Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21/08/2024, 13:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f76a12df6c61f689766aaea181017330N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f76a12df6c61f689766aaea181017330N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f76a12df6c61f689766aaea181017330N.exe
-
Size
416KB
-
MD5
f76a12df6c61f689766aaea181017330
-
SHA1
d9f1468564b597d733e94ca2b0e13bd93f7660d6
-
SHA256
c7a053cdcdeb65a3ca1741aca358a8b79f6a49ef5f2851d37e5f03b5e5d0e7de
-
SHA512
7c00e5112051c8d04b61b360bced9bf620c1fff046d19fd8d855734e43bc50afcc00749d7c8321ad01ec53b917614f333bf712c86ac75a80cb8ce157391839b3
-
SSDEEP
3072:aDgSPMs7I8RoNiVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWP:mEs88RoNiRs+HLlD0rN2ZwVht740PP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajocl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpfpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epqgopbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooofcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpock32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bggjjlnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipngg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlbaqfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpohhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlpngd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngqeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mneaacno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnodgbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghidcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geaofc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jldbgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbhmok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npppaejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabngjla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nchipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pigklmqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bodhjdcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimlqfeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejoei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpoebgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjklo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfceom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknmok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehfhgogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lncgollm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqochjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndfpnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cniajdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfnlcnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhnemdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmibmhoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kepgmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgqbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbgkgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcgeilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogdhik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blipno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedamd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blniinac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefcmehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfabkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncdpdcfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhhed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjcjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdepmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oapcfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehfhgogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqkalenn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbcgeilh.exe -
Executes dropped EXE 64 IoCs
pid Process 2764 Djgfgkbo.exe 2540 Docopbaf.exe 2832 Dcokpa32.exe 2644 Dphhka32.exe 2960 Dgcmod32.exe 1156 Eegmhhie.exe 2100 Enpban32.exe 2512 Eejjnhgc.exe 2628 Eaqkcimg.exe 2028 Efmckpko.exe 1704 Efppqoil.exe 576 Eaednh32.exe 1336 Fiqibj32.exe 2184 Fdfmpc32.exe 2916 Fpmned32.exe 2976 Fejfmk32.exe 2128 Figocipe.exe 2376 Fbpclofe.exe 2016 Flhhed32.exe 528 Gmidlmcd.exe 2380 Gdcmig32.exe 2500 Ggbieb32.exe 1868 Gpjmnh32.exe 1672 Ghaeoe32.exe 2788 Gajjhkgh.exe 1596 Gckfpc32.exe 2812 Gmqkml32.exe 2620 Gdjcjf32.exe 2596 Geloanjg.exe 2576 Gpacogjm.exe 444 Hijhhl32.exe 1928 Hlhddh32.exe 2244 Hofqpc32.exe 1236 Hhoeii32.exe 316 Hecebm32.exe 2372 Hdefnjkj.exe 2152 Hkpnjd32.exe 1276 Hfebhmbm.exe 2208 Hkbkpcpd.exe 1992 Hnpgloog.exe 1360 Hqochjnk.exe 644 Hkdgecna.exe 1640 Hnbcaome.exe 1748 Iqapnjli.exe 1308 Icplje32.exe 1688 Ikfdkc32.exe 2220 Idohdhbo.exe 2104 Igmepdbc.exe 2680 Iqfiii32.exe 2808 Igpaec32.exe 2696 Iianmlfn.exe 2952 Iqhfnifq.exe 2204 Ibibfa32.exe 1488 Ijqjgo32.exe 300 Imogcj32.exe 2428 Iciopdca.exe 2044 Ifgklp32.exe 1292 Imacijjb.exe 1252 Jbnlaqhi.exe 1724 Jelhmlgm.exe 1988 Joblkegc.exe 1364 Jacibm32.exe 2020 Jgmaog32.exe 2572 Jjlmkb32.exe -
Loads dropped DLL 64 IoCs
pid Process 3020 f76a12df6c61f689766aaea181017330N.exe 3020 f76a12df6c61f689766aaea181017330N.exe 2764 Djgfgkbo.exe 2764 Djgfgkbo.exe 2540 Docopbaf.exe 2540 Docopbaf.exe 2832 Dcokpa32.exe 2832 Dcokpa32.exe 2644 Dphhka32.exe 2644 Dphhka32.exe 2960 Dgcmod32.exe 2960 Dgcmod32.exe 1156 Eegmhhie.exe 1156 Eegmhhie.exe 2100 Enpban32.exe 2100 Enpban32.exe 2512 Eejjnhgc.exe 2512 Eejjnhgc.exe 2628 Eaqkcimg.exe 2628 Eaqkcimg.exe 2028 Efmckpko.exe 2028 Efmckpko.exe 1704 Efppqoil.exe 1704 Efppqoil.exe 576 Eaednh32.exe 576 Eaednh32.exe 1336 Fiqibj32.exe 1336 Fiqibj32.exe 2184 Fdfmpc32.exe 2184 Fdfmpc32.exe 2916 Fpmned32.exe 2916 Fpmned32.exe 2976 Fejfmk32.exe 2976 Fejfmk32.exe 2128 Figocipe.exe 2128 Figocipe.exe 2376 Fbpclofe.exe 2376 Fbpclofe.exe 2016 Flhhed32.exe 2016 Flhhed32.exe 528 Gmidlmcd.exe 528 Gmidlmcd.exe 2380 Gdcmig32.exe 2380 Gdcmig32.exe 2500 Ggbieb32.exe 2500 Ggbieb32.exe 1868 Gpjmnh32.exe 1868 Gpjmnh32.exe 1672 Ghaeoe32.exe 1672 Ghaeoe32.exe 2788 Gajjhkgh.exe 2788 Gajjhkgh.exe 1596 Gckfpc32.exe 1596 Gckfpc32.exe 2812 Gmqkml32.exe 2812 Gmqkml32.exe 2620 Gdjcjf32.exe 2620 Gdjcjf32.exe 2596 Geloanjg.exe 2596 Geloanjg.exe 2576 Gpacogjm.exe 2576 Gpacogjm.exe 444 Hijhhl32.exe 444 Hijhhl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dldbfo32.dll Jajocl32.exe File opened for modification C:\Windows\SysWOW64\Ncnjeh32.exe Nldahn32.exe File created C:\Windows\SysWOW64\Qedehamj.dll Adiaommc.exe File opened for modification C:\Windows\SysWOW64\Pmfjmake.exe Pflbpg32.exe File opened for modification C:\Windows\SysWOW64\Bhkghqpb.exe Bemkle32.exe File opened for modification C:\Windows\SysWOW64\Egpena32.exe Eebibf32.exe File created C:\Windows\SysWOW64\Chobmj32.dll Gipngg32.exe File created C:\Windows\SysWOW64\Amglgn32.exe Ajipkb32.exe File opened for modification C:\Windows\SysWOW64\Hhadgakg.exe Hiockd32.exe File created C:\Windows\SysWOW64\Koibpd32.exe Khojcj32.exe File opened for modification C:\Windows\SysWOW64\Mhflcm32.exe Miclhpjp.exe File opened for modification C:\Windows\SysWOW64\Lpckce32.exe Lenffl32.exe File created C:\Windows\SysWOW64\Egikbd32.dll Pmecbkgj.exe File created C:\Windows\SysWOW64\Qjgcecja.exe Qpaohjkk.exe File opened for modification C:\Windows\SysWOW64\Fijnabef.exe Feobac32.exe File created C:\Windows\SysWOW64\Hfebhmbm.exe Hkpnjd32.exe File created C:\Windows\SysWOW64\Igpaec32.exe Iqfiii32.exe File opened for modification C:\Windows\SysWOW64\Meljbqna.exe Mneaacno.exe File opened for modification C:\Windows\SysWOW64\Eqkjmcmq.exe Enmnahnm.exe File created C:\Windows\SysWOW64\Efmlqigc.exe Ecnpdnho.exe File created C:\Windows\SysWOW64\Cbjcpc32.dll Ncfmjc32.exe File created C:\Windows\SysWOW64\Qadkkc32.dll Lbgkfbbj.exe File opened for modification C:\Windows\SysWOW64\Ndafcmci.exe Macjgadf.exe File opened for modification C:\Windows\SysWOW64\Cffjagko.exe Coladm32.exe File created C:\Windows\SysWOW64\Dcmpcjcf.exe Dlchfp32.exe File created C:\Windows\SysWOW64\Iciaim32.exe Iloilcci.exe File created C:\Windows\SysWOW64\Cfdiko32.dll Mejoei32.exe File created C:\Windows\SysWOW64\Qnekmihd.dll Iloilcci.exe File opened for modification C:\Windows\SysWOW64\Jaonji32.exe Jclnnmic.exe File created C:\Windows\SysWOW64\Befnbd32.exe Bakaaepk.exe File opened for modification C:\Windows\SysWOW64\Gfoeel32.exe Gbcien32.exe File created C:\Windows\SysWOW64\Gfabkl32.exe Gdcfoq32.exe File opened for modification C:\Windows\SysWOW64\Hclhjpjc.exe Hlbpme32.exe File opened for modification C:\Windows\SysWOW64\Lpanne32.exe Llebnfpe.exe File opened for modification C:\Windows\SysWOW64\Hhdqma32.exe Hdhdlbpk.exe File created C:\Windows\SysWOW64\Mkfojakp.exe Mcofid32.exe File created C:\Windows\SysWOW64\Nlldmimi.exe Nhqhmj32.exe File created C:\Windows\SysWOW64\Leegbnan.exe Lbgkfbbj.exe File opened for modification C:\Windows\SysWOW64\Nldahn32.exe Nfjildbp.exe File created C:\Windows\SysWOW64\Ogaceogh.dll Ajldkhjh.exe File created C:\Windows\SysWOW64\Dhiphb32.exe Ddmchcnd.exe File created C:\Windows\SysWOW64\Adndofcl.dll Meemgk32.exe File created C:\Windows\SysWOW64\Ddhjpejc.dll Mgfiocfl.exe File created C:\Windows\SysWOW64\Fpmpnmck.exe Fladmn32.exe File created C:\Windows\SysWOW64\Ecipfpcm.dll Fmddgg32.exe File created C:\Windows\SysWOW64\Fnahibcg.dll Gibkmgcj.exe File created C:\Windows\SysWOW64\Hpgfmeag.exe Hadfah32.exe File created C:\Windows\SysWOW64\Fejifdab.exe Ffghjg32.exe File opened for modification C:\Windows\SysWOW64\Jnjhjj32.exe Jkllnn32.exe File created C:\Windows\SysWOW64\Pjlncjhk.dll Mdgmbhgh.exe File created C:\Windows\SysWOW64\Pgcnnh32.exe Pajeanhf.exe File created C:\Windows\SysWOW64\Llpaha32.exe Lgdfgbhf.exe File created C:\Windows\SysWOW64\Dodahk32.exe Dpaqmnap.exe File created C:\Windows\SysWOW64\Gdjcjf32.exe Gmqkml32.exe File created C:\Windows\SysWOW64\Icplje32.exe Iqapnjli.exe File opened for modification C:\Windows\SysWOW64\Amafgc32.exe Aejnfe32.exe File opened for modification C:\Windows\SysWOW64\Ladgkmlj.exe Lofkoamf.exe File opened for modification C:\Windows\SysWOW64\Bfmqigba.exe Beldao32.exe File created C:\Windows\SysWOW64\Dkblohek.exe Dckcnj32.exe File created C:\Windows\SysWOW64\Olgpff32.exe Oemhjlha.exe File created C:\Windows\SysWOW64\Bldainid.dll Ofobgc32.exe File opened for modification C:\Windows\SysWOW64\Qldjdlgb.exe Qekbgbpf.exe File created C:\Windows\SysWOW64\Bgjond32.dll Dnhefh32.exe File opened for modification C:\Windows\SysWOW64\Ghddnnfi.exe Gpmllpef.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7476 7448 WerFault.exe 783 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhhed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeanhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doijcjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgfgkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpacogjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmchcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpicbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkaoalg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopknhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodahk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfohlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdfgbhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejnfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfmkjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgbfcjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehaolpke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jflgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglmefcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpfpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbookpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpaqmnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmamfddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhklha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejkdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklfia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfjadim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geloanjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnlaqhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecjmodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gminbfoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kccgheib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neibanod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npppaejj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffjagko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjpem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncdqcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcngcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhhge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfmem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdgmbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoleb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfmbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idmnga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdofebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padccpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhpgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlchfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhdlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chbihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peqhgmdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmoppefc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijfqfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lggbmbfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpbhjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmibmhoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkohjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnnlboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmfmkjdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghddnnfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okkkoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihlnhffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkiebib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoemceeo.dll" Ehclbpic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdiho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cojeomee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eikimeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgfpp32.dll" Almihjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdgjene.dll" Nnjklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpdjjil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcinlc.dll" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dochelmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpjmnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hijhhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpanne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adhglggg.dll" Ckmbdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nldcagaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlbgkgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajpndmp.dll" Efmckpko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkbbinig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpmgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gahpkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnkffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeojifki.dll" Mdjihgef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qijdqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmdofebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngonaccp.dll" Ncdpdcfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfpmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmhimhb.dll" Bopknhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Codeih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coladm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmkjgfmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkhaooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbkaoalg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpfoieh.dll" Ojbnkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhleaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkilgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkjdcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffffpb32.dll" Hiockd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kioiffcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkogpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnbbkodn.dll" Fqffgapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngencpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooicngen.dll" Nldcagaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igmepdbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leegbnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amhcad32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3020 wrote to memory of 2764 3020 f76a12df6c61f689766aaea181017330N.exe 30 PID 3020 wrote to memory of 2764 3020 f76a12df6c61f689766aaea181017330N.exe 30 PID 3020 wrote to memory of 2764 3020 f76a12df6c61f689766aaea181017330N.exe 30 PID 3020 wrote to memory of 2764 3020 f76a12df6c61f689766aaea181017330N.exe 30 PID 2764 wrote to memory of 2540 2764 Djgfgkbo.exe 31 PID 2764 wrote to memory of 2540 2764 Djgfgkbo.exe 31 PID 2764 wrote to memory of 2540 2764 Djgfgkbo.exe 31 PID 2764 wrote to memory of 2540 2764 Djgfgkbo.exe 31 PID 2540 wrote to memory of 2832 2540 Docopbaf.exe 32 PID 2540 wrote to memory of 2832 2540 Docopbaf.exe 32 PID 2540 wrote to memory of 2832 2540 Docopbaf.exe 32 PID 2540 wrote to memory of 2832 2540 Docopbaf.exe 32 PID 2832 wrote to memory of 2644 2832 Dcokpa32.exe 33 PID 2832 wrote to memory of 2644 2832 Dcokpa32.exe 33 PID 2832 wrote to memory of 2644 2832 Dcokpa32.exe 33 PID 2832 wrote to memory of 2644 2832 Dcokpa32.exe 33 PID 2644 wrote to memory of 2960 2644 Dphhka32.exe 34 PID 2644 wrote to memory of 2960 2644 Dphhka32.exe 34 PID 2644 wrote to memory of 2960 2644 Dphhka32.exe 34 PID 2644 wrote to memory of 2960 2644 Dphhka32.exe 34 PID 2960 wrote to memory of 1156 2960 Dgcmod32.exe 35 PID 2960 wrote to memory of 1156 2960 Dgcmod32.exe 35 PID 2960 wrote to memory of 1156 2960 Dgcmod32.exe 35 PID 2960 wrote to memory of 1156 2960 Dgcmod32.exe 35 PID 1156 wrote to memory of 2100 1156 Eegmhhie.exe 36 PID 1156 wrote to memory of 2100 1156 Eegmhhie.exe 36 PID 1156 wrote to memory of 2100 1156 Eegmhhie.exe 36 PID 1156 wrote to memory of 2100 1156 Eegmhhie.exe 36 PID 2100 wrote to memory of 2512 2100 Enpban32.exe 37 PID 2100 wrote to memory of 2512 2100 Enpban32.exe 37 PID 2100 wrote to memory of 2512 2100 Enpban32.exe 37 PID 2100 wrote to memory of 2512 2100 Enpban32.exe 37 PID 2512 wrote to memory of 2628 2512 Eejjnhgc.exe 38 PID 2512 wrote to memory of 2628 2512 Eejjnhgc.exe 38 PID 2512 wrote to memory of 2628 2512 Eejjnhgc.exe 38 PID 2512 wrote to memory of 2628 2512 Eejjnhgc.exe 38 PID 2628 wrote to memory of 2028 2628 Eaqkcimg.exe 39 PID 2628 wrote to memory of 2028 2628 Eaqkcimg.exe 39 PID 2628 wrote to memory of 2028 2628 Eaqkcimg.exe 39 PID 2628 wrote to memory of 2028 2628 Eaqkcimg.exe 39 PID 2028 wrote to memory of 1704 2028 Efmckpko.exe 40 PID 2028 wrote to memory of 1704 2028 Efmckpko.exe 40 PID 2028 wrote to memory of 1704 2028 Efmckpko.exe 40 PID 2028 wrote to memory of 1704 2028 Efmckpko.exe 40 PID 1704 wrote to memory of 576 1704 Efppqoil.exe 41 PID 1704 wrote to memory of 576 1704 Efppqoil.exe 41 PID 1704 wrote to memory of 576 1704 Efppqoil.exe 41 PID 1704 wrote to memory of 576 1704 Efppqoil.exe 41 PID 576 wrote to memory of 1336 576 Eaednh32.exe 42 PID 576 wrote to memory of 1336 576 Eaednh32.exe 42 PID 576 wrote to memory of 1336 576 Eaednh32.exe 42 PID 576 wrote to memory of 1336 576 Eaednh32.exe 42 PID 1336 wrote to memory of 2184 1336 Fiqibj32.exe 43 PID 1336 wrote to memory of 2184 1336 Fiqibj32.exe 43 PID 1336 wrote to memory of 2184 1336 Fiqibj32.exe 43 PID 1336 wrote to memory of 2184 1336 Fiqibj32.exe 43 PID 2184 wrote to memory of 2916 2184 Fdfmpc32.exe 44 PID 2184 wrote to memory of 2916 2184 Fdfmpc32.exe 44 PID 2184 wrote to memory of 2916 2184 Fdfmpc32.exe 44 PID 2184 wrote to memory of 2916 2184 Fdfmpc32.exe 44 PID 2916 wrote to memory of 2976 2916 Fpmned32.exe 45 PID 2916 wrote to memory of 2976 2916 Fpmned32.exe 45 PID 2916 wrote to memory of 2976 2916 Fpmned32.exe 45 PID 2916 wrote to memory of 2976 2916 Fpmned32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f76a12df6c61f689766aaea181017330N.exe"C:\Users\Admin\AppData\Local\Temp\f76a12df6c61f689766aaea181017330N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Eaqkcimg.exeC:\Windows\system32\Eaqkcimg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Eaednh32.exeC:\Windows\system32\Eaednh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Fdfmpc32.exeC:\Windows\system32\Fdfmpc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:528 -
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Ghaeoe32.exeC:\Windows\system32\Ghaeoe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Gajjhkgh.exeC:\Windows\system32\Gajjhkgh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Geloanjg.exeC:\Windows\system32\Geloanjg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Gpacogjm.exeC:\Windows\system32\Gpacogjm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Hlhddh32.exeC:\Windows\system32\Hlhddh32.exe33⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Hofqpc32.exeC:\Windows\system32\Hofqpc32.exe34⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Hecebm32.exeC:\Windows\system32\Hecebm32.exe36⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Hdefnjkj.exeC:\Windows\system32\Hdefnjkj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Hfebhmbm.exeC:\Windows\system32\Hfebhmbm.exe39⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe40⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe41⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Hkdgecna.exeC:\Windows\system32\Hkdgecna.exe43⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Hnbcaome.exeC:\Windows\system32\Hnbcaome.exe44⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Iqapnjli.exeC:\Windows\system32\Iqapnjli.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe46⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe47⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe48⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Igmepdbc.exeC:\Windows\system32\Igmepdbc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Iqfiii32.exeC:\Windows\system32\Iqfiii32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Igpaec32.exeC:\Windows\system32\Igpaec32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe52⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe53⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ibibfa32.exeC:\Windows\system32\Ibibfa32.exe54⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe55⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe56⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Iciopdca.exeC:\Windows\system32\Iciopdca.exe57⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe58⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Imacijjb.exeC:\Windows\system32\Imacijjb.exe59⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Jbnlaqhi.exeC:\Windows\system32\Jbnlaqhi.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Jelhmlgm.exeC:\Windows\system32\Jelhmlgm.exe61⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Joblkegc.exeC:\Windows\system32\Joblkegc.exe62⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe63⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe64⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe65⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe66⤵PID:2148
-
C:\Windows\SysWOW64\Jcdadhjb.exeC:\Windows\system32\Jcdadhjb.exe67⤵PID:2292
-
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe68⤵PID:2636
-
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe69⤵PID:2692
-
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe70⤵PID:2584
-
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe71⤵PID:2604
-
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe73⤵PID:2480
-
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe74⤵PID:2172
-
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe75⤵PID:620
-
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe76⤵PID:2352
-
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe77⤵PID:2360
-
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe78⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe79⤵PID:2492
-
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe80⤵PID:1796
-
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe81⤵PID:1768
-
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe82⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Khojcj32.exeC:\Windows\system32\Khojcj32.exe83⤵
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe84⤵PID:2672
-
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe85⤵PID:2560
-
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe86⤵
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Klmbjh32.exeC:\Windows\system32\Klmbjh32.exe87⤵PID:2548
-
C:\Windows\SysWOW64\Lbgkfbbj.exeC:\Windows\system32\Lbgkfbbj.exe88⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Leegbnan.exeC:\Windows\system32\Leegbnan.exe89⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe90⤵PID:1808
-
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe91⤵PID:1388
-
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe92⤵PID:3040
-
C:\Windows\SysWOW64\Lkelpd32.exeC:\Windows\system32\Lkelpd32.exe93⤵PID:2924
-
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe94⤵PID:2124
-
C:\Windows\SysWOW64\Ldmaijdc.exeC:\Windows\system32\Ldmaijdc.exe95⤵PID:1660
-
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe96⤵
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe97⤵PID:1072
-
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe98⤵PID:1000
-
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe99⤵PID:2568
-
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe100⤵PID:2200
-
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe101⤵PID:1736
-
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Mmjomogn.exeC:\Windows\system32\Mmjomogn.exe103⤵PID:2336
-
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe104⤵PID:2348
-
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe105⤵PID:1256
-
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe106⤵PID:1524
-
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe107⤵PID:2316
-
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe108⤵PID:2944
-
C:\Windows\SysWOW64\Miclhpjp.exeC:\Windows\system32\Miclhpjp.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe110⤵PID:2248
-
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe111⤵PID:1568
-
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe112⤵PID:2580
-
C:\Windows\SysWOW64\Mdmmhn32.exeC:\Windows\system32\Mdmmhn32.exe113⤵PID:1456
-
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Meljbqna.exeC:\Windows\system32\Meljbqna.exe115⤵PID:536
-
C:\Windows\SysWOW64\Mgnfji32.exeC:\Windows\system32\Mgnfji32.exe116⤵PID:1772
-
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe117⤵PID:2876
-
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe118⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ndafcmci.exeC:\Windows\system32\Ndafcmci.exe119⤵PID:1612
-
C:\Windows\SysWOW64\Nklopg32.exeC:\Windows\system32\Nklopg32.exe120⤵PID:1620
-
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe121⤵
- Modifies registry class
PID:2792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-