hndaao32.exe 2316 Hndaao32.exe 2308 Hiblmldn.exe 2308 Hiblmldn.exe 2228 Infjfblm.exe 2228 Infjfblm.exe 1804 Jffhec32.exe 1804 Jffhec32.exe 3056 Jigagocd.exe 3056 Jigagocd.exe 2180 Jgmofbpk.exe 2180 Jgmofbpk.exe 844 Joicje32.exe 844 Joicje32.exe 1564 Jinghn32.exe 1564 Jinghn32.exe 2528 Khcdijac.exe 2528 Khcdijac.exe 656 Kopikdgn.exe 656 Kopikdgn.exe 2124 Khhndi32.exe 2124 Khhndi32.exe 1524 Kjlgaa32.exe 1524 Kjlgaa32.exe 2992 Ldchdjom.exe 2992 Ldchdjom.exe 1620 Lcieef32.exe 1620 Lcieef32.exe 2840 Lfgaaa32.exe 2840 Lfgaaa32.exe 2864 Lbnbfb32.exe 2864 Lbnbfb32.exe 612 Lflklaoc.exe 612 Lflklaoc.exe 1632 Mhlcnl32.exe 1632 Mhlcnl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mkmlbc32.exe Mcagma32.exe File created C:\Windows\SysWOW64\Ahhhgh32.exe Anpgdp32.exe File created C:\Windows\SysWOW64\Ikejpa32.dll Ofpmegpe.exe File created C:\Windows\SysWOW64\Oacqge32.dll Bbflkcao.exe File created C:\Windows\SysWOW64\Afjncabj.exe Aamekk32.exe File opened for modification C:\Windows\SysWOW64\Cdmgkl32.exe Ckebbgoj.exe File opened for modification C:\Windows\SysWOW64\Legmpdga.exe Llnhgn32.exe File opened for modification C:\Windows\SysWOW64\Giogonlb.exe Gljfeimi.exe File opened for modification C:\Windows\SysWOW64\Pofnok32.exe Pfnjfepp.exe File created C:\Windows\SysWOW64\Phcdopoi.dll Dfoplkel.exe File created C:\Windows\SysWOW64\Jigagocd.exe Jffhec32.exe File created C:\Windows\SysWOW64\Odiagj32.exe Nkqlodpk.exe File created C:\Windows\SysWOW64\Mdafcaak.dll Ppacfg32.exe File opened for modification C:\Windows\SysWOW64\Nnjnbl32.exe Ncqmbn32.exe File created C:\Windows\SysWOW64\Cibpoi32.exe Cojlfckj.exe File created C:\Windows\SysWOW64\Cfllpb32.dll Gafcahil.exe File created C:\Windows\SysWOW64\Gchligab.dll Kacakgip.exe File created C:\Windows\SysWOW64\Kefjafkp.dll Mgglcqdk.exe File created C:\Windows\SysWOW64\Cnbndbhi.dll Nipgab32.exe File opened for modification C:\Windows\SysWOW64\Mnnhjk32.exe Mhaobd32.exe File opened for modification C:\Windows\SysWOW64\Qfedhb32.exe Pjndca32.exe File created C:\Windows\SysWOW64\Cjaieoko.exe Ccgahe32.exe File created C:\Windows\SysWOW64\Ecabfpff.exe Dldndf32.exe File created C:\Windows\SysWOW64\Gjdgoh32.dll Bjhgjdjd.exe File created C:\Windows\SysWOW64\Lgebaj32.dll Mmmkdo32.exe File created C:\Windows\SysWOW64\Ejqakjgg.dll Kbhckm32.exe File created C:\Windows\SysWOW64\Aehhenpj.dll Nbehjb32.exe File opened for modification C:\Windows\SysWOW64\Lojeda32.exe Lddagi32.exe File created C:\Windows\SysWOW64\Hpamlo32.dll Nbmcjc32.exe File created C:\Windows\SysWOW64\Gbgbmipo.dll Gkgdbh32.exe File opened for modification C:\Windows\SysWOW64\Pneiaidn.exe Piipibff.exe File created C:\Windows\SysWOW64\Halhkamm.dll Enliaf32.exe File opened for modification C:\Windows\SysWOW64\Iaaqkkme.exe Iiflgi32.exe File created C:\Windows\SysWOW64\Iiiapg32.exe Impdeg32.exe File created C:\Windows\SysWOW64\Oecfbi32.dll Bgmjla32.exe File created C:\Windows\SysWOW64\Fdockgqp.exe Fiiono32.exe File opened for modification C:\Windows\SysWOW64\Fhifmcfa.exe Faonqiod.exe File created C:\Windows\SysWOW64\Kaebeiqd.dll Ahgdbk32.exe File created C:\Windows\SysWOW64\Aaeeoihj.exe Afoqbpid.exe File created C:\Windows\SysWOW64\Kbkiab32.dll Lkkcmqcn.exe File opened for modification C:\Windows\SysWOW64\Pijhompm.exe Ppacfg32.exe File created C:\Windows\SysWOW64\Nfhcmkkg.exe Mjabhjec.exe File opened for modification C:\Windows\SysWOW64\Ckpdej32.exe Bjnhpj32.exe File created C:\Windows\SysWOW64\Kfkedoij.dll Dljoac32.exe File created C:\Windows\SysWOW64\Aohoja32.dll Fedinobh.exe File created C:\Windows\SysWOW64\Capopb32.exe Cidklp32.exe File opened for modification C:\Windows\SysWOW64\Bqjcli32.exe Ammjekmg.exe File opened for modification C:\Windows\SysWOW64\Mhlcnl32.exe Lflklaoc.exe File created C:\Windows\SysWOW64\Fnjklkdh.dll Ompgqonl.exe File created C:\Windows\SysWOW64\Aednha32.dll Blcmbmip.exe File opened for modification C:\Windows\SysWOW64\Jnppei32.exe Jckkhplq.exe File created C:\Windows\SysWOW64\Jlbchbqk.dll Kbdmboqk.exe File created C:\Windows\SysWOW64\Oocqan32.dll Paojeafn.exe File created C:\Windows\SysWOW64\Eclqhfpp.exe Eonhbg32.exe File created C:\Windows\SysWOW64\Cmhhkcdp.dll Nnbagfdg.exe File created C:\Windows\SysWOW64\Edbmec32.exe Enedml32.exe File created C:\Windows\SysWOW64\Pdhbhf32.dll Qkbkfh32.exe File opened for modification C:\Windows\SysWOW64\Afoqbpid.exe Alfpab32.exe File opened for modification C:\Windows\SysWOW64\Nkpjfkhf.exe Nceeaikk.exe File created C:\Windows\SysWOW64\Dafeaapg.exe Depelp32.exe File created C:\Windows\SysWOW64\Gfkbpk32.dll Ncqmbn32.exe File created C:\Windows\SysWOW64\Jnjlhomc.dll Kcmfeldm.exe File created C:\Windows\SysWOW64\Hfqlcg32.exe Hmhgjahb.exe File created C:\Windows\SysWOW64\Pfganlfn.dll Qpnkjq32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckopch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejppj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeggkoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfppfcmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njaoeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpjeaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akjjifji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijhompm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjngfjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdciej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kldchgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibjec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdfglhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogodcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkklflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceeaikk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqgnmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdqbbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpjdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdbloobc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odbcnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnboonmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebojbaga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgcbmha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccckabef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qegpbaqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndlanf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgmdbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdihbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mncdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiooocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefnmdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemjieol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnogakma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkbdib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjqdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbcaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moahdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfbcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccqedfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjpipkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacqlcdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaiijgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpdej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecmghkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjcdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnmnojj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keicbcqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqokoeig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnelbdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibeeeijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Occgce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chldbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkfigqjn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Deegjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Empphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcpkl32.dll" Nnnmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chfadndo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eklicjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogilc32.dll" Ahhhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elbkbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbebcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdhbhf32.dll" Qkbkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqiofk32.dll" Ldpbmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Heoadcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkljljko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eaegaaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdjfmolo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iacojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipmdl32.dll" Ccckabef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olafdoej.dll" Iaicpepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnmaga32.dll" Ndadld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omodibcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkkfdmpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piaebfcm.dll" Nbgcdmjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Homfboco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Diklpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmbcmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafacbhp.dll" Qiqpmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjdqigf.dll" Dekgpdqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgmjla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccjbobnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibhieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Coghfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqnhl32.dll" Bmhncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlpdifda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkopjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfanep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkebig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bakjfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebekej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gknhjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnhioeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlikkbga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcfojhhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iccngdqj.dll" Bgedlbfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkmhij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iliehb32.dll" Chkpakla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djfagjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flnpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapfjh32.dll" Nogodcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpepbkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbiadm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdnenjf.dll" Ifhacfhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehiiop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iglngj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mliibj32.dll" Icohfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mbicmfqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mghjcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afamgpga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Giogonlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapdgk32.dll" Lbbmlbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkoqaae.dll" Dnecag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgjgglko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkjnmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeace32.dll" Khhndi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdolga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keeeld32.dll" Ohmneokp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 708 wrote to memory of 2252 708 c7e85e6b3b24615866bdeac4f5bdc340N.exe 29 PID 708 wrote to memory of 2252 708 c7e85e6b3b24615866bdeac4f5bdc340N.exe 29 PID 708 wrote to memory of 2252 708 c7e85e6b3b24615866bdeac4f5bdc340N.exe 29 PID 708 wrote to memory of 2252 708 c7e85e6b3b24615866bdeac4f5bdc340N.exe 29 PID 2252 wrote to memory of 2796 2252 Bgqeea32.exe 30 PID 2252 wrote to memory of 2796 2252 Bgqeea32.exe 30 PID 2252 wrote to memory of 2796 2252 Bgqeea32.exe 30 PID 2252 wrote to memory of 2796 2252 Bgqeea32.exe 30 PID 2796 wrote to memory of 2744 2796 Bedene32.exe 31 PID 2796 wrote to memory of 2744 2796 Bedene32.exe 31 PID 2796 wrote to memory of 2744 2796 Bedene32.exe 31 PID 2796 wrote to memory of 2744 2796 Bedene32.exe 31 PID 2744 wrote to memory of 2856 2744 Ccjbobnf.exe 32 PID 2744 wrote to memory of 2856 2744 Ccjbobnf.exe 32 PID 2744 wrote to memory of 2856 2744 Ccjbobnf.exe 32 PID 2744 wrote to memory of 2856 2744 Ccjbobnf.exe 32 PID 2856 wrote to memory of 2812 2856 Ccolja32.exe 33 PID 2856 wrote to memory of 2812 2856 Ccolja32.exe 33 PID 2856 wrote to memory of 2812 2856 Ccolja32.exe 33 PID 2856 wrote to memory of 2812 2856 Ccolja32.exe 33 PID 2812 wrote to memory of 2628 2812 Daplmimi.exe 34 PID 2812 wrote to memory of 2628 2812 Daplmimi.exe 34 PID 2812 wrote to memory of 2628 2812 Daplmimi.exe 34 PID 2812 wrote to memory of 2628 2812 Daplmimi.exe 34 PID 2628 wrote to memory of 2504 2628 Dofilm32.exe 35 PID 2628 wrote to memory of 2504 2628 Dofilm32.exe 35 PID 2628 wrote to memory of 2504 2628 Dofilm32.exe 35 PID 2628 wrote to memory of 2504 2628 Dofilm32.exe 35 PID 2504 wrote to memory of 2276 2504 Empphi32.exe 36 PID 2504 wrote to memory of 2276 2504 Empphi32.exe 36 PID 2504 wrote to memory of 2276 2504 Empphi32.exe 36 PID 2504 wrote to memory of 2276 2504 Empphi32.exe 36 PID 2276 wrote to memory of 2632 2276 Eigpmjqg.exe 37 PID 2276 wrote to memory of 2632 2276 Eigpmjqg.exe 37 PID 2276 wrote to memory of 2632 2276 Eigpmjqg.exe 37 PID 2276 wrote to memory of 2632 2276 Eigpmjqg.exe 37 PID 2632 wrote to memory of 2128 2632 Fgcgebhd.exe 38 PID 2632 wrote to memory of 2128 2632 Fgcgebhd.exe 38 PID 2632 wrote to memory of 2128 2632 Fgcgebhd.exe 38 PID 2632 wrote to memory of 2128 2632 Fgcgebhd.exe 38 PID 2128 wrote to memory of 3016 2128 Fnbhmlkk.exe 39 PID 2128 wrote to memory of 3016 2128 Fnbhmlkk.exe 39 PID 2128 wrote to memory of 3016 2128 Fnbhmlkk.exe 39 PID 2128 wrote to memory of 3016 2128 Fnbhmlkk.exe 39 PID 3016 wrote to memory of 2280 3016 Ghnfci32.exe 40 PID 3016 wrote to memory of 2280 3016 Ghnfci32.exe 40 PID 3016 wrote to memory of 2280 3016 Ghnfci32.exe 40 PID 3016 wrote to memory of 2280 3016 Ghnfci32.exe 40 PID 2280 wrote to memory of 1776 2280 Gjnbmlmj.exe 41 PID 2280 wrote to memory of 1776 2280 Gjnbmlmj.exe 41 PID 2280 wrote to memory of 1776 2280 Gjnbmlmj.exe 41 PID 2280 wrote to memory of 1776 2280 Gjnbmlmj.exe 41 PID 1776 wrote to memory of 2316 1776 Hbnqln32.exe 42 PID 1776 wrote to memory of 2316 1776 Hbnqln32.exe 42 PID 1776 wrote to memory of 2316 1776 Hbnqln32.exe 42 PID 1776 wrote to memory of 2316 1776 Hbnqln32.exe 42 PID 2316 wrote to memory of 2308 2316 Hndaao32.exe 43 PID 2316 wrote to memory of 2308 2316 Hndaao32.exe 43 PID 2316 wrote to memory of 2308 2316 Hndaao32.exe 43 PID 2316 wrote to memory of 2308 2316 Hndaao32.exe 43 PID 2308 wrote to memory of 2228 2308 Hiblmldn.exe 44 PID 2308 wrote to memory of 2228 2308 Hiblmldn.exe 44 PID 2308 wrote to memory of 2228 2308 Hiblmldn.exe 44 PID 2308 wrote to memory of 2228 2308 Hiblmldn.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7e85e6b3b24615866bdeac4f5bdc340N.exe"C:\Users\Admin\AppData\Local\Temp\c7e85e6b3b24615866bdeac4f5bdc340N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Bedene32.exeC:\Windows\system32\Bedene32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ccjbobnf.exeC:\Windows\system32\Ccjbobnf.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Ccolja32.exeC:\Windows\system32\Ccolja32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Dofilm32.exeC:\Windows\system32\Dofilm32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Empphi32.exeC:\Windows\system32\Empphi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Ghnfci32.exeC:\Windows\system32\Ghnfci32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Gjnbmlmj.exeC:\Windows\system32\Gjnbmlmj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Hndaao32.exeC:\Windows\system32\Hndaao32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Hiblmldn.exeC:\Windows\system32\Hiblmldn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Infjfblm.exeC:\Windows\system32\Infjfblm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Jffhec32.exeC:\Windows\system32\Jffhec32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Jigagocd.exeC:\Windows\system32\Jigagocd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Kopikdgn.exeC:\Windows\system32\Kopikdgn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:656 -
C:\Windows\SysWOW64\Khhndi32.exeC:\Windows\system32\Khhndi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Lcieef32.exeC:\Windows\system32\Lcieef32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Lfgaaa32.exeC:\Windows\system32\Lfgaaa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe33⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe34⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Mcmkoi32.exeC:\Windows\system32\Mcmkoi32.exe35⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe36⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Nfppfcmj.exeC:\Windows\system32\Nfppfcmj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Nfbmlckg.exeC:\Windows\system32\Nfbmlckg.exe38⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe39⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe40⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ojilqf32.exeC:\Windows\system32\Ojilqf32.exe41⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ofpmegpe.exeC:\Windows\system32\Ofpmegpe.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe43⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe44⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe45⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe46⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe47⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe48⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe50⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Poinkg32.exeC:\Windows\system32\Poinkg32.exe51⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Qajfmbna.exeC:\Windows\system32\Qajfmbna.exe52⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe54⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe55⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Alhaho32.exeC:\Windows\system32\Alhaho32.exe56⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Dimfmeef.exeC:\Windows\system32\Dimfmeef.exe58⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Elnonp32.exeC:\Windows\system32\Elnonp32.exe60⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Edidcb32.exeC:\Windows\system32\Edidcb32.exe61⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Egimdmmc.exeC:\Windows\system32\Egimdmmc.exe62⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ehiiop32.exeC:\Windows\system32\Ehiiop32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Emfbgg32.exeC:\Windows\system32\Emfbgg32.exe64⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Fgnfpm32.exeC:\Windows\system32\Fgnfpm32.exe65⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Fpfkhbon.exeC:\Windows\system32\Fpfkhbon.exe66⤵PID:1952
-
C:\Windows\SysWOW64\Flmlmc32.exeC:\Windows\system32\Flmlmc32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Ficilgai.exeC:\Windows\system32\Ficilgai.exe68⤵PID:3012
-
C:\Windows\SysWOW64\Faonqiod.exeC:\Windows\system32\Faonqiod.exe69⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Fhifmcfa.exeC:\Windows\system32\Fhifmcfa.exe70⤵PID:1616
-
C:\Windows\SysWOW64\Gemfghek.exeC:\Windows\system32\Gemfghek.exe71⤵PID:2896
-
C:\Windows\SysWOW64\Gkiooocb.exeC:\Windows\system32\Gkiooocb.exe72⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Ggppdpif.exeC:\Windows\system32\Ggppdpif.exe73⤵PID:2656
-
C:\Windows\SysWOW64\Gafcahil.exeC:\Windows\system32\Gafcahil.exe74⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Gknhjn32.exeC:\Windows\system32\Gknhjn32.exe75⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Gcimop32.exeC:\Windows\system32\Gcimop32.exe76⤵PID:1312
-
C:\Windows\SysWOW64\Gnoaliln.exeC:\Windows\system32\Gnoaliln.exe77⤵PID:776
-
C:\Windows\SysWOW64\Gcljdpke.exeC:\Windows\system32\Gcljdpke.exe78⤵PID:2964
-
C:\Windows\SysWOW64\Hbafel32.exeC:\Windows\system32\Hbafel32.exe79⤵PID:2404
-
C:\Windows\SysWOW64\Hcqcoo32.exeC:\Windows\system32\Hcqcoo32.exe80⤵PID:2204
-
C:\Windows\SysWOW64\Hmighemp.exeC:\Windows\system32\Hmighemp.exe81⤵PID:2384
-
C:\Windows\SysWOW64\Hedllgjk.exeC:\Windows\system32\Hedllgjk.exe82⤵PID:548
-
C:\Windows\SysWOW64\Hbhmfk32.exeC:\Windows\system32\Hbhmfk32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1108 -
C:\Windows\SysWOW64\Hnomkloi.exeC:\Windows\system32\Hnomkloi.exe84⤵PID:236
-
C:\Windows\SysWOW64\Iclfccmq.exeC:\Windows\system32\Iclfccmq.exe85⤵PID:2016
-
C:\Windows\SysWOW64\Ijenpn32.exeC:\Windows\system32\Ijenpn32.exe86⤵PID:1492
-
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe87⤵PID:2468
-
C:\Windows\SysWOW64\Iglkoaad.exeC:\Windows\system32\Iglkoaad.exe88⤵PID:2672
-
C:\Windows\SysWOW64\Ipgpcc32.exeC:\Windows\system32\Ipgpcc32.exe89⤵PID:2716
-
C:\Windows\SysWOW64\Imkqmh32.exeC:\Windows\system32\Imkqmh32.exe90⤵PID:1160
-
C:\Windows\SysWOW64\Ibhieo32.exeC:\Windows\system32\Ibhieo32.exe91⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Jmmmbg32.exeC:\Windows\system32\Jmmmbg32.exe92⤵PID:2908
-
C:\Windows\SysWOW64\Jehbfjia.exeC:\Windows\system32\Jehbfjia.exe93⤵PID:1112
-
C:\Windows\SysWOW64\Jnafop32.exeC:\Windows\system32\Jnafop32.exe94⤵PID:1668
-
C:\Windows\SysWOW64\Jlegic32.exeC:\Windows\system32\Jlegic32.exe95⤵PID:2200
-
C:\Windows\SysWOW64\Jlgcncli.exeC:\Windows\system32\Jlgcncli.exe96⤵PID:2216
-
C:\Windows\SysWOW64\Jephgi32.exeC:\Windows\system32\Jephgi32.exe97⤵PID:1808
-
C:\Windows\SysWOW64\Jmkmlk32.exeC:\Windows\system32\Jmkmlk32.exe98⤵PID:1716
-
C:\Windows\SysWOW64\Kkomepon.exeC:\Windows\system32\Kkomepon.exe99⤵PID:1720
-
C:\Windows\SysWOW64\Kplfmfmf.exeC:\Windows\system32\Kplfmfmf.exe100⤵PID:2144
-
C:\Windows\SysWOW64\Kmpfgklo.exeC:\Windows\system32\Kmpfgklo.exe101⤵PID:2584
-
C:\Windows\SysWOW64\Kekkkm32.exeC:\Windows\system32\Kekkkm32.exe102⤵PID:2868
-
C:\Windows\SysWOW64\Kldchgag.exeC:\Windows\system32\Kldchgag.exe103⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Kcahjqfa.exeC:\Windows\system32\Kcahjqfa.exe104⤵PID:2660
-
C:\Windows\SysWOW64\Khnqbhdi.exeC:\Windows\system32\Khnqbhdi.exe105⤵PID:980
-
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe106⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Lojeda32.exeC:\Windows\system32\Lojeda32.exe107⤵PID:1196
-
C:\Windows\SysWOW64\Lolbjahp.exeC:\Windows\system32\Lolbjahp.exe108⤵PID:1248
-
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe109⤵PID:2036
-
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe110⤵PID:1284
-
C:\Windows\SysWOW64\Lgjcdc32.exeC:\Windows\system32\Lgjcdc32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Lcqdidim.exeC:\Windows\system32\Lcqdidim.exe112⤵PID:1496
-
C:\Windows\SysWOW64\Moahdd32.exeC:\Windows\system32\Moahdd32.exe113⤵
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\Nkhhie32.exeC:\Windows\system32\Nkhhie32.exe114⤵PID:2296
-
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Njaoeq32.exeC:\Windows\system32\Njaoeq32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Nbmcjc32.exeC:\Windows\system32\Nbmcjc32.exe117⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Oclpdf32.exeC:\Windows\system32\Oclpdf32.exe118⤵PID:2512
-
C:\Windows\SysWOW64\Oiiilm32.exeC:\Windows\system32\Oiiilm32.exe119⤵PID:368
-
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Opennf32.exeC:\Windows\system32\Opennf32.exe121⤵PID:1056
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-