Analysis
-
max time kernel
116s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23/08/2024, 09:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e556d89e4d8c3cefce046ebdc7c9d2a0N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
e556d89e4d8c3cefce046ebdc7c9d2a0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e556d89e4d8c3cefce046ebdc7c9d2a0N.exe
-
Size
2.2MB
-
MD5
e556d89e4d8c3cefce046ebdc7c9d2a0
-
SHA1
9b484b8bfb048b7136991f359d4d1b1fefd54701
-
SHA256
566ecfcdaf842968465edd7837b02cc225f951ad9f4592b0ba65235812e3e830
-
SHA512
d7369dcf22cee54561d3fe283bea69cfaa66715451358e2f680c9570424bf03deff2d104fb7b21ce3973db64df527e7a64cc6631a91c3a4bcdb9b00baff2d356
-
SSDEEP
24576:O0Tq5hM5Dgq5h3q5hL6X1q5h3q5hPPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNb:OUI6BbazR0vKLXZb
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhjcbljf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emioab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdflaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmonbbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfljnejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcedmkmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agckiqgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgfgbek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omjnhiiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlcahgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbpnjdkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbfkceca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlefjnno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcggga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjfhbpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncoaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeglbeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgnblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" e556d89e4d8c3cefce046ebdc7c9d2a0N.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajfdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbngeadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fljlom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icciccmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llngbabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojeodga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiqomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmlpjdgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oojalb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abflfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hllcfnhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcaeea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkcmild.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjcbljf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkegbpca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfngcdhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohdbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaflio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kalcik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oooaah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clijablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ignnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijlkfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjjghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gclafmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeodqocd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdfho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofijnbkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cepadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbbmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odedipge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmgfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efampahd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaooihb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdaile32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdnebc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2088 Ckbncapd.exe 3960 Cigkdmel.exe 4216 Cgklmacf.exe 396 Ccblbb32.exe 4856 Cmgqpkip.exe 1104 Cdaile32.exe 3376 Dinael32.exe 944 Dphiaffa.exe 3632 Dknnoofg.exe 3288 Dahfkimd.exe 3712 Ddfbgelh.exe 704 Dkpjdo32.exe 1932 Dnngpj32.exe 2792 Dggkipii.exe 3832 Dnqcfjae.exe 3624 Ddklbd32.exe 2236 Dkedonpo.exe 2360 Daollh32.exe 4912 Dcphdqmj.exe 4200 Ejjaqk32.exe 3104 Eaaiahei.exe 3936 Ecbeip32.exe 2268 Ejlnfjbd.exe 3236 Epffbd32.exe 1220 Egpnooan.exe 4792 Enjfli32.exe 2284 Eddnic32.exe 640 Egbken32.exe 3168 Enlcahgh.exe 1764 Edfknb32.exe 812 Egegjn32.exe 3548 Enopghee.exe 3700 Eqmlccdi.exe 2292 Fggdpnkf.exe 4256 Fnalmh32.exe 780 Fqphic32.exe 4156 Fgiaemic.exe 4416 Fncibg32.exe 2932 Fqbeoc32.exe 948 Fglnkm32.exe 4016 Fnffhgon.exe 5152 Fdpnda32.exe 5192 Fkjfakng.exe 5232 Fbdnne32.exe 5272 Fdbkja32.exe 5312 Fklcgk32.exe 5352 Fbfkceca.exe 5392 Gcghkm32.exe 5432 Gkoplk32.exe 5472 Gbhhieao.exe 5512 Gcjdam32.exe 5552 Gjcmngnj.exe 5592 Gbkdod32.exe 5632 Gclafmej.exe 5672 Gjficg32.exe 5712 Gqpapacd.exe 5752 Gkefmjcj.exe 5792 Gbpnjdkg.exe 5832 Gdnjfojj.exe 5872 Gglfbkin.exe 5912 Gjkbnfha.exe 5952 Hqdkkp32.exe 5992 Hgocgjgk.exe 6032 Hjmodffo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Onlaqbaj.dll Ghcbohpp.exe File created C:\Windows\SysWOW64\Iooodacm.dll Mfmpob32.exe File created C:\Windows\SysWOW64\Kmjaeema.dll Obidcdfo.exe File created C:\Windows\SysWOW64\Jdbdgngl.dll Engaon32.exe File opened for modification C:\Windows\SysWOW64\Fkehdnee.exe Fbjcplhj.exe File opened for modification C:\Windows\SysWOW64\Fbqiak32.exe Fkiapn32.exe File opened for modification C:\Windows\SysWOW64\Pnknim32.exe Pdbiphhi.exe File created C:\Windows\SysWOW64\Epanfaei.dll Mhfmbl32.exe File created C:\Windows\SysWOW64\Dejhkj32.dll Dcmedk32.exe File created C:\Windows\SysWOW64\Aclghpae.dll Mankaked.exe File created C:\Windows\SysWOW64\Oljoen32.exe Nfpghccm.exe File opened for modification C:\Windows\SysWOW64\Ilcjgm32.exe Ijdnka32.exe File created C:\Windows\SysWOW64\Dbfjih32.dll Akfdcq32.exe File created C:\Windows\SysWOW64\Bcbeqaia.exe Bmimdg32.exe File created C:\Windows\SysWOW64\Apfemf32.dll Knifging.exe File created C:\Windows\SysWOW64\Pljpbhin.dll Phfhfa32.exe File created C:\Windows\SysWOW64\Hebkid32.exe Hikkdc32.exe File opened for modification C:\Windows\SysWOW64\Hjfbjdnd.exe Hghfnioq.exe File created C:\Windows\SysWOW64\Gkefmjcj.exe Gqpapacd.exe File created C:\Windows\SysWOW64\Llimgb32.exe Ldbefe32.exe File opened for modification C:\Windows\SysWOW64\Ndkjik32.exe Namnmp32.exe File created C:\Windows\SysWOW64\Jcgldl32.exe Jqhphq32.exe File created C:\Windows\SysWOW64\Cjodhbii.dll Jcnbekok.exe File opened for modification C:\Windows\SysWOW64\Daollh32.exe Dkedonpo.exe File opened for modification C:\Windows\SysWOW64\Kbeibo32.exe Jlkafdco.exe File opened for modification C:\Windows\SysWOW64\Llimgb32.exe Ldbefe32.exe File created C:\Windows\SysWOW64\Lgilmo32.dll Aijlgkjq.exe File created C:\Windows\SysWOW64\Hcifmdeo.exe Hmpnqj32.exe File created C:\Windows\SysWOW64\Hdicggla.exe Hjcojo32.exe File opened for modification C:\Windows\SysWOW64\Abgcqjhp.exe Aohfdnil.exe File opened for modification C:\Windows\SysWOW64\Bihancje.exe Bnbmqjjo.exe File opened for modification C:\Windows\SysWOW64\Jnbgaa32.exe Jhhodg32.exe File opened for modification C:\Windows\SysWOW64\Liabjh32.exe Lcdjba32.exe File opened for modification C:\Windows\SysWOW64\Hommhi32.exe Hedhoc32.exe File created C:\Windows\SysWOW64\Mfikmmob.dll Egbken32.exe File opened for modification C:\Windows\SysWOW64\Bmimdg32.exe Bfoegm32.exe File opened for modification C:\Windows\SysWOW64\Iedbcebd.exe Imnjbhaa.exe File created C:\Windows\SysWOW64\Bbjogi32.dll Namnmp32.exe File opened for modification C:\Windows\SysWOW64\Ejlnfjbd.exe Ecbeip32.exe File created C:\Windows\SysWOW64\Iodjcnca.exe Icminm32.exe File created C:\Windows\SysWOW64\Jjknakhq.exe Jcaeea32.exe File created C:\Windows\SysWOW64\Fcddkggf.exe Fljlom32.exe File created C:\Windows\SysWOW64\Obmbfpea.dll Icmbcg32.exe File created C:\Windows\SysWOW64\Befogbik.dll Cdnelpod.exe File created C:\Windows\SysWOW64\Cicjokll.exe Cnmebblf.exe File created C:\Windows\SysWOW64\Lfbgmj32.exe Leqkeajd.exe File created C:\Windows\SysWOW64\Dmphdomb.dll Eelpqi32.exe File created C:\Windows\SysWOW64\Bfgcag32.dll Ppamjcpj.exe File created C:\Windows\SysWOW64\Pgbkgmao.exe Pklkbl32.exe File created C:\Windows\SysWOW64\Ecdkdj32.exe Eljchpnl.exe File created C:\Windows\SysWOW64\Gnjhhpgl.exe Ffcpgcfj.exe File created C:\Windows\SysWOW64\Logbigbg.exe Lennpb32.exe File opened for modification C:\Windows\SysWOW64\Noehac32.exe Nemchn32.exe File opened for modification C:\Windows\SysWOW64\Dioiki32.exe Djmima32.exe File opened for modification C:\Windows\SysWOW64\Ohcmpn32.exe Obidcdfo.exe File created C:\Windows\SysWOW64\Clijablo.exe Cepadh32.exe File created C:\Windows\SysWOW64\Eeodqocd.exe Efjgpc32.exe File created C:\Windows\SysWOW64\Obkcmi32.dll Ammnhilb.exe File created C:\Windows\SysWOW64\Qhjgfkpf.dll Hdicggla.exe File created C:\Windows\SysWOW64\Kmbmdeoj.exe Kallod32.exe File created C:\Windows\SysWOW64\Ocadkb32.dll Onjebpml.exe File created C:\Windows\SysWOW64\Dggkipii.exe Dnngpj32.exe File created C:\Windows\SysWOW64\Abcppq32.exe Apddce32.exe File created C:\Windows\SysWOW64\Eleimp32.exe Dcmedk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5712 6992 WerFault.exe 712 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgjhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcojo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inagpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmpbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhhbbck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodjcnca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljoiibbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgjcfgoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epffbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaopoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndlacapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbpeghpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjpkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbeip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcmpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcmmjkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieknpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halaloif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflpkpjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmglk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igghilhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjpkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggkipii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odedipge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgmib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keekjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbgmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojeodga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqcfjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjdam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoifh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijngkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaaiahei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enopghee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaqejcep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpejlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdfho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijedehgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhchc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmpob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcghkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdngpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmnkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcpcgfmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejjaqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdbekh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjnhiiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbhlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjjjghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdiamnpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khfkfedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaeea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeglbeea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnghhqdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhhgmlli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicjokll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkefmjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcidopb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcifmdeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmopone.dll" Bbpeghpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll" Ihceigec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kalcik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onlaqbaj.dll" Ghcbohpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmajnph.dll" Geflne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcefei32.dll" Ignnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bglgdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdjfohjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lamlphoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eepkkefp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohcmpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkiapn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdfnq32.dll" Odedipge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfnef32.dll" Fbqiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jblflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlpbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjmkoamp.dll" Nncoaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijlii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhdqml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfjih32.dll" Akfdcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iodjcnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijcdi32.dll" Gjqinamq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdpbope.dll" Ejiiippb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieknpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anncek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iljpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoikj32.dll" Mepnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncaklhdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbdcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggnijof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abaqlb32.dll" Eleimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkdccim.dll" Nahdapae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpfcf32.dll" Mpedgghj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll" Ofgmib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqjhif32.dll" Abcppq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnjhhpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjmnaoj.dll" Iqmplbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacnkkem.dll" Jckeokan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnnllhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljoiibbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqdkkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll" Iagqgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlgbon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjfmminc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjdng32.dll" Mgkjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdjlcnk.dll" Gcghkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgcmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lefkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll" Ohcmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honhbgej.dll" Mopeofjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddhhbngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbiphhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oediim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgkjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faamghko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loopdmpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keekjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjfmminc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hllcfnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epanfaei.dll" Mhfmbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lojfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abfmnkfh.dll" Imnjbhaa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2884 wrote to memory of 2088 2884 e556d89e4d8c3cefce046ebdc7c9d2a0N.exe 91 PID 2884 wrote to memory of 2088 2884 e556d89e4d8c3cefce046ebdc7c9d2a0N.exe 91 PID 2884 wrote to memory of 2088 2884 e556d89e4d8c3cefce046ebdc7c9d2a0N.exe 91 PID 2088 wrote to memory of 3960 2088 Ckbncapd.exe 92 PID 2088 wrote to memory of 3960 2088 Ckbncapd.exe 92 PID 2088 wrote to memory of 3960 2088 Ckbncapd.exe 92 PID 3960 wrote to memory of 4216 3960 Cigkdmel.exe 93 PID 3960 wrote to memory of 4216 3960 Cigkdmel.exe 93 PID 3960 wrote to memory of 4216 3960 Cigkdmel.exe 93 PID 4216 wrote to memory of 396 4216 Cgklmacf.exe 94 PID 4216 wrote to memory of 396 4216 Cgklmacf.exe 94 PID 4216 wrote to memory of 396 4216 Cgklmacf.exe 94 PID 396 wrote to memory of 4856 396 Ccblbb32.exe 95 PID 396 wrote to memory of 4856 396 Ccblbb32.exe 95 PID 396 wrote to memory of 4856 396 Ccblbb32.exe 95 PID 4856 wrote to memory of 1104 4856 Cmgqpkip.exe 96 PID 4856 wrote to memory of 1104 4856 Cmgqpkip.exe 96 PID 4856 wrote to memory of 1104 4856 Cmgqpkip.exe 96 PID 1104 wrote to memory of 3376 1104 Cdaile32.exe 97 PID 1104 wrote to memory of 3376 1104 Cdaile32.exe 97 PID 1104 wrote to memory of 3376 1104 Cdaile32.exe 97 PID 3376 wrote to memory of 944 3376 Dinael32.exe 98 PID 3376 wrote to memory of 944 3376 Dinael32.exe 98 PID 3376 wrote to memory of 944 3376 Dinael32.exe 98 PID 944 wrote to memory of 3632 944 Dphiaffa.exe 100 PID 944 wrote to memory of 3632 944 Dphiaffa.exe 100 PID 944 wrote to memory of 3632 944 Dphiaffa.exe 100 PID 3632 wrote to memory of 3288 3632 Dknnoofg.exe 101 PID 3632 wrote to memory of 3288 3632 Dknnoofg.exe 101 PID 3632 wrote to memory of 3288 3632 Dknnoofg.exe 101 PID 3288 wrote to memory of 3712 3288 Dahfkimd.exe 102 PID 3288 wrote to memory of 3712 3288 Dahfkimd.exe 102 PID 3288 wrote to memory of 3712 3288 Dahfkimd.exe 102 PID 3712 wrote to memory of 704 3712 Ddfbgelh.exe 103 PID 3712 wrote to memory of 704 3712 Ddfbgelh.exe 103 PID 3712 wrote to memory of 704 3712 Ddfbgelh.exe 103 PID 704 wrote to memory of 1932 704 Dkpjdo32.exe 104 PID 704 wrote to memory of 1932 704 Dkpjdo32.exe 104 PID 704 wrote to memory of 1932 704 Dkpjdo32.exe 104 PID 1932 wrote to memory of 2792 1932 Dnngpj32.exe 105 PID 1932 wrote to memory of 2792 1932 Dnngpj32.exe 105 PID 1932 wrote to memory of 2792 1932 Dnngpj32.exe 105 PID 2792 wrote to memory of 3832 2792 Dggkipii.exe 106 PID 2792 wrote to memory of 3832 2792 Dggkipii.exe 106 PID 2792 wrote to memory of 3832 2792 Dggkipii.exe 106 PID 3832 wrote to memory of 3624 3832 Dnqcfjae.exe 107 PID 3832 wrote to memory of 3624 3832 Dnqcfjae.exe 107 PID 3832 wrote to memory of 3624 3832 Dnqcfjae.exe 107 PID 3624 wrote to memory of 2236 3624 Ddklbd32.exe 108 PID 3624 wrote to memory of 2236 3624 Ddklbd32.exe 108 PID 3624 wrote to memory of 2236 3624 Ddklbd32.exe 108 PID 2236 wrote to memory of 2360 2236 Dkedonpo.exe 109 PID 2236 wrote to memory of 2360 2236 Dkedonpo.exe 109 PID 2236 wrote to memory of 2360 2236 Dkedonpo.exe 109 PID 2360 wrote to memory of 4912 2360 Daollh32.exe 110 PID 2360 wrote to memory of 4912 2360 Daollh32.exe 110 PID 2360 wrote to memory of 4912 2360 Daollh32.exe 110 PID 4912 wrote to memory of 4200 4912 Dcphdqmj.exe 111 PID 4912 wrote to memory of 4200 4912 Dcphdqmj.exe 111 PID 4912 wrote to memory of 4200 4912 Dcphdqmj.exe 111 PID 4200 wrote to memory of 3104 4200 Ejjaqk32.exe 112 PID 4200 wrote to memory of 3104 4200 Ejjaqk32.exe 112 PID 4200 wrote to memory of 3104 4200 Ejjaqk32.exe 112 PID 3104 wrote to memory of 3936 3104 Eaaiahei.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\e556d89e4d8c3cefce046ebdc7c9d2a0N.exe"C:\Users\Admin\AppData\Local\Temp\e556d89e4d8c3cefce046ebdc7c9d2a0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ckbncapd.exeC:\Windows\system32\Ckbncapd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Ccblbb32.exeC:\Windows\system32\Ccblbb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Cdaile32.exeC:\Windows\system32\Cdaile32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Dinael32.exeC:\Windows\system32\Dinael32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Dphiaffa.exeC:\Windows\system32\Dphiaffa.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Dkpjdo32.exeC:\Windows\system32\Dkpjdo32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Dggkipii.exeC:\Windows\system32\Dggkipii.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Dnqcfjae.exeC:\Windows\system32\Dnqcfjae.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Eaaiahei.exeC:\Windows\system32\Eaaiahei.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3936 -
C:\Windows\SysWOW64\Ejlnfjbd.exeC:\Windows\system32\Ejlnfjbd.exe24⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3236 -
C:\Windows\SysWOW64\Egpnooan.exeC:\Windows\system32\Egpnooan.exe26⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Enjfli32.exeC:\Windows\system32\Enjfli32.exe27⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe28⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Egbken32.exeC:\Windows\system32\Egbken32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Edfknb32.exeC:\Windows\system32\Edfknb32.exe31⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe32⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Enopghee.exeC:\Windows\system32\Enopghee.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3548 -
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe34⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe35⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe36⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Fqphic32.exeC:\Windows\system32\Fqphic32.exe37⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe38⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe39⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe40⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe41⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe42⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe43⤵
- Executes dropped EXE
PID:5152 -
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe44⤵
- Executes dropped EXE
PID:5192 -
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe45⤵
- Executes dropped EXE
PID:5232 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe46⤵
- Executes dropped EXE
PID:5272 -
C:\Windows\SysWOW64\Fklcgk32.exeC:\Windows\system32\Fklcgk32.exe47⤵
- Executes dropped EXE
PID:5312 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5352 -
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe50⤵
- Executes dropped EXE
PID:5432 -
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe51⤵
- Executes dropped EXE
PID:5472 -
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5512 -
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe53⤵
- Executes dropped EXE
PID:5552 -
C:\Windows\SysWOW64\Gbkdod32.exeC:\Windows\system32\Gbkdod32.exe54⤵
- Executes dropped EXE
PID:5592 -
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5632 -
C:\Windows\SysWOW64\Gjficg32.exeC:\Windows\system32\Gjficg32.exe56⤵
- Executes dropped EXE
PID:5672 -
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5792 -
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe60⤵
- Executes dropped EXE
PID:5832 -
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe61⤵
- Executes dropped EXE
PID:5872 -
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe62⤵
- Executes dropped EXE
PID:5912 -
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Hgocgjgk.exeC:\Windows\system32\Hgocgjgk.exe64⤵
- Executes dropped EXE
PID:5992 -
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe65⤵
- Executes dropped EXE
PID:6032 -
C:\Windows\SysWOW64\Hbdgec32.exeC:\Windows\system32\Hbdgec32.exe66⤵PID:6072
-
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Hkmlnimb.exeC:\Windows\system32\Hkmlnimb.exe68⤵PID:548
-
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe69⤵PID:1088
-
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe70⤵PID:4820
-
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe71⤵
- Modifies registry class
PID:4540 -
C:\Windows\SysWOW64\Hjaioe32.exeC:\Windows\system32\Hjaioe32.exe72⤵PID:1400
-
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe73⤵
- System Location Discovery: System Language Discovery
PID:5064 -
C:\Windows\SysWOW64\Hcjmhk32.exeC:\Windows\system32\Hcjmhk32.exe74⤵PID:5180
-
C:\Windows\SysWOW64\Hjdedepg.exeC:\Windows\system32\Hjdedepg.exe75⤵PID:5260
-
C:\Windows\SysWOW64\Hannao32.exeC:\Windows\system32\Hannao32.exe76⤵PID:5340
-
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe77⤵
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Hjfbjdnd.exeC:\Windows\system32\Hjfbjdnd.exe78⤵PID:5496
-
C:\Windows\SysWOW64\Iapjgo32.exeC:\Windows\system32\Iapjgo32.exe79⤵PID:5576
-
C:\Windows\SysWOW64\Icogcjde.exeC:\Windows\system32\Icogcjde.exe80⤵PID:5656
-
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe81⤵PID:5708
-
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe82⤵PID:5788
-
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe83⤵PID:5868
-
C:\Windows\SysWOW64\Ijkled32.exeC:\Windows\system32\Ijkled32.exe84⤵PID:5944
-
C:\Windows\SysWOW64\Iaedanal.exeC:\Windows\system32\Iaedanal.exe85⤵PID:6024
-
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe86⤵PID:6096
-
C:\Windows\SysWOW64\Ijmhkchl.exeC:\Windows\system32\Ijmhkchl.exe87⤵PID:2104
-
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe88⤵
- Modifies registry class
PID:3572 -
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe89⤵PID:3900
-
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe90⤵PID:6172
-
C:\Windows\SysWOW64\Iajmmm32.exeC:\Windows\system32\Iajmmm32.exe91⤵PID:6212
-
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe92⤵
- Modifies registry class
PID:6252 -
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe93⤵PID:6292
-
C:\Windows\SysWOW64\Jbijgp32.exeC:\Windows\system32\Jbijgp32.exe94⤵PID:6332
-
C:\Windows\SysWOW64\Jdjfohjg.exeC:\Windows\system32\Jdjfohjg.exe95⤵
- Modifies registry class
PID:6372 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe96⤵PID:6412
-
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe97⤵
- Modifies registry class
PID:6452 -
C:\Windows\SysWOW64\Jhhodg32.exeC:\Windows\system32\Jhhodg32.exe98⤵
- Drops file in System32 directory
PID:6492 -
C:\Windows\SysWOW64\Jnbgaa32.exeC:\Windows\system32\Jnbgaa32.exe99⤵PID:6532
-
C:\Windows\SysWOW64\Jaqcnl32.exeC:\Windows\system32\Jaqcnl32.exe100⤵PID:6572
-
C:\Windows\SysWOW64\Jhkljfok.exeC:\Windows\system32\Jhkljfok.exe101⤵PID:6612
-
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe102⤵PID:6652
-
C:\Windows\SysWOW64\Jacpcl32.exeC:\Windows\system32\Jacpcl32.exe103⤵PID:6692
-
C:\Windows\SysWOW64\Jdalog32.exeC:\Windows\system32\Jdalog32.exe104⤵PID:6732
-
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe105⤵PID:6772
-
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6812 -
C:\Windows\SysWOW64\Jddiegbm.exeC:\Windows\system32\Jddiegbm.exe107⤵PID:6852
-
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe108⤵
- Drops file in System32 directory
PID:6892 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe109⤵PID:6932
-
C:\Windows\SysWOW64\Keceoj32.exeC:\Windows\system32\Keceoj32.exe110⤵PID:6972
-
C:\Windows\SysWOW64\Klmnkdal.exeC:\Windows\system32\Klmnkdal.exe111⤵PID:7012
-
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe112⤵PID:7052
-
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7092 -
C:\Windows\SysWOW64\Khdoqefq.exeC:\Windows\system32\Khdoqefq.exe114⤵PID:7132
-
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe115⤵PID:5148
-
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe117⤵
- System Location Discovery: System Language Discovery
PID:5408 -
C:\Windows\SysWOW64\Kkegbpca.exeC:\Windows\system32\Kkegbpca.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5696 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe120⤵PID:5848
-
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe121⤵PID:5988
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-