Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14/08/2024, 02:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784.exe
-
Size
451KB
-
MD5
e1d0b56802a72885466955302e37b01e
-
SHA1
046ce6563cf23ffb3737ab06c417b1c063ef76fc
-
SHA256
fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784
-
SHA512
3b4e770d2802aa8e195f667f0ed3cf861b022aa5e642d58848fafdf0dac3fceee4f3e3149eb0a2061a65762bb829b6d41212ac84d65a597054223a8aef75e189
-
SSDEEP
6144:ktUujH1pPQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:ktUuG/NcZ7/NC64tm6Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkonbamc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bndjfjhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Googaaej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icakofel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdbnmbhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbalaoda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdagbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gllajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjpkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maaoaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfhnme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklnem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakidd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmepcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijlii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kceoppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oileakbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhofbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qffoejkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhefmjlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfmminc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpkok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecanojgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmijf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhofnpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlhgpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpodkdll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpbhmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbfema32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmnpfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edakimoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glqkefff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifnbph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oileakbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaemojk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljlom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaoaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqombb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdklebje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcikfcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekapfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdffah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foakpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljoboloa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgckg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmngm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geipnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhefmjlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqfcbahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjomldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndlacapp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddqejni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhadgmge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqgjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjafoapj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkiephp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcoblfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdnpeh32.exe -
Executes dropped EXE 64 IoCs
pid Process 4128 Mekdffee.exe 4564 Maaekg32.exe 1004 Mkjjdmaj.exe 3188 Mdbnmbhj.exe 2744 Mlifnphl.exe 2352 Mebkge32.exe 2540 Nlnpio32.exe 3372 Nefdbekh.exe 1448 Ndlacapp.exe 5108 Napameoi.exe 828 Nkhfek32.exe 3704 Nhlfoodc.exe 2004 Ohncdobq.exe 3092 Odedipge.exe 4900 Ofdqcc32.exe 1516 Obkahddl.exe 4308 Oheienli.exe 2060 Omcbkl32.exe 4088 Ooangh32.exe 3216 Podkmgop.exe 1688 Pfncia32.exe 2032 Pmjhlklg.exe 2960 Pokanf32.exe 1772 Pcijce32.exe 2612 Qmanljfo.exe 1020 Qpbgnecp.exe 4776 Aflpkpjm.exe 4804 Afnlpohj.exe 4976 Aimhmkgn.exe 3992 Abemep32.exe 3688 Apimodmh.exe 3744 Aiabhj32.exe 4732 Afeban32.exe 4156 Amoknh32.exe 4544 Bcicjbal.exe 2024 Bfhofnpp.exe 2184 Bifkcioc.exe 4160 Bclppboi.exe 4760 Bboplo32.exe 4380 Bemlhj32.exe 4500 Bmddihfj.exe 1372 Bcnleb32.exe 876 Bbalaoda.exe 1092 Beoimjce.exe 3192 Bliajd32.exe 4872 Bcpika32.exe 3000 Bimach32.exe 4964 Bpgjpb32.exe 3468 Bedbhi32.exe 1888 Blnjecfl.exe 1228 Cfcoblfb.exe 3616 Clpgkcdj.exe 3104 Cffkhl32.exe 1784 Cpnpqakp.exe 372 Cdjlap32.exe 860 Cfhhml32.exe 1568 Cifdjg32.exe 464 Cdlhgpag.exe 1116 Cfjeckpj.exe 5132 Cmdmpe32.exe 5172 Cbaehl32.exe 5212 Ciknefmk.exe 5252 Clijablo.exe 5292 Ddqbbo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aiabhj32.exe Apimodmh.exe File opened for modification C:\Windows\SysWOW64\Fbnmkk32.exe Flddoa32.exe File created C:\Windows\SysWOW64\Bifkcioc.exe Bfhofnpp.exe File opened for modification C:\Windows\SysWOW64\Ephlnn32.exe Ellpmolj.exe File created C:\Windows\SysWOW64\Bbbada32.dll Pbdmdlie.exe File created C:\Windows\SysWOW64\Dbjade32.exe Defajqko.exe File opened for modification C:\Windows\SysWOW64\Hakidd32.exe Hommhi32.exe File created C:\Windows\SysWOW64\Eennefib.exe Ecoaijio.exe File created C:\Windows\SysWOW64\Apjhleik.dll Dpihbjmg.exe File created C:\Windows\SysWOW64\Oenlmopg.dll Omcbkl32.exe File created C:\Windows\SysWOW64\Debnjgcp.exe Ddqbbo32.exe File created C:\Windows\SysWOW64\Nnabladg.exe Nhdicjfp.exe File created C:\Windows\SysWOW64\Pjfioj32.dll Kiaqnagj.exe File created C:\Windows\SysWOW64\Cjbnqa32.dll Pjlnhi32.exe File opened for modification C:\Windows\SysWOW64\Lfbgmj32.exe Laeoec32.exe File opened for modification C:\Windows\SysWOW64\Pnmjomlg.exe Pkonbamc.exe File created C:\Windows\SysWOW64\Npgmdnlj.dll Ifqoehhl.exe File opened for modification C:\Windows\SysWOW64\Dgmpkg32.exe Dabhomea.exe File created C:\Windows\SysWOW64\Ejiiippb.exe Ehklmd32.exe File created C:\Windows\SysWOW64\Kpjlgn32.dll Imdgljil.exe File opened for modification C:\Windows\SysWOW64\Mjfoja32.exe Mdlgmgdh.exe File created C:\Windows\SysWOW64\Lapncl32.dll Bhennm32.exe File opened for modification C:\Windows\SysWOW64\Lfnmcnjn.exe Lkiiee32.exe File created C:\Windows\SysWOW64\Ddegbipa.dll Igjlibib.exe File created C:\Windows\SysWOW64\Oklifdmi.exe Ohnljine.exe File created C:\Windows\SysWOW64\Qhghge32.exe Qfilkj32.exe File created C:\Windows\SysWOW64\Edcfml32.dll Eldbbjof.exe File created C:\Windows\SysWOW64\Gjghdj32.exe Ggilgn32.exe File created C:\Windows\SysWOW64\Hifaic32.exe Glbapoqh.exe File created C:\Windows\SysWOW64\Ileflmpb.exe Ieknpb32.exe File created C:\Windows\SysWOW64\Icfhqeeg.dll Pdklebje.exe File created C:\Windows\SysWOW64\Hkpigk32.dll Ileflmpb.exe File created C:\Windows\SysWOW64\Plbggp32.dll Dfqdid32.exe File created C:\Windows\SysWOW64\Hcfcmnce.exe Hllkqdli.exe File created C:\Windows\SysWOW64\Deidjf32.exe Dgfdojfm.exe File opened for modification C:\Windows\SysWOW64\Glabolja.exe Gcimfg32.exe File created C:\Windows\SysWOW64\Pbdmdlie.exe Poeahaib.exe File created C:\Windows\SysWOW64\Eocfgq32.dll Ifihdi32.exe File created C:\Windows\SysWOW64\Qjcdih32.exe Qgehml32.exe File created C:\Windows\SysWOW64\Dccjlblm.dll Agcdnjcl.exe File created C:\Windows\SysWOW64\Hafpiehg.exe Hohcmjic.exe File opened for modification C:\Windows\SysWOW64\Jlafhkfe.exe Jfgnka32.exe File created C:\Windows\SysWOW64\Fplceabf.dll Mdagbl32.exe File created C:\Windows\SysWOW64\Pmaece32.dll Bkjpkg32.exe File created C:\Windows\SysWOW64\Gjgmjh32.dll Bmddihfj.exe File created C:\Windows\SysWOW64\Laeoec32.exe Ljkghi32.exe File created C:\Windows\SysWOW64\Cgaqphgl.exe Cbdhgaid.exe File created C:\Windows\SysWOW64\Ldbeqlcg.dll Dbhlikpf.exe File opened for modification C:\Windows\SysWOW64\Mdmngm32.exe Mejnlpai.exe File opened for modification C:\Windows\SysWOW64\Abipfifn.exe Aiqkmd32.exe File opened for modification C:\Windows\SysWOW64\Dbhlikpf.exe Dlncla32.exe File opened for modification C:\Windows\SysWOW64\Mhppik32.exe Meadlo32.exe File created C:\Windows\SysWOW64\Nehjmnei.exe Nnabladg.exe File opened for modification C:\Windows\SysWOW64\Aiqkmd32.exe Afboah32.exe File opened for modification C:\Windows\SysWOW64\Cegnol32.exe Cbiabq32.exe File created C:\Windows\SysWOW64\Kkckgd32.dll Fbggkl32.exe File created C:\Windows\SysWOW64\Nlbkfqkc.dll Hkgnalep.exe File created C:\Windows\SysWOW64\Ehbihj32.exe Eedmlo32.exe File created C:\Windows\SysWOW64\Hohcmjic.exe Hligqnjp.exe File created C:\Windows\SysWOW64\Cklqlb32.dll Qoocnpag.exe File opened for modification C:\Windows\SysWOW64\Fgfmeg32.exe Flaiho32.exe File opened for modification C:\Windows\SysWOW64\Hgnlmdcp.exe Hdppaidl.exe File created C:\Windows\SysWOW64\Pkonbamc.exe Phpbffnp.exe File created C:\Windows\SysWOW64\Cdbhncfq.dll Dbbdip32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13396 5080 WerFault.exe 659 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnocakfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biljib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiaqnagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmpob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkijc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oileakbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieknpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmepcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecoaijio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemndbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodjcnca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmgof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgeadjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngobghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pklkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agnkck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephlnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Incdem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jclljaei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimcppgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgedjjki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncanhaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abemep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cifdjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllffa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eflceb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qggebl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifaepolg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndpcdjho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllkqdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljoiibbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odfcjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdodbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdklebje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dagajlal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblgon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpgkcdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmmkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Googaaej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkghqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdihfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgjjoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgnfnjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbdjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbgmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leedqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igieoleg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcqgahoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfema32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciknefmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhhbngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceoppmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaflio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamipe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgejkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbqiak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdmdlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glqkefff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioppho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjhcnbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phpbffnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffoejkg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpqn32.dll" Ngemjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhckeeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppnnac.dll" Jgbhdkml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkppikoe.dll" Kjipmoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moqknklp.dll" Jjefao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkoggp.dll" Glabolja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foakpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbapoqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqmqih32.dll" Hohcmjic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfhnme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmbkm32.dll" Faopah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jflgfpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nehjmnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgqec32.dll" Hdbmfhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhefmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknbbenh.dll" Gddqejni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcofdpfp.dll" Pncanhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobgiafa.dll" Dlnlak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fplnogmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icfhqeeg.dll" Pdklebje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifqoehhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agnkck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcoioabf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcdjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgnmlep.dll" Cdjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijomapp.dll" Mejnlpai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kinhljen.dll" Cpbbak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfngcdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcfnqccd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcjfjoi.dll" Ffnglc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glabolja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddmqp32.dll" Moiheebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjobokkl.dll" Kgemahmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjafoapj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjfoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onighcgh.dll" Afboah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdihfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eejcki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Janpnfee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fplnogmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpqgjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dehgejep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaphbnj.dll" Npjnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phhjdncl.dll" Lcdjba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcimfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnicgle.dll" Hpcmfchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmldpop.dll" Jcfejfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfemmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaflio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hepoddcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbiackg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfjkmma.dll" Gjghdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjefao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnabladg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgehml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hipdpbgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddhhbngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljedg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 408 wrote to memory of 4128 408 fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784.exe 91 PID 408 wrote to memory of 4128 408 fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784.exe 91 PID 408 wrote to memory of 4128 408 fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784.exe 91 PID 4128 wrote to memory of 4564 4128 Mekdffee.exe 92 PID 4128 wrote to memory of 4564 4128 Mekdffee.exe 92 PID 4128 wrote to memory of 4564 4128 Mekdffee.exe 92 PID 4564 wrote to memory of 1004 4564 Maaekg32.exe 93 PID 4564 wrote to memory of 1004 4564 Maaekg32.exe 93 PID 4564 wrote to memory of 1004 4564 Maaekg32.exe 93 PID 1004 wrote to memory of 3188 1004 Mkjjdmaj.exe 94 PID 1004 wrote to memory of 3188 1004 Mkjjdmaj.exe 94 PID 1004 wrote to memory of 3188 1004 Mkjjdmaj.exe 94 PID 3188 wrote to memory of 2744 3188 Mdbnmbhj.exe 95 PID 3188 wrote to memory of 2744 3188 Mdbnmbhj.exe 95 PID 3188 wrote to memory of 2744 3188 Mdbnmbhj.exe 95 PID 2744 wrote to memory of 2352 2744 Mlifnphl.exe 96 PID 2744 wrote to memory of 2352 2744 Mlifnphl.exe 96 PID 2744 wrote to memory of 2352 2744 Mlifnphl.exe 96 PID 2352 wrote to memory of 2540 2352 Mebkge32.exe 97 PID 2352 wrote to memory of 2540 2352 Mebkge32.exe 97 PID 2352 wrote to memory of 2540 2352 Mebkge32.exe 97 PID 2540 wrote to memory of 3372 2540 Nlnpio32.exe 99 PID 2540 wrote to memory of 3372 2540 Nlnpio32.exe 99 PID 2540 wrote to memory of 3372 2540 Nlnpio32.exe 99 PID 3372 wrote to memory of 1448 3372 Nefdbekh.exe 101 PID 3372 wrote to memory of 1448 3372 Nefdbekh.exe 101 PID 3372 wrote to memory of 1448 3372 Nefdbekh.exe 101 PID 1448 wrote to memory of 5108 1448 Ndlacapp.exe 102 PID 1448 wrote to memory of 5108 1448 Ndlacapp.exe 102 PID 1448 wrote to memory of 5108 1448 Ndlacapp.exe 102 PID 5108 wrote to memory of 828 5108 Napameoi.exe 104 PID 5108 wrote to memory of 828 5108 Napameoi.exe 104 PID 5108 wrote to memory of 828 5108 Napameoi.exe 104 PID 828 wrote to memory of 3704 828 Nkhfek32.exe 105 PID 828 wrote to memory of 3704 828 Nkhfek32.exe 105 PID 828 wrote to memory of 3704 828 Nkhfek32.exe 105 PID 3704 wrote to memory of 2004 3704 Nhlfoodc.exe 106 PID 3704 wrote to memory of 2004 3704 Nhlfoodc.exe 106 PID 3704 wrote to memory of 2004 3704 Nhlfoodc.exe 106 PID 2004 wrote to memory of 3092 2004 Ohncdobq.exe 107 PID 2004 wrote to memory of 3092 2004 Ohncdobq.exe 107 PID 2004 wrote to memory of 3092 2004 Ohncdobq.exe 107 PID 3092 wrote to memory of 4900 3092 Odedipge.exe 108 PID 3092 wrote to memory of 4900 3092 Odedipge.exe 108 PID 3092 wrote to memory of 4900 3092 Odedipge.exe 108 PID 4900 wrote to memory of 1516 4900 Ofdqcc32.exe 109 PID 4900 wrote to memory of 1516 4900 Ofdqcc32.exe 109 PID 4900 wrote to memory of 1516 4900 Ofdqcc32.exe 109 PID 1516 wrote to memory of 4308 1516 Obkahddl.exe 110 PID 1516 wrote to memory of 4308 1516 Obkahddl.exe 110 PID 1516 wrote to memory of 4308 1516 Obkahddl.exe 110 PID 4308 wrote to memory of 2060 4308 Oheienli.exe 111 PID 4308 wrote to memory of 2060 4308 Oheienli.exe 111 PID 4308 wrote to memory of 2060 4308 Oheienli.exe 111 PID 2060 wrote to memory of 4088 2060 Omcbkl32.exe 112 PID 2060 wrote to memory of 4088 2060 Omcbkl32.exe 112 PID 2060 wrote to memory of 4088 2060 Omcbkl32.exe 112 PID 4088 wrote to memory of 3216 4088 Ooangh32.exe 113 PID 4088 wrote to memory of 3216 4088 Ooangh32.exe 113 PID 4088 wrote to memory of 3216 4088 Ooangh32.exe 113 PID 3216 wrote to memory of 1688 3216 Podkmgop.exe 114 PID 3216 wrote to memory of 1688 3216 Podkmgop.exe 114 PID 3216 wrote to memory of 1688 3216 Podkmgop.exe 114 PID 1688 wrote to memory of 2032 1688 Pfncia32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784.exe"C:\Users\Admin\AppData\Local\Temp\fef1b9a8981575e8b92a7b5b61a97a9dd5872e6712350a0f2e85e787ee66a784.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Mekdffee.exeC:\Windows\system32\Mekdffee.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Maaekg32.exeC:\Windows\system32\Maaekg32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Mkjjdmaj.exeC:\Windows\system32\Mkjjdmaj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Nefdbekh.exeC:\Windows\system32\Nefdbekh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Nkhfek32.exeC:\Windows\system32\Nkhfek32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Nhlfoodc.exeC:\Windows\system32\Nhlfoodc.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Podkmgop.exeC:\Windows\system32\Podkmgop.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe23⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe24⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe25⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe26⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe27⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Aflpkpjm.exeC:\Windows\system32\Aflpkpjm.exe28⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Afnlpohj.exeC:\Windows\system32\Afnlpohj.exe29⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe30⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3992 -
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3688 -
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe33⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe34⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe35⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Bcicjbal.exeC:\Windows\system32\Bcicjbal.exe36⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe38⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe39⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe40⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe41⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4500 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe43⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe45⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe46⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe47⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Bimach32.exeC:\Windows\system32\Bimach32.exe48⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe49⤵PID:4708
-
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe50⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe51⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Blnjecfl.exeC:\Windows\system32\Blnjecfl.exe52⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616 -
C:\Windows\SysWOW64\Cffkhl32.exeC:\Windows\system32\Cffkhl32.exe55⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe56⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Cfhhml32.exeC:\Windows\system32\Cfhhml32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Cdlhgpag.exeC:\Windows\system32\Cdlhgpag.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Cmdmpe32.exeC:\Windows\system32\Cmdmpe32.exe62⤵
- Executes dropped EXE
PID:5132 -
C:\Windows\SysWOW64\Cbaehl32.exeC:\Windows\system32\Cbaehl32.exe63⤵
- Executes dropped EXE
PID:5172 -
C:\Windows\SysWOW64\Ciknefmk.exeC:\Windows\system32\Ciknefmk.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5212 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe65⤵
- Executes dropped EXE
PID:5252 -
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5292 -
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe67⤵PID:5332
-
C:\Windows\SysWOW64\Dllffa32.exeC:\Windows\system32\Dllffa32.exe68⤵
- System Location Discovery: System Language Discovery
PID:5372 -
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe69⤵PID:5412
-
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe70⤵PID:5452
-
C:\Windows\SysWOW64\Dlncla32.exeC:\Windows\system32\Dlncla32.exe71⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe72⤵
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe73⤵PID:5572
-
C:\Windows\SysWOW64\Dmnpfd32.exeC:\Windows\system32\Dmnpfd32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5612 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe76⤵
- Drops file in System32 directory
PID:5708 -
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe77⤵PID:5748
-
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe78⤵PID:5804
-
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe79⤵PID:5840
-
C:\Windows\SysWOW64\Dekapfke.exeC:\Windows\system32\Dekapfke.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Dmbiackg.exeC:\Windows\system32\Dmbiackg.exe81⤵
- Modifies registry class
PID:5928 -
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5960 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6024 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe84⤵PID:6068
-
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe85⤵PID:6104
-
C:\Windows\SysWOW64\Ecanojgl.exeC:\Windows\system32\Ecanojgl.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe87⤵PID:5300
-
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe89⤵PID:5436
-
C:\Windows\SysWOW64\Eincadmf.exeC:\Windows\system32\Eincadmf.exe90⤵PID:5524
-
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe91⤵
- Drops file in System32 directory
PID:5656 -
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe92⤵
- System Location Discovery: System Language Discovery
PID:5788 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe93⤵PID:5908
-
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe94⤵
- System Location Discovery: System Language Discovery
PID:6008 -
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe95⤵PID:6088
-
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe96⤵PID:5180
-
C:\Windows\SysWOW64\Epjhcnbp.exeC:\Windows\system32\Epjhcnbp.exe97⤵
- System Location Discovery: System Language Discovery
PID:5356 -
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe98⤵PID:5512
-
C:\Windows\SysWOW64\Flaiho32.exeC:\Windows\system32\Flaiho32.exe99⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe100⤵PID:5972
-
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe101⤵PID:6056
-
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe102⤵PID:6136
-
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe103⤵PID:5368
-
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe104⤵
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe105⤵PID:5924
-
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe107⤵PID:5608
-
C:\Windows\SysWOW64\Gddqejni.exeC:\Windows\system32\Gddqejni.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe109⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe110⤵PID:5140
-
C:\Windows\SysWOW64\Gcimfg32.exeC:\Windows\system32\Gcimfg32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe112⤵
- Modifies registry class
PID:6152 -
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe113⤵PID:6196
-
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe114⤵PID:6240
-
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe115⤵PID:6284
-
C:\Windows\SysWOW64\Gqagkjne.exeC:\Windows\system32\Gqagkjne.exe116⤵PID:6328
-
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe117⤵PID:6372
-
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe118⤵
- Drops file in System32 directory
PID:6420 -
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe119⤵PID:6464
-
C:\Windows\SysWOW64\Hnhdjn32.exeC:\Windows\system32\Hnhdjn32.exe120⤵PID:6504
-
C:\Windows\SysWOW64\Hdbmfhbi.exeC:\Windows\system32\Hdbmfhbi.exe121⤵
- Modifies registry class
PID:6548
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-