Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/09/2024, 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
739d8c8052b30a0bd1181f14d1202eb0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
739d8c8052b30a0bd1181f14d1202eb0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
739d8c8052b30a0bd1181f14d1202eb0N.exe
-
Size
49KB
-
MD5
739d8c8052b30a0bd1181f14d1202eb0
-
SHA1
80c1ef7195dd9dd7514f39735162e713d3c080ce
-
SHA256
ab31d3483102ef45676cf66a2742391e521a399296c3d25e42740f85529e81f3
-
SHA512
e67189ee003888355d93375c11198318354cc794ccb16a6f410b559e65e3fbe4477178bcdad8868b8a300e3a6b62bf88289731a9ea1a27afd3f5e991d9364408
-
SSDEEP
768:El45Cf7z28eqpozHCLG+bZmJc89Couu9HQsz+S9vbpyKZuQf/1H5R2Xdnh:ElJn2NmoLCLG+bUJc84otw2JpyOuQxA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhpao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojomcopk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbfdekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dakikoom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmmepfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aehgnied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmaamn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpdnedf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjfdfbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckkfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibafp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emehdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmadco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giljfddl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhccj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkihnmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhpbfpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebommi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnenlka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdmoohbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbebj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenggi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfglfdkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmdio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblnindg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcliikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgmcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldopb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bomkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpicn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdnngdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kabcopmg.exe -
Executes dropped EXE 64 IoCs
pid Process 1468 Epokedmj.exe 4380 Efhcbodf.exe 2740 Ejdocm32.exe 4108 Eangpgcl.exe 3328 Edmclccp.exe 972 Ejflhm32.exe 3308 Emehdh32.exe 1844 Edopabqn.exe 220 Fkihnmhj.exe 5032 Fmgejhgn.exe 3240 Fpeafcfa.exe 4264 Ffpicn32.exe 3948 Fineoi32.exe 4944 Fphnlcdo.exe 1240 Fhofmq32.exe 4760 Fgbfhmll.exe 1396 Fipbdikp.exe 4948 Fagjfflb.exe 3144 Fhabbp32.exe 1792 Fkpool32.exe 2628 Fajgkfio.exe 2632 Fdhcgaic.exe 3704 Fkbkdkpp.exe 1536 Fmqgpgoc.exe 2896 Fdkpma32.exe 2908 Ggilil32.exe 2232 Gkdhjknm.exe 396 Gmcdffmq.exe 3132 Gpaqbbld.exe 3996 Gdmmbq32.exe 4668 Ggkiol32.exe 2332 Gpcmga32.exe 3500 Ggnedlao.exe 4724 Gilapgqb.exe 1772 Gdafnpqh.exe 1056 Ghmbno32.exe 1420 Gnjjfegi.exe 2988 Gphgbafl.exe 3116 Ggbook32.exe 5116 Gknkpjfb.exe 3432 Gnlgleef.exe 4060 Gpkchqdj.exe 4568 Hhbkinel.exe 780 Hkpheidp.exe 2616 Hnodaecc.exe 2248 Hpmpnp32.exe 2536 Hhdhon32.exe 4920 Hkbdki32.exe 1472 Hnaqgd32.exe 1108 Hammhcij.exe 4716 Hdkidohn.exe 1808 Hgiepjga.exe 4140 Hjhalefe.exe 3556 Haoimcgg.exe 1832 Hpbiip32.exe 3112 Hhiajmod.exe 3728 Hkgnfhnh.exe 1568 Hnfjbdmk.exe 5036 Hpdfnolo.exe 2288 Hhknpmma.exe 1368 Hkjjlhle.exe 1680 Hnhghcki.exe 3276 Hacbhb32.exe 3516 Hpfcdojl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jlbdab32.dll Ljclki32.exe File created C:\Windows\SysWOW64\Ckmonl32.exe Chnbbqpn.exe File opened for modification C:\Windows\SysWOW64\Iijfhbhl.exe Iacngdgj.exe File created C:\Windows\SysWOW64\Injdmnab.dll Jhpqaiji.exe File created C:\Windows\SysWOW64\Lieccf32.exe Lankbigo.exe File created C:\Windows\SysWOW64\Gpaoobkd.dll Cofecami.exe File created C:\Windows\SysWOW64\Bnkbcj32.exe Blielbfi.exe File created C:\Windows\SysWOW64\Aggpfkjj.exe Adhdjpjf.exe File opened for modification C:\Windows\SysWOW64\Hemmac32.exe Haaaaeim.exe File created C:\Windows\SysWOW64\Ipbaol32.exe Hemmac32.exe File opened for modification C:\Windows\SysWOW64\Lieccf32.exe Lankbigo.exe File created C:\Windows\SysWOW64\Difpmfna.exe Dblgpl32.exe File created C:\Windows\SysWOW64\Aolblopj.exe Alnfpcag.exe File created C:\Windows\SysWOW64\Eleepoob.exe Ejchhgid.exe File opened for modification C:\Windows\SysWOW64\Jdodkebj.exe Jpdhkf32.exe File created C:\Windows\SysWOW64\Cfkmkf32.exe Cndeii32.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Mogcihaj.exe File created C:\Windows\SysWOW64\Ipdndloi.exe Iijfhbhl.exe File opened for modification C:\Windows\SysWOW64\Fhofmq32.exe Fphnlcdo.exe File created C:\Windows\SysWOW64\Hpmpnp32.exe Hnodaecc.exe File created C:\Windows\SysWOW64\Bcahmb32.exe Bjicdmmd.exe File opened for modification C:\Windows\SysWOW64\Ppdbgncl.exe Oikjkc32.exe File created C:\Windows\SysWOW64\Hblkjo32.exe Hpnoncim.exe File created C:\Windows\SysWOW64\Ibgpcd32.dll Leenhhdn.exe File created C:\Windows\SysWOW64\Aalebkhm.dll Lnbklm32.exe File created C:\Windows\SysWOW64\Iddgpk32.dll Idahjg32.exe File created C:\Windows\SysWOW64\Bgfeip32.dll Cnkkjh32.exe File created C:\Windows\SysWOW64\Qjiipk32.exe Qdoacabq.exe File opened for modification C:\Windows\SysWOW64\Pjjfdfbb.exe Pbcncibp.exe File created C:\Windows\SysWOW64\Gdcliikj.exe Glldgljg.exe File opened for modification C:\Windows\SysWOW64\Kjmfjj32.exe Kcbnnpka.exe File created C:\Windows\SysWOW64\Jfniqp32.dll Ojigdcll.exe File created C:\Windows\SysWOW64\Koajmepf.exe Klbnajqc.exe File opened for modification C:\Windows\SysWOW64\Khiofk32.exe Kapfiqoj.exe File created C:\Windows\SysWOW64\Njbgmjgl.exe Nfgklkoc.exe File created C:\Windows\SysWOW64\Hgfnoiid.dll Jcgnbaeo.exe File opened for modification C:\Windows\SysWOW64\Bkjiao32.exe Blgifbil.exe File created C:\Windows\SysWOW64\Pbegml32.dll Hmbphg32.exe File created C:\Windows\SysWOW64\Bndfbikc.dll Blielbfi.exe File created C:\Windows\SysWOW64\Efblbbqd.exe Enkdaepb.exe File opened for modification C:\Windows\SysWOW64\Fbmohmoh.exe Fooclapd.exe File opened for modification C:\Windows\SysWOW64\Jlgoek32.exe Jemfhacc.exe File created C:\Windows\SysWOW64\Mnknop32.dll Jlgoek32.exe File created C:\Windows\SysWOW64\Olhldm32.dll Jdodkebj.exe File created C:\Windows\SysWOW64\Jhghaf32.dll Ohkkhhmh.exe File opened for modification C:\Windows\SysWOW64\Aknifq32.exe Ahpmjejp.exe File created C:\Windows\SysWOW64\Pplhhm32.exe Pmmlla32.exe File created C:\Windows\SysWOW64\Qodeajbg.exe Qjiipk32.exe File opened for modification C:\Windows\SysWOW64\Klggli32.exe Kiikpnmj.exe File opened for modification C:\Windows\SysWOW64\Ocihgnam.exe Oqklkbbi.exe File opened for modification C:\Windows\SysWOW64\Jdpkflfe.exe Jnfcia32.exe File opened for modification C:\Windows\SysWOW64\Jkjcbe32.exe Jdpkflfe.exe File created C:\Windows\SysWOW64\Igafkb32.dll Pnmopk32.exe File created C:\Windows\SysWOW64\Oajpfn32.dll Hmechmip.exe File created C:\Windows\SysWOW64\Hbceobam.dll Nccokk32.exe File opened for modification C:\Windows\SysWOW64\Dmohno32.exe Ddgplado.exe File created C:\Windows\SysWOW64\Fneggdhg.exe Flfkkhid.exe File created C:\Windows\SysWOW64\Plcpgejf.dll Hkpheidp.exe File opened for modification C:\Windows\SysWOW64\Lgkpdcmi.exe Lelchgne.exe File created C:\Windows\SysWOW64\Gmdjapgb.exe Gbofcghl.exe File created C:\Windows\SysWOW64\Milcqamo.dll Kkgiimng.exe File created C:\Windows\SysWOW64\Kcbnnpka.exe Knfeeimj.exe File created C:\Windows\SysWOW64\Bdagpnbk.exe Bmhocd32.exe File created C:\Windows\SysWOW64\Icbcjhfb.dll Ocnabm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5700 2556 WerFault.exe 1063 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdocm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomoenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncqlkemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejflhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnkdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbabigfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcliikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginecde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmqmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplobcpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efpomccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbbqpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkcfid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpqjglii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnenlka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelkaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblpdgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmdio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfenglqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagjfflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdhjknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhafffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koajmepf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljclki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamamcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joqafgni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjafok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbnajqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnlme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbefdijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikndgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkpmdbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjbhmad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhnojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgjejhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pififb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcehifmk.dll" Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiopca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgamnded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbqdpi32.dll" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjkpjn.dll" Iacngdgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pebndcpg.dll" Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnpofnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkikinpo.dll" Ddnobj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpheidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladfllde.dll" Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnpn32.dll" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkcckgg.dll" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbdnipf.dll" Felbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmdio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll" Mcdeeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mifljdjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glhimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnknop32.dll" Jlgoek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebadmmge.dll" Ffpicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggnedlao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbphdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhpmfbl.dll" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll" Nmbjcljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coqncejg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khgbqkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmehdam.dll" Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjogddi.dll" Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgpahk.dll" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Figgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoobdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clomci32.dll" Jibmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjellmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlghoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnfaohbj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3780 wrote to memory of 1468 3780 739d8c8052b30a0bd1181f14d1202eb0N.exe 83 PID 3780 wrote to memory of 1468 3780 739d8c8052b30a0bd1181f14d1202eb0N.exe 83 PID 3780 wrote to memory of 1468 3780 739d8c8052b30a0bd1181f14d1202eb0N.exe 83 PID 1468 wrote to memory of 4380 1468 Epokedmj.exe 84 PID 1468 wrote to memory of 4380 1468 Epokedmj.exe 84 PID 1468 wrote to memory of 4380 1468 Epokedmj.exe 84 PID 4380 wrote to memory of 2740 4380 Efhcbodf.exe 85 PID 4380 wrote to memory of 2740 4380 Efhcbodf.exe 85 PID 4380 wrote to memory of 2740 4380 Efhcbodf.exe 85 PID 2740 wrote to memory of 4108 2740 Ejdocm32.exe 86 PID 2740 wrote to memory of 4108 2740 Ejdocm32.exe 86 PID 2740 wrote to memory of 4108 2740 Ejdocm32.exe 86 PID 4108 wrote to memory of 3328 4108 Eangpgcl.exe 87 PID 4108 wrote to memory of 3328 4108 Eangpgcl.exe 87 PID 4108 wrote to memory of 3328 4108 Eangpgcl.exe 87 PID 3328 wrote to memory of 972 3328 Edmclccp.exe 88 PID 3328 wrote to memory of 972 3328 Edmclccp.exe 88 PID 3328 wrote to memory of 972 3328 Edmclccp.exe 88 PID 972 wrote to memory of 3308 972 Ejflhm32.exe 89 PID 972 wrote to memory of 3308 972 Ejflhm32.exe 89 PID 972 wrote to memory of 3308 972 Ejflhm32.exe 89 PID 3308 wrote to memory of 1844 3308 Emehdh32.exe 90 PID 3308 wrote to memory of 1844 3308 Emehdh32.exe 90 PID 3308 wrote to memory of 1844 3308 Emehdh32.exe 90 PID 1844 wrote to memory of 220 1844 Edopabqn.exe 91 PID 1844 wrote to memory of 220 1844 Edopabqn.exe 91 PID 1844 wrote to memory of 220 1844 Edopabqn.exe 91 PID 220 wrote to memory of 5032 220 Fkihnmhj.exe 92 PID 220 wrote to memory of 5032 220 Fkihnmhj.exe 92 PID 220 wrote to memory of 5032 220 Fkihnmhj.exe 92 PID 5032 wrote to memory of 3240 5032 Fmgejhgn.exe 93 PID 5032 wrote to memory of 3240 5032 Fmgejhgn.exe 93 PID 5032 wrote to memory of 3240 5032 Fmgejhgn.exe 93 PID 3240 wrote to memory of 4264 3240 Fpeafcfa.exe 94 PID 3240 wrote to memory of 4264 3240 Fpeafcfa.exe 94 PID 3240 wrote to memory of 4264 3240 Fpeafcfa.exe 94 PID 4264 wrote to memory of 3948 4264 Ffpicn32.exe 95 PID 4264 wrote to memory of 3948 4264 Ffpicn32.exe 95 PID 4264 wrote to memory of 3948 4264 Ffpicn32.exe 95 PID 3948 wrote to memory of 4944 3948 Fineoi32.exe 96 PID 3948 wrote to memory of 4944 3948 Fineoi32.exe 96 PID 3948 wrote to memory of 4944 3948 Fineoi32.exe 96 PID 4944 wrote to memory of 1240 4944 Fphnlcdo.exe 97 PID 4944 wrote to memory of 1240 4944 Fphnlcdo.exe 97 PID 4944 wrote to memory of 1240 4944 Fphnlcdo.exe 97 PID 1240 wrote to memory of 4760 1240 Fhofmq32.exe 98 PID 1240 wrote to memory of 4760 1240 Fhofmq32.exe 98 PID 1240 wrote to memory of 4760 1240 Fhofmq32.exe 98 PID 4760 wrote to memory of 1396 4760 Fgbfhmll.exe 100 PID 4760 wrote to memory of 1396 4760 Fgbfhmll.exe 100 PID 4760 wrote to memory of 1396 4760 Fgbfhmll.exe 100 PID 1396 wrote to memory of 4948 1396 Fipbdikp.exe 101 PID 1396 wrote to memory of 4948 1396 Fipbdikp.exe 101 PID 1396 wrote to memory of 4948 1396 Fipbdikp.exe 101 PID 4948 wrote to memory of 3144 4948 Fagjfflb.exe 102 PID 4948 wrote to memory of 3144 4948 Fagjfflb.exe 102 PID 4948 wrote to memory of 3144 4948 Fagjfflb.exe 102 PID 3144 wrote to memory of 1792 3144 Fhabbp32.exe 103 PID 3144 wrote to memory of 1792 3144 Fhabbp32.exe 103 PID 3144 wrote to memory of 1792 3144 Fhabbp32.exe 103 PID 1792 wrote to memory of 2628 1792 Fkpool32.exe 104 PID 1792 wrote to memory of 2628 1792 Fkpool32.exe 104 PID 1792 wrote to memory of 2628 1792 Fkpool32.exe 104 PID 2628 wrote to memory of 2632 2628 Fajgkfio.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\739d8c8052b30a0bd1181f14d1202eb0N.exe"C:\Users\Admin\AppData\Local\Temp\739d8c8052b30a0bd1181f14d1202eb0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe24⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe25⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe26⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe27⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe29⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe30⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe31⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe32⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe33⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe35⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe36⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe37⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe38⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe39⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe40⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe41⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe42⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe43⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe44⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe48⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe49⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe51⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe52⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe53⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe54⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe55⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe56⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe58⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe59⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe60⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe61⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe62⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe63⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe64⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe65⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe66⤵PID:2116
-
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe67⤵PID:3348
-
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe68⤵PID:2024
-
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe69⤵PID:2796
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe70⤵PID:2316
-
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe71⤵
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe72⤵PID:4744
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe73⤵PID:4028
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe74⤵PID:3664
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe75⤵PID:2484
-
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe76⤵PID:1364
-
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe77⤵PID:2668
-
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe78⤵PID:1840
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe79⤵PID:3756
-
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe80⤵PID:2300
-
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe81⤵PID:3548
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe82⤵PID:4952
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe83⤵PID:2648
-
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe84⤵PID:2800
-
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe85⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe86⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe87⤵PID:1572
-
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe88⤵PID:1128
-
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe89⤵PID:1180
-
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe90⤵PID:4732
-
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe91⤵PID:1060
-
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe92⤵PID:1400
-
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe93⤵PID:4584
-
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe94⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe95⤵PID:3572
-
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe96⤵PID:5140
-
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe98⤵
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe99⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe100⤵PID:5316
-
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe101⤵PID:5360
-
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe102⤵PID:5404
-
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe103⤵PID:5448
-
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe104⤵PID:5492
-
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5536 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe106⤵PID:5580
-
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe107⤵PID:5624
-
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe108⤵
- System Location Discovery: System Language Discovery
PID:5664 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe109⤵PID:5708
-
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe110⤵PID:5752
-
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5792 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5880 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe114⤵PID:5940
-
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe115⤵PID:5984
-
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe116⤵PID:6036
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe117⤵PID:6092
-
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe119⤵PID:5220
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe120⤵PID:5304
-
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe121⤵PID:5376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-