Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/09/2024, 22:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe
-
Size
80KB
-
MD5
3c3dd09a8e96961fc91772229a802fab
-
SHA1
68c0246d2d8e700ab248d35a1879b2891b1e003b
-
SHA256
7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7
-
SHA512
5851bdcd3a8d887f6c7fc5b63f4028c52a7cbd5b849a9d3449ace2437cab7c8c30815298eb678aa7579d7c095f1c1f006415f2556699b753149943275fd1212a
-
SSDEEP
1536:uY9peePkJ0EREg9JcS2LXqaIZTJ+7LhkiB0:uY9sRn9Jcf6aMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqehjecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mngjeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnnhngjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibqqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjjag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnhngjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mejlalji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boidnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pincfpoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeehln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einjdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkoobhhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhnkfpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggagmjbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmijmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldahkaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggggoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiigiab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biolanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jialfgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jelfdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokqnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fapeic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jliaac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boljgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjdmjgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjebdfnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clmdmm32.exe -
Executes dropped EXE 64 IoCs
pid Process 1772 Eccpoo32.exe 2784 Ekjgpm32.exe 2728 Ekjgpm32.exe 3016 Edclib32.exe 1152 Egahen32.exe 2772 Elnqmd32.exe 2664 Fchijone.exe 536 Flqmbd32.exe 2916 Fbmfkkbm.exe 2908 Fkejcq32.exe 2912 Foafdoag.exe 2500 Fhikme32.exe 1800 Fkhgip32.exe 2080 Filgbdfd.exe 2584 Fofpoo32.exe 2264 Fqglggcp.exe 3064 Fgadda32.exe 2224 Gqiimfam.exe 2368 Gcheib32.exe 1820 Gcjbna32.exe 1384 Gfhnjm32.exe 1972 Gjdjklek.exe 2164 Gpabcbdb.exe 1808 Gjfgqk32.exe 2708 Gmecmg32.exe 2732 Gbaken32.exe 1616 Gfmgelil.exe 2656 Gpelnb32.exe 2648 Hfpdkl32.exe 2156 Hmjlhfof.exe 2008 Hphidanj.exe 1560 Hloiib32.exe 2668 Hpjeialg.exe 1052 Hegnahjo.exe 2188 Hhejnc32.exe 2696 Hbknkl32.exe 1156 Heikgh32.exe 2400 Hhhgcc32.exe 1272 Hlccdboi.exe 1700 Hapklimq.exe 952 Helgmg32.exe 2064 Hhjcic32.exe 560 Hjipenda.exe 1888 Hndlem32.exe 1504 Iabhah32.exe 2340 Ipehmebh.exe 2260 Ihmpobck.exe 2812 Iinmfk32.exe 2716 Imiigiab.exe 2836 Iaeegh32.exe 2712 Idcacc32.exe 2184 Ibfaopoi.exe 1084 Ijmipn32.exe 2952 Imleli32.exe 2844 Ilofhffj.exe 760 Ibhndp32.exe 1324 Iegjqk32.exe 2096 Iibfajdc.exe 2132 Ilabmedg.exe 2144 Ibkkjp32.exe 704 Ifffkncm.exe 816 Iiecgjba.exe 3036 Ilcoce32.exe 2100 Ipokcdjn.exe -
Loads dropped DLL 64 IoCs
pid Process 1736 7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe 1736 7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe 1772 Eccpoo32.exe 1772 Eccpoo32.exe 2784 Ekjgpm32.exe 2784 Ekjgpm32.exe 2728 Ekjgpm32.exe 2728 Ekjgpm32.exe 3016 Edclib32.exe 3016 Edclib32.exe 1152 Egahen32.exe 1152 Egahen32.exe 2772 Elnqmd32.exe 2772 Elnqmd32.exe 2664 Fchijone.exe 2664 Fchijone.exe 536 Flqmbd32.exe 536 Flqmbd32.exe 2916 Fbmfkkbm.exe 2916 Fbmfkkbm.exe 2908 Fkejcq32.exe 2908 Fkejcq32.exe 2912 Foafdoag.exe 2912 Foafdoag.exe 2500 Fhikme32.exe 2500 Fhikme32.exe 1800 Fkhgip32.exe 1800 Fkhgip32.exe 2080 Filgbdfd.exe 2080 Filgbdfd.exe 2584 Fofpoo32.exe 2584 Fofpoo32.exe 2264 Fqglggcp.exe 2264 Fqglggcp.exe 3064 Fgadda32.exe 3064 Fgadda32.exe 2224 Gqiimfam.exe 2224 Gqiimfam.exe 2368 Gcheib32.exe 2368 Gcheib32.exe 1820 Gcjbna32.exe 1820 Gcjbna32.exe 1384 Gfhnjm32.exe 1384 Gfhnjm32.exe 1972 Gjdjklek.exe 1972 Gjdjklek.exe 2164 Gpabcbdb.exe 2164 Gpabcbdb.exe 1808 Gjfgqk32.exe 1808 Gjfgqk32.exe 2708 Gmecmg32.exe 2708 Gmecmg32.exe 2732 Gbaken32.exe 2732 Gbaken32.exe 1616 Gfmgelil.exe 1616 Gfmgelil.exe 2656 Gpelnb32.exe 2656 Gpelnb32.exe 2648 Hfpdkl32.exe 2648 Hfpdkl32.exe 2156 Hmjlhfof.exe 2156 Hmjlhfof.exe 2008 Hphidanj.exe 2008 Hphidanj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jabdql32.exe Jodhdp32.exe File opened for modification C:\Windows\SysWOW64\Injndk32.exe Ijnbcmkk.exe File created C:\Windows\SysWOW64\Haqnea32.exe Hbnmienj.exe File created C:\Windows\SysWOW64\Mblbnj32.exe Momfan32.exe File created C:\Windows\SysWOW64\Anljck32.exe Aknngo32.exe File opened for modification C:\Windows\SysWOW64\Kllnhg32.exe Kfbfkmeh.exe File created C:\Windows\SysWOW64\Nhfpnk32.dll Kffldlne.exe File opened for modification C:\Windows\SysWOW64\Cepipm32.exe Cfmhdpnc.exe File opened for modification C:\Windows\SysWOW64\Ppfafcpb.exe Pmhejhao.exe File created C:\Windows\SysWOW64\Hjlioj32.exe Hkiicmdh.exe File created C:\Windows\SysWOW64\Kkeecogo.exe Khghgchk.exe File created C:\Windows\SysWOW64\Jenpajfb.exe Jabdql32.exe File created C:\Windows\SysWOW64\Gqdefddb.exe Gneijien.exe File created C:\Windows\SysWOW64\Gaokcb32.dll Nfoghakb.exe File created C:\Windows\SysWOW64\Hbnmienj.exe Hjgehgnh.exe File created C:\Windows\SysWOW64\Qhihii32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hfcjdkpg.exe Hcdnhoac.exe File created C:\Windows\SysWOW64\Gpidki32.exe Process not Found File created C:\Windows\SysWOW64\Ohpbbo32.dll Jdejhfig.exe File created C:\Windows\SysWOW64\Kfnmpn32.exe Kcopdb32.exe File opened for modification C:\Windows\SysWOW64\Daacecfc.exe Dbncjf32.exe File opened for modification C:\Windows\SysWOW64\Hblgnkdh.exe Hakkgc32.exe File created C:\Windows\SysWOW64\Jdpjba32.exe Jliaac32.exe File created C:\Windows\SysWOW64\Gcheib32.exe Gqiimfam.exe File created C:\Windows\SysWOW64\Amfognic.exe Ajgbkbjp.exe File created C:\Windows\SysWOW64\Jendoajo.dll Adifpk32.exe File created C:\Windows\SysWOW64\Fmiogi32.dll Ajckilei.exe File created C:\Windows\SysWOW64\Cbgklp32.dll Process not Found File created C:\Windows\SysWOW64\Opihgfop.exe Omklkkpl.exe File opened for modification C:\Windows\SysWOW64\Plmbkd32.exe Pioeoi32.exe File created C:\Windows\SysWOW64\Engeeehn.dll Process not Found File created C:\Windows\SysWOW64\Ibfaopoi.exe Idcacc32.exe File opened for modification C:\Windows\SysWOW64\Gncldi32.exe Gkephn32.exe File opened for modification C:\Windows\SysWOW64\Pdakniag.exe Pljcllqe.exe File created C:\Windows\SysWOW64\Jhebgh32.dll Khghgchk.exe File opened for modification C:\Windows\SysWOW64\Micklk32.exe Mjpkqonj.exe File created C:\Windows\SysWOW64\Omefkplm.exe Okgjodmi.exe File created C:\Windows\SysWOW64\Kgigbp32.dll Fjlmpfhg.exe File opened for modification C:\Windows\SysWOW64\Neiaeiii.exe Nbjeinje.exe File created C:\Windows\SysWOW64\Kqojbd32.dll Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Iedfqeka.exe Iahkpg32.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Jmdepg32.exe File opened for modification C:\Windows\SysWOW64\Kpdjaecc.exe Knfndjdp.exe File created C:\Windows\SysWOW64\Ckbjaopk.dll Bkbaii32.exe File created C:\Windows\SysWOW64\Hneeilgj.exe Hpbdmo32.exe File opened for modification C:\Windows\SysWOW64\Mbcoio32.exe Mcqombic.exe File created C:\Windows\SysWOW64\Ajfjbh32.dll Fepjea32.exe File opened for modification C:\Windows\SysWOW64\Jnofgg32.exe Process not Found File created C:\Windows\SysWOW64\Idkhmgco.dll Pphkbj32.exe File opened for modification C:\Windows\SysWOW64\Laqojfli.exe Ljigih32.exe File opened for modification C:\Windows\SysWOW64\Cmfmojcb.exe Process not Found File created C:\Windows\SysWOW64\Pbmmpj32.dll Dokfme32.exe File created C:\Windows\SysWOW64\Phoogg32.dll Process not Found File created C:\Windows\SysWOW64\Jkmeoa32.exe Jgaiobjn.exe File created C:\Windows\SysWOW64\Lmjnak32.exe Lngnfnji.exe File created C:\Windows\SysWOW64\Fdpcbceo.dll Mhcmedli.exe File opened for modification C:\Windows\SysWOW64\Omckoi32.exe Onqkclni.exe File created C:\Windows\SysWOW64\Pljcllqe.exe Pilfpqaa.exe File opened for modification C:\Windows\SysWOW64\Bbbgod32.exe Aodkci32.exe File opened for modification C:\Windows\SysWOW64\Hakkgc32.exe Hmoofdea.exe File created C:\Windows\SysWOW64\Ofcqcp32.exe Odedge32.exe File created C:\Windows\SysWOW64\Nmcopebh.exe Njeccjcd.exe File opened for modification C:\Windows\SysWOW64\Oemgplgo.exe Obokcqhk.exe File created C:\Windows\SysWOW64\Qkibcg32.exe Qhjfgl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1028 2260 Process not Found 1292 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldlga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhahanie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dipjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcpacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflmjihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odchbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbaken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbabpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anljck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjcme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjqamme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblfdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijibng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmmfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbncfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcnqama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paocnkph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addfkeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfihkoal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnmpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgeaoinb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnkpobc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeecogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalipcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpabcbdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fckhhgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalhqohl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oopijc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbhdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjpbign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpbbo32.dll" Jdejhfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdngobg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jenpajfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljigih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjcbk32.dll" Ljghjpfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghakg32.dll" Mlkjne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnckjddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miidam32.dll" Cpfdhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidfcc32.dll" Edclib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhakcfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlphbbbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqmla32.dll" Kbgjkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojomdoof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnqjnhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" Bfdenafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdmkoepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepiko32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldjpbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll" Aaimopli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kenoifpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcblan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmijfmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hffhec32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igphon32.dll" Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggggoda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll" Bniajoic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ichmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddgloho.dll" Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiecgjba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmkeke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eabepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acejfl32.dll" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obgkpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Pkaehb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll" Aoojnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggfpgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdekc32.dll" Qhilkege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hapklimq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1736 wrote to memory of 1772 1736 7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe 30 PID 1736 wrote to memory of 1772 1736 7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe 30 PID 1736 wrote to memory of 1772 1736 7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe 30 PID 1736 wrote to memory of 1772 1736 7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe 30 PID 1772 wrote to memory of 2784 1772 Eccpoo32.exe 31 PID 1772 wrote to memory of 2784 1772 Eccpoo32.exe 31 PID 1772 wrote to memory of 2784 1772 Eccpoo32.exe 31 PID 1772 wrote to memory of 2784 1772 Eccpoo32.exe 31 PID 2784 wrote to memory of 2728 2784 Ekjgpm32.exe 32 PID 2784 wrote to memory of 2728 2784 Ekjgpm32.exe 32 PID 2784 wrote to memory of 2728 2784 Ekjgpm32.exe 32 PID 2784 wrote to memory of 2728 2784 Ekjgpm32.exe 32 PID 2728 wrote to memory of 3016 2728 Ekjgpm32.exe 33 PID 2728 wrote to memory of 3016 2728 Ekjgpm32.exe 33 PID 2728 wrote to memory of 3016 2728 Ekjgpm32.exe 33 PID 2728 wrote to memory of 3016 2728 Ekjgpm32.exe 33 PID 3016 wrote to memory of 1152 3016 Edclib32.exe 34 PID 3016 wrote to memory of 1152 3016 Edclib32.exe 34 PID 3016 wrote to memory of 1152 3016 Edclib32.exe 34 PID 3016 wrote to memory of 1152 3016 Edclib32.exe 34 PID 1152 wrote to memory of 2772 1152 Egahen32.exe 35 PID 1152 wrote to memory of 2772 1152 Egahen32.exe 35 PID 1152 wrote to memory of 2772 1152 Egahen32.exe 35 PID 1152 wrote to memory of 2772 1152 Egahen32.exe 35 PID 2772 wrote to memory of 2664 2772 Elnqmd32.exe 36 PID 2772 wrote to memory of 2664 2772 Elnqmd32.exe 36 PID 2772 wrote to memory of 2664 2772 Elnqmd32.exe 36 PID 2772 wrote to memory of 2664 2772 Elnqmd32.exe 36 PID 2664 wrote to memory of 536 2664 Fchijone.exe 37 PID 2664 wrote to memory of 536 2664 Fchijone.exe 37 PID 2664 wrote to memory of 536 2664 Fchijone.exe 37 PID 2664 wrote to memory of 536 2664 Fchijone.exe 37 PID 536 wrote to memory of 2916 536 Flqmbd32.exe 38 PID 536 wrote to memory of 2916 536 Flqmbd32.exe 38 PID 536 wrote to memory of 2916 536 Flqmbd32.exe 38 PID 536 wrote to memory of 2916 536 Flqmbd32.exe 38 PID 2916 wrote to memory of 2908 2916 Fbmfkkbm.exe 39 PID 2916 wrote to memory of 2908 2916 Fbmfkkbm.exe 39 PID 2916 wrote to memory of 2908 2916 Fbmfkkbm.exe 39 PID 2916 wrote to memory of 2908 2916 Fbmfkkbm.exe 39 PID 2908 wrote to memory of 2912 2908 Fkejcq32.exe 40 PID 2908 wrote to memory of 2912 2908 Fkejcq32.exe 40 PID 2908 wrote to memory of 2912 2908 Fkejcq32.exe 40 PID 2908 wrote to memory of 2912 2908 Fkejcq32.exe 40 PID 2912 wrote to memory of 2500 2912 Foafdoag.exe 41 PID 2912 wrote to memory of 2500 2912 Foafdoag.exe 41 PID 2912 wrote to memory of 2500 2912 Foafdoag.exe 41 PID 2912 wrote to memory of 2500 2912 Foafdoag.exe 41 PID 2500 wrote to memory of 1800 2500 Fhikme32.exe 42 PID 2500 wrote to memory of 1800 2500 Fhikme32.exe 42 PID 2500 wrote to memory of 1800 2500 Fhikme32.exe 42 PID 2500 wrote to memory of 1800 2500 Fhikme32.exe 42 PID 1800 wrote to memory of 2080 1800 Fkhgip32.exe 43 PID 1800 wrote to memory of 2080 1800 Fkhgip32.exe 43 PID 1800 wrote to memory of 2080 1800 Fkhgip32.exe 43 PID 1800 wrote to memory of 2080 1800 Fkhgip32.exe 43 PID 2080 wrote to memory of 2584 2080 Filgbdfd.exe 44 PID 2080 wrote to memory of 2584 2080 Filgbdfd.exe 44 PID 2080 wrote to memory of 2584 2080 Filgbdfd.exe 44 PID 2080 wrote to memory of 2584 2080 Filgbdfd.exe 44 PID 2584 wrote to memory of 2264 2584 Fofpoo32.exe 45 PID 2584 wrote to memory of 2264 2584 Fofpoo32.exe 45 PID 2584 wrote to memory of 2264 2584 Fofpoo32.exe 45 PID 2584 wrote to memory of 2264 2584 Fofpoo32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe"C:\Users\Admin\AppData\Local\Temp\7baf908c20c425e6d4a071b4a1a3e5c58508c49c421fafb2f3b9ab4e410fecb7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe33⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe34⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe35⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe36⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe37⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe38⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe39⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe40⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe42⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe43⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe44⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe45⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe46⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe47⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe48⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe49⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe51⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe53⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe54⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe56⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe57⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe58⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe59⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe60⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe61⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe62⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe65⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe66⤵PID:1040
-
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe67⤵PID:108
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe68⤵PID:2740
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe69⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe70⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe71⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe72⤵PID:2672
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe73⤵PID:2984
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe74⤵PID:1120
-
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe75⤵PID:636
-
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe76⤵PID:912
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe77⤵
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe78⤵PID:2032
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe79⤵PID:2316
-
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe80⤵PID:2472
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe82⤵PID:908
-
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe83⤵PID:1748
-
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe84⤵PID:2544
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe85⤵PID:2508
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe86⤵PID:2540
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe87⤵PID:2556
-
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe88⤵PID:2752
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe89⤵PID:2800
-
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe90⤵PID:2832
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe91⤵PID:1484
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe92⤵PID:2860
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe93⤵PID:1028
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe94⤵
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe96⤵PID:3032
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe97⤵PID:2228
-
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe98⤵PID:2232
-
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe99⤵PID:1752
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe100⤵PID:2052
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe101⤵PID:2840
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe102⤵PID:1576
-
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe103⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe104⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe105⤵PID:2020
-
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe106⤵PID:2948
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe107⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe108⤵PID:1036
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe109⤵PID:628
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe110⤵PID:1840
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe112⤵PID:2480
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe113⤵PID:2880
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe114⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe115⤵PID:2596
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe116⤵PID:992
-
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe117⤵PID:1816
-
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe118⤵PID:2208
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe119⤵PID:2868
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe120⤵PID:448
-
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe121⤵PID:1488
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-