Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/10/2024, 23:34
Behavioral task
behavioral1
Sample
71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe
-
Size
112KB
-
MD5
fab569866578ff17f1ca532d136385bf
-
SHA1
cfb20d099092d380233687db49d992cb5f6578b7
-
SHA256
71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1
-
SHA512
c6ac7e6d9914b491651daa6f16183f744183537ea582bfd374e4f0af8db71b0e1d022d18f6f21dbeda7359301e26121fad585ef51ecdf00d0386ae811277583c
-
SSDEEP
3072:/oCBUi9k67O/FCsOqZ63VFeJLCQnFIBOaCUjKaVLjd:/D9k67O/FjnZ63VFeJLbnCBbC+nVLjd
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfchqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hememgdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoalia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdedde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcidkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmjjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbofmcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdchneko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Felcbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idmlniea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdcojaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhalngad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqjibkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eojlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afbnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbomli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkedjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Decdmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffdilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoimecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgiked32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nflfad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oibohdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hofjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lilomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glbaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfabgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckhfpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhmldfdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjoilfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpddmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epnkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pioamlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmdkjmip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphcppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkifkdjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfjnkne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncamen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phehko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahhaobfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbjpem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhaobfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efmckpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imhqbkbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbpqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfnnajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpmdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egebjmdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhnnnbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjpnj32.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Dcghkf32.exe 2688 Ejaphpnp.exe 2740 Ejcmmp32.exe 2552 Eldiehbk.exe 1776 Efjmbaba.exe 1484 Eihjolae.exe 2396 Eoebgcol.exe 744 Eeojcmfi.exe 1616 Elibpg32.exe 592 Ebckmaec.exe 2856 Ehpcehcj.exe 380 Eojlbb32.exe 2052 Fdgdji32.exe 444 Fkqlgc32.exe 1684 Fakdcnhh.exe 2988 Fdiqpigl.exe 1600 Famaimfe.exe 1980 Fdkmeiei.exe 2864 Fgjjad32.exe 1764 Fmdbnnlj.exe 3000 Faonom32.exe 1496 Fcqjfeja.exe 2504 Fglfgd32.exe 876 Fmfocnjg.exe 2004 Fgocmc32.exe 2764 Glklejoo.exe 2696 Gcedad32.exe 2828 Ghbljk32.exe 2728 Glnhjjml.exe 2628 Gefmcp32.exe 564 Ghdiokbq.exe 1456 Gkcekfad.exe 1160 Gcjmmdbf.exe 1260 Glbaei32.exe 572 Goqnae32.exe 2132 Gglbfg32.exe 768 Gockgdeh.exe 304 Hdpcokdo.exe 2156 Hgnokgcc.exe 2960 Hkjkle32.exe 2528 Hdbpekam.exe 2300 Hjohmbpd.exe 824 Hmmdin32.exe 2448 Hqkmplen.exe 1700 Honnki32.exe 1948 Hgeelf32.exe 3068 Hjcaha32.exe 2312 Hmbndmkb.exe 1912 Hoqjqhjf.exe 1576 Hbofmcij.exe 2872 Hjfnnajl.exe 2816 Hmdkjmip.exe 2604 Iocgfhhc.exe 2836 Ifmocb32.exe 2316 Iikkon32.exe 1796 Ioeclg32.exe 868 Ibcphc32.exe 1504 Iebldo32.exe 2348 Igqhpj32.exe 2000 Iaimipjl.exe 1512 Iipejmko.exe 2104 Iknafhjb.exe 940 Inmmbc32.exe 1848 Ibhicbao.exe -
Loads dropped DLL 64 IoCs
pid Process 2364 71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe 2364 71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe 2700 Dcghkf32.exe 2700 Dcghkf32.exe 2688 Ejaphpnp.exe 2688 Ejaphpnp.exe 2740 Ejcmmp32.exe 2740 Ejcmmp32.exe 2552 Eldiehbk.exe 2552 Eldiehbk.exe 1776 Efjmbaba.exe 1776 Efjmbaba.exe 1484 Eihjolae.exe 1484 Eihjolae.exe 2396 Eoebgcol.exe 2396 Eoebgcol.exe 744 Eeojcmfi.exe 744 Eeojcmfi.exe 1616 Elibpg32.exe 1616 Elibpg32.exe 592 Ebckmaec.exe 592 Ebckmaec.exe 2856 Ehpcehcj.exe 2856 Ehpcehcj.exe 380 Eojlbb32.exe 380 Eojlbb32.exe 2052 Fdgdji32.exe 2052 Fdgdji32.exe 444 Fkqlgc32.exe 444 Fkqlgc32.exe 1684 Fakdcnhh.exe 1684 Fakdcnhh.exe 2988 Fdiqpigl.exe 2988 Fdiqpigl.exe 1600 Famaimfe.exe 1600 Famaimfe.exe 1980 Fdkmeiei.exe 1980 Fdkmeiei.exe 2864 Fgjjad32.exe 2864 Fgjjad32.exe 1764 Fmdbnnlj.exe 1764 Fmdbnnlj.exe 3000 Faonom32.exe 3000 Faonom32.exe 1496 Fcqjfeja.exe 1496 Fcqjfeja.exe 2504 Fglfgd32.exe 2504 Fglfgd32.exe 876 Fmfocnjg.exe 876 Fmfocnjg.exe 2776 Gmhkin32.exe 2776 Gmhkin32.exe 2764 Glklejoo.exe 2764 Glklejoo.exe 2696 Gcedad32.exe 2696 Gcedad32.exe 2828 Ghbljk32.exe 2828 Ghbljk32.exe 2728 Glnhjjml.exe 2728 Glnhjjml.exe 2628 Gefmcp32.exe 2628 Gefmcp32.exe 564 Ghdiokbq.exe 564 Ghdiokbq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nojnql32.exe Nllbdp32.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Pcnfdl32.exe File created C:\Windows\SysWOW64\Dangeigl.dll Cnabffeo.exe File created C:\Windows\SysWOW64\Mlnbgj32.dll Fikelhib.exe File created C:\Windows\SysWOW64\Dniefn32.dll Eihjolae.exe File created C:\Windows\SysWOW64\Jmlfmn32.exe Jnifaajh.exe File opened for modification C:\Windows\SysWOW64\Dqfabdaf.exe Dnhefh32.exe File created C:\Windows\SysWOW64\Bchmahjj.dll Palbgn32.exe File created C:\Windows\SysWOW64\Kjmihjfj.dll Iqhfnifq.exe File created C:\Windows\SysWOW64\Ghibjjfb.dll Ngbpehpj.exe File created C:\Windows\SysWOW64\Ebooboeb.dll Hememgdi.exe File created C:\Windows\SysWOW64\Inmmbc32.exe Iknafhjb.exe File created C:\Windows\SysWOW64\Omlncc32.exe Oninhgae.exe File opened for modification C:\Windows\SysWOW64\Pfkimhhi.exe Pbomli32.exe File opened for modification C:\Windows\SysWOW64\Qpcjeaad.exe Qlgndbil.exe File created C:\Windows\SysWOW64\Hpmlce32.dll Hqochjnk.exe File opened for modification C:\Windows\SysWOW64\Ojkhjabc.exe Ogmkne32.exe File created C:\Windows\SysWOW64\Eeomnifk.dll Bgahkngh.exe File created C:\Windows\SysWOW64\Pfbaik32.dll Piadma32.exe File opened for modification C:\Windows\SysWOW64\Adgein32.exe Aahimb32.exe File opened for modification C:\Windows\SysWOW64\Jmdiahco.exe Jnbifl32.exe File created C:\Windows\SysWOW64\Pchbmigj.exe Peeabm32.exe File created C:\Windows\SysWOW64\Cpohhk32.exe Chhpgn32.exe File created C:\Windows\SysWOW64\Obffbh32.dll Kjepaa32.exe File created C:\Windows\SysWOW64\Bcpaqn32.dll Kcmdjgbh.exe File created C:\Windows\SysWOW64\Gdcfoq32.exe Gpgjnbnl.exe File created C:\Windows\SysWOW64\Ocfiif32.exe Oqgmmk32.exe File created C:\Windows\SysWOW64\Ndjhjkfi.dll Ahhchk32.exe File created C:\Windows\SysWOW64\Ndggib32.exe Nfdfmfle.exe File opened for modification C:\Windows\SysWOW64\Ckfjjqhd.exe Bjembh32.exe File created C:\Windows\SysWOW64\Einebddd.exe Eebibf32.exe File opened for modification C:\Windows\SysWOW64\Pmcgmkil.exe Ojdjqp32.exe File opened for modification C:\Windows\SysWOW64\Cgqmpkfg.exe Cojeomee.exe File created C:\Windows\SysWOW64\Ajgpacpe.dll Fmfalg32.exe File opened for modification C:\Windows\SysWOW64\Gkedjo32.exe Ghghnc32.exe File created C:\Windows\SysWOW64\Eihjolae.exe Efjmbaba.exe File created C:\Windows\SysWOW64\Phcleoho.exe Pdhpdq32.exe File created C:\Windows\SysWOW64\Kaholp32.exe Koibpd32.exe File created C:\Windows\SysWOW64\Oddphp32.exe Obecld32.exe File opened for modification C:\Windows\SysWOW64\Ojceef32.exe Oiahnnji.exe File opened for modification C:\Windows\SysWOW64\Jdlacfca.exe Jmdiahco.exe File created C:\Windows\SysWOW64\Jbfilffm.exe Jcciqi32.exe File opened for modification C:\Windows\SysWOW64\Bphooc32.exe Bnicbh32.exe File created C:\Windows\SysWOW64\Bhkghqpb.exe Bihgmdih.exe File created C:\Windows\SysWOW64\Bdcnhk32.exe Bphaglgo.exe File created C:\Windows\SysWOW64\Blghgj32.dll Ebckmaec.exe File created C:\Windows\SysWOW64\Cmnici32.dll Dkjpdcfj.exe File opened for modification C:\Windows\SysWOW64\Jnbpqb32.exe Iifghk32.exe File created C:\Windows\SysWOW64\Bedamd32.exe Bceeqi32.exe File opened for modification C:\Windows\SysWOW64\Efjpkj32.exe Ebockkal.exe File created C:\Windows\SysWOW64\Jmegnj32.dll Kjeglh32.exe File created C:\Windows\SysWOW64\Nhocol32.dll Jbphgpfg.exe File created C:\Windows\SysWOW64\Mopdpg32.exe Mhflcm32.exe File created C:\Windows\SysWOW64\Oaqejn32.dll Fjckelfm.exe File created C:\Windows\SysWOW64\Eglghm32.dll Mdgmbhgh.exe File created C:\Windows\SysWOW64\Cidffnka.dll Nkfkidmk.exe File opened for modification C:\Windows\SysWOW64\Mjilmejf.exe Mcodqkbi.exe File created C:\Windows\SysWOW64\Ickcibdp.dll Honfqb32.exe File created C:\Windows\SysWOW64\Ikagogco.exe Iickckcl.exe File opened for modification C:\Windows\SysWOW64\Jelhmlgm.exe Jbnlaqhi.exe File created C:\Windows\SysWOW64\Lfippfej.exe Ldkdckff.exe File created C:\Windows\SysWOW64\Gfdeopaj.dll Lehdhn32.exe File created C:\Windows\SysWOW64\Hbnjdf32.dll Iojopp32.exe File opened for modification C:\Windows\SysWOW64\Jinfli32.exe Jfojpn32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgnelll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpchfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjiljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhicbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafahdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmeebpkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdfjfmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkacfiga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbadagln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnpddeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abhlak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poacighp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebckmaec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fopnpaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghqia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gieommdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeaahk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckecpjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmmcjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpmkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcmod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljaigmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lophacfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmoilni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboglhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokjkbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icplje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammmlcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepclldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mohhea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggklka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhehpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcppkbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blniinac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hememgdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndicnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibbgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfnnnhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpaohjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Magdam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neibanod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbnhpdke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ochcem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdigfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll" Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbhe32.dll" Pbomli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nopaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqmmbqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcdgpcj.dll" Ahpddmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpddmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miqnbfnp.dll" Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnqe32.dll" Ddbmcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Momapqgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mafalppn.dll" Ochenfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bknmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boobki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbdkbjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipnaoog.dll" Lonlkcho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfippfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqbnfda.dll" Dochelmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hocmpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbglqg32.dll" Pioamlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkaoemjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abhlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmbjg32.dll" Mjkibehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihgebkh.dll" Chjjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafglb32.dll" Facdgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcfejhma.dll" Koibpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilifndlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mebpakbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" Ghdiokbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onchdkoc.dll" Miiofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfkkeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmocbnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbhfajia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nommodjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndjfgkha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chhpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbpbgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecmjid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjhmaca.dll" Dmjlof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnbpqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgegfe.dll" Kamlhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miapbpmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchjfo32.dll" Nhhominh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cheleg32.dll" Cmqihg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfggkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpoodc32.dll" Mlolnllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mejmmqpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndafcmci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgnminke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lofifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkpakq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hofjem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piadma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfgal32.dll" Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhjpejc.dll" Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lficmm32.dll" Amglgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djepnq32.dll" Mpphdpcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hqochjnk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2700 2364 71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe 30 PID 2364 wrote to memory of 2700 2364 71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe 30 PID 2364 wrote to memory of 2700 2364 71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe 30 PID 2364 wrote to memory of 2700 2364 71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe 30 PID 2700 wrote to memory of 2688 2700 Dcghkf32.exe 31 PID 2700 wrote to memory of 2688 2700 Dcghkf32.exe 31 PID 2700 wrote to memory of 2688 2700 Dcghkf32.exe 31 PID 2700 wrote to memory of 2688 2700 Dcghkf32.exe 31 PID 2688 wrote to memory of 2740 2688 Ejaphpnp.exe 32 PID 2688 wrote to memory of 2740 2688 Ejaphpnp.exe 32 PID 2688 wrote to memory of 2740 2688 Ejaphpnp.exe 32 PID 2688 wrote to memory of 2740 2688 Ejaphpnp.exe 32 PID 2740 wrote to memory of 2552 2740 Ejcmmp32.exe 33 PID 2740 wrote to memory of 2552 2740 Ejcmmp32.exe 33 PID 2740 wrote to memory of 2552 2740 Ejcmmp32.exe 33 PID 2740 wrote to memory of 2552 2740 Ejcmmp32.exe 33 PID 2552 wrote to memory of 1776 2552 Eldiehbk.exe 34 PID 2552 wrote to memory of 1776 2552 Eldiehbk.exe 34 PID 2552 wrote to memory of 1776 2552 Eldiehbk.exe 34 PID 2552 wrote to memory of 1776 2552 Eldiehbk.exe 34 PID 1776 wrote to memory of 1484 1776 Efjmbaba.exe 35 PID 1776 wrote to memory of 1484 1776 Efjmbaba.exe 35 PID 1776 wrote to memory of 1484 1776 Efjmbaba.exe 35 PID 1776 wrote to memory of 1484 1776 Efjmbaba.exe 35 PID 1484 wrote to memory of 2396 1484 Eihjolae.exe 36 PID 1484 wrote to memory of 2396 1484 Eihjolae.exe 36 PID 1484 wrote to memory of 2396 1484 Eihjolae.exe 36 PID 1484 wrote to memory of 2396 1484 Eihjolae.exe 36 PID 2396 wrote to memory of 744 2396 Eoebgcol.exe 37 PID 2396 wrote to memory of 744 2396 Eoebgcol.exe 37 PID 2396 wrote to memory of 744 2396 Eoebgcol.exe 37 PID 2396 wrote to memory of 744 2396 Eoebgcol.exe 37 PID 744 wrote to memory of 1616 744 Eeojcmfi.exe 38 PID 744 wrote to memory of 1616 744 Eeojcmfi.exe 38 PID 744 wrote to memory of 1616 744 Eeojcmfi.exe 38 PID 744 wrote to memory of 1616 744 Eeojcmfi.exe 38 PID 1616 wrote to memory of 592 1616 Elibpg32.exe 39 PID 1616 wrote to memory of 592 1616 Elibpg32.exe 39 PID 1616 wrote to memory of 592 1616 Elibpg32.exe 39 PID 1616 wrote to memory of 592 1616 Elibpg32.exe 39 PID 592 wrote to memory of 2856 592 Ebckmaec.exe 40 PID 592 wrote to memory of 2856 592 Ebckmaec.exe 40 PID 592 wrote to memory of 2856 592 Ebckmaec.exe 40 PID 592 wrote to memory of 2856 592 Ebckmaec.exe 40 PID 2856 wrote to memory of 380 2856 Ehpcehcj.exe 41 PID 2856 wrote to memory of 380 2856 Ehpcehcj.exe 41 PID 2856 wrote to memory of 380 2856 Ehpcehcj.exe 41 PID 2856 wrote to memory of 380 2856 Ehpcehcj.exe 41 PID 380 wrote to memory of 2052 380 Eojlbb32.exe 42 PID 380 wrote to memory of 2052 380 Eojlbb32.exe 42 PID 380 wrote to memory of 2052 380 Eojlbb32.exe 42 PID 380 wrote to memory of 2052 380 Eojlbb32.exe 42 PID 2052 wrote to memory of 444 2052 Fdgdji32.exe 43 PID 2052 wrote to memory of 444 2052 Fdgdji32.exe 43 PID 2052 wrote to memory of 444 2052 Fdgdji32.exe 43 PID 2052 wrote to memory of 444 2052 Fdgdji32.exe 43 PID 444 wrote to memory of 1684 444 Fkqlgc32.exe 44 PID 444 wrote to memory of 1684 444 Fkqlgc32.exe 44 PID 444 wrote to memory of 1684 444 Fkqlgc32.exe 44 PID 444 wrote to memory of 1684 444 Fkqlgc32.exe 44 PID 1684 wrote to memory of 2988 1684 Fakdcnhh.exe 45 PID 1684 wrote to memory of 2988 1684 Fakdcnhh.exe 45 PID 1684 wrote to memory of 2988 1684 Fakdcnhh.exe 45 PID 1684 wrote to memory of 2988 1684 Fakdcnhh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe"C:\Users\Admin\AppData\Local\Temp\71a3b2d10b5279bc2b4bc59ddf5fde51ad3a216fc6253bb4c4a8189e5ab147a1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Dcghkf32.exeC:\Windows\system32\Dcghkf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Ejcmmp32.exeC:\Windows\system32\Ejcmmp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Eoebgcol.exeC:\Windows\system32\Eoebgcol.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Ebckmaec.exeC:\Windows\system32\Ebckmaec.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Eojlbb32.exeC:\Windows\system32\Eojlbb32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Fdgdji32.exeC:\Windows\system32\Fdgdji32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Fakdcnhh.exeC:\Windows\system32\Fakdcnhh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Fdiqpigl.exeC:\Windows\system32\Fdiqpigl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Famaimfe.exeC:\Windows\system32\Famaimfe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Fdkmeiei.exeC:\Windows\system32\Fdkmeiei.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Fgjjad32.exeC:\Windows\system32\Fgjjad32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Fmdbnnlj.exeC:\Windows\system32\Fmdbnnlj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Faonom32.exeC:\Windows\system32\Faonom32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Fgocmc32.exeC:\Windows\system32\Fgocmc32.exe26⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe27⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Glklejoo.exeC:\Windows\system32\Glklejoo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Ghbljk32.exeC:\Windows\system32\Ghbljk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Glnhjjml.exeC:\Windows\system32\Glnhjjml.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Ghdiokbq.exeC:\Windows\system32\Ghdiokbq.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Gkcekfad.exeC:\Windows\system32\Gkcekfad.exe34⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe35⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Goqnae32.exeC:\Windows\system32\Goqnae32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Gglbfg32.exeC:\Windows\system32\Gglbfg32.exe38⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Gockgdeh.exeC:\Windows\system32\Gockgdeh.exe39⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Hdpcokdo.exeC:\Windows\system32\Hdpcokdo.exe40⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Hgnokgcc.exeC:\Windows\system32\Hgnokgcc.exe41⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe42⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Hdbpekam.exeC:\Windows\system32\Hdbpekam.exe43⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe44⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe45⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Hqkmplen.exeC:\Windows\system32\Hqkmplen.exe46⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Honnki32.exeC:\Windows\system32\Honnki32.exe47⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Hgeelf32.exeC:\Windows\system32\Hgeelf32.exe48⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hjcaha32.exeC:\Windows\system32\Hjcaha32.exe49⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Hmbndmkb.exeC:\Windows\system32\Hmbndmkb.exe50⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Hoqjqhjf.exeC:\Windows\system32\Hoqjqhjf.exe51⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Hbofmcij.exeC:\Windows\system32\Hbofmcij.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Hjfnnajl.exeC:\Windows\system32\Hjfnnajl.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Iocgfhhc.exeC:\Windows\system32\Iocgfhhc.exe55⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Ifmocb32.exeC:\Windows\system32\Ifmocb32.exe56⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Iikkon32.exeC:\Windows\system32\Iikkon32.exe57⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ioeclg32.exeC:\Windows\system32\Ioeclg32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Ibcphc32.exeC:\Windows\system32\Ibcphc32.exe59⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Iebldo32.exeC:\Windows\system32\Iebldo32.exe60⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe61⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe62⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Iipejmko.exeC:\Windows\system32\Iipejmko.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Iknafhjb.exeC:\Windows\system32\Iknafhjb.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Inmmbc32.exeC:\Windows\system32\Inmmbc32.exe65⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe67⤵PID:2084
-
C:\Windows\SysWOW64\Igebkiof.exeC:\Windows\system32\Igebkiof.exe68⤵PID:2240
-
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Iamfdo32.exeC:\Windows\system32\Iamfdo32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe71⤵PID:1572
-
C:\Windows\SysWOW64\Jggoqimd.exeC:\Windows\system32\Jggoqimd.exe72⤵PID:2576
-
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe73⤵PID:2384
-
C:\Windows\SysWOW64\Jpbcek32.exeC:\Windows\system32\Jpbcek32.exe74⤵PID:1316
-
C:\Windows\SysWOW64\Jcnoejch.exeC:\Windows\system32\Jcnoejch.exe75⤵PID:2540
-
C:\Windows\SysWOW64\Jgjkfi32.exeC:\Windows\system32\Jgjkfi32.exe76⤵PID:992
-
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe77⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Jabponba.exeC:\Windows\system32\Jabponba.exe78⤵PID:2344
-
C:\Windows\SysWOW64\Jcqlkjae.exeC:\Windows\system32\Jcqlkjae.exe79⤵PID:1908
-
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe80⤵PID:1668
-
C:\Windows\SysWOW64\Jjjdhc32.exeC:\Windows\system32\Jjjdhc32.exe81⤵PID:2904
-
C:\Windows\SysWOW64\Jmipdo32.exeC:\Windows\system32\Jmipdo32.exe82⤵PID:944
-
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe83⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Jbfilffm.exeC:\Windows\system32\Jbfilffm.exe84⤵PID:848
-
C:\Windows\SysWOW64\Jmkmjoec.exeC:\Windows\system32\Jmkmjoec.exe85⤵PID:2884
-
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe86⤵PID:1656
-
C:\Windows\SysWOW64\Jnmiag32.exeC:\Windows\system32\Jnmiag32.exe87⤵PID:2712
-
C:\Windows\SysWOW64\Jfcabd32.exeC:\Windows\system32\Jfcabd32.exe88⤵PID:1588
-
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe89⤵PID:1056
-
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe90⤵PID:2184
-
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe91⤵PID:1768
-
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe92⤵PID:2624
-
C:\Windows\SysWOW64\Keioca32.exeC:\Windows\system32\Keioca32.exe93⤵PID:2424
-
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe94⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Kjeglh32.exeC:\Windows\system32\Kjeglh32.exe95⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe96⤵PID:1080
-
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe97⤵PID:1532
-
C:\Windows\SysWOW64\Khjgel32.exeC:\Windows\system32\Khjgel32.exe98⤵PID:1092
-
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe99⤵PID:2640
-
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe100⤵PID:1268
-
C:\Windows\SysWOW64\Kdphjm32.exeC:\Windows\system32\Kdphjm32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Kfodfh32.exeC:\Windows\system32\Kfodfh32.exe102⤵PID:2812
-
C:\Windows\SysWOW64\Kkjpggkn.exeC:\Windows\system32\Kkjpggkn.exe103⤵PID:2200
-
C:\Windows\SysWOW64\Kadica32.exeC:\Windows\system32\Kadica32.exe104⤵PID:580
-
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe105⤵PID:1528
-
C:\Windows\SysWOW64\Kfaalh32.exeC:\Windows\system32\Kfaalh32.exe106⤵PID:2272
-
C:\Windows\SysWOW64\Kipmhc32.exeC:\Windows\system32\Kipmhc32.exe107⤵PID:1944
-
C:\Windows\SysWOW64\Kmkihbho.exeC:\Windows\system32\Kmkihbho.exe108⤵PID:2944
-
C:\Windows\SysWOW64\Kdeaelok.exeC:\Windows\system32\Kdeaelok.exe109⤵PID:2508
-
C:\Windows\SysWOW64\Kgcnahoo.exeC:\Windows\system32\Kgcnahoo.exe110⤵
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe111⤵PID:604
-
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe112⤵PID:1788
-
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe113⤵PID:2796
-
C:\Windows\SysWOW64\Lgfjggll.exeC:\Windows\system32\Lgfjggll.exe114⤵PID:2724
-
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe115⤵PID:2392
-
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe116⤵PID:1480
-
C:\Windows\SysWOW64\Lcmklh32.exeC:\Windows\system32\Lcmklh32.exe117⤵PID:2144
-
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe118⤵PID:2968
-
C:\Windows\SysWOW64\Lhiddoph.exeC:\Windows\system32\Lhiddoph.exe119⤵PID:356
-
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe120⤵PID:1264
-
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe121⤵PID:2820
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-