Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 20:12
Static task
static1
Behavioral task
behavioral1
Sample
df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe
Resource
win10v2004-20241007-en
General
-
Target
df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe
-
Size
92KB
-
MD5
def15f5a4462c3fea2b314eff26dd290
-
SHA1
b4c18d0bbf1ae4ccaab7976940533aa98f905972
-
SHA256
df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591c
-
SHA512
df1651519aaa06ae532bdb8fb27ad178e3052fdc92fc6d349ccccb2efa84ee7a47379d2d5c29ea08d1216d7390601c857497e98a0e64d1c28499275eec48aa34
-
SSDEEP
1536:SfR5xBLVkrEOZNe53ny9NZ+b+n9zTbDlYBG3QYD3Q55+O6iE1A:uhLVkrEGNe5C9DhT/K8Qr5+ViKA
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjjga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkjkflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojhafnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdkjdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgqlafap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibcoalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pioeoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenhopmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidjdpie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkkmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmaeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbobkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlilqbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapohbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcojam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boemlbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlifadkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijkocg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpdmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkpqlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckeqga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfibhjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneohj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpeld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhljkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejmpqop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciabmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcekfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhibino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfnmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfckcoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcqjfeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghdiokbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkihbho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaoclgl.exe -
Executes dropped EXE 64 IoCs
pid Process 2760 Dbiocd32.exe 2560 Eegkpo32.exe 2852 Elacliin.exe 2600 Elacliin.exe 2564 Ekdchf32.exe 1988 Edlhqlfi.exe 2912 Eeldkonl.exe 2192 Ekhmcelc.exe 860 Emgioakg.exe 856 Ehlmljkm.exe 1216 Einjdb32.exe 584 Ecfnmh32.exe 340 Eipgjaoi.exe 2208 Fmlbjq32.exe 704 Fgdgcfmb.exe 2108 Fibcoalf.exe 2044 Flapkmlj.exe 2416 Foolgh32.exe 800 Feiddbbj.exe 784 Figmjq32.exe 1980 Fkhibino.exe 2504 Fcpacf32.exe 1592 Fhljkm32.exe 2916 Gdcjpncm.exe 2660 Goiongbc.exe 2580 Ghacfmic.exe 2752 Ggdcbi32.exe 2712 Gaihob32.exe 2796 Gckdgjeb.exe 2524 Gcmamj32.exe 1908 Gfkmie32.exe 3024 Gnbejb32.exe 2352 Ggkibhjf.exe 1564 Gfnjne32.exe 2388 Hofngkga.exe 2652 Hfpfdeon.exe 2952 Hinbppna.exe 1700 Hdecea32.exe 2256 Hmlkfo32.exe 272 Hbidne32.exe 1008 Hkahgk32.exe 1800 Homdhjai.exe 2992 Hbkqdepm.exe 1772 Hejmpqop.exe 2000 Hieiqo32.exe 2100 Hkdemk32.exe 2976 Hnbaif32.exe 896 Hnbaif32.exe 2764 Haqnea32.exe 1504 Hcojam32.exe 2724 Ikfbbjdj.exe 2704 Indnnfdn.exe 2820 Iacjjacb.exe 3012 Ieofkp32.exe 2892 Igmbgk32.exe 2128 Ijkocg32.exe 624 Imjkpb32.exe 1752 Iphgln32.exe 608 Igoomk32.exe 556 Ijnkifgp.exe 2376 Imlhebfc.exe 2384 Iahceq32.exe 960 Ibipmiek.exe 1284 Ifdlng32.exe -
Loads dropped DLL 64 IoCs
pid Process 2268 df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe 2268 df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe 2760 Dbiocd32.exe 2760 Dbiocd32.exe 2560 Eegkpo32.exe 2560 Eegkpo32.exe 2852 Elacliin.exe 2852 Elacliin.exe 2600 Elacliin.exe 2600 Elacliin.exe 2564 Ekdchf32.exe 2564 Ekdchf32.exe 1988 Edlhqlfi.exe 1988 Edlhqlfi.exe 2912 Eeldkonl.exe 2912 Eeldkonl.exe 2192 Ekhmcelc.exe 2192 Ekhmcelc.exe 860 Emgioakg.exe 860 Emgioakg.exe 856 Ehlmljkm.exe 856 Ehlmljkm.exe 1216 Einjdb32.exe 1216 Einjdb32.exe 584 Ecfnmh32.exe 584 Ecfnmh32.exe 340 Eipgjaoi.exe 340 Eipgjaoi.exe 2208 Fmlbjq32.exe 2208 Fmlbjq32.exe 704 Fgdgcfmb.exe 704 Fgdgcfmb.exe 2108 Fibcoalf.exe 2108 Fibcoalf.exe 2044 Flapkmlj.exe 2044 Flapkmlj.exe 2416 Foolgh32.exe 2416 Foolgh32.exe 800 Feiddbbj.exe 800 Feiddbbj.exe 784 Figmjq32.exe 784 Figmjq32.exe 1980 Fkhibino.exe 1980 Fkhibino.exe 2504 Fcpacf32.exe 2504 Fcpacf32.exe 1592 Fhljkm32.exe 1592 Fhljkm32.exe 2916 Gdcjpncm.exe 2916 Gdcjpncm.exe 2660 Goiongbc.exe 2660 Goiongbc.exe 2580 Ghacfmic.exe 2580 Ghacfmic.exe 2752 Ggdcbi32.exe 2752 Ggdcbi32.exe 2712 Gaihob32.exe 2712 Gaihob32.exe 2796 Gckdgjeb.exe 2796 Gckdgjeb.exe 2524 Gcmamj32.exe 2524 Gcmamj32.exe 1908 Gfkmie32.exe 1908 Gfkmie32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Edlafebn.exe Eldiehbk.exe File created C:\Windows\SysWOW64\Bmblbf32.dll Fkcilc32.exe File opened for modification C:\Windows\SysWOW64\Fmdbnnlj.exe Fkefbcmf.exe File opened for modification C:\Windows\SysWOW64\Hgeelf32.exe Hcjilgdb.exe File created C:\Windows\SysWOW64\Glehgdkn.dll Ikfbbjdj.exe File created C:\Windows\SysWOW64\Cfcqihha.dll Klfjpa32.exe File created C:\Windows\SysWOW64\Jhhcghdk.dll Dlifadkk.exe File created C:\Windows\SysWOW64\Bddbjhlp.exe Baefnmml.exe File opened for modification C:\Windows\SysWOW64\Cehhdkjf.exe Cfehhn32.exe File opened for modification C:\Windows\SysWOW64\Fkhibino.exe Figmjq32.exe File opened for modification C:\Windows\SysWOW64\Ngdjaofc.exe Ndfnecgp.exe File created C:\Windows\SysWOW64\Jdilhpcp.dll Pfebnmcj.exe File created C:\Windows\SysWOW64\Ipbkjl32.dll Kgcnahoo.exe File created C:\Windows\SysWOW64\Haqnea32.exe Hnbaif32.exe File opened for modification C:\Windows\SysWOW64\Cceogcfj.exe Coicfd32.exe File opened for modification C:\Windows\SysWOW64\Koaclfgl.exe Klcgpkhh.exe File created C:\Windows\SysWOW64\Ijcngenj.exe Igebkiof.exe File created C:\Windows\SysWOW64\Pbkboega.dll Klcgpkhh.exe File created C:\Windows\SysWOW64\Dchdgl32.dll Mneohj32.exe File created C:\Windows\SysWOW64\Icjgpj32.dll Bhmaeg32.exe File created C:\Windows\SysWOW64\Hiioin32.exe Hfjbmb32.exe File created C:\Windows\SysWOW64\Gbdnfd32.dll Ijkocg32.exe File opened for modification C:\Windows\SysWOW64\Aphjjf32.exe Aaejojjq.exe File created C:\Windows\SysWOW64\Cqdfehii.exe Cnejim32.exe File created C:\Windows\SysWOW64\Bccblb32.dll Cgnnab32.exe File created C:\Windows\SysWOW64\Lpmdgf32.dll Igqhpj32.exe File created C:\Windows\SysWOW64\Nomdjlpi.dll Imodkadq.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Kbbobkol.exe File opened for modification C:\Windows\SysWOW64\Khohkamc.exe Kgnkci32.exe File opened for modification C:\Windows\SysWOW64\Dgnjqe32.exe Deondj32.exe File created C:\Windows\SysWOW64\Flpkcb32.dll Hnhgha32.exe File created C:\Windows\SysWOW64\Japciodd.exe Jjfkmdlg.exe File created C:\Windows\SysWOW64\Gnbejb32.exe Gfkmie32.exe File opened for modification C:\Windows\SysWOW64\Iladfn32.exe Imodkadq.exe File created C:\Windows\SysWOW64\Mqehjecl.exe Mnglnj32.exe File opened for modification C:\Windows\SysWOW64\Gmemln32.dll Hnbaif32.exe File opened for modification C:\Windows\SysWOW64\Aacmij32.exe Qoeamo32.exe File opened for modification C:\Windows\SysWOW64\Jpgmpk32.exe Jimdcqom.exe File created C:\Windows\SysWOW64\Adaiee32.exe Aacmij32.exe File opened for modification C:\Windows\SysWOW64\Deondj32.exe Dbabho32.exe File created C:\Windows\SysWOW64\Iocgfhhc.exe Ikgkei32.exe File opened for modification C:\Windows\SysWOW64\Jedehaea.exe Jfaeme32.exe File created C:\Windows\SysWOW64\Padqpaec.dll Gdcjpncm.exe File created C:\Windows\SysWOW64\Njnmbk32.exe Ngpqfp32.exe File opened for modification C:\Windows\SysWOW64\Nlilqbgp.exe Nmflee32.exe File opened for modification C:\Windows\SysWOW64\Ieponofk.exe Ifmocb32.exe File created C:\Windows\SysWOW64\Kambcbhb.exe Kbjbge32.exe File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe Kapohbfp.exe File opened for modification C:\Windows\SysWOW64\Kmfpmc32.exe Kjhcag32.exe File opened for modification C:\Windows\SysWOW64\Kadica32.exe Koflgf32.exe File opened for modification C:\Windows\SysWOW64\Lanbdf32.exe Lopfhk32.exe File created C:\Windows\SysWOW64\Miglefjd.dll Baefnmml.exe File created C:\Windows\SysWOW64\Bkpglbaj.exe Bgdkkc32.exe File created C:\Windows\SysWOW64\Fppaej32.exe Fmaeho32.exe File created C:\Windows\SysWOW64\Dfcllk32.dll Ikgkei32.exe File created C:\Windows\SysWOW64\Nnleiipc.exe Ngbmlo32.exe File created C:\Windows\SysWOW64\Qjqkek32.dll Adfbpega.exe File created C:\Windows\SysWOW64\Fhdmph32.exe Fdiqpigl.exe File opened for modification C:\Windows\SysWOW64\Agglbp32.exe Apmcefmf.exe File created C:\Windows\SysWOW64\Adnjbnhn.dll Goldfelp.exe File created C:\Windows\SysWOW64\Ecfnmh32.exe Einjdb32.exe File created C:\Windows\SysWOW64\Ljigih32.exe Lgkkmm32.exe File opened for modification C:\Windows\SysWOW64\Ngbmlo32.exe Ndcapd32.exe File created C:\Windows\SysWOW64\Dhigkm32.dll Obgnhkkh.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koflgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbaci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajiigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphgln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhmcelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffibceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokqnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgngbmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbkqdepm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjmmdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkknac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkefbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacfidem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaecod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaglcgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfemmna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlbjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbejb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkocg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndcapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbmlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghacfmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dppigchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqjnhge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opialpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppinkcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobpfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdgcfmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggggoda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbdleol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmkbebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhibino.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggknna32.dll" Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaadj32.dll" Lpflkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hmlkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcojam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bokblhqh.dll" Klhgfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glehgdkn.dll" Ikfbbjdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbhbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnfak32.dll" Ldmopa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaejojjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggoqimd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll" Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkdjglfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdjaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgknkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Capocbbb.dll" Jdcpkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opialpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kenhopmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edlhqlfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplqiiqb.dll" Fmlbjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbampij.dll" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebhmb32.dll" Fibcoalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddgloho.dll" Mnglnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icjgpj32.dll" Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfggnkoj.dll" Fmaeho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igqhpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaimipjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfglkheo.dll" Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbafomj.dll" Aacmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flnlkgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahceq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogfepif.dll" Ngdjaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobpfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miglefjd.dll" Baefnmml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgoqijf.dll" Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll" Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll" Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfjpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldmopa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aacmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aobpfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faffik32.dll" Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjdhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkcilc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdecea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ichmgl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2760 2268 df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe 31 PID 2268 wrote to memory of 2760 2268 df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe 31 PID 2268 wrote to memory of 2760 2268 df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe 31 PID 2268 wrote to memory of 2760 2268 df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe 31 PID 2760 wrote to memory of 2560 2760 Dbiocd32.exe 32 PID 2760 wrote to memory of 2560 2760 Dbiocd32.exe 32 PID 2760 wrote to memory of 2560 2760 Dbiocd32.exe 32 PID 2760 wrote to memory of 2560 2760 Dbiocd32.exe 32 PID 2560 wrote to memory of 2852 2560 Eegkpo32.exe 33 PID 2560 wrote to memory of 2852 2560 Eegkpo32.exe 33 PID 2560 wrote to memory of 2852 2560 Eegkpo32.exe 33 PID 2560 wrote to memory of 2852 2560 Eegkpo32.exe 33 PID 2852 wrote to memory of 2600 2852 Elacliin.exe 34 PID 2852 wrote to memory of 2600 2852 Elacliin.exe 34 PID 2852 wrote to memory of 2600 2852 Elacliin.exe 34 PID 2852 wrote to memory of 2600 2852 Elacliin.exe 34 PID 2600 wrote to memory of 2564 2600 Elacliin.exe 35 PID 2600 wrote to memory of 2564 2600 Elacliin.exe 35 PID 2600 wrote to memory of 2564 2600 Elacliin.exe 35 PID 2600 wrote to memory of 2564 2600 Elacliin.exe 35 PID 2564 wrote to memory of 1988 2564 Ekdchf32.exe 36 PID 2564 wrote to memory of 1988 2564 Ekdchf32.exe 36 PID 2564 wrote to memory of 1988 2564 Ekdchf32.exe 36 PID 2564 wrote to memory of 1988 2564 Ekdchf32.exe 36 PID 1988 wrote to memory of 2912 1988 Edlhqlfi.exe 37 PID 1988 wrote to memory of 2912 1988 Edlhqlfi.exe 37 PID 1988 wrote to memory of 2912 1988 Edlhqlfi.exe 37 PID 1988 wrote to memory of 2912 1988 Edlhqlfi.exe 37 PID 2912 wrote to memory of 2192 2912 Eeldkonl.exe 38 PID 2912 wrote to memory of 2192 2912 Eeldkonl.exe 38 PID 2912 wrote to memory of 2192 2912 Eeldkonl.exe 38 PID 2912 wrote to memory of 2192 2912 Eeldkonl.exe 38 PID 2192 wrote to memory of 860 2192 Ekhmcelc.exe 39 PID 2192 wrote to memory of 860 2192 Ekhmcelc.exe 39 PID 2192 wrote to memory of 860 2192 Ekhmcelc.exe 39 PID 2192 wrote to memory of 860 2192 Ekhmcelc.exe 39 PID 860 wrote to memory of 856 860 Emgioakg.exe 40 PID 860 wrote to memory of 856 860 Emgioakg.exe 40 PID 860 wrote to memory of 856 860 Emgioakg.exe 40 PID 860 wrote to memory of 856 860 Emgioakg.exe 40 PID 856 wrote to memory of 1216 856 Ehlmljkm.exe 41 PID 856 wrote to memory of 1216 856 Ehlmljkm.exe 41 PID 856 wrote to memory of 1216 856 Ehlmljkm.exe 41 PID 856 wrote to memory of 1216 856 Ehlmljkm.exe 41 PID 1216 wrote to memory of 584 1216 Einjdb32.exe 42 PID 1216 wrote to memory of 584 1216 Einjdb32.exe 42 PID 1216 wrote to memory of 584 1216 Einjdb32.exe 42 PID 1216 wrote to memory of 584 1216 Einjdb32.exe 42 PID 584 wrote to memory of 340 584 Ecfnmh32.exe 43 PID 584 wrote to memory of 340 584 Ecfnmh32.exe 43 PID 584 wrote to memory of 340 584 Ecfnmh32.exe 43 PID 584 wrote to memory of 340 584 Ecfnmh32.exe 43 PID 340 wrote to memory of 2208 340 Eipgjaoi.exe 44 PID 340 wrote to memory of 2208 340 Eipgjaoi.exe 44 PID 340 wrote to memory of 2208 340 Eipgjaoi.exe 44 PID 340 wrote to memory of 2208 340 Eipgjaoi.exe 44 PID 2208 wrote to memory of 704 2208 Fmlbjq32.exe 45 PID 2208 wrote to memory of 704 2208 Fmlbjq32.exe 45 PID 2208 wrote to memory of 704 2208 Fmlbjq32.exe 45 PID 2208 wrote to memory of 704 2208 Fmlbjq32.exe 45 PID 704 wrote to memory of 2108 704 Fgdgcfmb.exe 46 PID 704 wrote to memory of 2108 704 Fgdgcfmb.exe 46 PID 704 wrote to memory of 2108 704 Fgdgcfmb.exe 46 PID 704 wrote to memory of 2108 704 Fgdgcfmb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe"C:\Users\Admin\AppData\Local\Temp\df388ff33b726f76c241e1da628c1bc76f0ac4139faa84f32cc0949f57f9591cN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe35⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe36⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe37⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe38⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe41⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe42⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe43⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe46⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe47⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe53⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe54⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe55⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe58⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe60⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe61⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe62⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe64⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe65⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe68⤵
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe69⤵PID:2708
-
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe70⤵PID:2552
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe71⤵
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe72⤵PID:2888
-
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe73⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe74⤵PID:644
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe75⤵
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe76⤵PID:2880
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe77⤵PID:1100
-
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe79⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe80⤵PID:1708
-
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe81⤵PID:356
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe82⤵PID:1664
-
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe83⤵PID:2120
-
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:828 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe85⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe86⤵PID:2556
-
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe88⤵
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe89⤵PID:1428
-
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe90⤵PID:1372
-
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe92⤵PID:1888
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe94⤵PID:2516
-
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe95⤵PID:1588
-
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe96⤵PID:2972
-
C:\Windows\SysWOW64\Klhgfq32.exeC:\Windows\system32\Klhgfq32.exe97⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe99⤵
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe100⤵PID:1264
-
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe101⤵PID:2444
-
C:\Windows\SysWOW64\Kaglcgdc.exeC:\Windows\system32\Kaglcgdc.exe102⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe104⤵PID:2412
-
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe106⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe107⤵
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe108⤵PID:2792
-
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe109⤵
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe110⤵PID:1724
-
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe111⤵PID:1436
-
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe112⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Lopfhk32.exeC:\Windows\system32\Lopfhk32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe114⤵PID:548
-
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe115⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe117⤵PID:628
-
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe118⤵PID:2680
-
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe119⤵PID:1528
-
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe120⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe121⤵PID:2348
-
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe122⤵
- Modifies registry class
PID:2028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-