Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 05:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451N.exe
-
Size
78KB
-
MD5
513e63e7d832cb5daf116d64a3772e40
-
SHA1
acd105c09af9637a49e68341450253df6d5234ff
-
SHA256
7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451
-
SHA512
6d98865774f4ec535ee0e38f2215c082474c45374f56287bb1822c9fdcf32096878c5744aa9af4cb8092da40f79eea483554700e07dcd95e027aa756a5b35359
-
SSDEEP
1536:rZpVRTn75BmdAGrhRmv/R/JmbEE75nJju1i96yf5oAnqDM+4yyF:dpLzlEdAMmv/R/JmbEE75JEi9Cuq4cyF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbpmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlolpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcliikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqknkedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfagf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijeec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljclki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amqhbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaiimadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blqllqqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhnbhok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhbolp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbcjnilj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijegcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olicnfco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflhoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhamkipi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hienlpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgadgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeaoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhgkmpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oobfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfjcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addaif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glkmmefl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoohe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaleglc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhapk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jncoikmp.exe -
Executes dropped EXE 64 IoCs
pid Process 2784 Igqkqiai.exe 4920 Iafonaao.exe 532 Ihphkl32.exe 3916 Ijadbdoj.exe 4560 Iqklon32.exe 1768 Igedlh32.exe 4556 Iakiia32.exe 4480 Idieem32.exe 1960 Ikcmbfcj.exe 4624 Ibmeoq32.exe 2228 Idkbkl32.exe 4324 Indfca32.exe 2092 Jglklggl.exe 3804 Jbaojpgb.exe 1284 Jhlgfj32.exe 5088 Jjmcnbdm.exe 5072 Jnhpoamf.exe 1804 Jgadgf32.exe 4940 Jnkldqkc.exe 3788 Jbfheo32.exe 396 Jgcamf32.exe 1672 Jjamia32.exe 1896 Jbiejoaj.exe 3944 Jgenbfoa.exe 4176 Jjdjoane.exe 372 Kiejmi32.exe 1796 Kbmoen32.exe 3604 Kelkaj32.exe 4724 Kjhcjq32.exe 408 Kenggi32.exe 392 Knflpoqf.exe 112 Keqdmihc.exe 4180 Kjmmepfj.exe 3576 Kecabifp.exe 4268 Kjpijpdg.exe 3452 Liqihglg.exe 692 Lnnbqnjn.exe 444 Legjmh32.exe 4152 Lnpofnhk.exe 4600 Lieccf32.exe 4356 Ljgpkonp.exe 4996 Laqhhi32.exe 1560 Lgkpdcmi.exe 2776 Lndham32.exe 2236 Leopnglc.exe 4836 Llhikacp.exe 704 Mbbagk32.exe 548 Milidebi.exe 2828 Mjneln32.exe 4300 Mhafeb32.exe 5048 Mnlnbl32.exe 3228 Majjng32.exe 2896 Mlpokp32.exe 3180 Mnnkgl32.exe 3672 Mehcdfch.exe 2656 Mhfppabl.exe 776 Mblcnj32.exe 1404 Mejpje32.exe 2816 Njghbl32.exe 1752 Nbnpcj32.exe 1324 Nemmoe32.exe 2416 Njiegl32.exe 5060 Nijeec32.exe 2684 Nliaao32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Njfagf32.exe Nghekkmn.exe File created C:\Windows\SysWOW64\Jjgobjmp.dll Nmgjia32.exe File created C:\Windows\SysWOW64\Peaggfjj.dll Modgdicm.exe File opened for modification C:\Windows\SysWOW64\Mnlnbl32.exe Mhafeb32.exe File created C:\Windows\SysWOW64\Nbcpja32.dll Bkdcbd32.exe File created C:\Windows\SysWOW64\Ikpjbq32.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Epgkpagl.dll Kjhloj32.exe File opened for modification C:\Windows\SysWOW64\Jgcamf32.exe Jbfheo32.exe File created C:\Windows\SysWOW64\Oqadgkdb.dll Chqogq32.exe File created C:\Windows\SysWOW64\Pnpkdp32.dll Opeiadfg.exe File created C:\Windows\SysWOW64\Mjfmcmai.dll Cnkkjh32.exe File opened for modification C:\Windows\SysWOW64\Aaenbd32.exe Aogbfi32.exe File opened for modification C:\Windows\SysWOW64\Bljlfh32.exe Bhoqeibl.exe File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Eblpgjha.exe File created C:\Windows\SysWOW64\Apmhiq32.exe Amnlme32.exe File created C:\Windows\SysWOW64\Cjpekc32.dll Plmmif32.exe File opened for modification C:\Windows\SysWOW64\Cnkkjh32.exe Ckmonl32.exe File created C:\Windows\SysWOW64\Ckjinf32.dll Gldglf32.exe File opened for modification C:\Windows\SysWOW64\Njmqnobn.exe Ncchae32.exe File opened for modification C:\Windows\SysWOW64\Cbphdn32.exe Ckfphc32.exe File opened for modification C:\Windows\SysWOW64\Gmggfp32.exe Gkhkjd32.exe File created C:\Windows\SysWOW64\Hcpojd32.exe Hpabni32.exe File created C:\Windows\SysWOW64\Hlfpph32.dll Bdojjo32.exe File created C:\Windows\SysWOW64\Mieced32.dll Mehcdfch.exe File created C:\Windows\SysWOW64\Imkbnf32.exe Iedjmioj.exe File created C:\Windows\SysWOW64\Mhegobpi.dll Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Lljklo32.exe Kjlopc32.exe File created C:\Windows\SysWOW64\Oelolmnd.exe Oobfob32.exe File created C:\Windows\SysWOW64\Bheplb32.exe Bdickcpo.exe File created C:\Windows\SysWOW64\Bhamkipi.exe Bjnmpl32.exe File created C:\Windows\SysWOW64\Nklinjmj.dll Dfiildio.exe File created C:\Windows\SysWOW64\Lnjgfb32.exe Lfbped32.exe File created C:\Windows\SysWOW64\Oingap32.dll Afpjel32.exe File created C:\Windows\SysWOW64\Mcbpjg32.exe Mmhgmmbf.exe File created C:\Windows\SysWOW64\Nlljlela.dll Emkndc32.exe File opened for modification C:\Windows\SysWOW64\Glcaambb.exe Fideeaco.exe File created C:\Windows\SysWOW64\Jdmgfedl.exe Jpaleglc.exe File created C:\Windows\SysWOW64\Kgiiiidd.exe Kpoalo32.exe File opened for modification C:\Windows\SysWOW64\Pkbjjbda.exe Phdnngdn.exe File created C:\Windows\SysWOW64\Fkcocace.dll Mblcnj32.exe File created C:\Windows\SysWOW64\Ijqmhnko.exe Igbalblk.exe File opened for modification C:\Windows\SysWOW64\Lnldla32.exe Ljqhkckn.exe File created C:\Windows\SysWOW64\Ijilflah.dll Caageq32.exe File opened for modification C:\Windows\SysWOW64\Dahmfpap.exe Dojqjdbl.exe File opened for modification C:\Windows\SysWOW64\Aaiimadl.exe Aojlaeei.exe File created C:\Windows\SysWOW64\Anmfbl32.exe Alkijdci.exe File opened for modification C:\Windows\SysWOW64\Fihnomjp.exe Ebnfbcbc.exe File created C:\Windows\SysWOW64\Ngjkfd32.exe Npbceggm.exe File opened for modification C:\Windows\SysWOW64\Mgphpe32.exe Moipoh32.exe File created C:\Windows\SysWOW64\Pmikmcgp.dll Oanokhdb.exe File opened for modification C:\Windows\SysWOW64\Ackbmcjl.exe Aoofle32.exe File created C:\Windows\SysWOW64\Dcnqpo32.exe Dlghoa32.exe File created C:\Windows\SysWOW64\Cfnjpfcl.exe Ckhecmcf.exe File opened for modification C:\Windows\SysWOW64\Lcdciiec.exe Lljklo32.exe File created C:\Windows\SysWOW64\Ondljl32.exe Ojhpimhp.exe File created C:\Windows\SysWOW64\Ckebcg32.exe Cdkifmjq.exe File created C:\Windows\SysWOW64\Cmjemflb.exe Cioilg32.exe File opened for modification C:\Windows\SysWOW64\Flqdlnde.exe Ffclcgfn.exe File created C:\Windows\SysWOW64\Hdjgko32.dll Kkpbin32.exe File created C:\Windows\SysWOW64\Ogpoeg32.dll Anmfbl32.exe File created C:\Windows\SysWOW64\Cqnnno32.dll Kelkaj32.exe File opened for modification C:\Windows\SysWOW64\Mejpje32.exe Mblcnj32.exe File created C:\Windows\SysWOW64\Mejpje32.exe Mblcnj32.exe File opened for modification C:\Windows\SysWOW64\Jgbchj32.exe Jokkgl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14648 14344 WerFault.exe 806 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkpdcmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloqml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnbicff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhnikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiejmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknobkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdaepai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfheo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkoigdom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacjdbch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpdnedf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkldqkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbphg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmdfonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhapk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjnfkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelolmnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paoollik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmqfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefgbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poliea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djqblj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conanfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anclbkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caageq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagiji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmmmmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijadbdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idieem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmabggdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclmamod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgipcogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecphp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cclnpmna.dll" Kenggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apddkmko.dll" Lnpofnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoong32.dll" Epndknin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmmboed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbphdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffonkgk.dll" Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmiag32.dll" Ohiemobf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpabni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkkjnjg.dll" Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjinf32.dll" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqnimdf.dll" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll" Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohiemobf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggahedjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najmjokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmeal32.dll" Nbnpcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhpbfpka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbflncid.dll" Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gikdkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhffmd32.dll" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnogj32.dll" Olanmgig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pahpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pabblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhikb32.dll" Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpped32.dll" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcoajfm.dll" Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonlon32.dll" Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaopfjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdkac32.dll" Anclbkbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnqfcbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnqgqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nclbpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djpphb32.dll" Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgflaec.dll" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicpnnio.dll" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oclknk32.dll" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdjibj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3652 wrote to memory of 2784 3652 7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451N.exe 82 PID 3652 wrote to memory of 2784 3652 7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451N.exe 82 PID 3652 wrote to memory of 2784 3652 7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451N.exe 82 PID 2784 wrote to memory of 4920 2784 Igqkqiai.exe 83 PID 2784 wrote to memory of 4920 2784 Igqkqiai.exe 83 PID 2784 wrote to memory of 4920 2784 Igqkqiai.exe 83 PID 4920 wrote to memory of 532 4920 Iafonaao.exe 84 PID 4920 wrote to memory of 532 4920 Iafonaao.exe 84 PID 4920 wrote to memory of 532 4920 Iafonaao.exe 84 PID 532 wrote to memory of 3916 532 Ihphkl32.exe 85 PID 532 wrote to memory of 3916 532 Ihphkl32.exe 85 PID 532 wrote to memory of 3916 532 Ihphkl32.exe 85 PID 3916 wrote to memory of 4560 3916 Ijadbdoj.exe 86 PID 3916 wrote to memory of 4560 3916 Ijadbdoj.exe 86 PID 3916 wrote to memory of 4560 3916 Ijadbdoj.exe 86 PID 4560 wrote to memory of 1768 4560 Iqklon32.exe 87 PID 4560 wrote to memory of 1768 4560 Iqklon32.exe 87 PID 4560 wrote to memory of 1768 4560 Iqklon32.exe 87 PID 1768 wrote to memory of 4556 1768 Igedlh32.exe 88 PID 1768 wrote to memory of 4556 1768 Igedlh32.exe 88 PID 1768 wrote to memory of 4556 1768 Igedlh32.exe 88 PID 4556 wrote to memory of 4480 4556 Iakiia32.exe 89 PID 4556 wrote to memory of 4480 4556 Iakiia32.exe 89 PID 4556 wrote to memory of 4480 4556 Iakiia32.exe 89 PID 4480 wrote to memory of 1960 4480 Idieem32.exe 90 PID 4480 wrote to memory of 1960 4480 Idieem32.exe 90 PID 4480 wrote to memory of 1960 4480 Idieem32.exe 90 PID 1960 wrote to memory of 4624 1960 Ikcmbfcj.exe 91 PID 1960 wrote to memory of 4624 1960 Ikcmbfcj.exe 91 PID 1960 wrote to memory of 4624 1960 Ikcmbfcj.exe 91 PID 4624 wrote to memory of 2228 4624 Ibmeoq32.exe 92 PID 4624 wrote to memory of 2228 4624 Ibmeoq32.exe 92 PID 4624 wrote to memory of 2228 4624 Ibmeoq32.exe 92 PID 2228 wrote to memory of 4324 2228 Idkbkl32.exe 93 PID 2228 wrote to memory of 4324 2228 Idkbkl32.exe 93 PID 2228 wrote to memory of 4324 2228 Idkbkl32.exe 93 PID 4324 wrote to memory of 2092 4324 Indfca32.exe 94 PID 4324 wrote to memory of 2092 4324 Indfca32.exe 94 PID 4324 wrote to memory of 2092 4324 Indfca32.exe 94 PID 2092 wrote to memory of 3804 2092 Jglklggl.exe 95 PID 2092 wrote to memory of 3804 2092 Jglklggl.exe 95 PID 2092 wrote to memory of 3804 2092 Jglklggl.exe 95 PID 3804 wrote to memory of 1284 3804 Jbaojpgb.exe 96 PID 3804 wrote to memory of 1284 3804 Jbaojpgb.exe 96 PID 3804 wrote to memory of 1284 3804 Jbaojpgb.exe 96 PID 1284 wrote to memory of 5088 1284 Jhlgfj32.exe 97 PID 1284 wrote to memory of 5088 1284 Jhlgfj32.exe 97 PID 1284 wrote to memory of 5088 1284 Jhlgfj32.exe 97 PID 5088 wrote to memory of 5072 5088 Jjmcnbdm.exe 98 PID 5088 wrote to memory of 5072 5088 Jjmcnbdm.exe 98 PID 5088 wrote to memory of 5072 5088 Jjmcnbdm.exe 98 PID 5072 wrote to memory of 1804 5072 Jnhpoamf.exe 99 PID 5072 wrote to memory of 1804 5072 Jnhpoamf.exe 99 PID 5072 wrote to memory of 1804 5072 Jnhpoamf.exe 99 PID 1804 wrote to memory of 4940 1804 Jgadgf32.exe 100 PID 1804 wrote to memory of 4940 1804 Jgadgf32.exe 100 PID 1804 wrote to memory of 4940 1804 Jgadgf32.exe 100 PID 4940 wrote to memory of 3788 4940 Jnkldqkc.exe 101 PID 4940 wrote to memory of 3788 4940 Jnkldqkc.exe 101 PID 4940 wrote to memory of 3788 4940 Jnkldqkc.exe 101 PID 3788 wrote to memory of 396 3788 Jbfheo32.exe 102 PID 3788 wrote to memory of 396 3788 Jbfheo32.exe 102 PID 3788 wrote to memory of 396 3788 Jbfheo32.exe 102 PID 396 wrote to memory of 1672 396 Jgcamf32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451N.exe"C:\Users\Admin\AppData\Local\Temp\7a9f0269c000b26a44ee4ef961fb5c0c0ac81ff6110d13dd93b91514056a8451N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe23⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe24⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe25⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe26⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe28⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3604 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe30⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe32⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe33⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe34⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe35⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe36⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe37⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe38⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe39⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4152 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe41⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe42⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe43⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe45⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe46⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe47⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe48⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe49⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe50⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe52⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3228 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe54⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe55⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3672 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe57⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe59⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe60⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe62⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe65⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe67⤵
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe68⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe69⤵PID:3460
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe71⤵PID:2652
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe72⤵PID:3956
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe73⤵PID:1688
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe74⤵PID:3156
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe75⤵PID:1308
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe77⤵PID:4776
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4736 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe80⤵PID:1052
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe81⤵PID:2480
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe82⤵PID:4128
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe83⤵PID:1056
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe84⤵PID:3280
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1396 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe86⤵
- Modifies registry class
PID:4740 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe87⤵PID:3836
-
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe88⤵PID:3420
-
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe89⤵PID:1580
-
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe90⤵PID:4576
-
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe91⤵PID:3996
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe92⤵PID:424
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe93⤵PID:4144
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe94⤵PID:1184
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe95⤵PID:3000
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe96⤵PID:2280
-
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe97⤵PID:232
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4100 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe99⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe100⤵PID:4524
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe101⤵PID:1336
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe102⤵PID:1012
-
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe103⤵PID:2068
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe104⤵PID:4456
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe105⤵PID:4820
-
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe106⤵
- Drops file in System32 directory
PID:3868 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4932 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe108⤵PID:636
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe109⤵PID:1496
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe110⤵PID:4732
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe111⤵PID:2024
-
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe112⤵PID:4972
-
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe113⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe114⤵PID:224
-
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe115⤵PID:2444
-
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe116⤵PID:2420
-
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe117⤵PID:3848
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe118⤵PID:4408
-
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe119⤵
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe120⤵PID:400
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe121⤵PID:3372
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-