Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/08/2024, 04:55

Static task: static1
Behavioral task: behavioral1
  Sample: f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92.exe
  Resource: win10v2004-20240802-en

General
Target: f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92.exe
Size: 176KB
MD5: d01ad6b27e34c55a3ebb2b5217e99f01
SHA1: dfca5f4368ffd981fa3f0fbd79150106995adfb4
SHA256: f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92
SHA512: 725591ca3bd5525b1725de6c69ae56ff608d53cb1dbdc4e74c613dc165cc7517c2d8edb16f377e5329abcf90ab5c54d93ab8dc5c8228707abaaba5882a98e8d5
SSDEEP: 3072:WySLBpKBOm6GxzaEPXuhuXGQmVDeCyqOGbo92ynnbVHvzIYVrLo:WySTKH/zPXuapoaCPXbo92ynnZlVrU
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpmddp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnmek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peeonf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgjhjdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmkmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihlkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hniahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdknmmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miicqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikpfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpqdmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejjcocdm.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhhchepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nodhjoef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklcci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glindq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gplnigpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihchhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncocaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Negjfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efgcjmpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfaoanp.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmdib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knlpldhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmkepbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoggmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmdib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdfmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehldefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgjhjdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dibjik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hghegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fapkgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gndhmjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oobdkmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbaklana.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pognfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgehbhek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epkebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqoecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mljlbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Magejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aolphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebdahonl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgqogiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhicde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inndjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kggajj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabdfjdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbhca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcjpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdknmmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhmknn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpohbbfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjidbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjeqehf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmddp32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhjdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglkeihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgemkhpa.exe -
Executes dropped EXE 64 IoCs
pid Process 4432 Dcfhlj32.exe 1868 Dfedhe32.exe 4208 Dmomdpkk.exe 2352 Dajien32.exe 4596 Dcieaj32.exe 3664 Diemiqqp.exe 5072 Dppefk32.exe 4064 Dhgngh32.exe 1828 Dmcfpo32.exe 2596 Dhijmh32.exe 2692 Dmfceoec.exe 2760 Edpkbi32.exe 3052 Ejjcocdm.exe 4112 Emhpkncq.exe 1236 Ehnchgbf.exe 2276 Efqdcd32.exe 4336 Emklpn32.exe 4832 Epihli32.exe 1644 Ejomjb32.exe 1304 Emmifn32.exe 3748 Epkebi32.exe 932 Efemocel.exe 1336 Eicjkodp.exe 3564 Eakall32.exe 180 Edinhg32.exe 3340 Efhjdc32.exe 4780 Emabamkf.exe 3092 Fppomhjj.exe 1196 Fhgfnfjl.exe 1880 Fihcfn32.exe 4308 Fapkgk32.exe 4508 Fhicde32.exe 456 Fpehhh32.exe 704 Fgopebma.exe 3500 Fpgdng32.exe 3688 Fhnmoedd.exe 2996 Fkmikpcg.exe 4544 Fpiacgbo.exe 2484 Fdemdf32.exe 1936 Fgcjpa32.exe 3116 Fmmbmkqi.exe 3224 Gplnigpl.exe 1896 Ghcfjd32.exe 1852 Gakjcjgo.exe 4912 Ghecpd32.exe 808 Gifogldj.exe 1792 Ganghiel.exe 4960 Gdlcdedp.exe 488 Ggjpqpcd.exe 404 Gndhmjjq.exe 668 Gpcdifjd.exe 368 Gkhhgoij.exe 2300 Gdqmpd32.exe 1364 Ggoilp32.exe 4536 Hniahj32.exe 2672 Hkmbbn32.exe 4756 Hagjohma.exe 3860 Hdefkcle.exe 5104 Haigdh32.exe 2908 Hpodedpg.exe 1652 Hhelfapi.exe 3028 Hnbdohnq.exe 2620 Hdllkbfm.exe 1096 Hkfdhm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kiamkolf.dll Nankkk32.exe File opened for modification C:\Windows\SysWOW64\Bcnbjgej.exe Bkgjhjdg.exe File created C:\Windows\SysWOW64\Cjammp32.exe Coliog32.exe File created C:\Windows\SysWOW64\Nfmbocik.dll Emlbkg32.exe File opened for modification C:\Windows\SysWOW64\Lbjaiqpg.exe Ljcjgcpe.exe File created C:\Windows\SysWOW64\Fgcjpa32.exe Fdemdf32.exe File opened for modification C:\Windows\SysWOW64\Mbahipjo.exe Mnflia32.exe File opened for modification C:\Windows\SysWOW64\Mnhhnq32.exe Mljlbe32.exe File created C:\Windows\SysWOW64\Obfjkmhg.exe Okpbjoge.exe File opened for modification C:\Windows\SysWOW64\Dhijmh32.exe Dmcfpo32.exe File opened for modification C:\Windows\SysWOW64\Dinpnkcl.exe Cfpdbpdh.exe File created C:\Windows\SysWOW64\Poekbg32.dll Dpjeqehf.exe File created C:\Windows\SysWOW64\Dkfglnmn.dll Epchgd32.exe File created C:\Windows\SysWOW64\Ofpbncoj.dll Gihebeol.exe File created C:\Windows\SysWOW64\Ajjnecif.exe Aacfdfhd.exe File created C:\Windows\SysWOW64\Dmcfpo32.exe Dhgngh32.exe File created C:\Windows\SysWOW64\Glmecj32.dll Jjedohjg.exe File created C:\Windows\SysWOW64\Pichdd32.exe Pehldefe.exe File opened for modification C:\Windows\SysWOW64\Djpinnhl.exe Dpjeqehf.exe File opened for modification C:\Windows\SysWOW64\Dajien32.exe Dmomdpkk.exe File created C:\Windows\SysWOW64\Edldha32.dll Fhnmoedd.exe File created C:\Windows\SysWOW64\Lbhecabj.exe Ljambcag.exe File created C:\Windows\SysWOW64\Oobdkmif.exe Olchoajb.exe File created C:\Windows\SysWOW64\Bjhjfa32.exe Bfmnfbdm.exe File created C:\Windows\SysWOW64\Blggbm32.exe Bjhjfa32.exe File created C:\Windows\SysWOW64\Lhbbbj32.dll Bjmdaqha.exe File opened for modification C:\Windows\SysWOW64\Ebijcn32.exe Epkngc32.exe File created C:\Windows\SysWOW64\Eicjkodp.exe Efemocel.exe File created C:\Windows\SysWOW64\Fbggelmg.exe Fddfip32.exe File created C:\Windows\SysWOW64\Flkbbbhm.exe Filefgii.exe File created C:\Windows\SysWOW64\Himome32.exe Hgnbai32.exe 
File opened for modification C:\Windows\SysWOW64\Nigpbh32.exe Napgqk32.exe File created C:\Windows\SysWOW64\Llcfaffg.exe Lidjekgd.exe File created C:\Windows\SysWOW64\Ohamba32.dll Mnhhnq32.exe File created C:\Windows\SysWOW64\Pdeejjbq.dll Efgcjmpm.exe File opened for modification C:\Windows\SysWOW64\Fpfnca32.exe Flkbbbhm.exe File created C:\Windows\SysWOW64\Nckjlh32.dll Iabjjfbd.exe File opened for modification C:\Windows\SysWOW64\Inndjg32.exe Igdknmmf.exe File created C:\Windows\SysWOW64\Igfhclkd.exe Ihchhp32.exe File created C:\Windows\SysWOW64\Ghecpd32.exe Gakjcjgo.exe File created C:\Windows\SysWOW64\Jhmknn32.exe Jngfqe32.exe File opened for modification C:\Windows\SysWOW64\Lbfhna32.exe Lklpagmp.exe File opened for modification C:\Windows\SysWOW64\Aacfdfhd.exe Aoejhjiq.exe File created C:\Windows\SysWOW64\Jojghbfa.dll Bfmnfbdm.exe File opened for modification C:\Windows\SysWOW64\Dklmjgbp.exe Dinpnkcl.exe File created C:\Windows\SysWOW64\Epmkmb32.exe Emooag32.exe File created C:\Windows\SysWOW64\Fkhcmiii.dll Emklpn32.exe File created C:\Windows\SysWOW64\Onhjakke.dll Gndhmjjq.exe File opened for modification C:\Windows\SysWOW64\Oaqqghhj.exe Oobdkmif.exe File opened for modification C:\Windows\SysWOW64\Dmqbpiem.exe Dffjco32.exe File created C:\Windows\SysWOW64\Npojbnma.dll Dmfceoec.exe File created C:\Windows\SysWOW64\Mjjghfeb.dll Jqhpbq32.exe File created C:\Windows\SysWOW64\Gkhalhfo.exe Gglelj32.exe File created C:\Windows\SysWOW64\Hnbdohnq.exe Hhelfapi.exe File created C:\Windows\SysWOW64\Aheffhdh.dll Niilghel.exe File opened for modification C:\Windows\SysWOW64\Efnpcn32.exe Epchgd32.exe File created C:\Windows\SysWOW64\Cpgjaf32.dll Hldnpo32.exe File created C:\Windows\SysWOW64\Jjgeoc32.dll Lekkjl32.exe File created C:\Windows\SysWOW64\Eilejmpc.dll Jgnndk32.exe File created C:\Windows\SysWOW64\Akoegn32.dll Bbhhfcfl.exe File created C:\Windows\SysWOW64\Dklmjgbp.exe Dinpnkcl.exe File opened for modification C:\Windows\SysWOW64\Fpdana32.exe Fmeeaf32.exe File 
created C:\Windows\SysWOW64\Fkmikpcg.exe Fhnmoedd.exe File created C:\Windows\SysWOW64\Fmeeaf32.exe Fijiag32.exe -
Program crash 1 IoCs
pid: 9228, pid_target: 8936, Process: WerFault.exe, procid_target: 444
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpdbpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjelpkfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpqdmco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihchhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkpen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdglfmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inndjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emabamkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpdph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmnfbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcoei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfglqjak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emklpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albmgmpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmbmkqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjaiqpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phaoea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfnnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpehhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggoilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpodedpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjgfg32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljlbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbdmfmjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmkepbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoggmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejjcocdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efbjom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Magejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knomadfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obfjkmhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaecie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indjja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epihli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganghiel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngfqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mncocaci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alpqbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edinhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibgcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keheno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blggbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himome32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Fgopebma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naealjbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhoihd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlelnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdefkcle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglkeihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbqpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdana32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpfnca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlcdedp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkakp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfnaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coliog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmkmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihlkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjnofjni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjqklilf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgldqkb.dll" Minmli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qieejd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbcokc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpqdmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfnca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekacnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjnce32.dll" Lgpdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bibabmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklmjgbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebdahonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhnmoedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obpepdco.dll" Jdmebp32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopgnhdf.dll" Knlpldhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikicdjfi.dll" Nhhchepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmbfnkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipbffm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbldgi32.dll" Iaefpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdafoo32.dll" Qkgaalcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmnmcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glindq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghecpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obfjkmhg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhcjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohjidbpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcnici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdmh32.dll" Bbcokc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcfhlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjemfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimiij32.dll" Coofeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdglfmfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igfhclkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdina32.dll" Oopgfmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfjapcfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbnmek32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dppefk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Neigljah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkhhgoij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clamioea.dll" | Hagjohma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oielcfko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phmejbnd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aajldebl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fihlkh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emabamkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gplnigpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oeefghgk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kglkeihl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aoejhjiq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efemocel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdqmpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcgcbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajjnecif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbaklana.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbmkhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqndlefa.dll" | Hgnbai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emhpkncq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jncmefpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lefaolam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Infgoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpniea32.dll" | Dhgngh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijnh32.dll" | Gdqmpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Magejl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ohfoic32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2560 wrote to memory of 4432 | 2560 | f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92.exe | 83
PID 2560 wrote to memory of 4432 | 2560 | f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92.exe | 83
PID 2560 wrote to memory of 4432 | 2560 | f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92.exe | 83
PID 4432 wrote to memory of 1868 | 4432 | Dcfhlj32.exe | 84
PID 4432 wrote to memory of 1868 | 4432 | Dcfhlj32.exe | 84
PID 4432 wrote to memory of 1868 | 4432 | Dcfhlj32.exe | 84
PID 1868 wrote to memory of 4208 | 1868 | Dfedhe32.exe | 85
PID 1868 wrote to memory of 4208 | 1868 | Dfedhe32.exe | 85
PID 1868 wrote to memory of 4208 | 1868 | Dfedhe32.exe | 85
PID 4208 wrote to memory of 2352 | 4208 | Dmomdpkk.exe | 86
PID 4208 wrote to memory of 2352 | 4208 | Dmomdpkk.exe | 86
PID 4208 wrote to memory of 2352 | 4208 | Dmomdpkk.exe | 86
PID 2352 wrote to memory of 4596 | 2352 | Dajien32.exe | 87
PID 2352 wrote to memory of 4596 | 2352 | Dajien32.exe | 87
PID 2352 wrote to memory of 4596 | 2352 | Dajien32.exe | 87
PID 4596 wrote to memory of 3664 | 4596 | Dcieaj32.exe | 89
PID 4596 wrote to memory of 3664 | 4596 | Dcieaj32.exe | 89
PID 4596 wrote to memory of 3664 | 4596 | Dcieaj32.exe | 89
PID 3664 wrote to memory of 5072 | 3664 | Diemiqqp.exe | 90
PID 3664 wrote to memory of 5072 | 3664 | Diemiqqp.exe | 90
PID 3664 wrote to memory of 5072 | 3664 | Diemiqqp.exe | 90
PID 5072 wrote to memory of 4064 | 5072 | Dppefk32.exe | 91
PID 5072 wrote to memory of 4064 | 5072 | Dppefk32.exe | 91
PID 5072 wrote to memory of 4064 | 5072 | Dppefk32.exe | 91
PID 4064 wrote to memory of 1828 | 4064 | Dhgngh32.exe | 92
PID 4064 wrote to memory of 1828 | 4064 | Dhgngh32.exe | 92
PID 4064 wrote to memory of 1828 | 4064 | Dhgngh32.exe | 92
PID 1828 wrote to memory of 2596 | 1828 | Dmcfpo32.exe | 93
PID 1828 wrote to memory of 2596 | 1828 | Dmcfpo32.exe | 93
PID 1828 wrote to memory of 2596 | 1828 | Dmcfpo32.exe | 93
PID 2596 wrote to memory of 2692 | 2596 | Dhijmh32.exe | 94
PID 2596 wrote to memory of 2692 | 2596 | Dhijmh32.exe | 94
PID 2596 wrote to memory of 2692 | 2596 | Dhijmh32.exe | 94
PID 2692 wrote to memory of 2760 | 2692 | Dmfceoec.exe | 95
PID 2692 wrote to memory of 2760 | 2692 | Dmfceoec.exe | 95
PID 2692 wrote to memory of 2760 | 2692 | Dmfceoec.exe | 95
PID 2760 wrote to memory of 3052 | 2760 | Edpkbi32.exe | 96
PID 2760 wrote to memory of 3052 | 2760 | Edpkbi32.exe | 96
PID 2760 wrote to memory of 3052 | 2760 | Edpkbi32.exe | 96
PID 3052 wrote to memory of 4112 | 3052 | Ejjcocdm.exe | 97
PID 3052 wrote to memory of 4112 | 3052 | Ejjcocdm.exe | 97
PID 3052 wrote to memory of 4112 | 3052 | Ejjcocdm.exe | 97
PID 4112 wrote to memory of 1236 | 4112 | Emhpkncq.exe | 98
PID 4112 wrote to memory of 1236 | 4112 | Emhpkncq.exe | 98
PID 4112 wrote to memory of 1236 | 4112 | Emhpkncq.exe | 98
PID 1236 wrote to memory of 2276 | 1236 | Ehnchgbf.exe | 99
PID 1236 wrote to memory of 2276 | 1236 | Ehnchgbf.exe | 99
PID 1236 wrote to memory of 2276 | 1236 | Ehnchgbf.exe | 99
PID 2276 wrote to memory of 4336 | 2276 | Efqdcd32.exe | 100
PID 2276 wrote to memory of 4336 | 2276 | Efqdcd32.exe | 100
PID 2276 wrote to memory of 4336 | 2276 | Efqdcd32.exe | 100
PID 4336 wrote to memory of 4832 | 4336 | Emklpn32.exe | 101
PID 4336 wrote to memory of 4832 | 4336 | Emklpn32.exe | 101
PID 4336 wrote to memory of 4832 | 4336 | Emklpn32.exe | 101
PID 4832 wrote to memory of 1644 | 4832 | Epihli32.exe | 102
PID 4832 wrote to memory of 1644 | 4832 | Epihli32.exe | 102
PID 4832 wrote to memory of 1644 | 4832 | Epihli32.exe | 102
PID 1644 wrote to memory of 1304 | 1644 | Ejomjb32.exe | 103
PID 1644 wrote to memory of 1304 | 1644 | Ejomjb32.exe | 103
PID 1644 wrote to memory of 1304 | 1644 | Ejomjb32.exe | 103
PID 1304 wrote to memory of 3748 | 1304 | Emmifn32.exe | 104
PID 1304 wrote to memory of 3748 | 1304 | Emmifn32.exe | 104
PID 1304 wrote to memory of 3748 | 1304 | Emmifn32.exe | 104
PID 3748 wrote to memory of 932 | 3748 | Epkebi32.exe | 105
Processes
Process tree (the number is the nesting depth: each process is a child of the one listed before it)
1. C:\Users\Admin\AppData\Local\Temp\f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92.exe, command line "C:\Users\Admin\AppData\Local\Temp\f1ce60e2e72e39bbe932ae14c53dcd46ede9703ed318e908c25b36b56fd56d92.exe", PID 2560
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Dcfhlj32.exe, command line C:\Windows\system32\Dcfhlj32.exe, PID 4432
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Dfedhe32.exe, command line C:\Windows\system32\Dfedhe32.exe, PID 1868
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Dmomdpkk.exe, command line C:\Windows\system32\Dmomdpkk.exe, PID 4208
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Dajien32.exe, command line C:\Windows\system32\Dajien32.exe, PID 2352
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dcieaj32.exe, command line C:\Windows\system32\Dcieaj32.exe, PID 4596
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Diemiqqp.exe, command line C:\Windows\system32\Diemiqqp.exe, PID 3664
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dppefk32.exe, command line C:\Windows\system32\Dppefk32.exe, PID 5072
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dhgngh32.exe, command line C:\Windows\system32\Dhgngh32.exe, PID 4064
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dmcfpo32.exe, command line C:\Windows\system32\Dmcfpo32.exe, PID 1828
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Dhijmh32.exe, command line C:\Windows\system32\Dhijmh32.exe, PID 2596
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Dmfceoec.exe, command line C:\Windows\system32\Dmfceoec.exe, PID 2692
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Edpkbi32.exe, command line C:\Windows\system32\Edpkbi32.exe, PID 2760
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ejjcocdm.exe, command line C:\Windows\system32\Ejjcocdm.exe, PID 3052
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Emhpkncq.exe, command line C:\Windows\system32\Emhpkncq.exe, PID 4112
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ehnchgbf.exe, command line C:\Windows\system32\Ehnchgbf.exe, PID 1236
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Efqdcd32.exe, command line C:\Windows\system32\Efqdcd32.exe, PID 2276
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Emklpn32.exe, command line C:\Windows\system32\Emklpn32.exe, PID 4336
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Epihli32.exe, command line C:\Windows\system32\Epihli32.exe, PID 4832
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ejomjb32.exe, command line C:\Windows\system32\Ejomjb32.exe, PID 1644
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Emmifn32.exe, command line C:\Windows\system32\Emmifn32.exe, PID 1304
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Epkebi32.exe, command line C:\Windows\system32\Epkebi32.exe, PID 3748
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Efemocel.exe, command line C:\Windows\system32\Efemocel.exe, PID 932
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
24. C:\Windows\SysWOW64\Eicjkodp.exe, command line C:\Windows\system32\Eicjkodp.exe, PID 1336
- Executes dropped EXE
25. C:\Windows\SysWOW64\Eakall32.exe, command line C:\Windows\system32\Eakall32.exe, PID 3564
- Executes dropped EXE
26. C:\Windows\SysWOW64\Edinhg32.exe, command line C:\Windows\system32\Edinhg32.exe, PID 180
- Executes dropped EXE
- System Location Discovery: System Language Discovery
27. C:\Windows\SysWOW64\Efhjdc32.exe, command line C:\Windows\system32\Efhjdc32.exe, PID 3340
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
28. C:\Windows\SysWOW64\Emabamkf.exe, command line C:\Windows\system32\Emabamkf.exe, PID 4780
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
29. C:\Windows\SysWOW64\Fppomhjj.exe, command line C:\Windows\system32\Fppomhjj.exe, PID 3092
- Executes dropped EXE
30. C:\Windows\SysWOW64\Fhgfnfjl.exe, command line C:\Windows\system32\Fhgfnfjl.exe, PID 1196
- Executes dropped EXE
31. C:\Windows\SysWOW64\Fihcfn32.exe, command line C:\Windows\system32\Fihcfn32.exe, PID 1880
- Executes dropped EXE
32. C:\Windows\SysWOW64\Fapkgk32.exe, command line C:\Windows\system32\Fapkgk32.exe, PID 4308
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
33. C:\Windows\SysWOW64\Fhicde32.exe, command line C:\Windows\system32\Fhicde32.exe, PID 4508
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
34. C:\Windows\SysWOW64\Fpehhh32.exe, command line C:\Windows\system32\Fpehhh32.exe, PID 456
- Executes dropped EXE
- System Location Discovery: System Language Discovery
35. C:\Windows\SysWOW64\Fgopebma.exe, command line C:\Windows\system32\Fgopebma.exe, PID 704
- Executes dropped EXE
- System Location Discovery: System Language Discovery
36. C:\Windows\SysWOW64\Fpgdng32.exe, command line C:\Windows\system32\Fpgdng32.exe, PID 3500
- Executes dropped EXE
37. C:\Windows\SysWOW64\Fhnmoedd.exe, command line C:\Windows\system32\Fhnmoedd.exe, PID 3688
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
38. C:\Windows\SysWOW64\Fkmikpcg.exe, command line C:\Windows\system32\Fkmikpcg.exe, PID 2996
- Executes dropped EXE
39. C:\Windows\SysWOW64\Fpiacgbo.exe, command line C:\Windows\system32\Fpiacgbo.exe, PID 4544
- Executes dropped EXE
40. C:\Windows\SysWOW64\Fdemdf32.exe, command line C:\Windows\system32\Fdemdf32.exe, PID 2484
- Executes dropped EXE
- Drops file in System32 directory
41. C:\Windows\SysWOW64\Fgcjpa32.exe, command line C:\Windows\system32\Fgcjpa32.exe, PID 1936
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
42. C:\Windows\SysWOW64\Fmmbmkqi.exe, command line C:\Windows\system32\Fmmbmkqi.exe, PID 3116
- Executes dropped EXE
- System Location Discovery: System Language Discovery
43. C:\Windows\SysWOW64\Gplnigpl.exe, command line C:\Windows\system32\Gplnigpl.exe, PID 3224
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
44. C:\Windows\SysWOW64\Ghcfjd32.exe, command line C:\Windows\system32\Ghcfjd32.exe, PID 1896
- Executes dropped EXE
45. C:\Windows\SysWOW64\Gakjcjgo.exe, command line C:\Windows\system32\Gakjcjgo.exe, PID 1852
- Executes dropped EXE
- Drops file in System32 directory
46. C:\Windows\SysWOW64\Ghecpd32.exe, command line C:\Windows\system32\Ghecpd32.exe, PID 4912
- Executes dropped EXE
- Modifies registry class
47. C:\Windows\SysWOW64\Gifogldj.exe, command line C:\Windows\system32\Gifogldj.exe, PID 808
- Executes dropped EXE
48. C:\Windows\SysWOW64\Ganghiel.exe, command line C:\Windows\system32\Ganghiel.exe, PID 1792
- Executes dropped EXE
- System Location Discovery: System Language Discovery
49. C:\Windows\SysWOW64\Gdlcdedp.exe, command line C:\Windows\system32\Gdlcdedp.exe, PID 4960
- Executes dropped EXE
- System Location Discovery: System Language Discovery
50. C:\Windows\SysWOW64\Ggjpqpcd.exe, command line C:\Windows\system32\Ggjpqpcd.exe, PID 488
- Executes dropped EXE
51. C:\Windows\SysWOW64\Gndhmjjq.exe, command line C:\Windows\system32\Gndhmjjq.exe, PID 404
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
52. C:\Windows\SysWOW64\Gpcdifjd.exe, command line C:\Windows\system32\Gpcdifjd.exe, PID 668
- Executes dropped EXE
53. C:\Windows\SysWOW64\Gkhhgoij.exe, command line C:\Windows\system32\Gkhhgoij.exe, PID 368
- Executes dropped EXE
- Modifies registry class
54. C:\Windows\SysWOW64\Gdqmpd32.exe, command line C:\Windows\system32\Gdqmpd32.exe, PID 2300
- Executes dropped EXE
- Modifies registry class
55. C:\Windows\SysWOW64\Ggoilp32.exe, command line C:\Windows\system32\Ggoilp32.exe, PID 1364
- Executes dropped EXE
- System Location Discovery: System Language Discovery
56. C:\Windows\SysWOW64\Hniahj32.exe, command line C:\Windows\system32\Hniahj32.exe, PID 4536
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
57. C:\Windows\SysWOW64\Hkmbbn32.exe, command line C:\Windows\system32\Hkmbbn32.exe, PID 2672
- Executes dropped EXE
58. C:\Windows\SysWOW64\Hagjohma.exe, command line C:\Windows\system32\Hagjohma.exe, PID 4756
- Executes dropped EXE
- Modifies registry class
59. C:\Windows\SysWOW64\Hdefkcle.exe, command line C:\Windows\system32\Hdefkcle.exe, PID 3860
- Executes dropped EXE
- System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Haigdh32.exe, command line C:\Windows\system32\Haigdh32.exe, PID 5104
- Executes dropped EXE
61. C:\Windows\SysWOW64\Hpodedpg.exe, command line C:\Windows\system32\Hpodedpg.exe, PID 2908
- Executes dropped EXE
- System Location Discovery: System Language Discovery
62. C:\Windows\SysWOW64\Hhelfapi.exe, command line C:\Windows\system32\Hhelfapi.exe, PID 1652
- Executes dropped EXE
- Drops file in System32 directory
63. C:\Windows\SysWOW64\Hnbdohnq.exe, command line C:\Windows\system32\Hnbdohnq.exe, PID 3028
- Executes dropped EXE
64. C:\Windows\SysWOW64\Hdllkbfm.exe, command line C:\Windows\system32\Hdllkbfm.exe, PID 2620
- Executes dropped EXE
65. C:\Windows\SysWOW64\Hkfdhm32.exe, command line C:\Windows\system32\Hkfdhm32.exe, PID 1096
- Executes dropped EXE
66. C:\Windows\SysWOW64\Iapmegdg.exe, command line C:\Windows\system32\Iapmegdg.exe, PID 4760
67. C:\Windows\SysWOW64\Ingnjh32.exe, command line C:\Windows\system32\Ingnjh32.exe, PID 2632
68. C:\Windows\SysWOW64\Iabjjfbd.exe, command line C:\Windows\system32\Iabjjfbd.exe, PID 1768
- Drops file in System32 directory
69. C:\Windows\SysWOW64\Ikknclie.exe, command line C:\Windows\system32\Ikknclie.exe, PID 4156
70. C:\Windows\SysWOW64\Iaefpf32.exe, command line C:\Windows\system32\Iaefpf32.exe, PID 4364
- Modifies registry class
71. C:\Windows\SysWOW64\Ikmkilgb.exe, command line C:\Windows\system32\Ikmkilgb.exe, PID 3144
72. C:\Windows\SysWOW64\Ibgcef32.exe, command line C:\Windows\system32\Ibgcef32.exe, PID 1376
- System Location Discovery: System Language Discovery
73. C:\Windows\SysWOW64\Igdknmmf.exe, command line C:\Windows\system32\Igdknmmf.exe, PID 1976
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
74. C:\Windows\SysWOW64\Inndjg32.exe, command line C:\Windows\system32\Inndjg32.exe, PID 4668
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
75. C:\Windows\SysWOW64\Ihchhp32.exe, command line C:\Windows\system32\Ihchhp32.exe, PID 1624
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
76. C:\Windows\SysWOW64\Igfhclkd.exe, command line C:\Windows\system32\Igfhclkd.exe, PID 224
- Modifies registry class
77. C:\Windows\SysWOW64\Jjedohjg.exe, command line C:\Windows\system32\Jjedohjg.exe, PID 3292
- Drops file in System32 directory
78. C:\Windows\SysWOW64\Jdjimqjm.exe, command line C:\Windows\system32\Jdjimqjm.exe, PID 4576
79. C:\Windows\SysWOW64\Jgieil32.exe, command line C:\Windows\system32\Jgieil32.exe, PID 1668
- Modifies registry class
80. C:\Windows\SysWOW64\Jncmefpn.exe, command line C:\Windows\system32\Jncmefpn.exe, PID 4408
- Modifies registry class
81. C:\Windows\SysWOW64\Jqaiaaoa.exe, command line C:\Windows\system32\Jqaiaaoa.exe, PID 4104
82. C:\Windows\SysWOW64\Jdmebp32.exe, command line C:\Windows\system32\Jdmebp32.exe, PID 2972
- Modifies registry class
83. C:\Windows\SysWOW64\Jkgnojog.exe, command line C:\Windows\system32\Jkgnojog.exe, PID 4452
84. C:\Windows\SysWOW64\Jdobhp32.exe, command line C:\Windows\system32\Jdobhp32.exe, PID 2536
85. C:\Windows\SysWOW64\Jgnndk32.exe, command line C:\Windows\system32\Jgnndk32.exe, PID 5028
- Drops file in System32 directory
86. C:\Windows\SysWOW64\Jngfqe32.exe, command line C:\Windows\system32\Jngfqe32.exe, PID 4924
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
87. C:\Windows\SysWOW64\Jhmknn32.exe, command line C:\Windows\system32\Jhmknn32.exe, PID 2104
- Adds autorun key to be loaded by Explorer.exe on startup
88. C:\Windows\SysWOW64\Jkkgjj32.exe, command line C:\Windows\system32\Jkkgjj32.exe, PID 2956
89. C:\Windows\SysWOW64\Jqhpbq32.exe, command line C:\Windows\system32\Jqhpbq32.exe, PID 4908
- Drops file in System32 directory
90. C:\Windows\SysWOW64\Kjqdkfpj.exe, command line C:\Windows\system32\Kjqdkfpj.exe, PID 4556
91. C:\Windows\SysWOW64\Knlpldhc.exe, command line C:\Windows\system32\Knlpldhc.exe, PID 3296
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
92. C:\Windows\SysWOW64\Kqklhpgg.exe, command line C:\Windows\system32\Kqklhpgg.exe, PID 3496
93. C:\Windows\SysWOW64\Kiadimhi.exe, command line C:\Windows\system32\Kiadimhi.exe, PID 3376
94. C:\Windows\SysWOW64\Kjcqqf32.exe, command line C:\Windows\system32\Kjcqqf32.exe, PID 2088
95. C:\Windows\SysWOW64\Knomadfq.exe, command line C:\Windows\system32\Knomadfq.exe, PID 4304
- System Location Discovery: System Language Discovery
96. C:\Windows\SysWOW64\Keheno32.exe, command line C:\Windows\system32\Keheno32.exe, PID 2188
- System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Kggajj32.exe, command line C:\Windows\system32\Kggajj32.exe, PID 2284
- Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Kjemfe32.exe, command line C:\Windows\system32\Kjemfe32.exe, PID 232
- Modifies registry class
99. C:\Windows\SysWOW64\Kqoecp32.exe, command line C:\Windows\system32\Kqoecp32.exe, PID 1204
- Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Kekacnkk.exe, command line C:\Windows\system32\Kekacnkk.exe, PID 5000
- Modifies registry class
101. C:\Windows\SysWOW64\Kginpjjo.exe, command line C:\Windows\system32\Kginpjjo.exe, PID 2340
102. C:\Windows\SysWOW64\Kncflc32.exe, command line C:\Windows\system32\Kncflc32.exe, PID 5040
103. C:\Windows\SysWOW64\Kemninih.exe, command line C:\Windows\system32\Kemninih.exe, PID 2248
104. C:\Windows\SysWOW64\Kglkeihl.exe, command line C:\Windows\system32\Kglkeihl.exe, PID 1812
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
105. C:\Windows\SysWOW64\Kjjgadgp.exe, command line C:\Windows\system32\Kjjgadgp.exe, PID 5136
106. C:\Windows\SysWOW64\Kepkom32.exe, command line C:\Windows\system32\Kepkom32.exe, PID 5176
107. C:\Windows\SysWOW64\Lgngki32.exe, command line C:\Windows\system32\Lgngki32.exe, PID 5212
108. C:\Windows\SysWOW64\Ljlcgd32.exe, command line C:\Windows\system32\Ljlcgd32.exe, PID 5260
109. C:\Windows\SysWOW64\Lebhdm32.exe, command line C:\Windows\system32\Lebhdm32.exe, PID 5304
110. C:\Windows\SysWOW64\Lgpdph32.exe, command line C:\Windows\system32\Lgpdph32.exe, PID 5348
- System Location Discovery: System Language Discovery
- Modifies registry class
111. C:\Windows\SysWOW64\Lklpagmp.exe, command line C:\Windows\system32\Lklpagmp.exe, PID 5380
- Drops file in System32 directory
112. C:\Windows\SysWOW64\Lbfhna32.exe, command line C:\Windows\system32\Lbfhna32.exe, PID 5432
113. C:\Windows\SysWOW64\Lgbqfhbd.exe, command line C:\Windows\system32\Lgbqfhbd.exe, PID 5476
114. C:\Windows\SysWOW64\Ljambcag.exe, command line C:\Windows\system32\Ljambcag.exe, PID 5512
- Drops file in System32 directory
115. C:\Windows\SysWOW64\Lbhecabj.exe, command line C:\Windows\system32\Lbhecabj.exe, PID 5560
116. C:\Windows\SysWOW64\Lefaolam.exe, command line C:\Windows\system32\Lefaolam.exe, PID 5596
- Modifies registry class
117. C:\Windows\SysWOW64\Lgemkhpa.exe, command line C:\Windows\system32\Lgemkhpa.exe, PID 5648
- Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Ljcjgcpe.exe, command line C:\Windows\system32\Ljcjgcpe.exe, PID 5688
- Drops file in System32 directory
119. C:\Windows\SysWOW64\Lbjaiqpg.exe, command line C:\Windows\system32\Lbjaiqpg.exe, PID 5732
- System Location Discovery: System Language Discovery
120. C:\Windows\SysWOW64\Lidjekgd.exe, command line C:\Windows\system32\Lidjekgd.exe, PID 5768
- Drops file in System32 directory
121. C:\Windows\SysWOW64\Llcfaffg.exe, command line C:\Windows\system32\Llcfaffg.exe, PID 5812
122. C:\Windows\SysWOW64\Lbmnnp32.exe, command line C:\Windows\system32\Lbmnnp32.exe, PID 5856