Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
26/07/2024, 23:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe
-
Size
59KB
-
MD5
65c99de1f85576751bd69eca83ef3d08
-
SHA1
a2778dc78c81a844174bc61cc469456adae297ba
-
SHA256
78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f
-
SHA512
19a41fb49a5b9d537d7fb228d900fe7d64f995e3f31f152fb2b31ef406eae09172fcccbff50dc775a18ab0c54f3ef89e62e7ed483a51161a07f625737bb956f4
-
SSDEEP
768:sfLyOHETrZ65Hpbt6CJnA3s/9PS2esOq6zCyWk0LxZ/1H5g95nf1fZMEBFELvkVB:SymETlMpbQi9VECrVm3NCyVso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heakcjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bncaekhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cophko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekfndmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjlebjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjjeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnpgeopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkaghg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppcmncq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmfod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfhoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpcoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okfgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhamoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlgfnal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhakcfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inafbooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phbgcnig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoeeolig.exe -
Executes dropped EXE 64 IoCs
pid Process 2832 Hhckpk32.exe 2852 Hbhomd32.exe 2732 Heglio32.exe 2616 Hdildlie.exe 2160 Hoopae32.exe 576 Hhgdkjol.exe 1116 Hkfagfop.exe 2428 Hmdmcanc.exe 1584 Hhjapjmi.exe 2504 Hiknhbcg.exe 1076 Habfipdj.exe 3036 Igonafba.exe 2580 Ikkjbe32.exe 2340 Illgimph.exe 840 Igakgfpn.exe 2188 Inkccpgk.exe 572 Ipjoplgo.exe 1668 Igchlf32.exe 1316 Ijbdha32.exe 1092 Ilqpdm32.exe 1372 Icjhagdp.exe 2488 Ijdqna32.exe 1752 Ilcmjl32.exe 2976 Ikfmfi32.exe 2052 Ifkacb32.exe 2804 Idnaoohk.exe 2872 Ikhjki32.exe 2612 Jkjfah32.exe 2596 Jnicmdli.exe 2228 Jbdonb32.exe 604 Jdbkjn32.exe 1504 Jqilooij.exe 2300 Jmplcp32.exe 2208 Jdgdempa.exe 2044 Jjdmmdnh.exe 348 Jmbiipml.exe 1788 Jghmfhmb.exe 1836 Kmefooki.exe 1676 Kconkibf.exe 1408 Kfmjgeaj.exe 1532 Kcakaipc.exe 2336 Kmjojo32.exe 2016 Knklagmb.exe 2476 Kgcpjmcb.exe 1632 Kpjhkjde.exe 1776 Kbidgeci.exe 2800 Kaldcb32.exe 1912 Kjdilgpc.exe 1720 Leimip32.exe 2624 Lclnemgd.exe 2860 Ljffag32.exe 2652 Lmebnb32.exe 2768 Leljop32.exe 3020 Lfmffhde.exe 832 Lndohedg.exe 2296 Labkdack.exe 2776 Lcagpl32.exe 2356 Lfpclh32.exe 628 Linphc32.exe 2992 Laegiq32.exe 1276 Lphhenhc.exe 2032 Lbfdaigg.exe 2056 Lfbpag32.exe 1204 Liplnc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2744 78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe 2744 78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe 2832 Hhckpk32.exe 2832 Hhckpk32.exe 2852 Hbhomd32.exe 2852 Hbhomd32.exe 2732 Heglio32.exe 2732 Heglio32.exe 2616 Hdildlie.exe 2616 Hdildlie.exe 2160 Hoopae32.exe 2160 Hoopae32.exe 576 Hhgdkjol.exe 576 Hhgdkjol.exe 1116 Hkfagfop.exe 1116 Hkfagfop.exe 2428 Hmdmcanc.exe 2428 Hmdmcanc.exe 1584 Hhjapjmi.exe 1584 Hhjapjmi.exe 2504 Hiknhbcg.exe 2504 Hiknhbcg.exe 1076 Habfipdj.exe 1076 Habfipdj.exe 3036 Igonafba.exe 3036 Igonafba.exe 2580 Ikkjbe32.exe 2580 Ikkjbe32.exe 2340 Illgimph.exe 2340 Illgimph.exe 840 Igakgfpn.exe 840 Igakgfpn.exe 2188 Inkccpgk.exe 2188 Inkccpgk.exe 572 Ipjoplgo.exe 572 Ipjoplgo.exe 1668 Igchlf32.exe 1668 Igchlf32.exe 1316 Ijbdha32.exe 1316 Ijbdha32.exe 1092 Ilqpdm32.exe 1092 Ilqpdm32.exe 1372 Icjhagdp.exe 1372 Icjhagdp.exe 2488 Ijdqna32.exe 2488 Ijdqna32.exe 1752 Ilcmjl32.exe 1752 Ilcmjl32.exe 2976 Ikfmfi32.exe 2976 Ikfmfi32.exe 2052 Ifkacb32.exe 2052 Ifkacb32.exe 2804 Idnaoohk.exe 2804 Idnaoohk.exe 2872 Ikhjki32.exe 2872 Ikhjki32.exe 2612 Jkjfah32.exe 2612 Jkjfah32.exe 2596 Jnicmdli.exe 2596 Jnicmdli.exe 2228 Jbdonb32.exe 2228 Jbdonb32.exe 604 Jdbkjn32.exe 604 Jdbkjn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Npngheao.dll Ebefgm32.exe File created C:\Windows\SysWOW64\Ihmgiiff.exe Hflkaq32.exe File opened for modification C:\Windows\SysWOW64\Flclam32.exe Process not Found File created C:\Windows\SysWOW64\Ljhcccai.dll Aecaidjl.exe File created C:\Windows\SysWOW64\Jhpondph.dll Cfpldf32.exe File created C:\Windows\SysWOW64\Bhjneadb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mgedmb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mneohj32.exe Process not Found File created C:\Windows\SysWOW64\Gmojdiin.dll Process not Found File created C:\Windows\SysWOW64\Qcpfnk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Emeobj32.exe Process not Found File created C:\Windows\SysWOW64\Dpbffcca.dll Process not Found File created C:\Windows\SysWOW64\Jcedkd32.exe Jpfhoi32.exe File created C:\Windows\SysWOW64\Ooqpdj32.exe Opnpimdf.exe File created C:\Windows\SysWOW64\Oiggco32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Onoqfehp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Daacecfc.exe Dbncjf32.exe File created C:\Windows\SysWOW64\Jhfhec32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bobhal32.exe Bfkpqn32.exe File created C:\Windows\SysWOW64\Dlnipl32.dll Mbpipp32.exe File created C:\Windows\SysWOW64\Pnjofo32.exe Pincfpoo.exe File opened for modification C:\Windows\SysWOW64\Mbcoio32.exe Process not Found File created C:\Windows\SysWOW64\Egmpofck.dll Process not Found File created C:\Windows\SysWOW64\Abhkfg32.exe Aojojl32.exe File opened for modification C:\Windows\SysWOW64\Eqjmncna.exe Enkpahon.exe File created C:\Windows\SysWOW64\Kainfp32.dll Bbbgod32.exe File created C:\Windows\SysWOW64\Jjfkmdlg.exe Process not Found File created C:\Windows\SysWOW64\Ibckfa32.exe Ilicig32.exe File created C:\Windows\SysWOW64\Pojbkh32.exe Pgckjk32.exe File created C:\Windows\SysWOW64\Dkfbfjdf.exe Dbojdmcd.exe File created C:\Windows\SysWOW64\Gddgejcp.dll Process not Found File created C:\Windows\SysWOW64\Obgneo32.dll Imnbbi32.exe File opened for modification C:\Windows\SysWOW64\Gfkkpmko.exe Gcmoda32.exe File created C:\Windows\SysWOW64\Kklkcn32.exe Process not Found File created C:\Windows\SysWOW64\Ljfogake.exe Lbogfcjc.exe File opened for modification C:\Windows\SysWOW64\Jojkco32.exe Process not Found File created C:\Windows\SysWOW64\Ficfbkij.dll Process not Found File created C:\Windows\SysWOW64\Ndmjqgdd.dll Baadng32.exe File created C:\Windows\SysWOW64\Ideimcdd.dll Elcdcgcc.exe File opened for modification C:\Windows\SysWOW64\Gnaooi32.exe Gkbcbn32.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Process not Found File created C:\Windows\SysWOW64\Bndlbd32.dll Process not Found File created C:\Windows\SysWOW64\Idneibad.dll Process not Found File created C:\Windows\SysWOW64\Gbmhafee.dll Process not Found File created C:\Windows\SysWOW64\Lmglihnc.dll Process not Found File created C:\Windows\SysWOW64\Ejaekc32.dll Qgoapp32.exe File created C:\Windows\SysWOW64\Modcdaml.dll Findhdcb.exe File created C:\Windows\SysWOW64\Ipehmebh.exe Iabhah32.exe File created C:\Windows\SysWOW64\Cnnppecd.dll Aodkci32.exe File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Djafaf32.exe Process not Found File created C:\Windows\SysWOW64\Epgphcqd.exe Eniclh32.exe File created C:\Windows\SysWOW64\Pmainh32.dll Process not Found File created C:\Windows\SysWOW64\Ciajik32.dll Hhhgcc32.exe File created C:\Windows\SysWOW64\Libmpn32.dll Jhjphfgi.exe File opened for modification C:\Windows\SysWOW64\Iakgefqe.exe Process not Found File created C:\Windows\SysWOW64\Kkpqlm32.exe Process not Found File created C:\Windows\SysWOW64\Ifengpdh.exe Process not Found File created C:\Windows\SysWOW64\Eibkmp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cjonncab.exe Process not Found File created C:\Windows\SysWOW64\Pajhnb32.dll Process not Found File created C:\Windows\SysWOW64\Kjdilgpc.exe Kaldcb32.exe File created C:\Windows\SysWOW64\Abfoll32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lmcilp32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 1692 9916 Process not Found 2367 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knhhaaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cllkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnnhbjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpjqiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkoig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjhagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgjednf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbnoliap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djqoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjapjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affdle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgqjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijpnfif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahifbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeohkeoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoiiijcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkhmdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpbjnpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcpjmcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odbeilbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peedka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoloalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkion32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baohhgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjihalag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmegncpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbeainng.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elcdcgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqfkln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpblmp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micfag32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjmopkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafple32.dll" Hpjeialg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meccmfen.dll" Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkfag32.dll" Onocmadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjmim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikbifcpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offqpg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll" Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alinabdk.dll" Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljoegei.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onoflapg.dll" Gnbjlpom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhgkj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfalhjp.dll" Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maigcgee.dll" Gcglec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldchikb.dll" Ilicig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmacf32.dll" Hnpbjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkgpnd32.dll" Ldoimh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmhideol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2744 wrote to memory of 2832 2744 78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe 30 PID 2744 wrote to memory of 2832 2744 78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe 30 PID 2744 wrote to memory of 2832 2744 78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe 30 PID 2744 wrote to memory of 2832 2744 78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe 30 PID 2832 wrote to memory of 2852 2832 Hhckpk32.exe 31 PID 2832 wrote to memory of 2852 2832 Hhckpk32.exe 31 PID 2832 wrote to memory of 2852 2832 Hhckpk32.exe 31 PID 2832 wrote to memory of 2852 2832 Hhckpk32.exe 31 PID 2852 wrote to memory of 2732 2852 Hbhomd32.exe 32 PID 2852 wrote to memory of 2732 2852 Hbhomd32.exe 32 PID 2852 wrote to memory of 2732 2852 Hbhomd32.exe 32 PID 2852 wrote to memory of 2732 2852 Hbhomd32.exe 32 PID 2732 wrote to memory of 2616 2732 Heglio32.exe 33 PID 2732 wrote to memory of 2616 2732 Heglio32.exe 33 PID 2732 wrote to memory of 2616 2732 Heglio32.exe 33 PID 2732 wrote to memory of 2616 2732 Heglio32.exe 33 PID 2616 wrote to memory of 2160 2616 Hdildlie.exe 34 PID 2616 wrote to memory of 2160 2616 Hdildlie.exe 34 PID 2616 wrote to memory of 2160 2616 Hdildlie.exe 34 PID 2616 wrote to memory of 2160 2616 Hdildlie.exe 34 PID 2160 wrote to memory of 576 2160 Hoopae32.exe 35 PID 2160 wrote to memory of 576 2160 Hoopae32.exe 35 PID 2160 wrote to memory of 576 2160 Hoopae32.exe 35 PID 2160 wrote to memory of 576 2160 Hoopae32.exe 35 PID 576 wrote to memory of 1116 576 Hhgdkjol.exe 36 PID 576 wrote to memory of 1116 576 Hhgdkjol.exe 36 PID 576 wrote to memory of 1116 576 Hhgdkjol.exe 36 PID 576 wrote to memory of 1116 576 Hhgdkjol.exe 36 PID 1116 wrote to memory of 2428 1116 Hkfagfop.exe 37 PID 1116 wrote to memory of 2428 1116 Hkfagfop.exe 37 PID 1116 wrote to memory of 2428 1116 Hkfagfop.exe 37 PID 1116 wrote to memory of 2428 1116 Hkfagfop.exe 37 PID 2428 wrote to memory of 1584 2428 Hmdmcanc.exe 38 PID 2428 wrote to memory of 1584 2428 Hmdmcanc.exe 38 PID 2428 wrote to memory of 1584 2428 Hmdmcanc.exe 38 PID 2428 wrote to memory of 1584 2428 Hmdmcanc.exe 38 PID 1584 wrote to memory of 2504 1584 Hhjapjmi.exe 39 PID 1584 wrote to memory of 2504 1584 Hhjapjmi.exe 39 PID 1584 wrote to memory of 2504 1584 Hhjapjmi.exe 39 PID 1584 wrote to memory of 2504 1584 Hhjapjmi.exe 39 PID 2504 wrote to memory of 1076 2504 Hiknhbcg.exe 40 PID 2504 wrote to memory of 1076 2504 Hiknhbcg.exe 40 PID 2504 wrote to memory of 1076 2504 Hiknhbcg.exe 40 PID 2504 wrote to memory of 1076 2504 Hiknhbcg.exe 40 PID 1076 wrote to memory of 3036 1076 Habfipdj.exe 41 PID 1076 wrote to memory of 3036 1076 Habfipdj.exe 41 PID 1076 wrote to memory of 3036 1076 Habfipdj.exe 41 PID 1076 wrote to memory of 3036 1076 Habfipdj.exe 41 PID 3036 wrote to memory of 2580 3036 Igonafba.exe 42 PID 3036 wrote to memory of 2580 3036 Igonafba.exe 42 PID 3036 wrote to memory of 2580 3036 Igonafba.exe 42 PID 3036 wrote to memory of 2580 3036 Igonafba.exe 42 PID 2580 wrote to memory of 2340 2580 Ikkjbe32.exe 43 PID 2580 wrote to memory of 2340 2580 Ikkjbe32.exe 43 PID 2580 wrote to memory of 2340 2580 Ikkjbe32.exe 43 PID 2580 wrote to memory of 2340 2580 Ikkjbe32.exe 43 PID 2340 wrote to memory of 840 2340 Illgimph.exe 44 PID 2340 wrote to memory of 840 2340 Illgimph.exe 44 PID 2340 wrote to memory of 840 2340 Illgimph.exe 44 PID 2340 wrote to memory of 840 2340 Illgimph.exe 44 PID 840 wrote to memory of 2188 840 Igakgfpn.exe 45 PID 840 wrote to memory of 2188 840 Igakgfpn.exe 45 PID 840 wrote to memory of 2188 840 Igakgfpn.exe 45 PID 840 wrote to memory of 2188 840 Igakgfpn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe"C:\Users\Admin\AppData\Local\Temp\78a29de73ba72d923588d40d87357fef6d228d779d4f1b99df434dd827f5533f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Jdbkjn32.exeC:\Windows\system32\Jdbkjn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe33⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe34⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe35⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe36⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe37⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe38⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe39⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe40⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe41⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe42⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe43⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe44⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Kgcpjmcb.exeC:\Windows\system32\Kgcpjmcb.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe46⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe47⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe50⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe51⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe52⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe54⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe55⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe56⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe57⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe58⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe60⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe61⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe62⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe63⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe64⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe65⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe66⤵PID:2184
-
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe67⤵PID:1096
-
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe68⤵PID:968
-
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe69⤵PID:916
-
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe70⤵PID:1744
-
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe71⤵PID:1612
-
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe72⤵PID:2672
-
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe73⤵PID:2764
-
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe74⤵PID:2460
-
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe75⤵PID:1656
-
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe76⤵PID:2564
-
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe77⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe78⤵PID:2028
-
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe79⤵PID:2192
-
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe80⤵PID:2244
-
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe82⤵PID:620
-
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe83⤵PID:2928
-
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe84⤵PID:1040
-
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe85⤵PID:2620
-
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe86⤵PID:592
-
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe87⤵PID:2568
-
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe88⤵PID:2584
-
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe89⤵PID:1292
-
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe91⤵PID:2524
-
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe92⤵PID:1772
-
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe93⤵PID:1320
-
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe94⤵PID:1660
-
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe95⤵PID:2728
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe96⤵PID:1856
-
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe98⤵PID:1492
-
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe99⤵PID:1036
-
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe100⤵PID:2100
-
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe101⤵PID:2136
-
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe102⤵PID:2912
-
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe103⤵PID:2956
-
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe104⤵PID:2772
-
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe105⤵PID:1028
-
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe106⤵PID:2164
-
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe107⤵PID:2496
-
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe108⤵PID:2484
-
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe109⤵PID:2308
-
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe110⤵PID:2812
-
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe111⤵PID:1176
-
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe112⤵PID:600
-
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe113⤵PID:1792
-
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe114⤵PID:772
-
C:\Windows\SysWOW64\Onpjghhn.exeC:\Windows\system32\Onpjghhn.exe115⤵PID:1848
-
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe116⤵PID:580
-
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe117⤵PID:1760
-
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe118⤵PID:2932
-
C:\Windows\SysWOW64\Oopfakpa.exeC:\Windows\system32\Oopfakpa.exe119⤵PID:2604
-
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe120⤵PID:996
-
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-