Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
27/07/2024, 06:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1611a5fa2c5f7161e18c4af9aed7dd0N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
a1611a5fa2c5f7161e18c4af9aed7dd0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a1611a5fa2c5f7161e18c4af9aed7dd0N.exe
-
Size
56KB
-
MD5
a1611a5fa2c5f7161e18c4af9aed7dd0
-
SHA1
9939ddfc298a7b2edccc0cab271f1bb30a2f305c
-
SHA256
6f2f80458e639545515707aa0a77d41c4ca56b301a77bab5485c0eb20c9cb49b
-
SHA512
aaa2fde9b281acedea19be9914d934a750accfa348aadb872902977f1e379a2d7b507968bc1470e1e7e14c3bc37f633a81c2d410ae9e918b08662dd01640e236
-
SSDEEP
768:li9PcwT66xQP2SesGs18UiEiPDPUHt2+NXBpO+tPBHktrSt/1H5eXdnh:lGcs6oQGzs1iE2OxpOqBNnK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcobaedj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqojclne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjgeedch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neccpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebejfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqgaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpolbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclmamod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nognnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpnjah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedccfqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjokgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiofk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgipcogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdppiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmbbejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Higjaoci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinboekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbdiknlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmojd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgihaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfbaonae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glipgf32.exe -
Executes dropped EXE 64 IoCs
pid Process 384 Gmcdffmq.exe 4204 Ggkiol32.exe 3916 Gpcmga32.exe 1280 Gnhnaf32.exe 2140 Ginnfgop.exe 2828 Gahcmd32.exe 4644 Hgghjjid.exe 3604 Hpomcp32.exe 4596 Hdmein32.exe 1828 Hgnoki32.exe 2872 Ihnkel32.exe 2936 Iqipio32.exe 3912 Iqmidndd.exe 4016 Indfca32.exe 2888 Jnfcia32.exe 2220 Jhndljll.exe 2176 Jdedak32.exe 4436 Nihipdhl.exe 1928 Nognnj32.exe 1324 Neccpd32.exe 1632 Objpoh32.exe 1416 Oifeab32.exe 2492 Obafpg32.exe 4900 Oohgdhfn.exe 3528 Pllgnl32.exe 4568 Pcepkfld.exe 3288 Pakllc32.exe 4816 Phganm32.exe 4792 Pifnhpmi.exe 4328 Pcobaedj.exe 4992 Qepkbpak.exe 4044 Qebhhp32.exe 1340 Alnmjjdb.exe 1784 Aanbhp32.exe 1368 Acmobchj.exe 3292 Bhldpj32.exe 3408 Bfbaonae.exe 2236 Bcfahbpo.exe 3988 Bopocbcq.exe 4388 Codhnb32.exe 4896 Cbeapmll.exe 4856 Cmmbbejp.exe 1028 Dbjkkl32.exe 4012 Difpmfna.exe 1260 Dfjpfj32.exe 748 Djhimica.exe 1556 Ebejfk32.exe 1308 Elpkep32.exe 4444 Epndknin.exe 2060 Eclmamod.exe 3484 Fjhacf32.exe 3892 Fimodc32.exe 2508 Fbhpch32.exe 4412 Fideeaco.exe 4176 Gmbmkpie.exe 2796 Gmdjapgb.exe 4404 Gljgbllj.exe 3184 Gphphj32.exe 2400 Hdehni32.exe 2152 Hckeoeno.exe 932 Higjaoci.exe 3560 Hkfglb32.exe 3544 Hkicaahi.exe 3056 Icdheded.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Khfclo32.dll Cnindhpg.exe File created C:\Windows\SysWOW64\Gabfbmnl.dll Mcelpggq.exe File opened for modification C:\Windows\SysWOW64\Omdppiif.exe Ofhknodl.exe File opened for modification C:\Windows\SysWOW64\Gbbajjlp.exe Geoapenf.exe File created C:\Windows\SysWOW64\Noblkqca.exe Nfihbk32.exe File opened for modification C:\Windows\SysWOW64\Qepkbpak.exe Pcobaedj.exe File created C:\Windows\SysWOW64\Icdheded.exe Hkicaahi.exe File opened for modification C:\Windows\SysWOW64\Kpnjah32.exe Keifdpif.exe File opened for modification C:\Windows\SysWOW64\Hgghjjid.exe Gahcmd32.exe File created C:\Windows\SysWOW64\Fogmlp32.dll Hpnoncim.exe File created C:\Windows\SysWOW64\Oppceehj.dll Nncccnol.exe File created C:\Windows\SysWOW64\Amjbbfgo.exe Qacameaj.exe File created C:\Windows\SysWOW64\Qepkbpak.exe Pcobaedj.exe File created C:\Windows\SysWOW64\Jhglpo32.dll Cnahdi32.exe File created C:\Windows\SysWOW64\Pjdpelnc.exe Palklf32.exe File created C:\Windows\SysWOW64\Qpcecb32.exe Qfkqjmdg.exe File opened for modification C:\Windows\SysWOW64\Gphphj32.exe Gljgbllj.exe File opened for modification C:\Windows\SysWOW64\Kqmkae32.exe Jqknkedi.exe File created C:\Windows\SysWOW64\Odepdabi.dll Lkeekk32.exe File created C:\Windows\SysWOW64\Hmcldf32.dll Djhimica.exe File created C:\Windows\SysWOW64\Enmjlojd.exe Edeeci32.exe File opened for modification C:\Windows\SysWOW64\Gmcdffmq.exe a1611a5fa2c5f7161e18c4af9aed7dd0N.exe File created C:\Windows\SysWOW64\Fjjdgc32.dll Ihnkel32.exe File created C:\Windows\SysWOW64\Ecgamkhq.dll Ipjedh32.exe File created C:\Windows\SysWOW64\Dcgmfg32.dll Ljfhqh32.exe File created C:\Windows\SysWOW64\Fgjhpcmo.exe Fbmohmoh.exe File opened for modification C:\Windows\SysWOW64\Oqklkbbi.exe Ookoaokf.exe File created C:\Windows\SysWOW64\Aaopkj32.dll Acmobchj.exe File created C:\Windows\SysWOW64\Jcgnbaeo.exe Jjoiil32.exe File created C:\Windows\SysWOW64\Iigkob32.dll Lmbhgd32.exe File created C:\Windows\SysWOW64\Bohgljdl.dll Kcpjnjii.exe File created C:\Windows\SysWOW64\Edeeci32.exe Egaejeej.exe File opened for modification C:\Windows\SysWOW64\Jadgnb32.exe Jbojlfdp.exe File opened for modification C:\Windows\SysWOW64\Fjhacf32.exe Eclmamod.exe File created C:\Windows\SysWOW64\Efjbcakl.exe Eicedn32.exe File opened for modification C:\Windows\SysWOW64\Opnbae32.exe Omnjojpo.exe File opened for modification C:\Windows\SysWOW64\Dggbcf32.exe Dolmodpi.exe File opened for modification C:\Windows\SysWOW64\Cdpjlb32.exe Cleegp32.exe File created C:\Windows\SysWOW64\Kpnjah32.exe Keifdpif.exe File created C:\Windows\SysWOW64\Pbjddh32.exe Pfccogfc.exe File created C:\Windows\SysWOW64\Chalkm32.dll Obafpg32.exe File opened for modification C:\Windows\SysWOW64\Iolhkh32.exe Iiopca32.exe File opened for modification C:\Windows\SysWOW64\Pififb32.exe Pmphaaln.exe File created C:\Windows\SysWOW64\Bcjppk32.dll Hgnoki32.exe File created C:\Windows\SysWOW64\Dnpdegjp.exe Dbicpfdk.exe File created C:\Windows\SysWOW64\Imnocf32.exe Imkbnf32.exe File opened for modification C:\Windows\SysWOW64\Imnocf32.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Aokkahlo.exe Aoioli32.exe File created C:\Windows\SysWOW64\Dggbcf32.exe Dolmodpi.exe File created C:\Windows\SysWOW64\Hkfglb32.exe Higjaoci.exe File created C:\Windows\SysWOW64\Gfqnichl.dll Bkaobnio.exe File created C:\Windows\SysWOW64\Lqojclne.exe Lopmii32.exe File opened for modification C:\Windows\SysWOW64\Keifdpif.exe Kakmna32.exe File created C:\Windows\SysWOW64\Ggkiol32.exe Gmcdffmq.exe File created C:\Windows\SysWOW64\Ecqieiii.dll Qebhhp32.exe File created C:\Windows\SysWOW64\Hdehni32.exe Gphphj32.exe File created C:\Windows\SysWOW64\Gckoph32.dll Hdehni32.exe File opened for modification C:\Windows\SysWOW64\Fbbicl32.exe Fgjhpcmo.exe File opened for modification C:\Windows\SysWOW64\Hkicaahi.exe Hkfglb32.exe File created C:\Windows\SysWOW64\Iddgpk32.dll Hkicaahi.exe File created C:\Windows\SysWOW64\Nqmfdj32.exe Mgbefe32.exe File created C:\Windows\SysWOW64\Ddnfmqng.exe Dfiildio.exe File created C:\Windows\SysWOW64\Ggqecq32.dll Dodjjimm.exe File created C:\Windows\SysWOW64\Eqncnj32.exe Ekajec32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3428 1628 WerFault.exe 383 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heegad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiopca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpomcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmphaaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caageq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqipio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higjaoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbqbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfccogfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejqldci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedccfqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginnfgop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmfbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimqajgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinboekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjnnbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kegpifod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmfdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehdfdek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kakmna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqcejcha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohgdhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbaonae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqojclne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbkpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdebfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdpelnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcjqgnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chqogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnocf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accailfj.dll" Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgehfkop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Higjaoci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbepb32.dll" Dqbcbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackekpfe.dll" Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbcncibp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfbaonae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibingd32.dll" Fealin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedohked.dll" Hgghjjid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmgbckd.dll" Nognnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balenlhn.dll" Ojdnid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjjbjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbmohmoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kakmna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noblkqca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbofaoj.dll" Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epndknin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmfbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqbcbkab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focanl32.dll" Eqncnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Difpmfna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojpmg32.dll" Omjpeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeddnh32.dll" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcblj32.dll" Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eclmamod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anaomkdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqedp32.dll" Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjigamma.dll" Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgnfq32.dll" Kemooo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aablof32.dll" Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekamnhne.dll" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfcoqpl.dll" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnaqk32.dll" Gpolbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll" Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjpknni.dll" Gmdjapgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gljgbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjhpcmo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2840 wrote to memory of 384 2840 a1611a5fa2c5f7161e18c4af9aed7dd0N.exe 84 PID 2840 wrote to memory of 384 2840 a1611a5fa2c5f7161e18c4af9aed7dd0N.exe 84 PID 2840 wrote to memory of 384 2840 a1611a5fa2c5f7161e18c4af9aed7dd0N.exe 84 PID 384 wrote to memory of 4204 384 Gmcdffmq.exe 85 PID 384 wrote to memory of 4204 384 Gmcdffmq.exe 85 PID 384 wrote to memory of 4204 384 Gmcdffmq.exe 85 PID 4204 wrote to memory of 3916 4204 Ggkiol32.exe 86 PID 4204 wrote to memory of 3916 4204 Ggkiol32.exe 86 PID 4204 wrote to memory of 3916 4204 Ggkiol32.exe 86 PID 3916 wrote to memory of 1280 3916 Gpcmga32.exe 87 PID 3916 wrote to memory of 1280 3916 Gpcmga32.exe 87 PID 3916 wrote to memory of 1280 3916 Gpcmga32.exe 87 PID 1280 wrote to memory of 2140 1280 Gnhnaf32.exe 88 PID 1280 wrote to memory of 2140 1280 Gnhnaf32.exe 88 PID 1280 wrote to memory of 2140 1280 Gnhnaf32.exe 88 PID 2140 wrote to memory of 2828 2140 Ginnfgop.exe 89 PID 2140 wrote to memory of 2828 2140 Ginnfgop.exe 89 PID 2140 wrote to memory of 2828 2140 Ginnfgop.exe 89 PID 2828 wrote to memory of 4644 2828 Gahcmd32.exe 90 PID 2828 wrote to memory of 4644 2828 Gahcmd32.exe 90 PID 2828 wrote to memory of 4644 2828 Gahcmd32.exe 90 PID 4644 wrote to memory of 3604 4644 Hgghjjid.exe 92 PID 4644 wrote to memory of 3604 4644 Hgghjjid.exe 92 PID 4644 wrote to memory of 3604 4644 Hgghjjid.exe 92 PID 3604 wrote to memory of 4596 3604 Hpomcp32.exe 93 PID 3604 wrote to memory of 4596 3604 Hpomcp32.exe 93 PID 3604 wrote to memory of 4596 3604 Hpomcp32.exe 93 PID 4596 wrote to memory of 1828 4596 Hdmein32.exe 94 PID 4596 wrote to memory of 1828 4596 Hdmein32.exe 94 PID 4596 wrote to memory of 1828 4596 Hdmein32.exe 94 PID 1828 wrote to memory of 2872 1828 Hgnoki32.exe 95 PID 1828 wrote to memory of 2872 1828 Hgnoki32.exe 95 PID 1828 wrote to memory of 2872 1828 Hgnoki32.exe 95 PID 2872 wrote to memory of 2936 2872 Ihnkel32.exe 97 PID 2872 wrote to memory of 2936 2872 Ihnkel32.exe 97 PID 2872 wrote to memory of 2936 2872 Ihnkel32.exe 97 PID 2936 wrote to memory of 3912 2936 Iqipio32.exe 98 PID 2936 wrote to memory of 3912 2936 Iqipio32.exe 98 PID 2936 wrote to memory of 3912 2936 Iqipio32.exe 98 PID 3912 wrote to memory of 4016 3912 Iqmidndd.exe 99 PID 3912 wrote to memory of 4016 3912 Iqmidndd.exe 99 PID 3912 wrote to memory of 4016 3912 Iqmidndd.exe 99 PID 4016 wrote to memory of 2888 4016 Indfca32.exe 100 PID 4016 wrote to memory of 2888 4016 Indfca32.exe 100 PID 4016 wrote to memory of 2888 4016 Indfca32.exe 100 PID 2888 wrote to memory of 2220 2888 Jnfcia32.exe 101 PID 2888 wrote to memory of 2220 2888 Jnfcia32.exe 101 PID 2888 wrote to memory of 2220 2888 Jnfcia32.exe 101 PID 2220 wrote to memory of 2176 2220 Jhndljll.exe 102 PID 2220 wrote to memory of 2176 2220 Jhndljll.exe 102 PID 2220 wrote to memory of 2176 2220 Jhndljll.exe 102 PID 2176 wrote to memory of 4436 2176 Jdedak32.exe 103 PID 2176 wrote to memory of 4436 2176 Jdedak32.exe 103 PID 2176 wrote to memory of 4436 2176 Jdedak32.exe 103 PID 4436 wrote to memory of 1928 4436 Nihipdhl.exe 105 PID 4436 wrote to memory of 1928 4436 Nihipdhl.exe 105 PID 4436 wrote to memory of 1928 4436 Nihipdhl.exe 105 PID 1928 wrote to memory of 1324 1928 Nognnj32.exe 106 PID 1928 wrote to memory of 1324 1928 Nognnj32.exe 106 PID 1928 wrote to memory of 1324 1928 Nognnj32.exe 106 PID 1324 wrote to memory of 1632 1324 Neccpd32.exe 107 PID 1324 wrote to memory of 1632 1324 Neccpd32.exe 107 PID 1324 wrote to memory of 1632 1324 Neccpd32.exe 107 PID 1632 wrote to memory of 1416 1632 Objpoh32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1611a5fa2c5f7161e18c4af9aed7dd0N.exe"C:\Users\Admin\AppData\Local\Temp\a1611a5fa2c5f7161e18c4af9aed7dd0N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe23⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe26⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe27⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe28⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe29⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe30⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4328 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe32⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4044 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe37⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe39⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe41⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe49⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4444 -
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe52⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe53⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4176 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4404 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Hkicaahi.exeC:\Windows\system32\Hkicaahi.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe65⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe66⤵PID:1672
-
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4232 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe68⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe69⤵PID:2004
-
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe71⤵
- System Location Discovery: System Language Discovery
PID:3656 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe73⤵
- Modifies registry class
PID:5004 -
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe74⤵PID:3320
-
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe75⤵
- Drops file in System32 directory
PID:4344 -
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe76⤵
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe77⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe78⤵PID:4664
-
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3448 -
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe80⤵
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe81⤵PID:1304
-
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe82⤵PID:900
-
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3212 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe85⤵PID:1168
-
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe86⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5252 -
C:\Windows\SysWOW64\Lkeekk32.exeC:\Windows\system32\Lkeekk32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe89⤵PID:5352
-
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe90⤵PID:5396
-
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe91⤵PID:5440
-
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe93⤵
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe95⤵
- System Location Discovery: System Language Discovery
PID:5620 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe96⤵PID:5672
-
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5724 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe98⤵PID:5772
-
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe99⤵
- System Location Discovery: System Language Discovery
PID:5828 -
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe100⤵
- Modifies registry class
PID:5876 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe101⤵PID:5920
-
C:\Windows\SysWOW64\Oalipoiq.exeC:\Windows\system32\Oalipoiq.exe102⤵PID:5964
-
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe103⤵
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe104⤵PID:6056
-
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe105⤵PID:6104
-
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe106⤵PID:5128
-
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe107⤵
- Modifies registry class
PID:5248 -
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe109⤵PID:5456
-
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe110⤵PID:5520
-
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe111⤵PID:5616
-
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe112⤵
- System Location Discovery: System Language Discovery
PID:5696 -
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe113⤵PID:5760
-
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe114⤵PID:5840
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe116⤵
- Modifies registry class
PID:6004 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe117⤵
- Modifies registry class
PID:6064 -
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe118⤵PID:6124
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe120⤵PID:5436
-
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe121⤵
- Modifies registry class
PID:5508
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-