Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 16:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f898579c5a392f4ebac95e8a1df6efb0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f898579c5a392f4ebac95e8a1df6efb0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f898579c5a392f4ebac95e8a1df6efb0N.exe
-
Size
59KB
-
MD5
f898579c5a392f4ebac95e8a1df6efb0
-
SHA1
5a644464ccc38b755b307269650bc5e0dd93e954
-
SHA256
5a398286e1bd7dc699456bec97b8e720e6c4a16ee8d404b99b60bb7bbae3d741
-
SHA512
c4aa97acebdfbb1a89a06dfeec6091aa3bfae55d0208bed644968d90074dc31e26d85488f15e87d146480a19cec7fcb2e92afe14563d278be7825b8501606529
-
SSDEEP
768:MZve5n/D6RsAAglqbzEo/utUjLF1Nweb2+6xYq7GXnaqakMAK3c3VtHS/1H59LMv:MveleRsvaKzJLQ7GXnaqatz3caHCh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llagegfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmdeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekicjlai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmaedolh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pokkkgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhbnjpic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkkhfmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heedbbdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knckbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqlgikcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekaab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiodnob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lppgfkpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnmjokn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hohhfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhhhjhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcckjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofhqiec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmdehgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anigaeoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnkemgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnleqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmaaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdend32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baannfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eligoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgkjji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfeodoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abcngkmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnbpcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlogojjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpiadq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enomam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbebcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpaikiig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhbakmgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglhghgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bndjei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpqnpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfnpek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefmnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhgbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcpjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epflbbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpfoekhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlckoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnnlfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geehcoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckgapo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgcof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Infhmmhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idagdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmdoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhcgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpjlpclc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcllii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfbjkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmbiojc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halkahoo.exe -
Executes dropped EXE 64 IoCs
pid Process 2224 Epkgkfmd.exe 1504 Efdohq32.exe 2492 Eqjceidf.exe 956 Ebkpma32.exe 2196 Eiehilaa.exe 2804 Epopff32.exe 2612 Ebnlba32.exe 2112 Emcqpjhh.exe 3028 Endmgb32.exe 2940 Fflehp32.exe 2684 Fgmaphdg.exe 1652 Fpdjaeei.exe 2984 Faefim32.exe 1068 Filnjk32.exe 1660 Fhonegbd.exe 2364 Fbebcp32.exe 1808 Fcfojhhh.exe 1728 Flmglfhk.exe 264 Fajpdmgb.exe 1568 Fdhlphff.exe 1088 Ffghlcei.exe 1340 Fnnpma32.exe 3060 Fpoleilj.exe 1172 Fhfdffll.exe 872 Gigano32.exe 1584 Gmcmomjc.exe 2360 Gpaikiig.exe 2760 Gijncn32.exe 2072 Gdobqgpn.exe 2852 Geqnho32.exe 2752 Giljinne.exe 2724 Gpfbfh32.exe 2172 Gbdobc32.exe 1632 Ghagjj32.exe 2036 Glmckikf.exe 2888 Gajlcp32.exe 328 Geehcoaf.exe 2976 Gbihmcqp.exe 1480 Gbihmcqp.exe 2556 Hegdinpd.exe 1872 Hmcimq32.exe 488 Hdmajkdl.exe 2088 Haqbcoce.exe 2212 Hdonpjbi.exe 1664 Hilghaqq.exe 2024 Hacoio32.exe 2084 Hpfoekhm.exe 916 Hcdkagga.exe 2700 Hgpgae32.exe 1612 Hincna32.exe 2900 Hlmpjl32.exe 1176 Hcghffen.exe 2592 Heedbbdb.exe 2644 Hjqpcq32.exe 2064 Ilolol32.exe 688 Iomhkgkb.exe 1800 Igdqmeke.exe 2904 Ijcmipjh.exe 2380 Ihfmdm32.exe 1844 Ipmeej32.exe 2456 Iejnna32.exe 2124 Ihhjjm32.exe 1004 Ilcfjkgj.exe 836 Iobbfggm.exe -
Loads dropped DLL 64 IoCs
pid Process 2524 f898579c5a392f4ebac95e8a1df6efb0N.exe 2524 f898579c5a392f4ebac95e8a1df6efb0N.exe 2224 Epkgkfmd.exe 2224 Epkgkfmd.exe 1504 Efdohq32.exe 1504 Efdohq32.exe 2492 Eqjceidf.exe 2492 Eqjceidf.exe 956 Ebkpma32.exe 956 Ebkpma32.exe 2196 Eiehilaa.exe 2196 Eiehilaa.exe 2804 Epopff32.exe 2804 Epopff32.exe 2612 Ebnlba32.exe 2612 Ebnlba32.exe 2112 Emcqpjhh.exe 2112 Emcqpjhh.exe 3028 Endmgb32.exe 3028 Endmgb32.exe 2940 Fflehp32.exe 2940 Fflehp32.exe 2684 Fgmaphdg.exe 2684 Fgmaphdg.exe 1652 Fpdjaeei.exe 1652 Fpdjaeei.exe 2984 Faefim32.exe 2984 Faefim32.exe 1068 Filnjk32.exe 1068 Filnjk32.exe 1660 Fhonegbd.exe 1660 Fhonegbd.exe 2364 Fbebcp32.exe 2364 Fbebcp32.exe 1808 Fcfojhhh.exe 1808 Fcfojhhh.exe 1728 Flmglfhk.exe 1728 Flmglfhk.exe 264 Fajpdmgb.exe 264 Fajpdmgb.exe 1568 Fdhlphff.exe 1568 Fdhlphff.exe 1088 Ffghlcei.exe 1088 Ffghlcei.exe 1340 Fnnpma32.exe 1340 Fnnpma32.exe 3060 Fpoleilj.exe 3060 Fpoleilj.exe 1172 Fhfdffll.exe 1172 Fhfdffll.exe 872 Gigano32.exe 872 Gigano32.exe 1584 Gmcmomjc.exe 1584 Gmcmomjc.exe 2360 Gpaikiig.exe 2360 Gpaikiig.exe 2760 Gijncn32.exe 2760 Gijncn32.exe 2072 Gdobqgpn.exe 2072 Gdobqgpn.exe 2852 Geqnho32.exe 2852 Geqnho32.exe 2752 Giljinne.exe 2752 Giljinne.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qoeidfog.dll Bdpjjaiq.exe File created C:\Windows\SysWOW64\Elalei32.dll Bdbfpafn.exe File created C:\Windows\SysWOW64\Aoanbf32.dll Eogckqkk.exe File created C:\Windows\SysWOW64\Bjpgin32.dll Ihcidgpj.exe File created C:\Windows\SysWOW64\Pfneilmi.dll Jbpcgo32.exe File created C:\Windows\SysWOW64\Fhnmjmpj.dll Ejeglg32.exe File opened for modification C:\Windows\SysWOW64\Hacoio32.exe Hilghaqq.exe File created C:\Windows\SysWOW64\Nfcmbjlm.dll Nogmkk32.exe File created C:\Windows\SysWOW64\Gchfgkcp.dll Cleaebna.exe File created C:\Windows\SysWOW64\Anmbpf32.dll Gibmglep.exe File created C:\Windows\SysWOW64\Infhmmhi.exe Ijklmn32.exe File opened for modification C:\Windows\SysWOW64\Khlhiijk.exe Jqeqhlii.exe File created C:\Windows\SysWOW64\Fapdgk32.dll Lilehl32.exe File opened for modification C:\Windows\SysWOW64\Amlhmb32.exe Anigaeoh.exe File opened for modification C:\Windows\SysWOW64\Caofmc32.exe Cignlf32.exe File created C:\Windows\SysWOW64\Gpaikiig.exe Gmcmomjc.exe File created C:\Windows\SysWOW64\Ffifbijg.dll Abcngkmp.exe File created C:\Windows\SysWOW64\Pjgqkp32.dll Dhnoocab.exe File created C:\Windows\SysWOW64\Ajaimb32.dll Ghqqpd32.exe File opened for modification C:\Windows\SysWOW64\Mpmpeiqg.exe Mhegckpd.exe File opened for modification C:\Windows\SysWOW64\Aghidl32.exe Aieihpgi.exe File created C:\Windows\SysWOW64\Dbnijemn.dll Clhgnagn.exe File created C:\Windows\SysWOW64\Ddjbbbna.exe Dalffg32.exe File created C:\Windows\SysWOW64\Gjeckk32.exe Gfigkljk.exe File created C:\Windows\SysWOW64\Piondi32.dll Ghagjj32.exe File created C:\Windows\SysWOW64\Ijcmipjh.exe Igdqmeke.exe File created C:\Windows\SysWOW64\Edjdel32.dll Nlkmeo32.exe File opened for modification C:\Windows\SysWOW64\Pokkkgpo.exe Pgdcjjom.exe File created C:\Windows\SysWOW64\Cgnbepjp.exe Cdpfiekl.exe File created C:\Windows\SysWOW64\Ipedihgm.exe Infhmmhi.exe File opened for modification C:\Windows\SysWOW64\Jomnpdjb.exe Jlnadiko.exe File created C:\Windows\SysWOW64\Ebnlba32.exe Epopff32.exe File created C:\Windows\SysWOW64\Khookdof.dll Hlmpjl32.exe File created C:\Windows\SysWOW64\Nglhghgj.exe Noepfkgh.exe File created C:\Windows\SysWOW64\Hjdfgojp.exe Hfhjfp32.exe File created C:\Windows\SysWOW64\Dmlffcog.dll Bpmqom32.exe File created C:\Windows\SysWOW64\Kbedmedg.exe Jofhqiec.exe File opened for modification C:\Windows\SysWOW64\Nlmjjo32.exe Nhbnjpic.exe File created C:\Windows\SysWOW64\Qnjbmh32.exe Qjofljho.exe File opened for modification C:\Windows\SysWOW64\Hidjml32.exe Hjaiaolb.exe File created C:\Windows\SysWOW64\Noffadai.exe Ngonpgqg.exe File opened for modification C:\Windows\SysWOW64\Apjdin32.exe Amlhmb32.exe File created C:\Windows\SysWOW64\Qjnaimap.dll Ffghlcei.exe File created C:\Windows\SysWOW64\Hgpgae32.exe Hcdkagga.exe File opened for modification C:\Windows\SysWOW64\Efjklh32.exe Ebnokjpf.exe File opened for modification C:\Windows\SysWOW64\Flmglfhk.exe Fcfojhhh.exe File created C:\Windows\SysWOW64\Gijncn32.exe Gpaikiig.exe File opened for modification C:\Windows\SysWOW64\Nhmdoq32.exe Neohbe32.exe File opened for modification C:\Windows\SysWOW64\Pqaanoah.exe Pnbeacbd.exe File opened for modification C:\Windows\SysWOW64\Idcdjmao.exe Ibehna32.exe File created C:\Windows\SysWOW64\Gjiefgfh.dll Pgkqeo32.exe File created C:\Windows\SysWOW64\Dkohanoc.exe Dcgppana.exe File created C:\Windows\SysWOW64\Hdacfn32.dll Eqjceidf.exe File created C:\Windows\SysWOW64\Epaeea32.dll Filnjk32.exe File created C:\Windows\SysWOW64\Lpmjplag.exe Llbnpm32.exe File opened for modification C:\Windows\SysWOW64\Cdpfiekl.exe Caajmilh.exe File created C:\Windows\SysWOW64\Kfclji32.dll Fbhhlo32.exe File opened for modification C:\Windows\SysWOW64\Fnnpma32.exe Ffghlcei.exe File created C:\Windows\SysWOW64\Jkngbi32.dll Napibq32.exe File created C:\Windows\SysWOW64\Naebmppm.exe Noffadai.exe File created C:\Windows\SysWOW64\Ldjojl32.dll Ohjmnn32.exe File created C:\Windows\SysWOW64\Hnibonjd.dll Jijbnppi.exe File created C:\Windows\SysWOW64\Dbaflm32.exe Dcofqphi.exe File opened for modification C:\Windows\SysWOW64\Gadkmj32.exe Gnfoao32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8300 8276 WerFault.exe 838 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpcgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbpfhpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkpchmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqcncnpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opaeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fniikj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmojcceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haqbcoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnebgcqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghekobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndgfqlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikibkhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffahgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfpnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfpglkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncblo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcajpjoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgkkdnkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkmeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igomfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmbiojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhcgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoleilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkbbqjgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjcqpbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkmffegm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkfpefme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkemgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajpdmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeegfkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnjbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihmhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccqedfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdlidjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halkahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhgbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cioohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljljflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmjplag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecdhonoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfcnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmnloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckknqkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpajmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqmjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohhfbkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jookedhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmeknakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mafmhcam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oncpmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblkgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgllof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadnlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihfmdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfekbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcpgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdjipfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbedmedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cclmlm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhomb32.dll" Fqhegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkmhej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eggajb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iccqedfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckgkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olopjkfk.dll" Ckgkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qakagnfq.dll" Eqjenb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdiciboh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egedebgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdjqinld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlmqip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dphmiokb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmnmih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgdcjjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efdohq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaqnbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbbgge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qembbg32.dll" Eqninhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcmkamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cignlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flmglfhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgbpfhpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffifbijg.dll" Abcngkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclbnhmo.dll" Caligc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfnpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiehilaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiolio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahiimj32.dll" Bbhgbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnijemn.dll" Clhgnagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fogipnjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maaiimhq.dll" Jndgfqlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abnmae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmflmfpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meolcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odkkdqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfkoeao.dll" Ddgljced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfoiil32.dll" Fbchfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikfokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jomnpdjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aooaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gigano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlckoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daqoafkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcinia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdpjjaiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecabfpff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Impblnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkfkjemd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmaaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jimmaijo.dll" Mogqlgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfchlpd.dll" Aeofcpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjpb32.dll" Gmcogf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node f898579c5a392f4ebac95e8a1df6efb0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgmdl32.dll" Flmglfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcknqicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfhial32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apddce32.dll" Ekjjebed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkplcp32.dll" Nkfpefme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Endmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmhhdpoh.dll" Aahkhgag.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2224 2524 f898579c5a392f4ebac95e8a1df6efb0N.exe 29 PID 2524 wrote to memory of 2224 2524 f898579c5a392f4ebac95e8a1df6efb0N.exe 29 PID 2524 wrote to memory of 2224 2524 f898579c5a392f4ebac95e8a1df6efb0N.exe 29 PID 2524 wrote to memory of 2224 2524 f898579c5a392f4ebac95e8a1df6efb0N.exe 29 PID 2224 wrote to memory of 1504 2224 Epkgkfmd.exe 30 PID 2224 wrote to memory of 1504 2224 Epkgkfmd.exe 30 PID 2224 wrote to memory of 1504 2224 Epkgkfmd.exe 30 PID 2224 wrote to memory of 1504 2224 Epkgkfmd.exe 30 PID 1504 wrote to memory of 2492 1504 Efdohq32.exe 31 PID 1504 wrote to memory of 2492 1504 Efdohq32.exe 31 PID 1504 wrote to memory of 2492 1504 Efdohq32.exe 31 PID 1504 wrote to memory of 2492 1504 Efdohq32.exe 31 PID 2492 wrote to memory of 956 2492 Eqjceidf.exe 32 PID 2492 wrote to memory of 956 2492 Eqjceidf.exe 32 PID 2492 wrote to memory of 956 2492 Eqjceidf.exe 32 PID 2492 wrote to memory of 956 2492 Eqjceidf.exe 32 PID 956 wrote to memory of 2196 956 Ebkpma32.exe 33 PID 956 wrote to memory of 2196 956 Ebkpma32.exe 33 PID 956 wrote to memory of 2196 956 Ebkpma32.exe 33 PID 956 wrote to memory of 2196 956 Ebkpma32.exe 33 PID 2196 wrote to memory of 2804 2196 Eiehilaa.exe 34 PID 2196 wrote to memory of 2804 2196 Eiehilaa.exe 34 PID 2196 wrote to memory of 2804 2196 Eiehilaa.exe 34 PID 2196 wrote to memory of 2804 2196 Eiehilaa.exe 34 PID 2804 wrote to memory of 2612 2804 Epopff32.exe 35 PID 2804 wrote to memory of 2612 2804 Epopff32.exe 35 PID 2804 wrote to memory of 2612 2804 Epopff32.exe 35 PID 2804 wrote to memory of 2612 2804 Epopff32.exe 35 PID 2612 wrote to memory of 2112 2612 Ebnlba32.exe 36 PID 2612 wrote to memory of 2112 2612 Ebnlba32.exe 36 PID 2612 wrote to memory of 2112 2612 Ebnlba32.exe 36 PID 2612 wrote to memory of 2112 2612 Ebnlba32.exe 36 PID 2112 wrote to memory of 3028 2112 Emcqpjhh.exe 37 PID 2112 wrote to memory of 3028 2112 Emcqpjhh.exe 37 PID 2112 wrote to memory of 3028 2112 Emcqpjhh.exe 37 PID 2112 wrote to memory of 3028 2112 Emcqpjhh.exe 37 PID 3028 wrote to memory of 2940 3028 Endmgb32.exe 38 PID 3028 wrote to memory of 2940 3028 Endmgb32.exe 38 PID 3028 wrote to memory of 2940 3028 Endmgb32.exe 38 PID 3028 wrote to memory of 2940 3028 Endmgb32.exe 38 PID 2940 wrote to memory of 2684 2940 Fflehp32.exe 39 PID 2940 wrote to memory of 2684 2940 Fflehp32.exe 39 PID 2940 wrote to memory of 2684 2940 Fflehp32.exe 39 PID 2940 wrote to memory of 2684 2940 Fflehp32.exe 39 PID 2684 wrote to memory of 1652 2684 Fgmaphdg.exe 40 PID 2684 wrote to memory of 1652 2684 Fgmaphdg.exe 40 PID 2684 wrote to memory of 1652 2684 Fgmaphdg.exe 40 PID 2684 wrote to memory of 1652 2684 Fgmaphdg.exe 40 PID 1652 wrote to memory of 2984 1652 Fpdjaeei.exe 41 PID 1652 wrote to memory of 2984 1652 Fpdjaeei.exe 41 PID 1652 wrote to memory of 2984 1652 Fpdjaeei.exe 41 PID 1652 wrote to memory of 2984 1652 Fpdjaeei.exe 41 PID 2984 wrote to memory of 1068 2984 Faefim32.exe 42 PID 2984 wrote to memory of 1068 2984 Faefim32.exe 42 PID 2984 wrote to memory of 1068 2984 Faefim32.exe 42 PID 2984 wrote to memory of 1068 2984 Faefim32.exe 42 PID 1068 wrote to memory of 1660 1068 Filnjk32.exe 43 PID 1068 wrote to memory of 1660 1068 Filnjk32.exe 43 PID 1068 wrote to memory of 1660 1068 Filnjk32.exe 43 PID 1068 wrote to memory of 1660 1068 Filnjk32.exe 43 PID 1660 wrote to memory of 2364 1660 Fhonegbd.exe 44 PID 1660 wrote to memory of 2364 1660 Fhonegbd.exe 44 PID 1660 wrote to memory of 2364 1660 Fhonegbd.exe 44 PID 1660 wrote to memory of 2364 1660 Fhonegbd.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\f898579c5a392f4ebac95e8a1df6efb0N.exe"C:\Users\Admin\AppData\Local\Temp\f898579c5a392f4ebac95e8a1df6efb0N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Epkgkfmd.exeC:\Windows\system32\Epkgkfmd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Efdohq32.exeC:\Windows\system32\Efdohq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Eqjceidf.exeC:\Windows\system32\Eqjceidf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Ebkpma32.exeC:\Windows\system32\Ebkpma32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Eiehilaa.exeC:\Windows\system32\Eiehilaa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Epopff32.exeC:\Windows\system32\Epopff32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Ebnlba32.exeC:\Windows\system32\Ebnlba32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Emcqpjhh.exeC:\Windows\system32\Emcqpjhh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Endmgb32.exeC:\Windows\system32\Endmgb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Fflehp32.exeC:\Windows\system32\Fflehp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Fgmaphdg.exeC:\Windows\system32\Fgmaphdg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Fpdjaeei.exeC:\Windows\system32\Fpdjaeei.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Faefim32.exeC:\Windows\system32\Faefim32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Filnjk32.exeC:\Windows\system32\Filnjk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Fhonegbd.exeC:\Windows\system32\Fhonegbd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Fbebcp32.exeC:\Windows\system32\Fbebcp32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Fcfojhhh.exeC:\Windows\system32\Fcfojhhh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Flmglfhk.exeC:\Windows\system32\Flmglfhk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Fajpdmgb.exeC:\Windows\system32\Fajpdmgb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Ffghlcei.exeC:\Windows\system32\Ffghlcei.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Fpoleilj.exeC:\Windows\system32\Fpoleilj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Fhfdffll.exeC:\Windows\system32\Fhfdffll.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Gigano32.exeC:\Windows\system32\Gigano32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Gmcmomjc.exeC:\Windows\system32\Gmcmomjc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Gpaikiig.exeC:\Windows\system32\Gpaikiig.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Gijncn32.exeC:\Windows\system32\Gijncn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Gdobqgpn.exeC:\Windows\system32\Gdobqgpn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Geqnho32.exeC:\Windows\system32\Geqnho32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Giljinne.exeC:\Windows\system32\Giljinne.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Gpfbfh32.exeC:\Windows\system32\Gpfbfh32.exe33⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Gbdobc32.exeC:\Windows\system32\Gbdobc32.exe34⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ghagjj32.exeC:\Windows\system32\Ghagjj32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe36⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Gajlcp32.exeC:\Windows\system32\Gajlcp32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Geehcoaf.exeC:\Windows\system32\Geehcoaf.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Gbihmcqp.exeC:\Windows\system32\Gbihmcqp.exe39⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Gbihmcqp.exeC:\Windows\system32\Gbihmcqp.exe40⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Hegdinpd.exeC:\Windows\system32\Hegdinpd.exe41⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Hmcimq32.exeC:\Windows\system32\Hmcimq32.exe42⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Hdmajkdl.exeC:\Windows\system32\Hdmajkdl.exe43⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Haqbcoce.exeC:\Windows\system32\Haqbcoce.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe45⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Hilghaqq.exeC:\Windows\system32\Hilghaqq.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Hacoio32.exeC:\Windows\system32\Hacoio32.exe47⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Hcdkagga.exeC:\Windows\system32\Hcdkagga.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe50⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Hincna32.exeC:\Windows\system32\Hincna32.exe51⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Hlmpjl32.exeC:\Windows\system32\Hlmpjl32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe53⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Heedbbdb.exeC:\Windows\system32\Heedbbdb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Hjqpcq32.exeC:\Windows\system32\Hjqpcq32.exe55⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ilolol32.exeC:\Windows\system32\Ilolol32.exe56⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Iomhkgkb.exeC:\Windows\system32\Iomhkgkb.exe57⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Ijcmipjh.exeC:\Windows\system32\Ijcmipjh.exe59⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ihfmdm32.exeC:\Windows\system32\Ihfmdm32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Ipmeej32.exeC:\Windows\system32\Ipmeej32.exe61⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Iejnna32.exeC:\Windows\system32\Iejnna32.exe62⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ihhjjm32.exeC:\Windows\system32\Ihhjjm32.exe63⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Ilcfjkgj.exeC:\Windows\system32\Ilcfjkgj.exe64⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Iobbfggm.exeC:\Windows\system32\Iobbfggm.exe65⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Iaqnbb32.exeC:\Windows\system32\Iaqnbb32.exe66⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Idojon32.exeC:\Windows\system32\Idojon32.exe67⤵PID:576
-
C:\Windows\SysWOW64\Ikibkhla.exeC:\Windows\system32\Ikibkhla.exe68⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Ingogcke.exeC:\Windows\system32\Ingogcke.exe69⤵PID:3056
-
C:\Windows\SysWOW64\Iackhb32.exeC:\Windows\system32\Iackhb32.exe70⤵PID:1712
-
C:\Windows\SysWOW64\Idagdm32.exeC:\Windows\system32\Idagdm32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Igpcpi32.exeC:\Windows\system32\Igpcpi32.exe72⤵PID:2672
-
C:\Windows\SysWOW64\Iogkaf32.exeC:\Windows\system32\Iogkaf32.exe73⤵PID:2892
-
C:\Windows\SysWOW64\Ibehna32.exeC:\Windows\system32\Ibehna32.exe74⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Idcdjmao.exeC:\Windows\system32\Idcdjmao.exe75⤵PID:1936
-
C:\Windows\SysWOW64\Jgbpfhpc.exeC:\Windows\system32\Jgbpfhpc.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Jknlfg32.exeC:\Windows\system32\Jknlfg32.exe77⤵PID:2992
-
C:\Windows\SysWOW64\Jjqlbdog.exeC:\Windows\system32\Jjqlbdog.exe78⤵PID:1836
-
C:\Windows\SysWOW64\Jbgdcapi.exeC:\Windows\system32\Jbgdcapi.exe79⤵PID:2136
-
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe80⤵PID:2452
-
C:\Windows\SysWOW64\Jciaki32.exeC:\Windows\system32\Jciaki32.exe81⤵PID:1684
-
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe82⤵PID:1700
-
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe83⤵PID:796
-
C:\Windows\SysWOW64\Jnnehb32.exeC:\Windows\system32\Jnnehb32.exe84⤵PID:2652
-
C:\Windows\SysWOW64\Jmaedolh.exeC:\Windows\system32\Jmaedolh.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Jdhmel32.exeC:\Windows\system32\Jdhmel32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Jcknqicd.exeC:\Windows\system32\Jcknqicd.exe87⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Jjefmc32.exeC:\Windows\system32\Jjefmc32.exe88⤵PID:2120
-
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe89⤵PID:2424
-
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe90⤵PID:3000
-
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe91⤵PID:2480
-
C:\Windows\SysWOW64\Jflfbdqe.exeC:\Windows\system32\Jflfbdqe.exe92⤵PID:904
-
C:\Windows\SysWOW64\Jijbnppi.exeC:\Windows\system32\Jijbnppi.exe93⤵
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe94⤵PID:1848
-
C:\Windows\SysWOW64\Jbbgge32.exeC:\Windows\system32\Jbbgge32.exe95⤵
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe96⤵PID:1556
-
C:\Windows\SysWOW64\Jofhqiec.exeC:\Windows\system32\Jofhqiec.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe98⤵
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Kecpipck.exeC:\Windows\system32\Kecpipck.exe99⤵PID:2832
-
C:\Windows\SysWOW64\Kiolio32.exeC:\Windows\system32\Kiolio32.exe100⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Kkmhej32.exeC:\Windows\system32\Kkmhej32.exe101⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Koidficq.exeC:\Windows\system32\Koidficq.exe102⤵PID:2580
-
C:\Windows\SysWOW64\Kbgqbdbd.exeC:\Windows\system32\Kbgqbdbd.exe103⤵PID:1780
-
C:\Windows\SysWOW64\Kefmnp32.exeC:\Windows\system32\Kefmnp32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:444 -
C:\Windows\SysWOW64\Kgdijk32.exeC:\Windows\system32\Kgdijk32.exe105⤵PID:2284
-
C:\Windows\SysWOW64\Kpkali32.exeC:\Windows\system32\Kpkali32.exe106⤵PID:932
-
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe107⤵PID:2068
-
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe108⤵PID:856
-
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe109⤵PID:2200
-
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe110⤵
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe111⤵PID:2660
-
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe112⤵PID:1312
-
C:\Windows\SysWOW64\Kldofi32.exeC:\Windows\system32\Kldofi32.exe113⤵PID:2952
-
C:\Windows\SysWOW64\Knckbe32.exeC:\Windows\system32\Knckbe32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472 -
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe115⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe116⤵PID:2820
-
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe117⤵PID:1864
-
C:\Windows\SysWOW64\Ljjkgfig.exeC:\Windows\system32\Ljjkgfig.exe118⤵PID:764
-
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe119⤵PID:2496
-
C:\Windows\SysWOW64\Lmhhcaik.exeC:\Windows\system32\Lmhhcaik.exe120⤵PID:2144
-
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe121⤵PID:236
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-