Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 20:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
-
Size
89KB
-
MD5
3fb8837b4b638abcc1e49b5aa453723c
-
SHA1
a6b5d9030f930bf29fb37d86da0e93a0412ec4b9
-
SHA256
222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7
-
SHA512
82307267b48e0da3ba6bcb81e96f49971da31839cf658cc91c5aab568b64c85e452a835e4ca81cdae3f93448b9414f4043befae70cd54c2369a5777b1c7afc1f
-
SSDEEP
1536:V/Wh1rAnEf6+1AWsScjroFfa4UUQ8NwyKmlo+xsRQKD68a+VMKKTRVGFtUhQfR1p:96B8aLMScjroFiEQ8/lo+ierr4MKy3Gn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnedfljc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fianpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjlpjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acfpilmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhmpmcaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdfifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfjdmggb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqdong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okhboc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpgai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedjfchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkblghdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppelfbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckbakiee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plnhbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efglmpbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqfeda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekndpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhlmhgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfknpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gabpco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amglij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcdpjqj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmecdgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpaikiig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpafhpaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfnca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oficoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldajoho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlpmiog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbmdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfcqkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poegde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldngqqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbefbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcofqphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgnmjokn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nppemgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnkdeagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfobndnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkedemc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdghpggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Emeoojfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conbmfif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmmgafjh.exe -
Executes dropped EXE 64 IoCs
pid Process 1848 Djffihmp.exe 2800 Dcojbm32.exe 2184 Dhmchljg.exe 2724 Epjdbn32.exe 2780 Edhmhl32.exe 2768 Eeijpdbd.exe 2568 Eodknifb.exe 1884 Fbdpjgjf.exe 2968 Fdemap32.exe 1480 Faimkd32.exe 1400 Ggkoojip.exe 1620 Glhhgahg.exe 1328 Geeekf32.exe 2236 Gdjblboj.exe 1152 Hnbgdh32.exe 2420 Hqemlbqi.exe 1852 Hnimeg32.exe 1364 Imaglc32.exe 1660 Ickoimie.exe 1136 Iijdfc32.exe 3040 Ibbioilj.exe 2028 Ibeeeijg.exe 2268 Iionacad.exe 1276 Jehklc32.exe 1592 Jaolad32.exe 396 Jpfehq32.exe 2732 Kiojqfdp.exe 2772 Kononm32.exe 2664 Klapha32.exe 2700 Kdoaackf.exe 2988 Lhmjha32.exe 1204 Legcjjjm.exe 2876 Lielphqc.exe 2864 Laqadknn.exe 1460 Mkiemqdo.exe 1572 Mlhbgc32.exe 2060 Maejpj32.exe 2584 Moikinib.exe 1776 Mdfcaegj.exe 2228 Majdkifd.exe 2208 Mckpba32.exe 2084 Mdkmld32.exe 2180 Njgeel32.exe 2096 Ncpjnahm.exe 1528 Nqdjge32.exe 816 Nfqbol32.exe 2016 Nkmkgc32.exe 3032 Nbgcdmjb.exe 2176 Nmmgafjh.exe 1588 Nbjpjm32.exe 2292 Ngfhbd32.exe 2616 Oifelfni.exe 2644 Ojgado32.exe 2828 Ogkbmcba.exe 2520 Omhjejai.exe 780 Ofqonp32.exe 3016 Ogpkhb32.exe 584 Ocglmcdp.exe 852 Picdejbg.exe 2024 Pfgeoo32.exe 2592 Pldnge32.exe 1832 Phknlfem.exe 2192 Pbqbioeb.exe 2020 Pbcooo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2476 222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe 2476 222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe 1848 Djffihmp.exe 1848 Djffihmp.exe 2800 Dcojbm32.exe 2800 Dcojbm32.exe 2184 Dhmchljg.exe 2184 Dhmchljg.exe 2724 Epjdbn32.exe 2724 Epjdbn32.exe 2780 Edhmhl32.exe 2780 Edhmhl32.exe 2768 Eeijpdbd.exe 2768 Eeijpdbd.exe 2568 Eodknifb.exe 2568 Eodknifb.exe 1884 Fbdpjgjf.exe 1884 Fbdpjgjf.exe 2968 Fdemap32.exe 2968 Fdemap32.exe 1480 Faimkd32.exe 1480 Faimkd32.exe 1400 Ggkoojip.exe 1400 Ggkoojip.exe 1620 Glhhgahg.exe 1620 Glhhgahg.exe 1328 Geeekf32.exe 1328 Geeekf32.exe 2236 Gdjblboj.exe 2236 Gdjblboj.exe 1152 Hnbgdh32.exe 1152 Hnbgdh32.exe 2420 Hqemlbqi.exe 2420 Hqemlbqi.exe 1852 Hnimeg32.exe 1852 Hnimeg32.exe 1364 Imaglc32.exe 1364 Imaglc32.exe 1660 Ickoimie.exe 1660 Ickoimie.exe 1136 Iijdfc32.exe 1136 Iijdfc32.exe 3040 Ibbioilj.exe 3040 Ibbioilj.exe 2028 Ibeeeijg.exe 2028 Ibeeeijg.exe 2268 Iionacad.exe 2268 Iionacad.exe 1276 Jehklc32.exe 1276 Jehklc32.exe 1592 Jaolad32.exe 1592 Jaolad32.exe 396 Jpfehq32.exe 396 Jpfehq32.exe 2732 Kiojqfdp.exe 2732 Kiojqfdp.exe 2772 Kononm32.exe 2772 Kononm32.exe 2664 Klapha32.exe 2664 Klapha32.exe 2700 Kdoaackf.exe 2700 Kdoaackf.exe 2988 Lhmjha32.exe 2988 Lhmjha32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bmacqj32.exe Bblocaik.exe File created C:\Windows\SysWOW64\Offlpgfp.dll Nmmgafjh.exe File created C:\Windows\SysWOW64\Mddilm32.dll Qnkdeagl.exe File created C:\Windows\SysWOW64\Gkclcm32.exe Fbkgjgqi.exe File created C:\Windows\SysWOW64\Kkmdmp32.dll Jpnffoci.exe File created C:\Windows\SysWOW64\Mggoli32.exe Mpmfoodb.exe File opened for modification C:\Windows\SysWOW64\Ghdfhc32.exe Gbgnpl32.exe File created C:\Windows\SysWOW64\Jopkbala.dll Ibigeojp.exe File opened for modification C:\Windows\SysWOW64\Ghjkki32.exe Gndgmq32.exe File opened for modification C:\Windows\SysWOW64\Mmepboin.exe Lanpmn32.exe File created C:\Windows\SysWOW64\Qpdnfk32.dll Dmcidqlf.exe File created C:\Windows\SysWOW64\Ionkmdop.dll Ahfmjafa.exe File created C:\Windows\SysWOW64\Bgbkhnja.dll Hnbgdh32.exe File created C:\Windows\SysWOW64\Dgenpi32.dll Kcgdgnmc.exe File created C:\Windows\SysWOW64\Dhimmamn.dll Ckdnpicb.exe File created C:\Windows\SysWOW64\Fpffianh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hmpemkkf.exe Gaiehjfb.exe File opened for modification C:\Windows\SysWOW64\Nagobp32.exe Nhojjjhj.exe File created C:\Windows\SysWOW64\Jggafj32.dll Ockhpgbf.exe File created C:\Windows\SysWOW64\Obbbbhkf.exe Ohmneokp.exe File created C:\Windows\SysWOW64\Pbaebh32.exe Pgkqeo32.exe File created C:\Windows\SysWOW64\Bhiiepcl.exe Bmdehgcf.exe File created C:\Windows\SysWOW64\Apnlee32.exe Ajddik32.exe File created C:\Windows\SysWOW64\Gpfbfh32.exe Gpdfph32.exe File created C:\Windows\SysWOW64\Ibbbhe32.dll Bdkpob32.exe File created C:\Windows\SysWOW64\Flmgnbcl.exe Process not Found File created C:\Windows\SysWOW64\Nmmgafjh.exe Nbgcdmjb.exe File created C:\Windows\SysWOW64\Hlfoqm32.dll Foencfda.exe File created C:\Windows\SysWOW64\Hbblbb32.exe Hmecjk32.exe File created C:\Windows\SysWOW64\Qeenmc32.dll Process not Found File created C:\Windows\SysWOW64\Imdhqhfm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fgojdj32.exe Fjkije32.exe File opened for modification C:\Windows\SysWOW64\Gqbaqccn.exe Ggjmhn32.exe File opened for modification C:\Windows\SysWOW64\Ejcjfgbk.exe Eomfiobe.exe File created C:\Windows\SysWOW64\Fkphcg32.exe Fdfpfm32.exe File created C:\Windows\SysWOW64\Acabmpem.exe Ahlnpg32.exe File created C:\Windows\SysWOW64\Nbhjnbgh.dll Fchigcab.exe File created C:\Windows\SysWOW64\Okmnol32.dll Lnnkmdfq.exe File created C:\Windows\SysWOW64\Fmbpaf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ogpkhb32.exe Ofqonp32.exe File created C:\Windows\SysWOW64\Pdonbeon.dll Qmlknocg.exe File created C:\Windows\SysWOW64\Eqpifq32.exe Process not Found File created C:\Windows\SysWOW64\Hoeigi32.exe Hjhaob32.exe File created C:\Windows\SysWOW64\Amidmldj.exe Acqpdgni.exe File created C:\Windows\SysWOW64\Bklahkeo.dll Dpifln32.exe File created C:\Windows\SysWOW64\Eiclop32.exe Elolfl32.exe File opened for modification C:\Windows\SysWOW64\Eadpig32.exe Process not Found File created C:\Windows\SysWOW64\Lpofehne.dll Pjbnmm32.exe File created C:\Windows\SysWOW64\Daedpf32.dll Peandcih.exe File created C:\Windows\SysWOW64\Igmalekk.dll Ceiadj32.exe File opened for modification C:\Windows\SysWOW64\Eajcgf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Amkbmlci.exe Process not Found File created C:\Windows\SysWOW64\Enajgllm.exe Eggajb32.exe File created C:\Windows\SysWOW64\Jajcaj32.exe Jhboidoj.exe File created C:\Windows\SysWOW64\Pnqfmmgh.dll Oifelfni.exe File created C:\Windows\SysWOW64\Nnkjca32.dll Dgefmf32.exe File created C:\Windows\SysWOW64\Mooanijf.dll Oogdiqki.exe File opened for modification C:\Windows\SysWOW64\Ddkdkk32.exe Dbihccpg.exe File created C:\Windows\SysWOW64\Iajfin32.exe Iohiafag.exe File created C:\Windows\SysWOW64\Nnkpkdio.exe Process not Found File created C:\Windows\SysWOW64\Bmohgoao.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fbpihafp.exe Eiheok32.exe File created C:\Windows\SysWOW64\Kloggici.dll Clnmmlkm.exe File created C:\Windows\SysWOW64\Gdciej32.exe Ggohlf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 584 1504 Process not Found 1397 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfemdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamobdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojbbiae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaoldnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgnnicpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcplg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlmcaijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geeekf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecggmfde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhbaam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajddik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjimafji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medggj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlafmcpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfahgpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgpfdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibigeojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolcdahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgojdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbfndggh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbqbioeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkojjgfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhkffl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmhppk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dciekjhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbpmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoflpbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dffmgqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qibjjgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehilgikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdiglap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclbhkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnnecoah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lielphqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmjjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiiono32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfalpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fchigcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggqamh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpfojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhabemgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doclijgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjepib32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgagdp32.dll" Kpmkjlbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amfcfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfbibfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hncnfo32.dll" Gbeakllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Akdgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehgnffj.dll" Bngicb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njhhiiok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnflmc32.dll" Ihmcelkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblmfl32.dll" Koacjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckalkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fchigcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlnlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalbhdko.dll" Cfimnmoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpfbfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlnlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabiiacc.dll" Pgfnfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhfgnc32.dll" Iklajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmldbk32.dll" Dlbcgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elgmbnfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcooinfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflnoine.dll" Amjmpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mljnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlkbbnm.dll" Nmlgcbei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhnpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgobo32.dll" Hebqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighihc32.dll" Dciekjhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibqmen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addgcj32.dll" Idofmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehaip32.dll" Dlmcaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjaappg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckebbgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Babdhlmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfdklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gcpdip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Coofoghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Minpeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acafnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbdljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lofafhck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfplgpp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdkmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gajlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdadbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlmcaijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkneko32.dll" Ojojmfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocibno32.dll" Jhboidoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Diifph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Digipn32.dll" Ekofijic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oichhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpbpgch.dll" Qpfojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fianpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpmfoodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoflpbmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Loicnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmlpjhlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponfcl32.dll" Kiojqfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfjcpff.dll" Djkcgpaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokccf32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2476 wrote to memory of 1848 2476 222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe 28 PID 2476 wrote to memory of 1848 2476 222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe 28 PID 2476 wrote to memory of 1848 2476 222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe 28 PID 2476 wrote to memory of 1848 2476 222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe 28 PID 1848 wrote to memory of 2800 1848 Djffihmp.exe 29 PID 1848 wrote to memory of 2800 1848 Djffihmp.exe 29 PID 1848 wrote to memory of 2800 1848 Djffihmp.exe 29 PID 1848 wrote to memory of 2800 1848 Djffihmp.exe 29 PID 2800 wrote to memory of 2184 2800 Dcojbm32.exe 30 PID 2800 wrote to memory of 2184 2800 Dcojbm32.exe 30 PID 2800 wrote to memory of 2184 2800 Dcojbm32.exe 30 PID 2800 wrote to memory of 2184 2800 Dcojbm32.exe 30 PID 2184 wrote to memory of 2724 2184 Dhmchljg.exe 31 PID 2184 wrote to memory of 2724 2184 Dhmchljg.exe 31 PID 2184 wrote to memory of 2724 2184 Dhmchljg.exe 31 PID 2184 wrote to memory of 2724 2184 Dhmchljg.exe 31 PID 2724 wrote to memory of 2780 2724 Epjdbn32.exe 32 PID 2724 wrote to memory of 2780 2724 Epjdbn32.exe 32 PID 2724 wrote to memory of 2780 2724 Epjdbn32.exe 32 PID 2724 wrote to memory of 2780 2724 Epjdbn32.exe 32 PID 2780 wrote to memory of 2768 2780 Edhmhl32.exe 33 PID 2780 wrote to memory of 2768 2780 Edhmhl32.exe 33 PID 2780 wrote to memory of 2768 2780 Edhmhl32.exe 33 PID 2780 wrote to memory of 2768 2780 Edhmhl32.exe 33 PID 2768 wrote to memory of 2568 2768 Eeijpdbd.exe 34 PID 2768 wrote to memory of 2568 2768 Eeijpdbd.exe 34 PID 2768 wrote to memory of 2568 2768 Eeijpdbd.exe 34 PID 2768 wrote to memory of 2568 2768 Eeijpdbd.exe 34 PID 2568 wrote to memory of 1884 2568 Eodknifb.exe 35 PID 2568 wrote to memory of 1884 2568 Eodknifb.exe 35 PID 2568 wrote to memory of 1884 2568 Eodknifb.exe 35 PID 2568 wrote to memory of 1884 2568 Eodknifb.exe 35 PID 1884 wrote to memory of 2968 1884 Fbdpjgjf.exe 36 PID 1884 wrote to memory of 2968 1884 Fbdpjgjf.exe 36 PID 1884 wrote to memory of 2968 1884 Fbdpjgjf.exe 36 PID 1884 wrote to memory of 2968 1884 Fbdpjgjf.exe 36 PID 2968 wrote to memory of 1480 2968 Fdemap32.exe 37 PID 2968 wrote to memory of 1480 2968 Fdemap32.exe 37 PID 2968 wrote to memory of 1480 2968 Fdemap32.exe 37 PID 2968 wrote to memory of 1480 2968 Fdemap32.exe 37 PID 1480 wrote to memory of 1400 1480 Faimkd32.exe 38 PID 1480 wrote to memory of 1400 1480 Faimkd32.exe 38 PID 1480 wrote to memory of 1400 1480 Faimkd32.exe 38 PID 1480 wrote to memory of 1400 1480 Faimkd32.exe 38 PID 1400 wrote to memory of 1620 1400 Ggkoojip.exe 39 PID 1400 wrote to memory of 1620 1400 Ggkoojip.exe 39 PID 1400 wrote to memory of 1620 1400 Ggkoojip.exe 39 PID 1400 wrote to memory of 1620 1400 Ggkoojip.exe 39 PID 1620 wrote to memory of 1328 1620 Glhhgahg.exe 40 PID 1620 wrote to memory of 1328 1620 Glhhgahg.exe 40 PID 1620 wrote to memory of 1328 1620 Glhhgahg.exe 40 PID 1620 wrote to memory of 1328 1620 Glhhgahg.exe 40 PID 1328 wrote to memory of 2236 1328 Geeekf32.exe 41 PID 1328 wrote to memory of 2236 1328 Geeekf32.exe 41 PID 1328 wrote to memory of 2236 1328 Geeekf32.exe 41 PID 1328 wrote to memory of 2236 1328 Geeekf32.exe 41 PID 2236 wrote to memory of 1152 2236 Gdjblboj.exe 42 PID 2236 wrote to memory of 1152 2236 Gdjblboj.exe 42 PID 2236 wrote to memory of 1152 2236 Gdjblboj.exe 42 PID 2236 wrote to memory of 1152 2236 Gdjblboj.exe 42 PID 1152 wrote to memory of 2420 1152 Hnbgdh32.exe 43 PID 1152 wrote to memory of 2420 1152 Hnbgdh32.exe 43 PID 1152 wrote to memory of 2420 1152 Hnbgdh32.exe 43 PID 1152 wrote to memory of 2420 1152 Hnbgdh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe"C:\Users\Admin\AppData\Local\Temp\222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Djffihmp.exeC:\Windows\system32\Djffihmp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Dcojbm32.exeC:\Windows\system32\Dcojbm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Dhmchljg.exeC:\Windows\system32\Dhmchljg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Epjdbn32.exeC:\Windows\system32\Epjdbn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Fbdpjgjf.exeC:\Windows\system32\Fbdpjgjf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Ggkoojip.exeC:\Windows\system32\Ggkoojip.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Glhhgahg.exeC:\Windows\system32\Glhhgahg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Geeekf32.exeC:\Windows\system32\Geeekf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Gdjblboj.exeC:\Windows\system32\Gdjblboj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Hnbgdh32.exeC:\Windows\system32\Hnbgdh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Hqemlbqi.exeC:\Windows\system32\Hqemlbqi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Hnimeg32.exeC:\Windows\system32\Hnimeg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Imaglc32.exeC:\Windows\system32\Imaglc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Iijdfc32.exeC:\Windows\system32\Iijdfc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Ibbioilj.exeC:\Windows\system32\Ibbioilj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Ibeeeijg.exeC:\Windows\system32\Ibeeeijg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Iionacad.exeC:\Windows\system32\Iionacad.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Jehklc32.exeC:\Windows\system32\Jehklc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Jaolad32.exeC:\Windows\system32\Jaolad32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Jpfehq32.exeC:\Windows\system32\Jpfehq32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\Kiojqfdp.exeC:\Windows\system32\Kiojqfdp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Kononm32.exeC:\Windows\system32\Kononm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Kdoaackf.exeC:\Windows\system32\Kdoaackf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Lhmjha32.exeC:\Windows\system32\Lhmjha32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Legcjjjm.exeC:\Windows\system32\Legcjjjm.exe33⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Lielphqc.exeC:\Windows\system32\Lielphqc.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Laqadknn.exeC:\Windows\system32\Laqadknn.exe35⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Mkiemqdo.exeC:\Windows\system32\Mkiemqdo.exe36⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Mlhbgc32.exeC:\Windows\system32\Mlhbgc32.exe37⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Maejpj32.exeC:\Windows\system32\Maejpj32.exe38⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Moikinib.exeC:\Windows\system32\Moikinib.exe39⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Mdfcaegj.exeC:\Windows\system32\Mdfcaegj.exe40⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Majdkifd.exeC:\Windows\system32\Majdkifd.exe41⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Mckpba32.exeC:\Windows\system32\Mckpba32.exe42⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Mdkmld32.exeC:\Windows\system32\Mdkmld32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Njgeel32.exeC:\Windows\system32\Njgeel32.exe44⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ncpjnahm.exeC:\Windows\system32\Ncpjnahm.exe45⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Nqdjge32.exeC:\Windows\system32\Nqdjge32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe47⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe48⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Nbgcdmjb.exeC:\Windows\system32\Nbgcdmjb.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Nmmgafjh.exeC:\Windows\system32\Nmmgafjh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe51⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Ngfhbd32.exeC:\Windows\system32\Ngfhbd32.exe52⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Oifelfni.exeC:\Windows\system32\Oifelfni.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Ojgado32.exeC:\Windows\system32\Ojgado32.exe54⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe55⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe56⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Ogpkhb32.exeC:\Windows\system32\Ogpkhb32.exe58⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe59⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Picdejbg.exeC:\Windows\system32\Picdejbg.exe60⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Pfgeoo32.exeC:\Windows\system32\Pfgeoo32.exe61⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Pldnge32.exeC:\Windows\system32\Pldnge32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Phknlfem.exeC:\Windows\system32\Phknlfem.exe63⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Pbqbioeb.exeC:\Windows\system32\Pbqbioeb.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Pbcooo32.exeC:\Windows\system32\Pbcooo32.exe65⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe66⤵PID:2008
-
C:\Windows\SysWOW64\Pmmppm32.exeC:\Windows\system32\Pmmppm32.exe67⤵PID:236
-
C:\Windows\SysWOW64\Qfedhb32.exeC:\Windows\system32\Qfedhb32.exe68⤵PID:108
-
C:\Windows\SysWOW64\Qpmiahlp.exeC:\Windows\system32\Qpmiahlp.exe69⤵PID:2044
-
C:\Windows\SysWOW64\Qfganb32.exeC:\Windows\system32\Qfganb32.exe70⤵PID:2076
-
C:\Windows\SysWOW64\Appfggjm.exeC:\Windows\system32\Appfggjm.exe71⤵PID:2956
-
C:\Windows\SysWOW64\Amcfpl32.exeC:\Windows\system32\Amcfpl32.exe72⤵PID:2360
-
C:\Windows\SysWOW64\Amfcfk32.exeC:\Windows\system32\Amfcfk32.exe73⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Abbknb32.exeC:\Windows\system32\Abbknb32.exe74⤵PID:2752
-
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe75⤵PID:2984
-
C:\Windows\SysWOW64\Aahhoo32.exeC:\Windows\system32\Aahhoo32.exe76⤵PID:2556
-
C:\Windows\SysWOW64\Abgeiaaf.exeC:\Windows\system32\Abgeiaaf.exe77⤵PID:3020
-
C:\Windows\SysWOW64\Bhdmahpn.exeC:\Windows\system32\Bhdmahpn.exe78⤵PID:2832
-
C:\Windows\SysWOW64\Bnafjo32.exeC:\Windows\system32\Bnafjo32.exe79⤵PID:1780
-
C:\Windows\SysWOW64\Bhfjgh32.exeC:\Windows\system32\Bhfjgh32.exe80⤵PID:1868
-
C:\Windows\SysWOW64\Baoopndk.exeC:\Windows\system32\Baoopndk.exe81⤵PID:2860
-
C:\Windows\SysWOW64\Bglghdbc.exeC:\Windows\system32\Bglghdbc.exe82⤵PID:872
-
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Bjlpjp32.exeC:\Windows\system32\Bjlpjp32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1380 -
C:\Windows\SysWOW64\Bfcqoqeh.exeC:\Windows\system32\Bfcqoqeh.exe85⤵PID:1320
-
C:\Windows\SysWOW64\Bpieli32.exeC:\Windows\system32\Bpieli32.exe86⤵PID:2496
-
C:\Windows\SysWOW64\Cfemdp32.exeC:\Windows\system32\Cfemdp32.exe87⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Conbmfif.exeC:\Windows\system32\Conbmfif.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Cfhjjp32.exeC:\Windows\system32\Cfhjjp32.exe89⤵PID:2040
-
C:\Windows\SysWOW64\Ckebbgoj.exeC:\Windows\system32\Ckebbgoj.exe90⤵
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Chickknc.exeC:\Windows\system32\Chickknc.exe91⤵PID:2636
-
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe92⤵PID:2748
-
C:\Windows\SysWOW64\Ckilmfke.exeC:\Windows\system32\Ckilmfke.exe93⤵PID:2320
-
C:\Windows\SysWOW64\Cdbqflae.exeC:\Windows\system32\Cdbqflae.exe94⤵PID:2564
-
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe95⤵PID:1956
-
C:\Windows\SysWOW64\Dddmkkpb.exeC:\Windows\system32\Dddmkkpb.exe96⤵PID:844
-
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe97⤵PID:2436
-
C:\Windows\SysWOW64\Dgefmf32.exeC:\Windows\system32\Dgefmf32.exe98⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe99⤵PID:568
-
C:\Windows\SysWOW64\Emieflec.exeC:\Windows\system32\Emieflec.exe100⤵PID:1972
-
C:\Windows\SysWOW64\Ebhjdc32.exeC:\Windows\system32\Ebhjdc32.exe101⤵PID:2388
-
C:\Windows\SysWOW64\Elpnmhgh.exeC:\Windows\system32\Elpnmhgh.exe102⤵PID:1640
-
C:\Windows\SysWOW64\Eamgeo32.exeC:\Windows\system32\Eamgeo32.exe103⤵PID:848
-
C:\Windows\SysWOW64\Emdgjpkd.exeC:\Windows\system32\Emdgjpkd.exe104⤵PID:768
-
C:\Windows\SysWOW64\Ehilgikj.exeC:\Windows\system32\Ehilgikj.exe105⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Ejhhcdjm.exeC:\Windows\system32\Ejhhcdjm.exe106⤵PID:2604
-
C:\Windows\SysWOW64\Fpdqlkhe.exeC:\Windows\system32\Fpdqlkhe.exe107⤵PID:2668
-
C:\Windows\SysWOW64\Ffoihepa.exeC:\Windows\system32\Ffoihepa.exe108⤵PID:1968
-
C:\Windows\SysWOW64\Fmhaep32.exeC:\Windows\system32\Fmhaep32.exe109⤵PID:2764
-
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe110⤵PID:2980
-
C:\Windows\SysWOW64\Fianpp32.exeC:\Windows\system32\Fianpp32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Fbjchfaq.exeC:\Windows\system32\Fbjchfaq.exe112⤵PID:432
-
C:\Windows\SysWOW64\Flbgak32.exeC:\Windows\system32\Flbgak32.exe113⤵PID:2304
-
C:\Windows\SysWOW64\Faopib32.exeC:\Windows\system32\Faopib32.exe114⤵PID:1332
-
C:\Windows\SysWOW64\Gledgkfn.exeC:\Windows\system32\Gledgkfn.exe115⤵PID:1220
-
C:\Windows\SysWOW64\Gaamobdf.exeC:\Windows\system32\Gaamobdf.exe116⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Gkjahg32.exeC:\Windows\system32\Gkjahg32.exe117⤵PID:3048
-
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe118⤵PID:1792
-
C:\Windows\SysWOW64\Ggqamh32.exeC:\Windows\system32\Ggqamh32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Gaffja32.exeC:\Windows\system32\Gaffja32.exe120⤵PID:2704
-
C:\Windows\SysWOW64\Ggcnbh32.exeC:\Windows\system32\Ggcnbh32.exe121⤵PID:2580
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-