Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 00:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d.exe
-
Size
78KB
-
MD5
5cc02d11c0c3545ca662411bb3d8668d
-
SHA1
53a979a3e3f0048c3e798d1432724829e6516b90
-
SHA256
8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d
-
SHA512
ebb9a5662244822c57704eecbef5fd2855119d00e7e44afab80f3c53c7b0c3f327b8463500ce861d1798df2ed23b32763e9f463bad0fa11ffdcbbbfb93b2d88c
-
SSDEEP
1536:evOP1TAD9z6rYJr7w1yt87g5xmIBP6VQAjfBiVtN+zL20gJi1ie:eL9z6cRsnqSqAjfBiVtgzL20WKt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqphfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbkkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhkbfme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecefqnel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqikmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknobkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albpkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfiplog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjillkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbelcblk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imgicgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncnob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkchelci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olfghg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafppp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdnbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcaknbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiiicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdoacabq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmmeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifeab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onnmdcjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkffkhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albpkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ackbmcjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakbehfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfiplog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacmdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdqfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cimmggfl.exe -
Executes dropped EXE 64 IoCs
pid Process 3504 Lbinam32.exe 2748 Licfngjd.exe 4348 Ljdceo32.exe 32 Lbkkgl32.exe 3480 Lejgch32.exe 2792 Lldopb32.exe 4008 Lbngllob.exe 1912 Lihpif32.exe 932 Ljilqnlm.exe 3360 Lbpdblmo.exe 4580 Leopnglc.exe 4824 Lijlof32.exe 2596 Llhikacp.exe 5000 Mngegmbc.exe 4168 Mbbagk32.exe 1620 Milidebi.exe 3392 Miofjepg.exe 4364 Mlmbfqoj.exe 4468 Majjng32.exe 1344 Miaboe32.exe 964 Mnnkgl32.exe 440 Mehcdfch.exe 1688 Mjellmbp.exe 2956 Mhilfa32.exe 3048 Naaqofgj.exe 4752 Nlfelogp.exe 4868 Nacmdf32.exe 1060 Nliaao32.exe 2440 Nbcjnilj.exe 4028 Neafjdkn.exe 4416 Nknobkje.exe 1412 Neccpd32.exe 384 Nlnkmnah.exe 5060 Nbgcih32.exe 796 Niakfbpa.exe 60 Nlphbnoe.exe 468 Oondnini.exe 2160 Oehlkc32.exe 4948 Olbdhn32.exe 3748 Ooqqdi32.exe 3816 Oaompd32.exe 3632 Oifeab32.exe 2888 Okgaijaj.exe 752 Oaajed32.exe 1316 Ohkbbn32.exe 4744 Ooejohhq.exe 4696 Obafpg32.exe 236 Oiknlagg.exe 920 Oohgdhfn.exe 604 Oimkbaed.exe 1264 Pcepkfld.exe 732 Phbhcmjl.exe 3688 Pchlpfjb.exe 4084 Pefhlaie.exe 5076 Pcjiff32.exe 3428 Peieba32.exe 3536 Phganm32.exe 5064 Pkenjh32.exe 3660 Papfgbmg.exe 1676 Plejdkmm.exe 3760 Pkhjph32.exe 2452 Piijno32.exe 3764 Qadoba32.exe 1308 Qikgco32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pdnjmc32.dll Lddgmbpb.exe File created C:\Windows\SysWOW64\Olfghg32.exe Odoogi32.exe File created C:\Windows\SysWOW64\Pagbaglh.exe Pjmjdm32.exe File created C:\Windows\SysWOW64\Elkllcbh.dll Dodjjimm.exe File created C:\Windows\SysWOW64\Oaompd32.exe Ooqqdi32.exe File created C:\Windows\SysWOW64\Gengje32.dll Pehngkcg.exe File opened for modification C:\Windows\SysWOW64\Popbpqjh.exe Plbfdekd.exe File opened for modification C:\Windows\SysWOW64\Pfiddm32.exe Phfcipoo.exe File opened for modification C:\Windows\SysWOW64\Mebcop32.exe Mnhkbfme.exe File opened for modification C:\Windows\SysWOW64\Oeehkn32.exe Nnkpnclp.exe File created C:\Windows\SysWOW64\Jlgkbp32.dll Pcjiff32.exe File created C:\Windows\SysWOW64\Fbjmhh32.exe Fplpll32.exe File opened for modification C:\Windows\SysWOW64\Koaagkcb.exe Kpoalo32.exe File created C:\Windows\SysWOW64\Kpanan32.exe Kncaec32.exe File created C:\Windows\SysWOW64\Lqkqhm32.exe Lnldla32.exe File created C:\Windows\SysWOW64\Ejphhm32.dll Amlogfel.exe File created C:\Windows\SysWOW64\Mamjbp32.dll Nlfnaicd.exe File created C:\Windows\SysWOW64\Khblgpag.dll Dkokcl32.exe File created C:\Windows\SysWOW64\Aooold32.dll Lckiihok.exe File created C:\Windows\SysWOW64\Bljlpjaf.dll Bdagpnbk.exe File created C:\Windows\SysWOW64\Neiqnh32.dll Bafndi32.exe File opened for modification C:\Windows\SysWOW64\Mngegmbc.exe Llhikacp.exe File opened for modification C:\Windows\SysWOW64\Mehcdfch.exe Mnnkgl32.exe File created C:\Windows\SysWOW64\Fmpbnihe.dll Ahgjejhd.exe File created C:\Windows\SysWOW64\Dpcpem32.dll Hcpojd32.exe File opened for modification C:\Windows\SysWOW64\Hbjoeojc.exe Hlpfhe32.exe File created C:\Windows\SysWOW64\Cmflbf32.exe Cijpahho.exe File created C:\Windows\SysWOW64\Djhimica.exe Dflmlj32.exe File created C:\Windows\SysWOW64\Cocacl32.exe Chiigadc.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jiiicf32.exe File created C:\Windows\SysWOW64\Pjkakfla.dll Lcdciiec.exe File created C:\Windows\SysWOW64\Dgcaaddl.dll Neafjdkn.exe File created C:\Windows\SysWOW64\Jcikgacl.exe Jlobkg32.exe File created C:\Windows\SysWOW64\Emanjldl.exe Efgemb32.exe File created C:\Windows\SysWOW64\Hibjli32.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Kjeiodek.exe Kgflcifg.exe File opened for modification C:\Windows\SysWOW64\Nclikl32.exe Mmbanbmg.exe File created C:\Windows\SysWOW64\Bjqlnnkp.dll Eiloco32.exe File created C:\Windows\SysWOW64\Eiokinbk.exe Eecphp32.exe File created C:\Windows\SysWOW64\Cacckp32.exe Coegoe32.exe File opened for modification C:\Windows\SysWOW64\Nqmfdj32.exe Mfhbga32.exe File opened for modification C:\Windows\SysWOW64\Pcjiff32.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Hgfnoiid.dll Jgbjbp32.exe File created C:\Windows\SysWOW64\Pqknpl32.dll Hfcnpn32.exe File opened for modification C:\Windows\SysWOW64\Cgnomg32.exe Cdpcal32.exe File created C:\Windows\SysWOW64\Jlmcka32.dll Hpofii32.exe File created C:\Windows\SysWOW64\Ghoqak32.dll Omgcpokp.exe File created C:\Windows\SysWOW64\Dejncidp.dll Ddnfmqng.exe File created C:\Windows\SysWOW64\Lnkapdda.dll Afinioip.exe File opened for modification C:\Windows\SysWOW64\Gpcfmkff.exe Gmdjapgb.exe File created C:\Windows\SysWOW64\Ldgccb32.exe Lmpkadnm.exe File opened for modification C:\Windows\SysWOW64\Lggldm32.exe Ldipha32.exe File created C:\Windows\SysWOW64\Apjkcadp.exe Amlogfel.exe File created C:\Windows\SysWOW64\Fnpeoe32.dll Bheffh32.exe File created C:\Windows\SysWOW64\Jofill32.dll Glcaambb.exe File opened for modification C:\Windows\SysWOW64\Lgccinoe.exe Lddgmbpb.exe File created C:\Windows\SysWOW64\Aehgnied.exe Aonoao32.exe File created C:\Windows\SysWOW64\Bakgoh32.exe Bkaobnio.exe File opened for modification C:\Windows\SysWOW64\Bphgeo32.exe Bmjkic32.exe File created C:\Windows\SysWOW64\Nliaao32.exe Nacmdf32.exe File created C:\Windows\SysWOW64\Ejbdho32.dll Neccpd32.exe File opened for modification C:\Windows\SysWOW64\Fdqfll32.exe Flinkojm.exe File created C:\Windows\SysWOW64\Fdepgkgj.exe Flngfn32.exe File opened for modification C:\Windows\SysWOW64\Cijpahho.exe Cfldelik.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14160 13964 WerFault.exe 740 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acmobchj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokdnjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehcdfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhimica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqfdnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phaahggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qachgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjillkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljobphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdliame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiknlagg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplicjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacjdbch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddllkbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peieba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphphj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qebhhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feoodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doaneiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefhlaie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljgbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkiccep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdgnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoddcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdjapgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knhakh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmfimga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qikgco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbndfl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbpdblmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqmkae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogekbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhji32.dll" Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bedgjgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll" Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpcoefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejomj32.dll" Gpqjglii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjqjajoe.dll" Miaboe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnimm32.dll" Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioolkncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kncaec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefchq32.dll" Hdhedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nagpeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effkpc32.dll" Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgkfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmfkk32.dll" Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll" Omnjojpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oklfllgp.dll" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaciolc.dll" Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjellmbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadggj32.dll" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplhmakj.dll" Dbndfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgflcifg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll" Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmfeidbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbecoe32.dll" Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bakgoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oimkbaed.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 3504 2000 8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d.exe 84 PID 2000 wrote to memory of 3504 2000 8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d.exe 84 PID 2000 wrote to memory of 3504 2000 8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d.exe 84 PID 3504 wrote to memory of 2748 3504 Lbinam32.exe 85 PID 3504 wrote to memory of 2748 3504 Lbinam32.exe 85 PID 3504 wrote to memory of 2748 3504 Lbinam32.exe 85 PID 2748 wrote to memory of 4348 2748 Licfngjd.exe 86 PID 2748 wrote to memory of 4348 2748 Licfngjd.exe 86 PID 2748 wrote to memory of 4348 2748 Licfngjd.exe 86 PID 4348 wrote to memory of 32 4348 Ljdceo32.exe 88 PID 4348 wrote to memory of 32 4348 Ljdceo32.exe 88 PID 4348 wrote to memory of 32 4348 Ljdceo32.exe 88 PID 32 wrote to memory of 3480 32 Lbkkgl32.exe 89 PID 32 wrote to memory of 3480 32 Lbkkgl32.exe 89 PID 32 wrote to memory of 3480 32 Lbkkgl32.exe 89 PID 3480 wrote to memory of 2792 3480 Lejgch32.exe 90 PID 3480 wrote to memory of 2792 3480 Lejgch32.exe 90 PID 3480 wrote to memory of 2792 3480 Lejgch32.exe 90 PID 2792 wrote to memory of 4008 2792 Lldopb32.exe 91 PID 2792 wrote to memory of 4008 2792 Lldopb32.exe 91 PID 2792 wrote to memory of 4008 2792 Lldopb32.exe 91 PID 4008 wrote to memory of 1912 4008 Lbngllob.exe 93 PID 4008 wrote to memory of 1912 4008 Lbngllob.exe 93 PID 4008 wrote to memory of 1912 4008 Lbngllob.exe 93 PID 1912 wrote to memory of 932 1912 Lihpif32.exe 94 PID 1912 wrote to memory of 932 1912 Lihpif32.exe 94 PID 1912 wrote to memory of 932 1912 Lihpif32.exe 94 PID 932 wrote to memory of 3360 932 Ljilqnlm.exe 95 PID 932 wrote to memory of 3360 932 Ljilqnlm.exe 95 PID 932 wrote to memory of 3360 932 Ljilqnlm.exe 95 PID 3360 wrote to memory of 4580 3360 Lbpdblmo.exe 96 PID 3360 wrote to memory of 4580 3360 Lbpdblmo.exe 96 PID 3360 wrote to memory of 4580 3360 Lbpdblmo.exe 96 PID 4580 wrote to memory of 4824 4580 Leopnglc.exe 97 PID 4580 wrote to memory of 4824 4580 Leopnglc.exe 97 PID 4580 wrote to memory of 4824 4580 Leopnglc.exe 97 PID 4824 wrote to memory of 2596 4824 Lijlof32.exe 98 PID 4824 wrote to memory of 2596 4824 Lijlof32.exe 98 PID 4824 wrote to memory of 2596 4824 Lijlof32.exe 98 PID 2596 wrote to memory of 5000 2596 Llhikacp.exe 99 PID 2596 wrote to memory of 5000 2596 Llhikacp.exe 99 PID 2596 wrote to memory of 5000 2596 Llhikacp.exe 99 PID 5000 wrote to memory of 4168 5000 Mngegmbc.exe 100 PID 5000 wrote to memory of 4168 5000 Mngegmbc.exe 100 PID 5000 wrote to memory of 4168 5000 Mngegmbc.exe 100 PID 4168 wrote to memory of 1620 4168 Mbbagk32.exe 101 PID 4168 wrote to memory of 1620 4168 Mbbagk32.exe 101 PID 4168 wrote to memory of 1620 4168 Mbbagk32.exe 101 PID 1620 wrote to memory of 3392 1620 Milidebi.exe 102 PID 1620 wrote to memory of 3392 1620 Milidebi.exe 102 PID 1620 wrote to memory of 3392 1620 Milidebi.exe 102 PID 3392 wrote to memory of 4364 3392 Miofjepg.exe 103 PID 3392 wrote to memory of 4364 3392 Miofjepg.exe 103 PID 3392 wrote to memory of 4364 3392 Miofjepg.exe 103 PID 4364 wrote to memory of 4468 4364 Mlmbfqoj.exe 104 PID 4364 wrote to memory of 4468 4364 Mlmbfqoj.exe 104 PID 4364 wrote to memory of 4468 4364 Mlmbfqoj.exe 104 PID 4468 wrote to memory of 1344 4468 Majjng32.exe 105 PID 4468 wrote to memory of 1344 4468 Majjng32.exe 105 PID 4468 wrote to memory of 1344 4468 Majjng32.exe 105 PID 1344 wrote to memory of 964 1344 Miaboe32.exe 106 PID 1344 wrote to memory of 964 1344 Miaboe32.exe 106 PID 1344 wrote to memory of 964 1344 Miaboe32.exe 106 PID 964 wrote to memory of 440 964 Mnnkgl32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d.exe"C:\Users\Admin\AppData\Local\Temp\8529e98de6c33ed060c79efef0a7dd7e5a2c52f35d8f533c24a1a43eaea94e5d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:440 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe25⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe26⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe27⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4868 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe29⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe30⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe34⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe35⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe36⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe37⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe38⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4948 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3748 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe42⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe44⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe45⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe46⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe47⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe48⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe50⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe52⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe53⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe54⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5076 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3428 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe59⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe60⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe61⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe63⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe64⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe66⤵PID:2844
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe67⤵PID:5028
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe68⤵
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe69⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe70⤵
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe71⤵
- Modifies registry class
PID:3192 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe72⤵
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe73⤵PID:2328
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe74⤵PID:652
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe75⤵PID:3864
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1504 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe77⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe78⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe79⤵
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe80⤵PID:4224
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe81⤵PID:872
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe82⤵PID:4372
-
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe83⤵PID:3676
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe84⤵PID:2184
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe85⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe86⤵
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe87⤵PID:3928
-
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe88⤵PID:3076
-
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe89⤵
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe90⤵PID:4376
-
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe91⤵PID:4700
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe92⤵PID:1936
-
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe93⤵
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe94⤵
- Drops file in System32 directory
PID:4332 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe95⤵PID:5012
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe96⤵PID:2624
-
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:100 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe99⤵
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe100⤵PID:512
-
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe101⤵PID:4440
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe102⤵PID:3804
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe103⤵PID:2836
-
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe104⤵PID:3640
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe105⤵PID:5088
-
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe106⤵PID:1432
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4036 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe108⤵PID:2396
-
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe109⤵PID:5140
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe110⤵PID:5184
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe111⤵PID:5228
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe112⤵PID:5272
-
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe113⤵
- System Location Discovery: System Language Discovery
PID:5316 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe115⤵PID:5404
-
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe116⤵PID:5448
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe117⤵PID:5492
-
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe118⤵
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe119⤵
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe120⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe121⤵PID:5668
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-