Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15/09/2024, 03:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac68a28c63c9eed8f077b517d2b8d370N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ac68a28c63c9eed8f077b517d2b8d370N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ac68a28c63c9eed8f077b517d2b8d370N.exe
-
Size
64KB
-
MD5
ac68a28c63c9eed8f077b517d2b8d370
-
SHA1
f4cb602f62e8227efc77da13fa5cad4434a36aa7
-
SHA256
45e20d4e2c4f718f16e731b7065d3b7df45a344c8bdaf27f42dce84eccc7392a
-
SHA512
0d939121c57667b59645daf0d52393834b2a79a777b9167b132a7575bdf9f157b37c2314061374de7497285c536ca75efa5cbc8f47faede2a6ab5d769ee0fa2c
-
SSDEEP
1536:U2HwlmnYoYJjgYQhrWiuYSUk4pK8N0weO6XKhbMbt2:/H6mnsjkFPzk4pKeQO6Xjt2
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Melnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnqbanmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmngglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhjmiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdegandp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcagkdba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiidgeki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdina32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdckfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkhmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecandfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdeqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflcbngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icifbang.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjodl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifhaenk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofnckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqkgpedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcfhof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomakdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldoaklml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlcifmbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnebeogl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glebhjlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcddpdpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgmcnhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngmgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdifoehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmjdjgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbdmaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieolehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcddpdpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mplhql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenahpha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckjacjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liddbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekehdgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqhacgdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipknlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onjegled.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ac68a28c63c9eed8f077b517d2b8d370N.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghaliknf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgagbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifbang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofeilobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqkgpedc.exe -
Executes dropped EXE 64 IoCs
pid Process 1784 Ecmeig32.exe 4820 Ednaqo32.exe 4312 Ekhjmiad.exe 2472 Ecoangbg.exe 4848 Eemnjbaj.exe 1888 Ehljfnpn.exe 684 Ekjfcipa.exe 5100 Ecandfpd.exe 3956 Eadopc32.exe 4512 Ehnglm32.exe 3344 Fkmchi32.exe 2292 Fafkecel.exe 2296 Fdegandp.exe 5040 Fkopnh32.exe 4748 Fcfhof32.exe 2764 Ffddka32.exe 4916 Fhcpgmjf.exe 3156 Fomhdg32.exe 2788 Fakdpb32.exe 4500 Fdialn32.exe 5068 Flqimk32.exe 2516 Fckajehi.exe 1256 Ffimfqgm.exe 440 Fkffog32.exe 3112 Fbpnkama.exe 3160 Fdnjgmle.exe 1616 Glebhjlg.exe 4616 Gcojed32.exe 3632 Glhonj32.exe 964 Gcagkdba.exe 4396 Gfpcgpae.exe 2420 Gdcdbl32.exe 1520 Gmjlcj32.exe 2180 Gohhpe32.exe 4884 Gcddpdpo.exe 1468 Gdeqhl32.exe 2400 Ghaliknf.exe 1152 Gkoiefmj.exe 4860 Gcfqfc32.exe 2228 Gfembo32.exe 408 Gicinj32.exe 1620 Gkaejf32.exe 4740 Gomakdcp.exe 2368 Gcimkc32.exe 1144 Gdjjckag.exe 3920 Hmabdibj.exe 1632 Hkdbpe32.exe 4216 Hckjacjg.exe 224 Hfifmnij.exe 428 Hihbijhn.exe 3128 Hkfoeega.exe 3280 Hbpgbo32.exe 2560 Hflcbngh.exe 4796 Hijooifk.exe 2848 Hodgkc32.exe 924 Hbbdholl.exe 3396 Heapdjlp.exe 3184 Hmhhehlb.exe 3780 Hkkhqd32.exe 388 Hcbpab32.exe 4436 Hfqlnm32.exe 3448 Hmjdjgjo.exe 2096 Hkmefd32.exe 3108 Hbgmcnhf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ceqnmpfo.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Hbbhclmi.dll Gomakdcp.exe File created C:\Windows\SysWOW64\Hckjacjg.exe Hkdbpe32.exe File opened for modification C:\Windows\SysWOW64\Iiaephpc.exe Hfcicmqp.exe File opened for modification C:\Windows\SysWOW64\Lpcfkm32.exe Lmdina32.exe File created C:\Windows\SysWOW64\Kmcjho32.dll Npmagine.exe File created C:\Windows\SysWOW64\Chmhoe32.dll Ojjolnaq.exe File created C:\Windows\SysWOW64\Bmpcfdmg.exe Bgcknmop.exe File created C:\Windows\SysWOW64\Dmjocp32.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Cdfkolkf.exe Cagobalc.exe File opened for modification C:\Windows\SysWOW64\Ekjfcipa.exe Ehljfnpn.exe File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe Glhonj32.exe File created C:\Windows\SysWOW64\Lpcqcc32.dll Hflcbngh.exe File created C:\Windows\SysWOW64\Jefbfgig.exe Jpijnqkp.exe File opened for modification C:\Windows\SysWOW64\Ogpmjb32.exe Olkhmi32.exe File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe Bjddphlq.exe File created C:\Windows\SysWOW64\Dnieoofh.dll Ceqnmpfo.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Qghlmgij.dll Ghaliknf.exe File opened for modification C:\Windows\SysWOW64\Hkdbpe32.exe Hmabdibj.exe File created C:\Windows\SysWOW64\Kbceejpf.exe Kpeiioac.exe File opened for modification C:\Windows\SysWOW64\Ldjhpl32.exe Llcpoo32.exe File created C:\Windows\SysWOW64\Lgokmgjm.exe Ldanqkki.exe File created C:\Windows\SysWOW64\Mchqfb32.dll Mlcifmbl.exe File opened for modification C:\Windows\SysWOW64\Bnkgeg32.exe Bcebhoii.exe File opened for modification C:\Windows\SysWOW64\Heapdjlp.exe Hbbdholl.exe File created C:\Windows\SysWOW64\Kfankifm.exe Kpgfooop.exe File created C:\Windows\SysWOW64\Lljfpnjg.exe Likjcbkc.exe File created C:\Windows\SysWOW64\Nljofl32.exe Ngmgne32.exe File opened for modification C:\Windows\SysWOW64\Bcebhoii.exe Bjmnoi32.exe File created C:\Windows\SysWOW64\Ildkgc32.exe Iifokh32.exe File opened for modification C:\Windows\SysWOW64\Kpeiioac.exe Kmfmmcbo.exe File opened for modification C:\Windows\SysWOW64\Pjmehkqk.exe Pnfdcjkg.exe File created C:\Windows\SysWOW64\Qeobam32.dll Qffbbldm.exe File opened for modification C:\Windows\SysWOW64\Aqkgpedc.exe Ajanck32.exe File created C:\Windows\SysWOW64\Jdipdgch.dll Djgjlelk.exe File opened for modification C:\Windows\SysWOW64\Iemppiab.exe Ifjodl32.exe File opened for modification C:\Windows\SysWOW64\Ibqpimpl.exe Ipbdmaah.exe File opened for modification C:\Windows\SysWOW64\Lfkaag32.exe Ldleel32.exe File created C:\Windows\SysWOW64\Gfpcgpae.exe Gcagkdba.exe File created C:\Windows\SysWOW64\Jgbcdnbb.dll Gfembo32.exe File created C:\Windows\SysWOW64\Pjcbnbmg.dll Nggjdc32.exe File created C:\Windows\SysWOW64\Flgehc32.dll Chmndlge.exe File created C:\Windows\SysWOW64\Cfpnph32.exe Chmndlge.exe File opened for modification C:\Windows\SysWOW64\Eemnjbaj.exe Ecoangbg.exe File created C:\Windows\SysWOW64\Ffddka32.exe Fcfhof32.exe File created C:\Windows\SysWOW64\Hmabdibj.exe Gdjjckag.exe File created C:\Windows\SysWOW64\Lejfpelg.dll Hckjacjg.exe File created C:\Windows\SysWOW64\Dkcfedla.dll Heapdjlp.exe File created C:\Windows\SysWOW64\Qjkmdp32.dll Ndaggimg.exe File created C:\Windows\SysWOW64\Qffbbldm.exe Qddfkd32.exe File created C:\Windows\SysWOW64\Pnfdcjkg.exe Pdmpje32.exe File created C:\Windows\SysWOW64\Lfkgaokd.dll Fdegandp.exe File opened for modification C:\Windows\SysWOW64\Fcfhof32.exe Fkopnh32.exe File created C:\Windows\SysWOW64\Memcpg32.dll Jehokgge.exe File opened for modification C:\Windows\SysWOW64\Kbceejpf.exe Kpeiioac.exe File opened for modification C:\Windows\SysWOW64\Kmkfhc32.exe Kfankifm.exe File opened for modification C:\Windows\SysWOW64\Liddbc32.exe Lffhfh32.exe File created C:\Windows\SysWOW64\Opakbi32.exe Oncofm32.exe File created C:\Windows\SysWOW64\Lnlden32.dll Pdmpje32.exe File created C:\Windows\SysWOW64\Aoglcqao.dll Cenahpha.exe File created C:\Windows\SysWOW64\Poahbe32.dll Ddonekbl.exe File opened for modification C:\Windows\SysWOW64\Ednaqo32.exe Ecmeig32.exe File opened for modification C:\Windows\SysWOW64\Hkmefd32.exe Hmjdjgjo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7904 7768 WerFault.exe 332 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glebhjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhlejnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgfooop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojjolnaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chokikeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkifae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomakdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhjmiad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnjgmle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heapdjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imoneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcioiood.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpebpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iifokh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mibpda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdifoehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajanck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcagkdba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagobalc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmhhehlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfankifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffhfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggjdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmhck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcmom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpeiioac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkaag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Melnob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmehkqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcojed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlednamo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcebhoii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecoangbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbfgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlhfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpnph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakdpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbgmcnhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekehdgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqhacgdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejacond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaejf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldoaklml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffbbldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcbpab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgmngglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mplhql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opakbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogiicl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gicinj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedeph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmiciaaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqkgpedc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipknlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifbang.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfdcjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qceiaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecmeig32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahkcp.dll" Fkopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hihbijhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll" Afmhck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagobalc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 ac68a28c63c9eed8f077b517d2b8d370N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmenjlfh.dll" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heapdjlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llemdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndgjk32.dll" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djdmffnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcagkdba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkhqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdifoehl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdialn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfpcgpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofnckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofeilobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oncofm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbbdholl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlcifmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Melnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnebeogl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll" Ecmeig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ednaqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnaemnl.dll" Hkmefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laapnj32.dll" Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajanck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmhck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gicinj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll" Ndcdmikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndfqbhia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddonekbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhcpgmjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhcpgmjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll" Jedeph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmlpoqpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngmgne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknpmdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eadopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lffhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpebpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll" Jcioiood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll" Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opdghh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2728 wrote to memory of 1784 2728 ac68a28c63c9eed8f077b517d2b8d370N.exe 83 PID 2728 wrote to memory of 1784 2728 ac68a28c63c9eed8f077b517d2b8d370N.exe 83 PID 2728 wrote to memory of 1784 2728 ac68a28c63c9eed8f077b517d2b8d370N.exe 83 PID 1784 wrote to memory of 4820 1784 Ecmeig32.exe 84 PID 1784 wrote to memory of 4820 1784 Ecmeig32.exe 84 PID 1784 wrote to memory of 4820 1784 Ecmeig32.exe 84 PID 4820 wrote to memory of 4312 4820 Ednaqo32.exe 85 PID 4820 wrote to memory of 4312 4820 Ednaqo32.exe 85 PID 4820 wrote to memory of 4312 4820 Ednaqo32.exe 85 PID 4312 wrote to memory of 2472 4312 Ekhjmiad.exe 86 PID 4312 wrote to memory of 2472 4312 Ekhjmiad.exe 86 PID 4312 wrote to memory of 2472 4312 Ekhjmiad.exe 86 PID 2472 wrote to memory of 4848 2472 Ecoangbg.exe 87 PID 2472 wrote to memory of 4848 2472 Ecoangbg.exe 87 PID 2472 wrote to memory of 4848 2472 Ecoangbg.exe 87 PID 4848 wrote to memory of 1888 4848 Eemnjbaj.exe 88 PID 4848 wrote to memory of 1888 4848 Eemnjbaj.exe 88 PID 4848 wrote to memory of 1888 4848 Eemnjbaj.exe 88 PID 1888 wrote to memory of 684 1888 Ehljfnpn.exe 89 PID 1888 wrote to memory of 684 1888 Ehljfnpn.exe 89 PID 1888 wrote to memory of 684 1888 Ehljfnpn.exe 89 PID 684 wrote to memory of 5100 684 Ekjfcipa.exe 90 PID 684 wrote to memory of 5100 684 Ekjfcipa.exe 90 PID 684 wrote to memory of 5100 684 Ekjfcipa.exe 90 PID 5100 wrote to memory of 3956 5100 Ecandfpd.exe 92 PID 5100 wrote to memory of 3956 5100 Ecandfpd.exe 92 PID 5100 wrote to memory of 3956 5100 Ecandfpd.exe 92 PID 3956 wrote to memory of 4512 3956 Eadopc32.exe 93 PID 3956 wrote to memory of 4512 3956 Eadopc32.exe 93 PID 3956 wrote to memory of 4512 3956 Eadopc32.exe 93 PID 4512 wrote to memory of 3344 4512 Ehnglm32.exe 94 PID 4512 wrote to memory of 3344 4512 Ehnglm32.exe 94 PID 4512 wrote to memory of 3344 4512 Ehnglm32.exe 94 PID 3344 wrote to memory of 2292 3344 Fkmchi32.exe 95 PID 3344 wrote to memory of 2292 3344 Fkmchi32.exe 95 PID 3344 wrote to memory of 2292 3344 Fkmchi32.exe 95 PID 2292 wrote to memory of 2296 2292 Fafkecel.exe 96 PID 2292 wrote to memory of 2296 2292 Fafkecel.exe 96 PID 2292 wrote to memory of 2296 2292 Fafkecel.exe 96 PID 2296 wrote to memory of 5040 2296 Fdegandp.exe 97 PID 2296 wrote to memory of 5040 2296 Fdegandp.exe 97 PID 2296 wrote to memory of 5040 2296 Fdegandp.exe 97 PID 5040 wrote to memory of 4748 5040 Fkopnh32.exe 99 PID 5040 wrote to memory of 4748 5040 Fkopnh32.exe 99 PID 5040 wrote to memory of 4748 5040 Fkopnh32.exe 99 PID 4748 wrote to memory of 2764 4748 Fcfhof32.exe 100 PID 4748 wrote to memory of 2764 4748 Fcfhof32.exe 100 PID 4748 wrote to memory of 2764 4748 Fcfhof32.exe 100 PID 2764 wrote to memory of 4916 2764 Ffddka32.exe 101 PID 2764 wrote to memory of 4916 2764 Ffddka32.exe 101 PID 2764 wrote to memory of 4916 2764 Ffddka32.exe 101 PID 4916 wrote to memory of 3156 4916 Fhcpgmjf.exe 102 PID 4916 wrote to memory of 3156 4916 Fhcpgmjf.exe 102 PID 4916 wrote to memory of 3156 4916 Fhcpgmjf.exe 102 PID 3156 wrote to memory of 2788 3156 Fomhdg32.exe 103 PID 3156 wrote to memory of 2788 3156 Fomhdg32.exe 103 PID 3156 wrote to memory of 2788 3156 Fomhdg32.exe 103 PID 2788 wrote to memory of 4500 2788 Fakdpb32.exe 104 PID 2788 wrote to memory of 4500 2788 Fakdpb32.exe 104 PID 2788 wrote to memory of 4500 2788 Fakdpb32.exe 104 PID 4500 wrote to memory of 5068 4500 Fdialn32.exe 106 PID 4500 wrote to memory of 5068 4500 Fdialn32.exe 106 PID 4500 wrote to memory of 5068 4500 Fdialn32.exe 106 PID 5068 wrote to memory of 2516 5068 Flqimk32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac68a28c63c9eed8f077b517d2b8d370N.exe"C:\Users\Admin\AppData\Local\Temp\ac68a28c63c9eed8f077b517d2b8d370N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe23⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe25⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe26⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3160 -
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3632 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe33⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe35⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe39⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe40⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4740 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe45⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4216 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe50⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:428 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3280 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe55⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe56⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3396 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3184 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3780 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:388 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe62⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3448 -
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe66⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe67⤵PID:1704
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe69⤵PID:1080
-
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe70⤵PID:2220
-
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe71⤵
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\Icifbang.exeC:\Windows\system32\Icifbang.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3592 -
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3840 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe74⤵PID:992
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe75⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:464 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe77⤵PID:5104
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe79⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4336 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe81⤵
- Modifies registry class
PID:4656 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe82⤵PID:4852
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe83⤵
- System Location Discovery: System Language Discovery
PID:4364 -
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe84⤵PID:3492
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe85⤵PID:1064
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe86⤵PID:2900
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe87⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe88⤵
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe89⤵
- System Location Discovery: System Language Discovery
PID:4524 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe90⤵PID:2000
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe91⤵PID:3104
-
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe92⤵
- Drops file in System32 directory
PID:4520 -
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe95⤵
- System Location Discovery: System Language Discovery
PID:5144 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe97⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe98⤵PID:5280
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe100⤵PID:5368
-
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5412 -
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe102⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5500 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe104⤵PID:5536
-
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5588 -
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5632 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe107⤵PID:5680
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe108⤵PID:5724
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe109⤵PID:5768
-
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe110⤵PID:5812
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe111⤵PID:5856
-
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5900 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5988 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe115⤵
- Drops file in System32 directory
PID:6032 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe116⤵PID:6076
-
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6120 -
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe118⤵
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe119⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe120⤵
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe121⤵PID:5464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-