Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/10/2024, 15:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe
-
Size
87KB
-
MD5
3cda06dd3b62a928a17bc4a441d31b00
-
SHA1
a14c9f0dcddceb102ef879571a936f1a960af169
-
SHA256
05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6
-
SHA512
1912eee949ce8127f9bcf8df7848f0f849a8998465a09f87be79b33ed1a084b93145541a0ec1208bff2ff6337673753052c7fe7bd4ae916da8bdb365524506ef
-
SSDEEP
1536:4fFPD8D1aYWmQxLFi4ZrstIm8pZ6VlyA3w9kCuRQ4MRSRBDNrR0RVe7R6R8RPD2d:+crGLFZItIUry39kvepAnDlmbGcGFDex
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdigfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaejojjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhfpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nopaoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elgfkhpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjolf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chocodch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkehql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbfilffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabdecn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdifa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inepgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijokbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmmfjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aljjjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcdgmimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmmpcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afliclij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leegbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llmmpcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omckoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kadica32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdjalea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbbnjgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnqlmq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lafahdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dinpnged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnahgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egfjdchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbpefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paiche32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gagmbkik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcdhgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnmbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbkpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nccnlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjneadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijmbnpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnhjgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffdilo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecjmodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eogolc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2824 Ddaemh32.exe 2676 Debadpeg.exe 2576 Dbfbnddq.exe 2820 Dlofgj32.exe 3032 Domccejd.exe 2036 Ekdchf32.exe 2908 Eanldqgf.exe 2368 Eoblnd32.exe 2064 Eaphjp32.exe 1840 Eabepp32.exe 2856 Ehlmljkm.exe 1436 Ephbal32.exe 2144 Ecfnmh32.exe 2212 Fgdgcfmb.exe 440 Fmnopp32.exe 1320 Fckhhgcf.exe 952 Fgfdie32.exe 1288 Fcmdnfad.exe 2392 Felajbpg.exe 2468 Fcpacf32.exe 2232 Fennoa32.exe 1988 Flhflleb.exe 1504 Ggagmjbq.exe 1736 Gagkjbaf.exe 480 Gjbpne32.exe 2108 Gaihob32.exe 2536 Gdhdkn32.exe 1020 Ggfpgi32.exe 2720 Glchpp32.exe 2892 Gqodqodl.exe 1400 Gjgiidkl.exe 2604 Gmeeepjp.exe 1756 Gfnjne32.exe 2884 Hofngkga.exe 1008 Hinbppna.exe 1928 Hmjoqo32.exe 2768 Hcdgmimg.exe 2672 Hfbcidmk.exe 2116 Hiqoeplo.exe 1264 Hmlkfo32.exe 2344 Hnnhngjf.exe 1772 Hfepod32.exe 1616 Hgflflqg.exe 1844 Homdhjai.exe 1700 Hbkqdepm.exe 2052 Hqnapb32.exe 1612 Hghillnd.exe 2756 Hkdemk32.exe 2804 Hnbaif32.exe 3056 Haqnea32.exe 2360 Heliepmn.exe 2276 Hgkfal32.exe 2876 Ijibng32.exe 768 Indnnfdn.exe 1628 Iacjjacb.exe 1656 Ieofkp32.exe 1496 Igmbgk32.exe 2072 Ijkocg32.exe 1300 Iaegpaao.exe 1228 Iphgln32.exe 268 Igoomk32.exe 1776 Ijnkifgp.exe 2332 Iiqldc32.exe 760 Iahceq32.exe -
Loads dropped DLL 64 IoCs
pid Process 2684 05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe 2684 05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe 2824 Ddaemh32.exe 2824 Ddaemh32.exe 2676 Debadpeg.exe 2676 Debadpeg.exe 2576 Dbfbnddq.exe 2576 Dbfbnddq.exe 2820 Dlofgj32.exe 2820 Dlofgj32.exe 3032 Domccejd.exe 3032 Domccejd.exe 2036 Ekdchf32.exe 2036 Ekdchf32.exe 2908 Eanldqgf.exe 2908 Eanldqgf.exe 2368 Eoblnd32.exe 2368 Eoblnd32.exe 2064 Eaphjp32.exe 2064 Eaphjp32.exe 1840 Eabepp32.exe 1840 Eabepp32.exe 2856 Ehlmljkm.exe 2856 Ehlmljkm.exe 1436 Ephbal32.exe 1436 Ephbal32.exe 2144 Ecfnmh32.exe 2144 Ecfnmh32.exe 2212 Fgdgcfmb.exe 2212 Fgdgcfmb.exe 440 Fmnopp32.exe 440 Fmnopp32.exe 1320 Fckhhgcf.exe 1320 Fckhhgcf.exe 952 Fgfdie32.exe 952 Fgfdie32.exe 1288 Fcmdnfad.exe 1288 Fcmdnfad.exe 2392 Felajbpg.exe 2392 Felajbpg.exe 2468 Fcpacf32.exe 2468 Fcpacf32.exe 2232 Fennoa32.exe 2232 Fennoa32.exe 2416 Gdcjpncm.exe 2416 Gdcjpncm.exe 1504 Ggagmjbq.exe 1504 Ggagmjbq.exe 1736 Gagkjbaf.exe 1736 Gagkjbaf.exe 480 Gjbpne32.exe 480 Gjbpne32.exe 2108 Gaihob32.exe 2108 Gaihob32.exe 2536 Gdhdkn32.exe 2536 Gdhdkn32.exe 1020 Ggfpgi32.exe 1020 Ggfpgi32.exe 2720 Glchpp32.exe 2720 Glchpp32.exe 2892 Gqodqodl.exe 2892 Gqodqodl.exe 1400 Gjgiidkl.exe 1400 Gjgiidkl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jkbaci32.exe Jhdegn32.exe File created C:\Windows\SysWOW64\Mhqnpqce.dll Cehhdkjf.exe File opened for modification C:\Windows\SysWOW64\Ndnmialh.exe Nqbaic32.exe File created C:\Windows\SysWOW64\Gmeeepjp.exe Gjgiidkl.exe File created C:\Windows\SysWOW64\Jmlddeio.exe Joidhh32.exe File created C:\Windows\SysWOW64\Lcjmleem.dll Hfebhmbm.exe File created C:\Windows\SysWOW64\Aebobgmi.exe Abdbflnf.exe File created C:\Windows\SysWOW64\Hnbaif32.exe Hkdemk32.exe File created C:\Windows\SysWOW64\Iiobie32.dll Jgmaog32.exe File opened for modification C:\Windows\SysWOW64\Fijbco32.exe Fglfgd32.exe File created C:\Windows\SysWOW64\Oibohdmd.exe Ofdclinq.exe File created C:\Windows\SysWOW64\Mafick32.dll Nobndj32.exe File created C:\Windows\SysWOW64\Ldokfakl.exe Lnecigcp.exe File created C:\Windows\SysWOW64\Onfabgch.exe Okhefl32.exe File created C:\Windows\SysWOW64\Klkfdi32.exe Kimjhnnl.exe File created C:\Windows\SysWOW64\Dbadagln.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hnbaif32.exe Hkdemk32.exe File created C:\Windows\SysWOW64\Nedmma32.dll Aejlnmkm.exe File opened for modification C:\Windows\SysWOW64\Nhbciaki.exe Nfdfmfle.exe File created C:\Windows\SysWOW64\Lmmqln32.dll Cdqkifmb.exe File opened for modification C:\Windows\SysWOW64\Efmckpko.exe Eelgcg32.exe File created C:\Windows\SysWOW64\Dljfocan.dll Process not Found File created C:\Windows\SysWOW64\Eafkhn32.exe Eogolc32.exe File created C:\Windows\SysWOW64\Hhfdfc32.dll Mlmoilni.exe File created C:\Windows\SysWOW64\Lgpdglhn.exe Lcdhgn32.exe File created C:\Windows\SysWOW64\Dfcgbb32.exe Dhpgfeao.exe File opened for modification C:\Windows\SysWOW64\Nbhkmg32.exe Nojnql32.exe File created C:\Windows\SysWOW64\Alodeacc.exe Ahchdb32.exe File created C:\Windows\SysWOW64\Iladfn32.exe Imodkadq.exe File created C:\Windows\SysWOW64\Mclqqeaq.exe Mkdioh32.exe File opened for modification C:\Windows\SysWOW64\Bikcbc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bafhff32.exe Process not Found File created C:\Windows\SysWOW64\Jdgcbgmg.dll Hhmhcigh.exe File opened for modification C:\Windows\SysWOW64\Oknhdjko.exe Oiokholk.exe File opened for modification C:\Windows\SysWOW64\Llomfpag.exe Ldheebad.exe File created C:\Windows\SysWOW64\Gcedad32.exe Gpggei32.exe File opened for modification C:\Windows\SysWOW64\Pmmqmpdm.exe Piadma32.exe File created C:\Windows\SysWOW64\Ppmgfb32.exe Plbkfdba.exe File opened for modification C:\Windows\SysWOW64\Eldiehbk.exe Emaijk32.exe File opened for modification C:\Windows\SysWOW64\Nkclkl32.exe Nghpjn32.exe File created C:\Windows\SysWOW64\Ggfpgi32.exe Gdhdkn32.exe File created C:\Windows\SysWOW64\Hnpgloog.exe Honfqb32.exe File created C:\Windows\SysWOW64\Ojoligof.dll Plndcmmj.exe File created C:\Windows\SysWOW64\Bbqkeioh.exe Process not Found File created C:\Windows\SysWOW64\Kablnadm.exe Kmfpmc32.exe File created C:\Windows\SysWOW64\Nlohmonb.exe Nnlhab32.exe File created C:\Windows\SysWOW64\Iddiakkl.dll Honnki32.exe File created C:\Windows\SysWOW64\Lgfjggll.exe Ldgnklmi.exe File opened for modification C:\Windows\SysWOW64\Mclgklel.exe Mpnkopeh.exe File opened for modification C:\Windows\SysWOW64\Dlpbna32.exe Process not Found File created C:\Windows\SysWOW64\Ngbpoo32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gaihob32.exe Gjbpne32.exe File created C:\Windows\SysWOW64\Ebnabb32.exe Edlafebn.exe File opened for modification C:\Windows\SysWOW64\Nnahgh32.exe Nkclkl32.exe File created C:\Windows\SysWOW64\Jlqogi32.dll Jnbpqb32.exe File created C:\Windows\SysWOW64\Ajjgei32.exe Process not Found File created C:\Windows\SysWOW64\Ddbdimmi.dll Process not Found File created C:\Windows\SysWOW64\Epcddopf.exe Process not Found File created C:\Windows\SysWOW64\Ioljnm32.dll Mloiec32.exe File opened for modification C:\Windows\SysWOW64\Mdmkoepk.exe Mbnocipg.exe File created C:\Windows\SysWOW64\Cekfoolj.dll Docopbaf.exe File opened for modification C:\Windows\SysWOW64\Ammmlcgi.exe Process not Found File created C:\Windows\SysWOW64\Hmdkip32.dll Process not Found File created C:\Windows\SysWOW64\Qmbqcf32.exe Qjddgj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10856 10792 Process not Found 1187 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palpneop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfabgch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdadhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpfplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkicbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmbme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcngamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqolji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefmcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnoejch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfnckhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddaemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhhbif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaeqmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhdkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogliemkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdhmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgciff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqhpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgmfgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcjpncm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlafkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgddam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngcll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnahilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmeebpkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdchf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgfdie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdfgilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdofep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokckm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miapbpmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnmialh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmbqcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaphmln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifdlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbemboof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbgjgomc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fiebnjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbppmob.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hadcipbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfipe32.dll" Fbpclofe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngpcohbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpmjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjecp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnboph.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikeebbaa.dll" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfbjhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qiiahgjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgokfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mihgebkh.dll" Clefdcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklfipaq.dll" Joggci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdnncfoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlohmonb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmainh32.dll" Mnmbme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmqihg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfchqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqodqodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhdpd32.dll" Bolcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmhkin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oielnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnnln32.dll" Alaqjaaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nopaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdckobhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdcjpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iacjjacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogqoale.dll" Oefjdgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" Efhqmadd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpmooind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmekdl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fefqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghodpb32.dll" Ckfjjqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qdofep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dilchhgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ingmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Deakjjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcjaeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dijfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ggfbpaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnhnhd32.dll" Nnokahip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omnkicen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bckefnki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgclj32.dll" Ifpelq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 2824 2684 05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe 31 PID 2684 wrote to memory of 2824 2684 05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe 31 PID 2684 wrote to memory of 2824 2684 05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe 31 PID 2684 wrote to memory of 2824 2684 05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe 31 PID 2824 wrote to memory of 2676 2824 Ddaemh32.exe 32 PID 2824 wrote to memory of 2676 2824 Ddaemh32.exe 32 PID 2824 wrote to memory of 2676 2824 Ddaemh32.exe 32 PID 2824 wrote to memory of 2676 2824 Ddaemh32.exe 32 PID 2676 wrote to memory of 2576 2676 Debadpeg.exe 33 PID 2676 wrote to memory of 2576 2676 Debadpeg.exe 33 PID 2676 wrote to memory of 2576 2676 Debadpeg.exe 33 PID 2676 wrote to memory of 2576 2676 Debadpeg.exe 33 PID 2576 wrote to memory of 2820 2576 Dbfbnddq.exe 34 PID 2576 wrote to memory of 2820 2576 Dbfbnddq.exe 34 PID 2576 wrote to memory of 2820 2576 Dbfbnddq.exe 34 PID 2576 wrote to memory of 2820 2576 Dbfbnddq.exe 34 PID 2820 wrote to memory of 3032 2820 Dlofgj32.exe 35 PID 2820 wrote to memory of 3032 2820 Dlofgj32.exe 35 PID 2820 wrote to memory of 3032 2820 Dlofgj32.exe 35 PID 2820 wrote to memory of 3032 2820 Dlofgj32.exe 35 PID 3032 wrote to memory of 2036 3032 Domccejd.exe 36 PID 3032 wrote to memory of 2036 3032 Domccejd.exe 36 PID 3032 wrote to memory of 2036 3032 Domccejd.exe 36 PID 3032 wrote to memory of 2036 3032 Domccejd.exe 36 PID 2036 wrote to memory of 2908 2036 Ekdchf32.exe 37 PID 2036 wrote to memory of 2908 2036 Ekdchf32.exe 37 PID 2036 wrote to memory of 2908 2036 Ekdchf32.exe 37 PID 2036 wrote to memory of 2908 2036 Ekdchf32.exe 37 PID 2908 wrote to memory of 2368 2908 Eanldqgf.exe 38 PID 2908 wrote to memory of 2368 2908 Eanldqgf.exe 38 PID 2908 wrote to memory of 2368 2908 Eanldqgf.exe 38 PID 2908 wrote to memory of 2368 2908 Eanldqgf.exe 38 PID 2368 wrote to memory of 2064 2368 Eoblnd32.exe 39 PID 2368 wrote to memory of 2064 2368 Eoblnd32.exe 39 PID 2368 wrote to memory of 2064 2368 Eoblnd32.exe 39 PID 2368 wrote to memory of 2064 2368 Eoblnd32.exe 39 PID 2064 wrote to memory of 1840 2064 Eaphjp32.exe 40 PID 2064 wrote to memory of 1840 2064 Eaphjp32.exe 40 PID 2064 wrote to memory of 1840 2064 Eaphjp32.exe 40 PID 2064 wrote to memory of 1840 2064 Eaphjp32.exe 40 PID 1840 wrote to memory of 2856 1840 Eabepp32.exe 41 PID 1840 wrote to memory of 2856 1840 Eabepp32.exe 41 PID 1840 wrote to memory of 2856 1840 Eabepp32.exe 41 PID 1840 wrote to memory of 2856 1840 Eabepp32.exe 41 PID 2856 wrote to memory of 1436 2856 Ehlmljkm.exe 42 PID 2856 wrote to memory of 1436 2856 Ehlmljkm.exe 42 PID 2856 wrote to memory of 1436 2856 Ehlmljkm.exe 42 PID 2856 wrote to memory of 1436 2856 Ehlmljkm.exe 42 PID 1436 wrote to memory of 2144 1436 Ephbal32.exe 43 PID 1436 wrote to memory of 2144 1436 Ephbal32.exe 43 PID 1436 wrote to memory of 2144 1436 Ephbal32.exe 43 PID 1436 wrote to memory of 2144 1436 Ephbal32.exe 43 PID 2144 wrote to memory of 2212 2144 Ecfnmh32.exe 44 PID 2144 wrote to memory of 2212 2144 Ecfnmh32.exe 44 PID 2144 wrote to memory of 2212 2144 Ecfnmh32.exe 44 PID 2144 wrote to memory of 2212 2144 Ecfnmh32.exe 44 PID 2212 wrote to memory of 440 2212 Fgdgcfmb.exe 45 PID 2212 wrote to memory of 440 2212 Fgdgcfmb.exe 45 PID 2212 wrote to memory of 440 2212 Fgdgcfmb.exe 45 PID 2212 wrote to memory of 440 2212 Fgdgcfmb.exe 45 PID 440 wrote to memory of 1320 440 Fmnopp32.exe 46 PID 440 wrote to memory of 1320 440 Fmnopp32.exe 46 PID 440 wrote to memory of 1320 440 Fmnopp32.exe 46 PID 440 wrote to memory of 1320 440 Fmnopp32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe"C:\Users\Admin\AppData\Local\Temp\05008a8d82772828d6fe2eb07289ef9008cd3eb3d11f4169fb06ee5fe315bed6N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe23⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe24⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:480 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Ggfpgi32.exeC:\Windows\system32\Ggfpgi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe34⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe35⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe36⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe37⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe40⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe41⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe42⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe43⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe44⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe45⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe46⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe47⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe48⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe49⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe51⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe52⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe53⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe54⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe55⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe56⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe58⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe59⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe60⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe61⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe62⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe63⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe64⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe65⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe66⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe67⤵PID:236
-
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe68⤵PID:1824
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe69⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe70⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe71⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe72⤵PID:3036
-
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe73⤵PID:1116
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe75⤵PID:2284
-
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe76⤵PID:1280
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe77⤵PID:1056
-
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe78⤵PID:2644
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe79⤵PID:2976
-
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe80⤵PID:2188
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe81⤵PID:1620
-
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe83⤵PID:696
-
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe84⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe85⤵PID:280
-
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe86⤵PID:2648
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe87⤵PID:2744
-
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe88⤵PID:2716
-
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe89⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe90⤵PID:2916
-
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe91⤵PID:1432
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe92⤵PID:1428
-
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe93⤵
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe94⤵PID:2524
-
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe95⤵PID:2204
-
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe96⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe97⤵PID:832
-
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe98⤵PID:1636
-
C:\Windows\SysWOW64\Kalipcmb.exeC:\Windows\system32\Kalipcmb.exe99⤵PID:596
-
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe100⤵PID:2968
-
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe101⤵PID:2748
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe102⤵PID:2552
-
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe103⤵PID:1924
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe104⤵PID:2016
-
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe105⤵PID:2632
-
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe106⤵PID:1912
-
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe107⤵PID:2904
-
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe108⤵PID:748
-
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe109⤵
- System Location Discovery: System Language Discovery
PID:904 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe110⤵PID:2952
-
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe111⤵PID:1456
-
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe112⤵PID:2992
-
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe114⤵PID:2896
-
C:\Windows\SysWOW64\Kaglcgdc.exeC:\Windows\system32\Kaglcgdc.exe115⤵PID:2272
-
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe116⤵PID:1708
-
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe117⤵PID:1780
-
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe118⤵PID:2304
-
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe119⤵PID:372
-
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe120⤵PID:1444
-
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe121⤵
- Drops file in System32 directory
PID:2492
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-