Analysis
-
max time kernel
48s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
17-08-2024 02:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f60be94fa57329d23f7a7a8f8afef60N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
8f60be94fa57329d23f7a7a8f8afef60N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8f60be94fa57329d23f7a7a8f8afef60N.exe
-
Size
80KB
-
MD5
8f60be94fa57329d23f7a7a8f8afef60
-
SHA1
b41f22916e4688618279520e31b88f29f38a5a5d
-
SHA256
db60d8e599c9dfba13664877a9c7882435669e5a3da9a64a313bc42796cf7191
-
SHA512
c4e93476c816cbeaf6c26d9caa53dad098fb5c125f92632f83e46fba239073c0e411f5043800d381c6cc4999e5b25f55a6168a54411805cf50037f2fa445d43f
-
SSDEEP
1536:qMCbowwU5LBL0G2tJqf9p9H4Fgmc7kDFo/rfD1dqAbhRQijR/RgpMujAYC+O+Y:rCbf9LBL0RtJCpS5DUfDnLNecVqLAYC1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jacibm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbnhpdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lglmefcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkaeob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hqochjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmqffonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahngomkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meemgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joblkegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlahdkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oggeokoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mecglbfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paafmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmgfgham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmecbkgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imogcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbfkeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogdaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gieommdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkfojakp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogohdeam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiokholk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffjljmla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdiahco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfnchfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iifghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhdjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iafofkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhlbbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcebj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmepdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofaolcmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhpad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpgibbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blaobmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnkffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hafbghhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkfkidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncipjieo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piadma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdjoii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imacijjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlahdkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbfjkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhfajia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjhnqfla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhbbcail.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qanolm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2252 Gckfpc32.exe 2684 Gieommdc.exe 2764 Gpogiglp.exe 2696 Gigkbm32.exe 848 Glfgnh32.exe 2080 Genlgnhd.exe 604 Hijhhl32.exe 2468 Hcblqb32.exe 540 Haemloni.exe 1236 Hkmaed32.exe 584 Hagianlf.exe 2008 Hdefnjkj.exe 2320 Hlmnogkl.exe 1696 Hkpnjd32.exe 2212 Hokjkbkp.exe 2016 Hajfgnjc.exe 1672 Hfebhmbm.exe 1828 Hdhbci32.exe 1664 Hgfooe32.exe 1456 Hkbkpcpd.exe 1496 Hnpgloog.exe 1964 Halcmn32.exe 2232 Hqochjnk.exe 2204 Hdjoii32.exe 1680 Hhfkihon.exe 2668 Hgiked32.exe 2648 Hnbcaome.exe 2908 Hbnpbm32.exe 2636 Idmlniea.exe 1148 Icplje32.exe 1656 Igkhjdde.exe 348 Ijidfpci.exe 1460 Inepgn32.exe 812 Iqcmcj32.exe 664 Idohdhbo.exe 2848 Igmepdbc.exe 1524 Ingmmn32.exe 2304 Iqfiii32.exe 2112 Ioiidfon.exe 2496 Igpaec32.exe 332 Ijnnao32.exe 2388 Immjnj32.exe 1932 Iqhfnifq.exe 2296 Iokfjf32.exe 2104 Icfbkded.exe 1592 Ifengpdh.exe 1420 Iickckcl.exe 2584 Imogcj32.exe 1120 Ikagogco.exe 2504 Iomcpe32.exe 1268 Iciopdca.exe 2004 Ifgklp32.exe 2540 Ifgklp32.exe 1356 Iifghk32.exe 1560 Imacijjb.exe 2824 Jbnlaqhi.exe 2412 Jfjhbo32.exe 1140 Jihdnk32.exe 2732 Jgkdigfa.exe 1088 Jkfpjf32.exe 2868 Joblkegc.exe 3064 Jnemfa32.exe 2956 Jacibm32.exe 1940 Jijacjnc.exe -
Loads dropped DLL 64 IoCs
pid Process 2716 8f60be94fa57329d23f7a7a8f8afef60N.exe 2716 8f60be94fa57329d23f7a7a8f8afef60N.exe 2252 Gckfpc32.exe 2252 Gckfpc32.exe 2684 Gieommdc.exe 2684 Gieommdc.exe 2764 Gpogiglp.exe 2764 Gpogiglp.exe 2696 Gigkbm32.exe 2696 Gigkbm32.exe 848 Glfgnh32.exe 848 Glfgnh32.exe 2080 Genlgnhd.exe 2080 Genlgnhd.exe 604 Hijhhl32.exe 604 Hijhhl32.exe 2468 Hcblqb32.exe 2468 Hcblqb32.exe 540 Haemloni.exe 540 Haemloni.exe 1236 Hkmaed32.exe 1236 Hkmaed32.exe 584 Hagianlf.exe 584 Hagianlf.exe 2008 Hdefnjkj.exe 2008 Hdefnjkj.exe 2320 Hlmnogkl.exe 2320 Hlmnogkl.exe 1696 Hkpnjd32.exe 1696 Hkpnjd32.exe 2212 Hokjkbkp.exe 2212 Hokjkbkp.exe 2016 Hajfgnjc.exe 2016 Hajfgnjc.exe 1672 Hfebhmbm.exe 1672 Hfebhmbm.exe 1828 Hdhbci32.exe 1828 Hdhbci32.exe 1664 Hgfooe32.exe 1664 Hgfooe32.exe 1456 Hkbkpcpd.exe 1456 Hkbkpcpd.exe 1496 Hnpgloog.exe 1496 Hnpgloog.exe 1964 Halcmn32.exe 1964 Halcmn32.exe 2232 Hqochjnk.exe 2232 Hqochjnk.exe 2204 Hdjoii32.exe 2204 Hdjoii32.exe 1680 Hhfkihon.exe 1680 Hhfkihon.exe 2668 Hgiked32.exe 2668 Hgiked32.exe 2648 Hnbcaome.exe 2648 Hnbcaome.exe 2908 Hbnpbm32.exe 2908 Hbnpbm32.exe 2636 Idmlniea.exe 2636 Idmlniea.exe 1148 Icplje32.exe 1148 Icplje32.exe 1656 Igkhjdde.exe 1656 Igkhjdde.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qfkgdd32.exe Qghgigkn.exe File created C:\Windows\SysWOW64\Lmcilp32.exe Lophacfl.exe File opened for modification C:\Windows\SysWOW64\Mlolnllf.exe Mhdpnm32.exe File created C:\Windows\SysWOW64\Ibkhgp32.dll Manjaldo.exe File created C:\Windows\SysWOW64\Blobmm32.exe Biqfpb32.exe File created C:\Windows\SysWOW64\Khqplf32.dll Ddppmclb.exe File created C:\Windows\SysWOW64\Imbige32.dll Ejcofica.exe File created C:\Windows\SysWOW64\Hdeoccgn.exe Hafbghhj.exe File opened for modification C:\Windows\SysWOW64\Ihiabfhk.exe Hghdjn32.exe File created C:\Windows\SysWOW64\Ihlnhffh.exe Iemalkgd.exe File created C:\Windows\SysWOW64\Kkalcdao.exe Kmnlhg32.exe File opened for modification C:\Windows\SysWOW64\Nndgeplo.exe Nkfkidmk.exe File created C:\Windows\SysWOW64\Jnifaajh.exe Jjnjqb32.exe File opened for modification C:\Windows\SysWOW64\Maanab32.exe Mneaacno.exe File opened for modification C:\Windows\SysWOW64\Hhlaiccm.exe Hememgdi.exe File created C:\Windows\SysWOW64\Binikb32.exe Bfpmog32.exe File opened for modification C:\Windows\SysWOW64\Kfidqb32.exe Kbnhpdke.exe File created C:\Windows\SysWOW64\Mokkegmm.exe Mpikik32.exe File opened for modification C:\Windows\SysWOW64\Hqochjnk.exe Halcmn32.exe File created C:\Windows\SysWOW64\Hmmobd32.dll Lpckce32.exe File created C:\Windows\SysWOW64\Kfggkc32.exe Kgdgpfnf.exe File created C:\Windows\SysWOW64\Bihgmdih.exe Bfjkphjd.exe File created C:\Windows\SysWOW64\Iqllghon.exe Iojopp32.exe File created C:\Windows\SysWOW64\Qjqnkk32.dll Aicfgn32.exe File created C:\Windows\SysWOW64\Algllb32.dll Hcblqb32.exe File created C:\Windows\SysWOW64\Icfbkded.exe Iokfjf32.exe File created C:\Windows\SysWOW64\Ejapnc32.dll Moenkf32.exe File created C:\Windows\SysWOW64\Cmpbigma.dll Bjiljf32.exe File created C:\Windows\SysWOW64\Kneibo32.dll Fikelhib.exe File opened for modification C:\Windows\SysWOW64\Ojdjqp32.exe Obnbpb32.exe File opened for modification C:\Windows\SysWOW64\Afndjdpe.exe Acohnhab.exe File opened for modification C:\Windows\SysWOW64\Beldao32.exe Bmelpa32.exe File created C:\Windows\SysWOW64\Hjhlmfio.dll Hnpgloog.exe File created C:\Windows\SysWOW64\Lfkfhl32.dll Lljkif32.exe File created C:\Windows\SysWOW64\Nfiebi32.dll Halcmn32.exe File created C:\Windows\SysWOW64\Opdnkeqd.dll Ogdhik32.exe File created C:\Windows\SysWOW64\Egebjmdn.exe Ecjgio32.exe File created C:\Windows\SysWOW64\Ekpbgbme.dll Knaeeo32.exe File opened for modification C:\Windows\SysWOW64\Pcmoie32.exe Pkfghh32.exe File created C:\Windows\SysWOW64\Ceipknjl.dll Hbnpbm32.exe File created C:\Windows\SysWOW64\Onjgkf32.exe Omhkcnfg.exe File created C:\Windows\SysWOW64\Dhgccbhp.exe Donojm32.exe File created C:\Windows\SysWOW64\Eqngcc32.exe Embkbdce.exe File opened for modification C:\Windows\SysWOW64\Bphaglgo.exe Bmjekahk.exe File created C:\Windows\SysWOW64\Bbikig32.exe Bpjnmlel.exe File created C:\Windows\SysWOW64\Eeebeabe.dll Lkelpd32.exe File created C:\Windows\SysWOW64\Ddnpnigl.dll Mkgeehnl.exe File created C:\Windows\SysWOW64\Ogcgmi32.dll Laaabo32.exe File opened for modification C:\Windows\SysWOW64\Keiqlihp.exe Kffqqm32.exe File created C:\Windows\SysWOW64\Gckfpc32.exe 8f60be94fa57329d23f7a7a8f8afef60N.exe File opened for modification C:\Windows\SysWOW64\Ndlbmk32.exe Nanfqo32.exe File created C:\Windows\SysWOW64\Mkgeehnl.exe Mkgeehnl.exe File created C:\Windows\SysWOW64\Bfqhifni.dll Mghfdcdi.exe File created C:\Windows\SysWOW64\Fbhfajia.exe Fhbbcail.exe File created C:\Windows\SysWOW64\Hgfheodo.exe Hplphd32.exe File opened for modification C:\Windows\SysWOW64\Gllnnc32.exe Gjjafkpe.exe File created C:\Windows\SysWOW64\Kipdmjne.dll Bfmqigba.exe File opened for modification C:\Windows\SysWOW64\Pcdldknm.exe Piohgbng.exe File created C:\Windows\SysWOW64\Amhcad32.exe Anecfgdc.exe File created C:\Windows\SysWOW64\Amoaeb32.dll Jjlmkb32.exe File created C:\Windows\SysWOW64\Dofohkkf.dll Kmclmm32.exe File created C:\Windows\SysWOW64\Ipgfpp32.dll Amjiln32.exe File created C:\Windows\SysWOW64\Nnlhab32.exe Ngbpehpj.exe File created C:\Windows\SysWOW64\Jagmhnkn.dll Maiqfl32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnjmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpogiglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcien32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbpme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iemalkgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clhecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coindgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqhfnifq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijiaabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmoilni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdhik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmbdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhgba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qanolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmficl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addhcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgnelll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkgdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhehpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofkoamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcjoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bobleeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokjkbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miocmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihgmdih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momapqgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manjaldo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogohdeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqjibkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopknhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldhgnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlgle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabngjla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nepokogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoleb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobhdhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpmog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beggec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piohgbng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklfia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglfcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbipolj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdbea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcemnopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffpjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmepdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdigfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkgldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladgkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojndpqpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndgeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegnglnm.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jajocl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhflcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhmbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoeadjbl.dll" Nckmpicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meemgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chofhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnpgloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeapidjc.dll" Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjeji32.dll" Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpgan32.dll" Pgcnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbqjqehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfoepmg.dll" Eclcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakabjnn.dll" Mgmoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnenhj32.dll" Jajocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpbgbme.dll" Knaeeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldjmidcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdedod32.dll" Mgnfji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Objmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fedfgejh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abjeejep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clkicbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmgfgham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lofkoamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijnnao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihnjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll" Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhmod32.dll" Kfidqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiefbk32.dll" Oqepgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdodmlcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jijacjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Monhjgkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oekehomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llpaflnl.dll" Beldao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Apkbnibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blobmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkagib32.dll" Ojeakfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljfocan.dll" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbchkime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbigm32.dll" Dhdfmbjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eclcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll" Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfjgc32.dll" Cobhdhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amljgema.dll" Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfdfc32.dll" Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogdhik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leaohdkk.dll" Glnkcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcckibfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdjihgef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpfbegei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipoidefp.dll" Camnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkmjjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcoanb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacil32.dll" Cjhckg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mebpakbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khojcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npfjbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcjcede.dll" Gjjafkpe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2252 2716 8f60be94fa57329d23f7a7a8f8afef60N.exe 30 PID 2716 wrote to memory of 2252 2716 8f60be94fa57329d23f7a7a8f8afef60N.exe 30 PID 2716 wrote to memory of 2252 2716 8f60be94fa57329d23f7a7a8f8afef60N.exe 30 PID 2716 wrote to memory of 2252 2716 8f60be94fa57329d23f7a7a8f8afef60N.exe 30 PID 2252 wrote to memory of 2684 2252 Gckfpc32.exe 31 PID 2252 wrote to memory of 2684 2252 Gckfpc32.exe 31 PID 2252 wrote to memory of 2684 2252 Gckfpc32.exe 31 PID 2252 wrote to memory of 2684 2252 Gckfpc32.exe 31 PID 2684 wrote to memory of 2764 2684 Gieommdc.exe 32 PID 2684 wrote to memory of 2764 2684 Gieommdc.exe 32 PID 2684 wrote to memory of 2764 2684 Gieommdc.exe 32 PID 2684 wrote to memory of 2764 2684 Gieommdc.exe 32 PID 2764 wrote to memory of 2696 2764 Gpogiglp.exe 33 PID 2764 wrote to memory of 2696 2764 Gpogiglp.exe 33 PID 2764 wrote to memory of 2696 2764 Gpogiglp.exe 33 PID 2764 wrote to memory of 2696 2764 Gpogiglp.exe 33 PID 2696 wrote to memory of 848 2696 Gigkbm32.exe 34 PID 2696 wrote to memory of 848 2696 Gigkbm32.exe 34 PID 2696 wrote to memory of 848 2696 Gigkbm32.exe 34 PID 2696 wrote to memory of 848 2696 Gigkbm32.exe 34 PID 848 wrote to memory of 2080 848 Glfgnh32.exe 35 PID 848 wrote to memory of 2080 848 Glfgnh32.exe 35 PID 848 wrote to memory of 2080 848 Glfgnh32.exe 35 PID 848 wrote to memory of 2080 848 Glfgnh32.exe 35 PID 2080 wrote to memory of 604 2080 Genlgnhd.exe 36 PID 2080 wrote to memory of 604 2080 Genlgnhd.exe 36 PID 2080 wrote to memory of 604 2080 Genlgnhd.exe 36 PID 2080 wrote to memory of 604 2080 Genlgnhd.exe 36 PID 604 wrote to memory of 2468 604 Hijhhl32.exe 37 PID 604 wrote to memory of 2468 604 Hijhhl32.exe 37 PID 604 wrote to memory of 2468 604 Hijhhl32.exe 37 PID 604 wrote to memory of 2468 604 Hijhhl32.exe 37 PID 2468 wrote to memory of 540 2468 Hcblqb32.exe 38 PID 2468 wrote to memory of 540 2468 Hcblqb32.exe 38 PID 2468 wrote to memory of 540 2468 Hcblqb32.exe 38 PID 2468 wrote to memory of 540 2468 Hcblqb32.exe 38 PID 540 wrote to memory of 1236 540 Haemloni.exe 39 PID 540 wrote to memory of 1236 540 Haemloni.exe 39 PID 540 wrote to memory of 1236 540 Haemloni.exe 39 PID 540 wrote to memory of 1236 540 Haemloni.exe 39 PID 1236 wrote to memory of 584 1236 Hkmaed32.exe 40 PID 1236 wrote to memory of 584 1236 Hkmaed32.exe 40 PID 1236 wrote to memory of 584 1236 Hkmaed32.exe 40 PID 1236 wrote to memory of 584 1236 Hkmaed32.exe 40 PID 584 wrote to memory of 2008 584 Hagianlf.exe 41 PID 584 wrote to memory of 2008 584 Hagianlf.exe 41 PID 584 wrote to memory of 2008 584 Hagianlf.exe 41 PID 584 wrote to memory of 2008 584 Hagianlf.exe 41 PID 2008 wrote to memory of 2320 2008 Hdefnjkj.exe 42 PID 2008 wrote to memory of 2320 2008 Hdefnjkj.exe 42 PID 2008 wrote to memory of 2320 2008 Hdefnjkj.exe 42 PID 2008 wrote to memory of 2320 2008 Hdefnjkj.exe 42 PID 2320 wrote to memory of 1696 2320 Hlmnogkl.exe 43 PID 2320 wrote to memory of 1696 2320 Hlmnogkl.exe 43 PID 2320 wrote to memory of 1696 2320 Hlmnogkl.exe 43 PID 2320 wrote to memory of 1696 2320 Hlmnogkl.exe 43 PID 1696 wrote to memory of 2212 1696 Hkpnjd32.exe 44 PID 1696 wrote to memory of 2212 1696 Hkpnjd32.exe 44 PID 1696 wrote to memory of 2212 1696 Hkpnjd32.exe 44 PID 1696 wrote to memory of 2212 1696 Hkpnjd32.exe 44 PID 2212 wrote to memory of 2016 2212 Hokjkbkp.exe 45 PID 2212 wrote to memory of 2016 2212 Hokjkbkp.exe 45 PID 2212 wrote to memory of 2016 2212 Hokjkbkp.exe 45 PID 2212 wrote to memory of 2016 2212 Hokjkbkp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f60be94fa57329d23f7a7a8f8afef60N.exe"C:\Users\Admin\AppData\Local\Temp\8f60be94fa57329d23f7a7a8f8afef60N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Gieommdc.exeC:\Windows\system32\Gieommdc.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Gpogiglp.exeC:\Windows\system32\Gpogiglp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Glfgnh32.exeC:\Windows\system32\Glfgnh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Hcblqb32.exeC:\Windows\system32\Hcblqb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Hagianlf.exeC:\Windows\system32\Hagianlf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Hdefnjkj.exeC:\Windows\system32\Hdefnjkj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Hlmnogkl.exeC:\Windows\system32\Hlmnogkl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Hfebhmbm.exeC:\Windows\system32\Hfebhmbm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Hdhbci32.exeC:\Windows\system32\Hdhbci32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1456 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Halcmn32.exeC:\Windows\system32\Halcmn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Hdjoii32.exeC:\Windows\system32\Hdjoii32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Hhfkihon.exeC:\Windows\system32\Hhfkihon.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Hnbcaome.exeC:\Windows\system32\Hnbcaome.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Hbnpbm32.exeC:\Windows\system32\Hbnpbm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe33⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Inepgn32.exeC:\Windows\system32\Inepgn32.exe34⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe35⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe36⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Igmepdbc.exeC:\Windows\system32\Igmepdbc.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe38⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Iqfiii32.exeC:\Windows\system32\Iqfiii32.exe39⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Ioiidfon.exeC:\Windows\system32\Ioiidfon.exe40⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Igpaec32.exeC:\Windows\system32\Igpaec32.exe41⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Immjnj32.exeC:\Windows\system32\Immjnj32.exe43⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Iokfjf32.exeC:\Windows\system32\Iokfjf32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Icfbkded.exeC:\Windows\system32\Icfbkded.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe47⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Iickckcl.exeC:\Windows\system32\Iickckcl.exe48⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe50⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe51⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Iciopdca.exeC:\Windows\system32\Iciopdca.exe52⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe53⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe54⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Jbnlaqhi.exeC:\Windows\system32\Jbnlaqhi.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe58⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe59⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Jgkdigfa.exeC:\Windows\system32\Jgkdigfa.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Jkfpjf32.exeC:\Windows\system32\Jkfpjf32.exe61⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Joblkegc.exeC:\Windows\system32\Joblkegc.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe63⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Jijacjnc.exeC:\Windows\system32\Jijacjnc.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe66⤵PID:1360
-
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe67⤵PID:2084
-
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe69⤵PID:1632
-
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe70⤵PID:1820
-
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe71⤵PID:2692
-
C:\Windows\SysWOW64\Jcdadhjb.exeC:\Windows\system32\Jcdadhjb.exe72⤵PID:1884
-
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe73⤵PID:1096
-
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe74⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe75⤵PID:1704
-
C:\Windows\SysWOW64\Jmlfmn32.exeC:\Windows\system32\Jmlfmn32.exe76⤵PID:2576
-
C:\Windows\SysWOW64\Jgbjjf32.exeC:\Windows\system32\Jgbjjf32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Jjpgfbom.exeC:\Windows\system32\Jjpgfbom.exe78⤵PID:3024
-
C:\Windows\SysWOW64\Jnlbgq32.exeC:\Windows\system32\Jnlbgq32.exe79⤵PID:1812
-
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe80⤵PID:1908
-
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe81⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe82⤵PID:2708
-
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe83⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe84⤵PID:1472
-
C:\Windows\SysWOW64\Kjbclamj.exeC:\Windows\system32\Kjbclamj.exe85⤵PID:2044
-
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe86⤵PID:2748
-
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe87⤵PID:2856
-
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe89⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe90⤵PID:2812
-
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe92⤵PID:1076
-
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe93⤵PID:2800
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe94⤵PID:2532
-
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe95⤵PID:2600
-
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe96⤵PID:2260
-
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe98⤵PID:764
-
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:684 -
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe100⤵PID:1396
-
C:\Windows\SysWOW64\Keango32.exeC:\Windows\system32\Keango32.exe101⤵PID:804
-
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe102⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe103⤵PID:2964
-
C:\Windows\SysWOW64\Kpfbegei.exeC:\Windows\system32\Kpfbegei.exe104⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe105⤵PID:2348
-
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe106⤵PID:2840
-
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe107⤵PID:3048
-
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe108⤵PID:1156
-
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe109⤵PID:2064
-
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe110⤵PID:2796
-
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe111⤵PID:2340
-
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe112⤵PID:2024
-
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe113⤵PID:1612
-
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe114⤵PID:2968
-
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe116⤵PID:1528
-
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe117⤵PID:2344
-
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe118⤵PID:1000
-
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe119⤵PID:2356
-
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe120⤵PID:3068
-
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe121⤵PID:2644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-