Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/11/2024, 00:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b.exe
-
Size
335KB
-
MD5
e6dcd2fb4a868c2336b923e5ee226310
-
SHA1
716513a14fb436a35e55183f8db9a684209dacf7
-
SHA256
8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b
-
SHA512
5d9c4d128615578e3c17f30047ef29a61a2a4275ac9671a86685a411f6b87061208ac1cc968ac217fc1b39baf81dae988ca7a9bc02766bcfac1414b3415b12a4
-
SSDEEP
6144:k8TUtRcrvLvwU/4qwvwU/4qvvwevwU/4q+vwk/4qz:T
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dimenegi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjahlgpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpochfji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnoddcef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbcgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndick32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikcmbfcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojjcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcecjmkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paeelgnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cammjakm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lebijnak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihbponja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpnakk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnabjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poimpapp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfcndce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphbnoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohiemobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbdoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggocmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggpbjkpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjellmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haaaaeim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlphbnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiknlagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfngdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqbliicp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganldgib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhndljll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkeldnpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcecjmkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njedbjej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igedlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdoqgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqjbhdc.exe -
Executes dropped EXE 64 IoCs
pid Process 4836 Eibfck32.exe 2020 Ealkjh32.exe 2876 Embkoi32.exe 4980 Epagkd32.exe 2740 Facqkg32.exe 2872 Faenpf32.exe 4564 Fagjfflb.exe 2356 Fmnkkg32.exe 2180 Fpmggb32.exe 348 Fggocmhf.exe 660 Gigheh32.exe 884 Gdoihpbk.exe 3388 Gnhnaf32.exe 2552 Ggpbjkpl.exe 4012 Ginnfgop.exe 2436 Hjchaf32.exe 1772 Hkbdki32.exe 3220 Hpomcp32.exe 4200 Hjjnae32.exe 2564 Haafcb32.exe 3864 Hjlkge32.exe 3868 Iafonaao.exe 552 Inmpcc32.exe 4008 Igedlh32.exe 3016 Inomhbeq.exe 1080 Ikcmbfcj.exe 1564 Ibmeoq32.exe 1784 Idkbkl32.exe 3080 Igjngh32.exe 3280 Ijhjcchb.exe 4404 Ibobdqid.exe 4576 Iqbbpm32.exe 748 Jhijqj32.exe 3848 Jglklggl.exe 2144 Jjjghcfp.exe 2236 Jbaojpgb.exe 2112 Jqdoem32.exe 1216 Jhlgfj32.exe 4824 Jkjcbe32.exe 1280 Jnhpoamf.exe 4212 Jqglkmlj.exe 3408 Jhndljll.exe 4780 Jklphekp.exe 5024 Jnkldqkc.exe 672 Jbfheo32.exe 3448 Jdedak32.exe 2888 Jgcamf32.exe 444 Jjamia32.exe 4408 Jbiejoaj.exe 3052 Jdgafjpn.exe 4752 Jgenbfoa.exe 64 Jjdjoane.exe 1976 Kqnbkl32.exe 1940 Kiejmi32.exe 3528 Kkcfid32.exe 4292 Knbbep32.exe 3648 Kqpoakco.exe 3656 Kiggbhda.exe 1632 Kkfcndce.exe 4460 Kndojobi.exe 4312 Kqbkfkal.exe 3352 Kijchhbo.exe 2608 Kkhpdcab.exe 3192 Knflpoqf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jjdejk32.dll Hpofii32.exe File opened for modification C:\Windows\SysWOW64\Ogcnmc32.exe Oaifpi32.exe File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe Aphnnafb.exe File opened for modification C:\Windows\SysWOW64\Glhimp32.exe Geoapenf.exe File created C:\Windows\SysWOW64\Bkjiao32.exe Aaohcj32.exe File opened for modification C:\Windows\SysWOW64\Jhijqj32.exe Iqbbpm32.exe File created C:\Windows\SysWOW64\Jhcnob32.dll Lbpdblmo.exe File created C:\Windows\SysWOW64\Kiljgf32.dll Cfbcke32.exe File opened for modification C:\Windows\SysWOW64\Fnbcgn32.exe Eiekog32.exe File created C:\Windows\SysWOW64\Lcnmin32.exe Lclpdncg.exe File created C:\Windows\SysWOW64\Omjpeo32.exe Odoogi32.exe File opened for modification C:\Windows\SysWOW64\Lpgmhg32.exe Lhqefjpo.exe File opened for modification C:\Windows\SysWOW64\Fbfcmhpg.exe Fpggamqc.exe File opened for modification C:\Windows\SysWOW64\Mnhdgpii.exe Mgnlkfal.exe File opened for modification C:\Windows\SysWOW64\Pmblagmf.exe Pfiddm32.exe File created C:\Windows\SysWOW64\Fcndmiqg.dll Mapppn32.exe File created C:\Windows\SysWOW64\Jjamia32.exe Jgcamf32.exe File opened for modification C:\Windows\SysWOW64\Lbkkgl32.exe Ljdceo32.exe File created C:\Windows\SysWOW64\Mckdpoji.dll Jgpmmp32.exe File created C:\Windows\SysWOW64\Npdpachh.dll Dfnbgc32.exe File created C:\Windows\SysWOW64\Ibdlakbf.dll Hoobdp32.exe File created C:\Windows\SysWOW64\Chnpamkc.dll Ahdpjn32.exe File created C:\Windows\SysWOW64\Pimfpc32.exe Omfekbdh.exe File created C:\Windows\SysWOW64\Enqjamin.dll Jnkldqkc.exe File created C:\Windows\SysWOW64\Amlogfel.exe Aknbkjfh.exe File created C:\Windows\SysWOW64\Ekppjn32.dll Cnjdpaki.exe File created C:\Windows\SysWOW64\Jadgnb32.exe Jhkbdmbg.exe File created C:\Windows\SysWOW64\Icbcjhfb.dll Ofjqihnn.exe File created C:\Windows\SysWOW64\Kkcfid32.exe Kiejmi32.exe File created C:\Windows\SysWOW64\Qfmjef32.dll Plpqil32.exe File created C:\Windows\SysWOW64\Ogakfe32.dll Pplobcpp.exe File created C:\Windows\SysWOW64\Enalem32.dll Ibgdlg32.exe File created C:\Windows\SysWOW64\Pninea32.dll Mjnnbk32.exe File opened for modification C:\Windows\SysWOW64\Meamcg32.exe Mbbagk32.exe File created C:\Windows\SysWOW64\Fnnhjlpl.dll Oklkdi32.exe File created C:\Windows\SysWOW64\Efafgifc.exe Dpgnjo32.exe File created C:\Windows\SysWOW64\Gkhkjd32.exe Gbabigfj.exe File created C:\Windows\SysWOW64\Kcjjhdjb.exe Kefiopki.exe File created C:\Windows\SysWOW64\Figfoijn.dll Mgbefe32.exe File created C:\Windows\SysWOW64\Fagjfflb.exe Faenpf32.exe File created C:\Windows\SysWOW64\Hqomopfd.dll Nojjcj32.exe File created C:\Windows\SysWOW64\Hdehni32.exe Gphphj32.exe File created C:\Windows\SysWOW64\Bdlhkf32.dll Ckeimm32.exe File opened for modification C:\Windows\SysWOW64\Eehicoel.exe Ennqfenp.exe File created C:\Windows\SysWOW64\Eemfmoce.dll Jhndljll.exe File opened for modification C:\Windows\SysWOW64\Jihbip32.exe Jocnlg32.exe File opened for modification C:\Windows\SysWOW64\Glgjlm32.exe Gmdjapgb.exe File created C:\Windows\SysWOW64\Dkceokii.exe Ddgplado.exe File created C:\Windows\SysWOW64\Njlmnj32.dll Ihkjno32.exe File created C:\Windows\SysWOW64\Jhlgfj32.exe Jqdoem32.exe File opened for modification C:\Windows\SysWOW64\Ipkdek32.exe Iefphb32.exe File created C:\Windows\SysWOW64\Nfenigce.dll Mbdiknlb.exe File opened for modification C:\Windows\SysWOW64\Mcfbkpab.exe Mlljnf32.exe File created C:\Windows\SysWOW64\Nmfcok32.exe Ngjkfd32.exe File created C:\Windows\SysWOW64\Gaagdbfm.dll Onapdl32.exe File created C:\Windows\SysWOW64\Lhgkgijg.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Mldhfpib.exe Mifljdjo.exe File created C:\Windows\SysWOW64\Fnpeoe32.dll Cfigpm32.exe File created C:\Windows\SysWOW64\Bbaffgag.dll Hgmgqc32.exe File opened for modification C:\Windows\SysWOW64\Kclgmq32.exe Knooej32.exe File opened for modification C:\Windows\SysWOW64\Loighj32.exe Kgnbdh32.exe File created C:\Windows\SysWOW64\Hnphoj32.exe Hehdfdek.exe File created C:\Windows\SysWOW64\Modpib32.exe Mhjhmhhd.exe File opened for modification C:\Windows\SysWOW64\Pocfpf32.exe Pekbga32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5032 5936 WerFault.exe 761 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modpib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofjqihnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejkmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maodigil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenbjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbocfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijdjfdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhijqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boflmdkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooibkpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjellmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocaebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqiibjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noblkqca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgkan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmggb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knflpoqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclpdncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bombmcec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlkge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpdblmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aleckinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoelkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaoaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gndick32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibobdqid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgnemjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flngfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjjhdjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micoed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmcgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipfmggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omopjcjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piocecgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbiado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfaapbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojqjdbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqefjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmfimga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkjmlaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfbcke32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcpgoem.dll" Loofnccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkibb32.dll" Ohghgodi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpphjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooibkpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcmhh32.dll" Dimenegi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnbcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpcgbim.dll" Kqphfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll" Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neoogc32.dll" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olojcl32.dll" Lghcocol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjiffif.dll" Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophkojl.dll" Knooej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfgek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcnmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbdnie.dll" Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaifkq.dll" Ilmmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpodked.dll" Mlljnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll" Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbqmiinl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokgdkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igedlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngjbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdgnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phajna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eohmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aleckinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mminhceb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll" Jpnakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liabph32.dll" Lfeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjbcakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmhabha.dll" Cimmggfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phaahggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdjokcd.dll" Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlgcl32.dll" Qkjgegae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndchiip.dll" Mjellmbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akffafgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafcqcea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdmoohbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adkqoohc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icbcjhfb.dll" Ofjqihnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdndomn.dll" Meefofek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghka32.dll" Fpjcgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahgjejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll" Ocihgnam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjiipk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1360 wrote to memory of 4836 1360 8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b.exe 83 PID 1360 wrote to memory of 4836 1360 8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b.exe 83 PID 1360 wrote to memory of 4836 1360 8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b.exe 83 PID 4836 wrote to memory of 2020 4836 Eibfck32.exe 84 PID 4836 wrote to memory of 2020 4836 Eibfck32.exe 84 PID 4836 wrote to memory of 2020 4836 Eibfck32.exe 84 PID 2020 wrote to memory of 2876 2020 Ealkjh32.exe 85 PID 2020 wrote to memory of 2876 2020 Ealkjh32.exe 85 PID 2020 wrote to memory of 2876 2020 Ealkjh32.exe 85 PID 2876 wrote to memory of 4980 2876 Embkoi32.exe 86 PID 2876 wrote to memory of 4980 2876 Embkoi32.exe 86 PID 2876 wrote to memory of 4980 2876 Embkoi32.exe 86 PID 4980 wrote to memory of 2740 4980 Epagkd32.exe 87 PID 4980 wrote to memory of 2740 4980 Epagkd32.exe 87 PID 4980 wrote to memory of 2740 4980 Epagkd32.exe 87 PID 2740 wrote to memory of 2872 2740 Facqkg32.exe 88 PID 2740 wrote to memory of 2872 2740 Facqkg32.exe 88 PID 2740 wrote to memory of 2872 2740 Facqkg32.exe 88 PID 2872 wrote to memory of 4564 2872 Faenpf32.exe 89 PID 2872 wrote to memory of 4564 2872 Faenpf32.exe 89 PID 2872 wrote to memory of 4564 2872 Faenpf32.exe 89 PID 4564 wrote to memory of 2356 4564 Fagjfflb.exe 90 PID 4564 wrote to memory of 2356 4564 Fagjfflb.exe 90 PID 4564 wrote to memory of 2356 4564 Fagjfflb.exe 90 PID 2356 wrote to memory of 2180 2356 Fmnkkg32.exe 91 PID 2356 wrote to memory of 2180 2356 Fmnkkg32.exe 91 PID 2356 wrote to memory of 2180 2356 Fmnkkg32.exe 91 PID 2180 wrote to memory of 348 2180 Fpmggb32.exe 92 PID 2180 wrote to memory of 348 2180 Fpmggb32.exe 92 PID 2180 wrote to memory of 348 2180 Fpmggb32.exe 92 PID 348 wrote to memory of 660 348 Fggocmhf.exe 93 PID 348 wrote to memory of 660 348 Fggocmhf.exe 93 PID 348 wrote to memory of 660 348 Fggocmhf.exe 93 PID 660 wrote to memory of 884 660 Gigheh32.exe 94 PID 660 wrote to memory of 884 660 Gigheh32.exe 94 PID 660 wrote to memory of 884 660 Gigheh32.exe 94 PID 884 wrote to memory of 3388 884 Gdoihpbk.exe 95 PID 884 wrote to memory of 3388 884 Gdoihpbk.exe 95 PID 884 wrote to memory of 3388 884 Gdoihpbk.exe 95 PID 3388 wrote to memory of 2552 3388 Gnhnaf32.exe 96 PID 3388 wrote to memory of 2552 3388 Gnhnaf32.exe 96 PID 3388 wrote to memory of 2552 3388 Gnhnaf32.exe 96 PID 2552 wrote to memory of 4012 2552 Ggpbjkpl.exe 97 PID 2552 wrote to memory of 4012 2552 Ggpbjkpl.exe 97 PID 2552 wrote to memory of 4012 2552 Ggpbjkpl.exe 97 PID 4012 wrote to memory of 2436 4012 Ginnfgop.exe 98 PID 4012 wrote to memory of 2436 4012 Ginnfgop.exe 98 PID 4012 wrote to memory of 2436 4012 Ginnfgop.exe 98 PID 2436 wrote to memory of 1772 2436 Hjchaf32.exe 99 PID 2436 wrote to memory of 1772 2436 Hjchaf32.exe 99 PID 2436 wrote to memory of 1772 2436 Hjchaf32.exe 99 PID 1772 wrote to memory of 3220 1772 Hkbdki32.exe 100 PID 1772 wrote to memory of 3220 1772 Hkbdki32.exe 100 PID 1772 wrote to memory of 3220 1772 Hkbdki32.exe 100 PID 3220 wrote to memory of 4200 3220 Hpomcp32.exe 101 PID 3220 wrote to memory of 4200 3220 Hpomcp32.exe 101 PID 3220 wrote to memory of 4200 3220 Hpomcp32.exe 101 PID 4200 wrote to memory of 2564 4200 Hjjnae32.exe 102 PID 4200 wrote to memory of 2564 4200 Hjjnae32.exe 102 PID 4200 wrote to memory of 2564 4200 Hjjnae32.exe 102 PID 2564 wrote to memory of 3864 2564 Haafcb32.exe 103 PID 2564 wrote to memory of 3864 2564 Haafcb32.exe 103 PID 2564 wrote to memory of 3864 2564 Haafcb32.exe 103 PID 3864 wrote to memory of 3868 3864 Hjlkge32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b.exe"C:\Users\Admin\AppData\Local\Temp\8272668fbfa76540586a595a87359cc81d616b2ce38c0acb6d1261195f8c4b7b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe23⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe24⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe26⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe28⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe29⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe31⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:748 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe35⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe36⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe37⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe39⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe41⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe42⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3408 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe44⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe46⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe47⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe49⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe50⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe51⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4752 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe53⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe54⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe56⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe57⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe58⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe59⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe61⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe62⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe63⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe64⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3192 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe66⤵PID:2864
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe67⤵PID:3368
-
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3804 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe70⤵PID:1560
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe71⤵PID:1236
-
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe72⤵PID:1832
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe73⤵PID:1716
-
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe74⤵PID:2008
-
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe75⤵PID:2004
-
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe76⤵
- System Location Discovery: System Language Discovery
PID:216 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe77⤵PID:736
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe78⤵PID:1156
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe79⤵PID:4024
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe80⤵
- Drops file in System32 directory
PID:3696 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe81⤵PID:1556
-
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe82⤵PID:2388
-
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe83⤵
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe84⤵PID:1520
-
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe85⤵PID:1460
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe86⤵PID:2856
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe87⤵PID:208
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe89⤵PID:3428
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe90⤵PID:3228
-
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe91⤵PID:4560
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe92⤵
- Drops file in System32 directory
PID:5032 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe93⤵PID:4720
-
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4208 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe95⤵PID:4028
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe96⤵PID:4528
-
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe97⤵PID:4716
-
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe98⤵PID:1720
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe99⤵PID:1948
-
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe100⤵
- Modifies registry class
PID:720 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe101⤵PID:4976
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe102⤵PID:5056
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe103⤵PID:4492
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe104⤵
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe106⤵
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe107⤵
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe108⤵PID:5176
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe109⤵PID:5212
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe110⤵PID:5260
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe111⤵PID:5292
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe112⤵PID:5336
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe113⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe114⤵PID:5416
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe115⤵PID:5452
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe116⤵PID:5492
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe117⤵PID:5532
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe118⤵PID:5576
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5612 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe120⤵PID:5660
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe121⤵PID:5692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-