Analysis
max time kernel: 150s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 04:41
Static task: static1
Behavioral task: behavioral1
  Sample: eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869.exe
  Resource: win10v2004-20240802-en
General
Target: eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869.exe
Size: 90KB
MD5: 572abf11894fbecf7d1f0887749e65c2
SHA1: b9ff79283f22ed554aeee3312c07732d6b93e40c
SHA256: eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869
SHA512: 944dacb84d06d5081f79bc4238ed4343fb208a51e157d560e879fcc497c4fd560c9e07d5656460a70040bea16e4701d86c5bd7bca31b98cb9cc37b22110c4544
SSDEEP: 1536:d236D51rNmXWnuSwXz0ZMKPT11jmATwgHX6fOOQ/4BrGTI5Yxj:d3D/oGuSt/aATB2U/4kT0Yxj
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dnmdmj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iohiafag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmgfli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnqhcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epapoo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qkmjbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jdgflbdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Opaeok32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmglpjak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oaonfncb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dncmaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Naiokhdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jinmco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kmaego32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oamohenq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llojpghe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jedlph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndjhmc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Afbpph32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fddeifgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idncfdlj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jokdobid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdmonf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnopdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjllobeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjehflbe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcfiqgfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnnkmdfq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqjbme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pdnfalea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajfanjqo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mnbbpkjg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nomdfjpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkdbibmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Liaggk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dbgmglin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfgfpoaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnfbilgo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqfogp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcghcgfb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfocmhcq.exe
Executes dropped EXE (64 IoCs)
pid | Process
2960 | Noepfkgh.exe
2792 | Neohbe32.exe
2736 | Nimaic32.exe
2844 | Nceeaikk.exe
2804 | Ndfbia32.exe
2704 | Oamohenq.exe
952 | Ognakk32.exe
1756 | Ofcnmh32.exe
1548 | Pidgnc32.exe
1680 | Pfhghgie.exe
812 | Pikmob32.exe
1752 | Pnhegi32.exe
2400 | Qakkncmi.exe
2260 | Ajcpgi32.exe
2376 | Algida32.exe
1668 | Aeommfnf.exe
1360 | Apgnpo32.exe
1620 | Anlkakqa.exe
1316 | Bhdpjaga.exe
996 | Behpcefk.exe
2000 | Bhiiepcl.exe
1812 | Bkjbgk32.exe
2712 | Bdbfpafn.exe
2328 | Beccgi32.exe
1596 | Condfo32.exe
2896 | Cidhcg32.exe
2972 | Cclmlm32.exe
2684 | Ckgapo32.exe
1148 | Caajmilh.exe
2256 | Ddbbod32.exe
2592 | Dnkggjpj.exe
320 | Dddodd32.exe
1048 | Dnmdmj32.exe
396 | Dgehfodh.exe
1868 | Dpnmoe32.exe
2272 | Dhiacg32.exe
2984 | Dbaflm32.exe
2152 | Efoobkej.exe
2148 | Eogckqkk.exe
824 | Eddlcgjb.exe
1308 | Ecnbpcje.exe
1516 | Fipdci32.exe
1508 | Fidmniqa.exe
928 | Gapbbk32.exe
3008 | Genkhidc.exe
1532 | Gmipmlan.exe
2480 | Ghndjd32.exe
2132 | Gmklbk32.exe
2464 | Gjomlp32.exe
1604 | Gffmqq32.exe
2772 | Hdjnje32.exe
2800 | Hjdfgojp.exe
2884 | Hdlkpd32.exe
2680 | Hiichkog.exe
2052 | Hepdml32.exe
1912 | Hohhfbkl.exe
796 | Hlliof32.exe
2128 | Ihcidgpj.exe
1512 | Idjjih32.exe
2996 | Inbobn32.exe
2448 | Iiiogoac.exe
2112 | Ipbgci32.exe
1096 | Ijklmn32.exe
1740 | Iccqedfa.exe
Loads dropped DLL (64 IoCs)
pid | Process
2548 | eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869.exe
2548 | eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869.exe
2960 | Noepfkgh.exe
2960 | Noepfkgh.exe
2792 | Neohbe32.exe
2792 | Neohbe32.exe
2736 | Nimaic32.exe
2736 | Nimaic32.exe
2844 | Nceeaikk.exe
2844 | Nceeaikk.exe
2804 | Ndfbia32.exe
2804 | Ndfbia32.exe
2704 | Oamohenq.exe
2704 | Oamohenq.exe
952 | Ognakk32.exe
952 | Ognakk32.exe
1756 | Ofcnmh32.exe
1756 | Ofcnmh32.exe
1548 | Pidgnc32.exe
1548 | Pidgnc32.exe
1680 | Pfhghgie.exe
1680 | Pfhghgie.exe
812 | Pikmob32.exe
812 | Pikmob32.exe
1752 | Pnhegi32.exe
1752 | Pnhegi32.exe
2400 | Qakkncmi.exe
2400 | Qakkncmi.exe
2260 | Ajcpgi32.exe
2260 | Ajcpgi32.exe
2376 | Algida32.exe
2376 | Algida32.exe
1668 | Aeommfnf.exe
1668 | Aeommfnf.exe
1360 | Apgnpo32.exe
1360 | Apgnpo32.exe
1620 | Anlkakqa.exe
1620 | Anlkakqa.exe
1316 | Bhdpjaga.exe
1316 | Bhdpjaga.exe
996 | Behpcefk.exe
996 | Behpcefk.exe
2000 | Bhiiepcl.exe
2000 | Bhiiepcl.exe
1812 | Bkjbgk32.exe
1812 | Bkjbgk32.exe
2712 | Bdbfpafn.exe
2712 | Bdbfpafn.exe
2328 | Beccgi32.exe
2328 | Beccgi32.exe
1596 | Condfo32.exe
1596 | Condfo32.exe
2896 | Cidhcg32.exe
2896 | Cidhcg32.exe
2972 | Cclmlm32.exe
2972 | Cclmlm32.exe
2684 | Ckgapo32.exe
2684 | Ckgapo32.exe
1148 | Caajmilh.exe
1148 | Caajmilh.exe
2256 | Ddbbod32.exe
2256 | Ddbbod32.exe
2592 | Dnkggjpj.exe
2592 | Dnkggjpj.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dcimlnba.dll | Fdlfeh32.exe
File created | C:\Windows\SysWOW64\Kpkaiibk.exe | Process not Found
File created | C:\Windows\SysWOW64\Difilehg.exe | Process not Found
File created | C:\Windows\SysWOW64\Djkemggm.dll | Process not Found
File created | C:\Windows\SysWOW64\Hbeckb32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Bigbmb32.exe | Bbnjphpe.exe
File opened for modification | C:\Windows\SysWOW64\Oplgdk32.exe | Process not Found
File created | C:\Windows\SysWOW64\Hmcnmk32.dll | Process not Found
File created | C:\Windows\SysWOW64\Aefeedna.dll | Mkhqnoci.exe
File created | C:\Windows\SysWOW64\Iebaphie.dll | Efpdoqjm.exe
File created | C:\Windows\SysWOW64\Giabcd32.dll | Process not Found
File created | C:\Windows\SysWOW64\Hmhppk32.exe | Hbblbb32.exe
File opened for modification | C:\Windows\SysWOW64\Fpkfng32.exe | Fddeifgj.exe
File created | C:\Windows\SysWOW64\Hdneohbk.exe | Hjhqaobe.exe
File opened for modification | C:\Windows\SysWOW64\Iffggo32.exe | Iolojejd.exe
File created | C:\Windows\SysWOW64\Okfkgiah.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Debclejf.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Achnip32.exe | Process not Found
File created | C:\Windows\SysWOW64\Dpqdadin.dll | Process not Found
File created | C:\Windows\SysWOW64\Lgekae32.dll | Process not Found
File created | C:\Windows\SysWOW64\Albhablg.dll | Ceclmc32.exe
File created | C:\Windows\SysWOW64\Ijqklfke.dll | Miqmkh32.exe
File opened for modification | C:\Windows\SysWOW64\Ciqdenjh.exe | Ccflhc32.exe
File created | C:\Windows\SysWOW64\Ibibenij.exe | Process not Found
File created | C:\Windows\SysWOW64\Opknijfg.dll | Process not Found
File created | C:\Windows\SysWOW64\Khglga32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ppdbepon.exe | Pjgjmipf.exe
File opened for modification | C:\Windows\SysWOW64\Lkpaja32.exe | Ldfimggd.exe
File created | C:\Windows\SysWOW64\Fkanpk32.dll | Process not Found
File created | C:\Windows\SysWOW64\Jhlndj32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Aeommfnf.exe | Algida32.exe
File created | C:\Windows\SysWOW64\Hepdml32.exe | Hiichkog.exe
File opened for modification | C:\Windows\SysWOW64\Mmolll32.exe | Mcghcgfb.exe
File opened for modification | C:\Windows\SysWOW64\Eghcckld.exe | Eomoohoi.exe
File created | C:\Windows\SysWOW64\Pdabmogd.dll | Iamjdi32.exe
File created | C:\Windows\SysWOW64\Cacedd32.exe | Process not Found
File created | C:\Windows\SysWOW64\Fhgbhcem.exe | Process not Found
File created | C:\Windows\SysWOW64\Pjkolblf.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Dejnme32.exe | Dhfnca32.exe
File opened for modification | C:\Windows\SysWOW64\Dfnncb32.exe | Cjgmoahd.exe
File created | C:\Windows\SysWOW64\Gdimlllq.exe | Fgelbhmg.exe
File created | C:\Windows\SysWOW64\Bblfnhfg.dll | Imgmonga.exe
File opened for modification | C:\Windows\SysWOW64\Kckill32.exe | Process not Found
File created | C:\Windows\SysWOW64\Fhbdkfnk.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Geaghnce.exe | Process not Found
File created | C:\Windows\SysWOW64\Gdfjjkfh.dll | Mcbjfjnp.exe
File created | C:\Windows\SysWOW64\Cadlnk32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cimplpmf.exe | Process not Found
File created | C:\Windows\SysWOW64\Bhafgd32.dll | Process not Found
File created | C:\Windows\SysWOW64\Damjhhne.exe | Dlpbpa32.exe
File opened for modification | C:\Windows\SysWOW64\Gjmnmk32.exe | Gpdide32.exe
File created | C:\Windows\SysWOW64\Hmiicj32.exe | Hdneohbk.exe
File created | C:\Windows\SysWOW64\Iammmafn.exe | Process not Found
File created | C:\Windows\SysWOW64\Ecfednma.exe | Enjmlgoj.exe
File created | C:\Windows\SysWOW64\Jbhdhdhk.dll | Egpfheoa.exe
File opened for modification | C:\Windows\SysWOW64\Lncodf32.exe | Kdkkkqlk.exe
File opened for modification | C:\Windows\SysWOW64\Hmhppk32.exe | Hbblbb32.exe
File created | C:\Windows\SysWOW64\Kohofh32.exe | Process not Found
File created | C:\Windows\SysWOW64\Cdiomfmq.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Klakhp32.exe | Kakfkg32.exe
File created | C:\Windows\SysWOW64\Qijffhki.exe | Poaanb32.exe
File created | C:\Windows\SysWOW64\Cimplpmf.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pdjnbebb.exe | Process not Found
File created | C:\Windows\SysWOW64\Pgkpbo32.exe | Process not Found
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eqjenb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlppgihj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdlkpd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obnkpafp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eklicjkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lcgldc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eafmng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odpghiqc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clgpckcb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldbcdhng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhnkdjhl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghemnm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gicfeogg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhjcmcep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkqmnh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Faihlcnh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbaflm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqapek32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgfoee32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neohbe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjhlea32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dobfhd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hohhfbkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjgjmipf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jikjcikm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfhefc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odjdlg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhfnca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pboihm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Impdeg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkelhemb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgnmao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjdfgojp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nejkam32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edgkap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkmabdfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnplhm32.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2684 | Process not Found
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdhnhpa.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bceqol32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefffo32.dll" | Kchhholk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hjeacf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aenaeg32.dll" | Fejomjgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poenqpah.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcoaaf32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nbknjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdilpd32.dll" | Cjpgnbol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bciaqnje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpklm32.dll" | Obcekq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnflbbh.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hdlkpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Biaoqqkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmjoo32.dll" | Madepihc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Blmhmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ognakk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eghcckld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjfcgba.dll" | Dhjhhacg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meccam32.dll" | Gbakdjnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Genkhidc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojbhk32.dll" | Baecgdbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hbajjiml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjiemdgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liidnijh.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahkggfo.dll" | Bkqnchgo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Djkepi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cacjebbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gicfeogg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hikppghf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbikcdn.dll" | Efoobkej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhnkqba.dll" | Hgdagelg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlgkocn.dll" | Mnqhcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nhfkhhnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ponadfim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klekpmeo.dll" | Jdoblckh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bqpejh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckajf32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglnblmj.dll" | Hjglpncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ddgnbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adcncabg.dll" | Nohpph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjhajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeoaflmd.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2548 wrote to memory of 2960 | 2548 | eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869.exe | 29
PID 2960 wrote to memory of 2792 | 2960 | Noepfkgh.exe | 30
PID 2792 wrote to memory of 2736 | 2792 | Neohbe32.exe | 31
PID 2736 wrote to memory of 2844 | 2736 | Nimaic32.exe | 32
PID 2844 wrote to memory of 2804 | 2844 | Nceeaikk.exe | 33
PID 2804 wrote to memory of 2704 | 2804 | Ndfbia32.exe | 34
PID 2704 wrote to memory of 952 | 2704 | Oamohenq.exe | 35
PID 952 wrote to memory of 1756 | 952 | Ognakk32.exe | 36
PID 1756 wrote to memory of 1548 | 1756 | Ofcnmh32.exe | 37
PID 1548 wrote to memory of 1680 | 1548 | Pidgnc32.exe | 38
PID 1680 wrote to memory of 812 | 1680 | Pfhghgie.exe | 39
PID 812 wrote to memory of 1752 | 812 | Pikmob32.exe | 40
PID 1752 wrote to memory of 2400 | 1752 | Pnhegi32.exe | 41
PID 2400 wrote to memory of 2260 | 2400 | Qakkncmi.exe | 42
PID 2260 wrote to memory of 2376 | 2260 | Ajcpgi32.exe | 43
PID 2376 wrote to memory of 1668 | 2376 | Algida32.exe | 44
Processes
C:\Users\Admin\AppData\Local\Temp\eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869.exe (command line: "C:\Users\Admin\AppData\Local\Temp\eb81657a4a56e74e64881fe2cc31f9a99c7e40f0a56f1dd216c3ad5a63551869.exe") 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
C:\Windows\SysWOW64\Noepfkgh.exe (command line: C:\Windows\system32\Noepfkgh.exe) 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960
C:\Windows\SysWOW64\Neohbe32.exe (command line: C:\Windows\system32\Neohbe32.exe) 3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
C:\Windows\SysWOW64\Nimaic32.exe (command line: C:\Windows\system32\Nimaic32.exe) 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736
C:\Windows\SysWOW64\Nceeaikk.exe (command line: C:\Windows\system32\Nceeaikk.exe) 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
C:\Windows\SysWOW64\Ndfbia32.exe (command line: C:\Windows\system32\Ndfbia32.exe) 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804
C:\Windows\SysWOW64\Oamohenq.exe (command line: C:\Windows\system32\Oamohenq.exe) 7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704
C:\Windows\SysWOW64\Ognakk32.exe (command line: C:\Windows\system32\Ognakk32.exe) 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952
C:\Windows\SysWOW64\Ofcnmh32.exe (command line: C:\Windows\system32\Ofcnmh32.exe) 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756
C:\Windows\SysWOW64\Pidgnc32.exe (command line: C:\Windows\system32\Pidgnc32.exe) 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548
C:\Windows\SysWOW64\Pfhghgie.exe (command line: C:\Windows\system32\Pfhghgie.exe) 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680
C:\Windows\SysWOW64\Pikmob32.exe (command line: C:\Windows\system32\Pikmob32.exe) 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812
C:\Windows\SysWOW64\Pnhegi32.exe (command line: C:\Windows\system32\Pnhegi32.exe) 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
C:\Windows\SysWOW64\Qakkncmi.exe (command line: C:\Windows\system32\Qakkncmi.exe) 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400
C:\Windows\SysWOW64\Ajcpgi32.exe (command line: C:\Windows\system32\Ajcpgi32.exe) 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260
C:\Windows\SysWOW64\Algida32.exe (command line: C:\Windows\system32\Algida32.exe) 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376
C:\Windows\SysWOW64\Aeommfnf.exe (command line: C:\Windows\system32\Aeommfnf.exe) 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668
C:\Windows\SysWOW64\Apgnpo32.exe (command line: C:\Windows\system32\Apgnpo32.exe) 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360
C:\Windows\SysWOW64\Anlkakqa.exe (command line: C:\Windows\system32\Anlkakqa.exe) 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620
C:\Windows\SysWOW64\Bhdpjaga.exe (command line: C:\Windows\system32\Bhdpjaga.exe) 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316
C:\Windows\SysWOW64\Behpcefk.exe (command line: C:\Windows\system32\Behpcefk.exe) 21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996
C:\Windows\SysWOW64\Bhiiepcl.exe (command line: C:\Windows\system32\Bhiiepcl.exe) 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000
C:\Windows\SysWOW64\Bkjbgk32.exe (command line: C:\Windows\system32\Bkjbgk32.exe) 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812
C:\Windows\SysWOW64\Bdbfpafn.exe (command line: C:\Windows\system32\Bdbfpafn.exe) 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712
C:\Windows\SysWOW64\Beccgi32.exe (command line: C:\Windows\system32\Beccgi32.exe) 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328
C:\Windows\SysWOW64\Condfo32.exe (command line: C:\Windows\system32\Condfo32.exe) 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596
C:\Windows\SysWOW64\Cidhcg32.exe (command line: C:\Windows\system32\Cidhcg32.exe) 27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896
C:\Windows\SysWOW64\Cclmlm32.exe (command line: C:\Windows\system32\Cclmlm32.exe) 28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972
C:\Windows\SysWOW64\Ckgapo32.exe (command line: C:\Windows\system32\Ckgapo32.exe) 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684
C:\Windows\SysWOW64\Caajmilh.exe (command line: C:\Windows\system32\Caajmilh.exe) 30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148
C:\Windows\SysWOW64\Ddbbod32.exe (command line: C:\Windows\system32\Ddbbod32.exe) 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256
C:\Windows\SysWOW64\Dnkggjpj.exe (command line: C:\Windows\system32\Dnkggjpj.exe) 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592
C:\Windows\SysWOW64\Dddodd32.exe (command line: C:\Windows\system32\Dddodd32.exe) 33⤵
- Executes dropped EXE
PID:320
C:\Windows\SysWOW64\Dnmdmj32.exe (command line: C:\Windows\system32\Dnmdmj32.exe) 34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1048
C:\Windows\SysWOW64\Dgehfodh.exe (command line: C:\Windows\system32\Dgehfodh.exe) 35⤵
- Executes dropped EXE
PID:396
C:\Windows\SysWOW64\Dpnmoe32.exe (command line: C:\Windows\system32\Dpnmoe32.exe) 36⤵
- Executes dropped EXE
PID:1868
C:\Windows\SysWOW64\Dhiacg32.exe (command line: C:\Windows\system32\Dhiacg32.exe) 37⤵
- Executes dropped EXE
PID:2272
C:\Windows\SysWOW64\Dbaflm32.exe (command line: C:\Windows\system32\Dbaflm32.exe) 38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984
C:\Windows\SysWOW64\Efoobkej.exe (command line: C:\Windows\system32\Efoobkej.exe) 39⤵
- Executes dropped EXE
- Modifies registry class
PID:2152
C:\Windows\SysWOW64\Eogckqkk.exe (command line: C:\Windows\system32\Eogckqkk.exe) 40⤵
- Executes dropped EXE
PID:2148
C:\Windows\SysWOW64\Eddlcgjb.exe (command line: C:\Windows\system32\Eddlcgjb.exe) 41⤵
- Executes dropped EXE
PID:824
C:\Windows\SysWOW64\Ecnbpcje.exe (command line: C:\Windows\system32\Ecnbpcje.exe) 42⤵
- Executes dropped EXE
PID:1308
C:\Windows\SysWOW64\Fipdci32.exe (command line: C:\Windows\system32\Fipdci32.exe) 43⤵
- Executes dropped EXE
PID:1516
C:\Windows\SysWOW64\Fidmniqa.exe (command line: C:\Windows\system32\Fidmniqa.exe) 44⤵
- Executes dropped EXE
PID:1508
C:\Windows\SysWOW64\Gapbbk32.exe (command line: C:\Windows\system32\Gapbbk32.exe) 45⤵
- Executes dropped EXE
PID:928
C:\Windows\SysWOW64\Genkhidc.exe (command line: C:\Windows\system32\Genkhidc.exe) 46⤵
- Executes dropped EXE
- Modifies registry class
PID:3008
C:\Windows\SysWOW64\Gmipmlan.exe (command line: C:\Windows\system32\Gmipmlan.exe) 47⤵
- Executes dropped EXE
PID:1532
C:\Windows\SysWOW64\Ghndjd32.exe (command line: C:\Windows\system32\Ghndjd32.exe) 48⤵
- Executes dropped EXE
PID:2480
C:\Windows\SysWOW64\Gmklbk32.exe (command line: C:\Windows\system32\Gmklbk32.exe) 49⤵
- Executes dropped EXE
PID:2132
C:\Windows\SysWOW64\Gjomlp32.exe (command line: C:\Windows\system32\Gjomlp32.exe) 50⤵
- Executes dropped EXE
PID:2464
C:\Windows\SysWOW64\Gffmqq32.exe (command line: C:\Windows\system32\Gffmqq32.exe) 51⤵
- Executes dropped EXE
PID:1604
C:\Windows\SysWOW64\Hdjnje32.exe (command line: C:\Windows\system32\Hdjnje32.exe) 52⤵
- Executes dropped EXE
PID:2772
C:\Windows\SysWOW64\Hjdfgojp.exe (command line: C:\Windows\system32\Hjdfgojp.exe) 53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800
C:\Windows\SysWOW64\Hdlkpd32.exe (command line: C:\Windows\system32\Hdlkpd32.exe) 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2884
C:\Windows\SysWOW64\Hiichkog.exe (command line: C:\Windows\system32\Hiichkog.exe) 55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680
C:\Windows\SysWOW64\Hepdml32.exe (command line: C:\Windows\system32\Hepdml32.exe) 56⤵
- Executes dropped EXE
PID:2052
C:\Windows\SysWOW64\Hohhfbkl.exe (command line: C:\Windows\system32\Hohhfbkl.exe) 57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1912
C:\Windows\SysWOW64\Hlliof32.exe (command line: C:\Windows\system32\Hlliof32.exe) 58⤵
- Executes dropped EXE
PID:796
C:\Windows\SysWOW64\Ihcidgpj.exe (command line: C:\Windows\system32\Ihcidgpj.exe) 59⤵
- Executes dropped EXE
PID:2128
C:\Windows\SysWOW64\Idjjih32.exe (command line: C:\Windows\system32\Idjjih32.exe) 60⤵
- Executes dropped EXE
PID:1512
C:\Windows\SysWOW64\Inbobn32.exe (command line: C:\Windows\system32\Inbobn32.exe) 61⤵
- Executes dropped EXE
PID:2996
C:\Windows\SysWOW64\Iiiogoac.exe (command line: C:\Windows\system32\Iiiogoac.exe) 62⤵
- Executes dropped EXE
PID:2448
C:\Windows\SysWOW64\Ipbgci32.exe (command line: C:\Windows\system32\Ipbgci32.exe) 63⤵
- Executes dropped EXE
PID:2112
C:\Windows\SysWOW64\Ijklmn32.exe (command line: C:\Windows\system32\Ijklmn32.exe) 64⤵
- Executes dropped EXE
PID:1096
C:\Windows\SysWOW64\Iccqedfa.exe (command line: C:\Windows\system32\Iccqedfa.exe) 65⤵
- Executes dropped EXE
PID:1740
C:\Windows\SysWOW64\Iniebmfg.exe (command line: C:\Windows\system32\Iniebmfg.exe) 66⤵
PID:1472
C:\Windows\SysWOW64\Jgaikb32.exe (command line: C:\Windows\system32\Jgaikb32.exe) 67⤵
PID:924
C:\Windows\SysWOW64\Jpjndh32.exe (command line: C:\Windows\system32\Jpjndh32.exe) 68⤵
PID:2476
C:\Windows\SysWOW64\Jakjlpif.exe (command line: C:\Windows\system32\Jakjlpif.exe) 69⤵
PID:1564
C:\Windows\SysWOW64\Jcjffc32.exe (command line: C:\Windows\system32\Jcjffc32.exe) 70⤵
PID:1840
C:\Windows\SysWOW64\Jlckoh32.exe (command line: C:\Windows\system32\Jlckoh32.exe) 71⤵
PID:2860
C:\Windows\SysWOW64\Jfkphnmj.exe (command line: C:\Windows\system32\Jfkphnmj.exe) 72⤵
PID:2316
C:\Windows\SysWOW64\Jocdqc32.exe (command line: C:\Windows\system32\Jocdqc32.exe) 73⤵
PID:2748
C:\Windows\SysWOW64\Kniaap32.exe (command line: C:\Windows\system32\Kniaap32.exe) 74⤵
PID:2660
C:\Windows\SysWOW64\Kgaejeoc.exe (command line: C:\Windows\system32\Kgaejeoc.exe) 75⤵
PID:3056
C:\Windows\SysWOW64\Knkngp32.exe (command line: C:\Windows\system32\Knkngp32.exe) 76⤵
PID:2552
C:\Windows\SysWOW64\Kjbnlqld.exe (command line: C:\Windows\system32\Kjbnlqld.exe) 77⤵
PID:2016
C:\Windows\SysWOW64\Kgfoee32.exe (command line: C:\Windows\system32\Kgfoee32.exe) 78⤵
- System Location Discovery: System Language Discovery
PID:2720
C:\Windows\SysWOW64\Kqncnjan.exe (command line: C:\Windows\system32\Kqncnjan.exe) 79⤵
PID:2956
C:\Windows\SysWOW64\Kfklgape.exe (command line: C:\Windows\system32\Kfklgape.exe) 80⤵
PID:1588
C:\Windows\SysWOW64\Kmedck32.exe (command line: C:\Windows\system32\Kmedck32.exe) 81⤵
PID:2188
C:\Windows\SysWOW64\Lepihndm.exe (command line: C:\Windows\system32\Lepihndm.exe) 82⤵
PID:1104
C:\Windows\SysWOW64\Lnhmqc32.exe (command line: C:\Windows\system32\Lnhmqc32.exe) 83⤵
PID:548
C:\Windows\SysWOW64\Linanl32.exe (command line: C:\Windows\system32\Linanl32.exe) 84⤵
PID:1052
C:\Windows\SysWOW64\Lbffga32.exe (command line: C:\Windows\system32\Lbffga32.exe) 85⤵
PID:876
C:\Windows\SysWOW64\Llojpghe.exe (command line: C:\Windows\system32\Llojpghe.exe) 86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628
C:\Windows\SysWOW64\Lalchnfl.exe (command line: C:\Windows\system32\Lalchnfl.exe) 87⤵
PID:884
C:\Windows\SysWOW64\Lanpmn32.exe (command line: C:\Windows\system32\Lanpmn32.exe) 88⤵
PID:2444
C:\Windows\SysWOW64\Mjfdfcjj.exe (command line: C:\Windows\system32\Mjfdfcjj.exe) 89⤵
PID:2784
C:\Windows\SysWOW64\Mhjdpgic.exe (command line: C:\Windows\system32\Mhjdpgic.exe) 90⤵
PID:1600
C:\Windows\SysWOW64\Mdaedhoh.exe (command line: C:\Windows\system32\Mdaedhoh.exe) 91⤵
PID:2676
C:\Windows\SysWOW64\Minnmomo.exe (command line: C:\Windows\system32\Minnmomo.exe) 92⤵
PID:2648
C:\Windows\SysWOW64\Mdcbjhme.exe (command line: C:\Windows\system32\Mdcbjhme.exe) 93⤵
PID:3032
C:\Windows\SysWOW64\Mmlfcn32.exe (command line: C:\Windows\system32\Mmlfcn32.exe) 94⤵
PID:1328
C:\Windows\SysWOW64\Mhegckpd.exe (command line: C:\Windows\system32\Mhegckpd.exe) 95⤵
PID:2600
C:\Windows\SysWOW64\Mbkladpj.exe (command line: C:\Windows\system32\Mbkladpj.exe) 96⤵
PID:2924
C:\Windows\SysWOW64\Noalfe32.exe (command line: C:\Windows\system32\Noalfe32.exe) 97⤵
PID:1268
C:\Windows\SysWOW64\Nlfmoidh.exe (command line: C:\Windows\system32\Nlfmoidh.exe) 98⤵
PID:2244
C:\Windows\SysWOW64\Nenaho32.exe (command line: C:\Windows\system32\Nenaho32.exe) 99⤵
PID:1376
C:\Windows\SysWOW64\Noffadai.exe (command line: C:\Windows\system32\Noffadai.exe) 100⤵
PID:1260
C:\Windows\SysWOW64\Ndcnik32.exe (command line: C:\Windows\system32\Ndcnik32.exe) 101⤵
PID:2168
C:\Windows\SysWOW64\Ocmdeg32.exe (command line: C:\Windows\system32\Ocmdeg32.exe) 102⤵
PID:2172
C:\Windows\SysWOW64\Opaeok32.exe (command line: C:\Windows\system32\Opaeok32.exe) 103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780
C:\Windows\SysWOW64\Oenngb32.exe (command line: C:\Windows\system32\Oenngb32.exe) 104⤵
PID:2220
C:\Windows\SysWOW64\Oofbph32.exe (command line: C:\Windows\system32\Oofbph32.exe) 105⤵
PID:2908
C:\Windows\SysWOW64\Okmceiii.exe (command line: C:\Windows\system32\Okmceiii.exe) 106⤵
PID:672
C:\Windows\SysWOW64\Pokkkgpo.exe (command line: C:\Windows\system32\Pokkkgpo.exe) 107⤵
PID:664
C:\Windows\SysWOW64\Pjdlkeln.exe (command line: C:\Windows\system32\Pjdlkeln.exe) 108⤵
PID:1504
C:\Windows\SysWOW64\Pqodho32.exe (command line: C:\Windows\system32\Pqodho32.exe) 109⤵
PID:2396
C:\Windows\SysWOW64\Pjgiad32.exe (command line: C:\Windows\system32\Pjgiad32.exe) 110⤵
PID:2136
C:\Windows\SysWOW64\Pconjjql.exe (command line: C:\Windows\system32\Pconjjql.exe) 111⤵
PID:276
C:\Windows\SysWOW64\Pqcncnpe.exe (command line: C:\Windows\system32\Pqcncnpe.exe) 112⤵
PID:2284
C:\Windows\SysWOW64\Pfpflenm.exe (command line: C:\Windows\system32\Pfpflenm.exe) 113⤵
PID:2344
C:\Windows\SysWOW64\Pqekin32.exe (command line: C:\Windows\system32\Pqekin32.exe) 114⤵
PID:2472
C:\Windows\SysWOW64\Qbggqfca.exe (command line: C:\Windows\system32\Qbggqfca.exe) 115⤵
PID:2892
C:\Windows\SysWOW64\Qkolil32.exe (command line: C:\Windows\system32\Qkolil32.exe) 116⤵
PID:2504
C:\Windows\SysWOW64\Qegpbaqb.exe (command line: C:\Windows\system32\Qegpbaqb.exe) 117⤵
PID:2644
C:\Windows\SysWOW64\Afgmldhe.exe (command line: C:\Windows\system32\Afgmldhe.exe) 118⤵
PID:2728
C:\Windows\SysWOW64\Akdedkfl.exe (command line: C:\Windows\system32\Akdedkfl.exe) 119⤵
PID:1244
C:\Windows\SysWOW64\Ajkokgia.exe (command line: C:\Windows\system32\Ajkokgia.exe) 120⤵
PID:1784
C:\Windows\SysWOW64\Aeachphg.exe (command line: C:\Windows\system32\Aeachphg.exe) 121⤵
PID:2104
C:\Windows\SysWOW64\Afbpph32.exe (command line: C:\Windows\system32\Afbpph32.exe) 122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800