Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/09/2024, 20:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe
-
Size
95KB
-
MD5
f24f9c1ca366044229920b99889e0861
-
SHA1
be92933ef017ff39731e2da3d1ce61504bf872d9
-
SHA256
374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2
-
SHA512
7911d756e058d79c5fb9d841cb1d701bc2ac8242970a3055e27f426128a7c10b6fa6ec4af3fa04d2b5b6ca3e012cb93d13b037944a2ae2cc7927063b532179f7
-
SSDEEP
1536:7HcavILCZgMjWDrBxJo8uROBP5tIfRGBsBNbhefBTiPxEJ/YzYOM6bOLXi8PmCo+:4avcCZNjGrBxJo8uetaGBsBNbheZTiPs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocefpnom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmdapml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckefnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmkplgnq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcmfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpamoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adlcfjgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojeobm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblhmoio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajehnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehhdkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adaiee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kilgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glklejoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paocnkph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmcefmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icncgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjdhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjnhhjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmclmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdpcokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijiaabk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqbdkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aclpaali.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqhepeai.exe -
Executes dropped EXE 64 IoCs
pid Process 2340 Lbcbjlmb.exe 2480 Ldbofgme.exe 568 Lohccp32.exe 2856 Lqipkhbj.exe 2980 Lddlkg32.exe 2836 Mdghaf32.exe 2588 Mkqqnq32.exe 2628 Mnomjl32.exe 1964 Mdiefffn.exe 1680 Mggabaea.exe 1892 Mnaiol32.exe 2116 Mqpflg32.exe 1336 Mcnbhb32.exe 2812 Mfmndn32.exe 2416 Mikjpiim.exe 1696 Mpebmc32.exe 1204 Mbcoio32.exe 1584 Mjkgjl32.exe 1712 Mmicfh32.exe 736 Mpgobc32.exe 1796 Mcckcbgp.exe 2088 Nfahomfd.exe 344 Nmkplgnq.exe 872 Npjlhcmd.exe 1184 Nfdddm32.exe 2972 Nefdpjkl.exe 1568 Ngealejo.exe 2668 Nameek32.exe 2396 Nidmfh32.exe 2580 Nlcibc32.exe 3060 Njfjnpgp.exe 2844 Neknki32.exe 1064 Nhjjgd32.exe 1604 Nabopjmj.exe 856 Ndqkleln.exe 2840 Njjcip32.exe 3040 Omioekbo.exe 1660 Ojmpooah.exe 600 Opihgfop.exe 1804 Odedge32.exe 1708 Ojomdoof.exe 1792 Omnipjni.exe 2460 Oplelf32.exe 1068 Offmipej.exe 2160 Ompefj32.exe 1764 Opnbbe32.exe 2092 Obmnna32.exe 1932 Ofhjopbg.exe 2792 Ohiffh32.exe 2772 Olebgfao.exe 1060 Oococb32.exe 2620 Oabkom32.exe 2584 Phlclgfc.exe 1784 Plgolf32.exe 2044 Pofkha32.exe 1980 Padhdm32.exe 1664 Pepcelel.exe 2176 Pljlbf32.exe 1640 Pkmlmbcd.exe 3020 Pafdjmkq.exe 2420 Pebpkk32.exe 876 Phqmgg32.exe 2236 Pkoicb32.exe 2192 Pmmeon32.exe -
Loads dropped DLL 64 IoCs
pid Process 264 374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe 264 374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe 2340 Lbcbjlmb.exe 2340 Lbcbjlmb.exe 2480 Ldbofgme.exe 2480 Ldbofgme.exe 568 Lohccp32.exe 568 Lohccp32.exe 2856 Lqipkhbj.exe 2856 Lqipkhbj.exe 2980 Lddlkg32.exe 2980 Lddlkg32.exe 2836 Mdghaf32.exe 2836 Mdghaf32.exe 2588 Mkqqnq32.exe 2588 Mkqqnq32.exe 2628 Mnomjl32.exe 2628 Mnomjl32.exe 1964 Mdiefffn.exe 1964 Mdiefffn.exe 1680 Mggabaea.exe 1680 Mggabaea.exe 1892 Mnaiol32.exe 1892 Mnaiol32.exe 2116 Mqpflg32.exe 2116 Mqpflg32.exe 1336 Mcnbhb32.exe 1336 Mcnbhb32.exe 2812 Mfmndn32.exe 2812 Mfmndn32.exe 2416 Mikjpiim.exe 2416 Mikjpiim.exe 1696 Mpebmc32.exe 1696 Mpebmc32.exe 1204 Mbcoio32.exe 1204 Mbcoio32.exe 1584 Mjkgjl32.exe 1584 Mjkgjl32.exe 1712 Mmicfh32.exe 1712 Mmicfh32.exe 736 Mpgobc32.exe 736 Mpgobc32.exe 1796 Mcckcbgp.exe 1796 Mcckcbgp.exe 2088 Nfahomfd.exe 2088 Nfahomfd.exe 344 Nmkplgnq.exe 344 Nmkplgnq.exe 872 Npjlhcmd.exe 872 Npjlhcmd.exe 1184 Nfdddm32.exe 1184 Nfdddm32.exe 2972 Nefdpjkl.exe 2972 Nefdpjkl.exe 1568 Ngealejo.exe 1568 Ngealejo.exe 2668 Nameek32.exe 2668 Nameek32.exe 2396 Nidmfh32.exe 2396 Nidmfh32.exe 2580 Nlcibc32.exe 2580 Nlcibc32.exe 3060 Njfjnpgp.exe 3060 Njfjnpgp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Epnhpglg.exe Eakhdj32.exe File opened for modification C:\Windows\SysWOW64\Fmaeho32.exe Fooembgb.exe File created C:\Windows\SysWOW64\Njfaognh.dll Fmaeho32.exe File opened for modification C:\Windows\SysWOW64\Ghibjjnk.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Flabdecn.exe Fbimkpmm.exe File opened for modification C:\Windows\SysWOW64\Lkbpke32.exe Lajkbp32.exe File opened for modification C:\Windows\SysWOW64\Ppkmjlca.exe Process not Found File created C:\Windows\SysWOW64\Qhihii32.dll Cdmepgce.exe File created C:\Windows\SysWOW64\Ipghcl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Geinjapb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nacmpj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ncfalqpm.exe Ndcapd32.exe File created C:\Windows\SysWOW64\Odcimipf.exe Process not Found File created C:\Windows\SysWOW64\Oqlfhjch.exe Process not Found File created C:\Windows\SysWOW64\Nokcbm32.exe Process not Found File created C:\Windows\SysWOW64\Mbqkiind.exe Mneohj32.exe File created C:\Windows\SysWOW64\Lmjqcd32.dll Dcageqgm.exe File created C:\Windows\SysWOW64\Famcbf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Alaccj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jagpdd32.exe Jmlddeio.exe File created C:\Windows\SysWOW64\Dhopbilb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kqcqpc32.exe Process not Found File created C:\Windows\SysWOW64\Cehhdkjf.exe Cfehhn32.exe File created C:\Windows\SysWOW64\Ehnjfg32.dll Ingkdeak.exe File created C:\Windows\SysWOW64\Cfanmogq.exe Cgnnab32.exe File opened for modification C:\Windows\SysWOW64\Gfiaojkq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Amplklmj.exe Process not Found File created C:\Windows\SysWOW64\Opnbbe32.exe Ompefj32.exe File created C:\Windows\SysWOW64\Kkjpggkn.exe Khldkllj.exe File created C:\Windows\SysWOW64\Malopkam.dll Aeiecfga.exe File opened for modification C:\Windows\SysWOW64\Bemmenhb.exe Process not Found File created C:\Windows\SysWOW64\Bhdhefpc.exe Bdhleh32.exe File created C:\Windows\SysWOW64\Lgingm32.exe Lhfnkqgk.exe File opened for modification C:\Windows\SysWOW64\Laogfg32.exe Process not Found File created C:\Windows\SysWOW64\Mloecb32.dll Process not Found File created C:\Windows\SysWOW64\Nedeohin.dll Process not Found File created C:\Windows\SysWOW64\Igiani32.dll Gkoobhhg.exe File opened for modification C:\Windows\SysWOW64\Daplkmbg.exe Diidjpbe.exe File created C:\Windows\SysWOW64\Edcnakpa.exe Emifeqid.exe File created C:\Windows\SysWOW64\Kfibhjlj.exe Kbmfgk32.exe File created C:\Windows\SysWOW64\Mloiec32.exe Mjqmig32.exe File opened for modification C:\Windows\SysWOW64\Ngdjaofc.exe Ncinap32.exe File opened for modification C:\Windows\SysWOW64\Aklabp32.exe Agpeaa32.exe File created C:\Windows\SysWOW64\Nhqhmj32.exe Process not Found File created C:\Windows\SysWOW64\Bgllgedi.exe Aqbdkk32.exe File opened for modification C:\Windows\SysWOW64\Qfhddn32.exe Process not Found File created C:\Windows\SysWOW64\Ifpjem32.dll Process not Found File created C:\Windows\SysWOW64\Lijiaabk.exe Ldmaijdc.exe File created C:\Windows\SysWOW64\Goigjpaa.dll Process not Found File opened for modification C:\Windows\SysWOW64\Glnkcc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fbipdi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mgcjpkak.exe Mebnic32.exe File created C:\Windows\SysWOW64\Lkbpke32.exe Lajkbp32.exe File opened for modification C:\Windows\SysWOW64\Dboglhna.exe Process not Found File created C:\Windows\SysWOW64\Mdehcgni.dll Process not Found File created C:\Windows\SysWOW64\Kcimhpma.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kkckblgq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Leqeed32.exe Process not Found File created C:\Windows\SysWOW64\Mnglnj32.exe Mkipao32.exe File opened for modification C:\Windows\SysWOW64\Ohbikbkb.exe Oioipf32.exe File created C:\Windows\SysWOW64\Idhdck32.dll Feddombd.exe File created C:\Windows\SysWOW64\Hhnnnbaj.exe Process not Found File created C:\Windows\SysWOW64\Aeenapck.exe Process not Found File opened for modification C:\Windows\SysWOW64\Elnoff32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 9332 7816 Process not Found 1932 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmmpcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijaaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoaill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjmbaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmefdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdfmfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjcip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghoijebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbkfdba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjddgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbmkan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Floeof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbccgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allgoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaoclgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdekbgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncinap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbkpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jieaofmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofcbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbemboof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpaphegf.dll" Mgcjpkak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgdgcfmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pepfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mflgih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qemldifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heobhfnp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdekpjbk.dll" Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonnhc32.dll" Mdogedmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijaaae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckohkhoi.dll" Jenbjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncpdbohb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiefbk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qgmpibam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfqea32.dll" Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbogaqb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillnojb.dll" Fdqnkoep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjknge32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmglihnc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoicpqbb.dll" Floeof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbgahjb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnfdm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apidjmhc.dll" Gjgiidkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhbdleol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fefqdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejjjbbm.dll" Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneoni32.dll" Dnefhpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jajocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blfapfpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgioeh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagcgk32.dll" Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaogognm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 264 wrote to memory of 2340 264 374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe 31 PID 264 wrote to memory of 2340 264 374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe 31 PID 264 wrote to memory of 2340 264 374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe 31 PID 264 wrote to memory of 2340 264 374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe 31 PID 2340 wrote to memory of 2480 2340 Lbcbjlmb.exe 32 PID 2340 wrote to memory of 2480 2340 Lbcbjlmb.exe 32 PID 2340 wrote to memory of 2480 2340 Lbcbjlmb.exe 32 PID 2340 wrote to memory of 2480 2340 Lbcbjlmb.exe 32 PID 2480 wrote to memory of 568 2480 Ldbofgme.exe 33 PID 2480 wrote to memory of 568 2480 Ldbofgme.exe 33 PID 2480 wrote to memory of 568 2480 Ldbofgme.exe 33 PID 2480 wrote to memory of 568 2480 Ldbofgme.exe 33 PID 568 wrote to memory of 2856 568 Lohccp32.exe 34 PID 568 wrote to memory of 2856 568 Lohccp32.exe 34 PID 568 wrote to memory of 2856 568 Lohccp32.exe 34 PID 568 wrote to memory of 2856 568 Lohccp32.exe 34 PID 2856 wrote to memory of 2980 2856 Lqipkhbj.exe 35 PID 2856 wrote to memory of 2980 2856 Lqipkhbj.exe 35 PID 2856 wrote to memory of 2980 2856 Lqipkhbj.exe 35 PID 2856 wrote to memory of 2980 2856 Lqipkhbj.exe 35 PID 2980 wrote to memory of 2836 2980 Lddlkg32.exe 36 PID 2980 wrote to memory of 2836 2980 Lddlkg32.exe 36 PID 2980 wrote to memory of 2836 2980 Lddlkg32.exe 36 PID 2980 wrote to memory of 2836 2980 Lddlkg32.exe 36 PID 2836 wrote to memory of 2588 2836 Mdghaf32.exe 37 PID 2836 wrote to memory of 2588 2836 Mdghaf32.exe 37 PID 2836 wrote to memory of 2588 2836 Mdghaf32.exe 37 PID 2836 wrote to memory of 2588 2836 Mdghaf32.exe 37 PID 2588 wrote to memory of 2628 2588 Mkqqnq32.exe 38 PID 2588 wrote to memory of 2628 2588 Mkqqnq32.exe 38 PID 2588 wrote to memory of 2628 2588 Mkqqnq32.exe 38 PID 2588 wrote to memory of 2628 2588 Mkqqnq32.exe 38 PID 2628 wrote to memory of 1964 2628 Mnomjl32.exe 39 PID 2628 wrote to memory of 1964 2628 Mnomjl32.exe 39 PID 2628 wrote to memory of 1964 2628 Mnomjl32.exe 39 PID 2628 wrote to memory of 1964 2628 Mnomjl32.exe 39 PID 1964 wrote to memory of 1680 1964 Mdiefffn.exe 40 PID 1964 wrote to memory of 1680 1964 Mdiefffn.exe 40 PID 1964 wrote to memory of 1680 1964 Mdiefffn.exe 40 PID 1964 wrote to memory of 1680 1964 Mdiefffn.exe 40 PID 1680 wrote to memory of 1892 1680 Mggabaea.exe 41 PID 1680 wrote to memory of 1892 1680 Mggabaea.exe 41 PID 1680 wrote to memory of 1892 1680 Mggabaea.exe 41 PID 1680 wrote to memory of 1892 1680 Mggabaea.exe 41 PID 1892 wrote to memory of 2116 1892 Mnaiol32.exe 42 PID 1892 wrote to memory of 2116 1892 Mnaiol32.exe 42 PID 1892 wrote to memory of 2116 1892 Mnaiol32.exe 42 PID 1892 wrote to memory of 2116 1892 Mnaiol32.exe 42 PID 2116 wrote to memory of 1336 2116 Mqpflg32.exe 43 PID 2116 wrote to memory of 1336 2116 Mqpflg32.exe 43 PID 2116 wrote to memory of 1336 2116 Mqpflg32.exe 43 PID 2116 wrote to memory of 1336 2116 Mqpflg32.exe 43 PID 1336 wrote to memory of 2812 1336 Mcnbhb32.exe 44 PID 1336 wrote to memory of 2812 1336 Mcnbhb32.exe 44 PID 1336 wrote to memory of 2812 1336 Mcnbhb32.exe 44 PID 1336 wrote to memory of 2812 1336 Mcnbhb32.exe 44 PID 2812 wrote to memory of 2416 2812 Mfmndn32.exe 45 PID 2812 wrote to memory of 2416 2812 Mfmndn32.exe 45 PID 2812 wrote to memory of 2416 2812 Mfmndn32.exe 45 PID 2812 wrote to memory of 2416 2812 Mfmndn32.exe 45 PID 2416 wrote to memory of 1696 2416 Mikjpiim.exe 46 PID 2416 wrote to memory of 1696 2416 Mikjpiim.exe 46 PID 2416 wrote to memory of 1696 2416 Mikjpiim.exe 46 PID 2416 wrote to memory of 1696 2416 Mikjpiim.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe"C:\Users\Admin\AppData\Local\Temp\374e71f730d0bd89d9ef4b9b4aa02d0dafcb3c694a08b197b7292f9ed75191c2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:736 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe33⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe34⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe35⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe36⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe38⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe40⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe41⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe42⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe43⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe44⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe45⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe47⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe49⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe50⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe51⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe52⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe53⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe54⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe55⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe56⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe57⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe58⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe59⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe60⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe61⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe62⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe63⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe64⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe65⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe66⤵PID:988
-
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe67⤵PID:2688
-
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe68⤵PID:1924
-
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe69⤵PID:1096
-
C:\Windows\SysWOW64\Pmpbdm32.exeC:\Windows\system32\Pmpbdm32.exe70⤵PID:2788
-
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe71⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe72⤵PID:2144
-
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe73⤵PID:2752
-
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe74⤵PID:2172
-
C:\Windows\SysWOW64\Pleofj32.exeC:\Windows\system32\Pleofj32.exe75⤵PID:1852
-
C:\Windows\SysWOW64\Qppkfhlc.exeC:\Windows\system32\Qppkfhlc.exe76⤵PID:1752
-
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe77⤵PID:2432
-
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe78⤵PID:1748
-
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe79⤵PID:1240
-
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe80⤵PID:1984
-
C:\Windows\SysWOW64\Qgmpibam.exeC:\Windows\system32\Qgmpibam.exe81⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Qjklenpa.exeC:\Windows\system32\Qjklenpa.exe82⤵PID:2748
-
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe83⤵PID:2028
-
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe84⤵PID:1772
-
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe85⤵PID:1220
-
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe86⤵PID:1900
-
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe87⤵PID:2548
-
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe88⤵PID:1300
-
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe89⤵PID:2952
-
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe90⤵PID:1672
-
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe91⤵
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe92⤵PID:2544
-
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1128 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe94⤵PID:2608
-
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe95⤵PID:924
-
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe97⤵PID:2988
-
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe99⤵PID:2448
-
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe100⤵PID:2928
-
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe101⤵PID:660
-
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe102⤵PID:1592
-
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe103⤵PID:1960
-
C:\Windows\SysWOW64\Bmlael32.exeC:\Windows\system32\Bmlael32.exe104⤵PID:2328
-
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe105⤵PID:2344
-
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe106⤵PID:2716
-
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe107⤵PID:2824
-
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe108⤵PID:2204
-
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe109⤵PID:288
-
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe110⤵PID:2852
-
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe111⤵PID:3052
-
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe112⤵PID:2096
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe113⤵PID:2256
-
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe114⤵
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe115⤵PID:2700
-
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe116⤵PID:2552
-
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe117⤵PID:2680
-
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe118⤵PID:2828
-
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe119⤵PID:1940
-
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe120⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe121⤵PID:3036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-