Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
56s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 13:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c9217b32b3909b5162eb4006e1a34060N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
c9217b32b3909b5162eb4006e1a34060N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c9217b32b3909b5162eb4006e1a34060N.exe
-
Size
93KB
-
MD5
c9217b32b3909b5162eb4006e1a34060
-
SHA1
263c9bc3c7df69811423205027f2c8f0745bc28e
-
SHA256
0eba62d3cccea54df60ffeb6508eb4a4653e9973251e163135dbde8dc8a6d8a0
-
SHA512
f9fa0239a9e1badd882e0f17a8b5c6c78ac98b62b511c8337e8b2ab9b1ad93767dbf151faf055ea11dd326698be7179941a16d62d92622530e8832bf75c791ac
-
SSDEEP
1536:jJy8jXD+k7l0xlgrPcxJo+MxisRQ8RkRLJzeLD9N0iQGRNQR8RyV+32rR:rFGb/ote8SJdEN0s4WE+3K
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opodknco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklpjlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilifndlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nohaklfk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihgmdih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghidcceo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneaacno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blipno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaklmhak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bplijcle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpanne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clfhml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Padccpal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbclgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cchdpbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hecebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigkbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkenikc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnmbme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gajjhkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqmmbqgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebialmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omnmal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lemdncoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omiand32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phaoppja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbkjap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnqjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdoccg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phaoppja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpfkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enpban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icdeee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkaeob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpokjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelhmlgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfmkbebl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochcem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckefnki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbgageq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjppfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fapgblob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikfdkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfnchfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enhaeldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikapdqoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkfghh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elaeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lehdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikagogco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mebpakbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikimeff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbnhpdke.exe -
Executes dropped EXE 64 IoCs
pid Process 2376 Jfmkbebl.exe 2776 Jikhnaao.exe 2444 Jabponba.exe 2720 Jbclgf32.exe 2596 Jpgmpk32.exe 1776 Jipaip32.exe 2436 Jlnmel32.exe 2208 Jefbnacn.exe 1884 Jlqjkk32.exe 2812 Koaclfgl.exe 1140 Kdnkdmec.exe 328 Kablnadm.exe 1688 Kkjpggkn.exe 1164 Kpgionie.exe 600 Kkmmlgik.exe 1432 Kkojbf32.exe 1584 Lmmfnb32.exe 1556 Ldgnklmi.exe 1592 Lgfjggll.exe 2472 Lidgcclp.exe 2428 Lhiddoph.exe 2112 Llepen32.exe 2120 Laahme32.exe 1492 Lemdncoa.exe 2856 Liipnb32.exe 2864 Lljipmdl.exe 2636 Lohelidp.exe 1980 Mgcjpkak.exe 1580 Mkofaj32.exe 2884 Mnmbme32.exe 1680 Mploiq32.exe 2832 Mhcfjnhm.exe 2248 Mgegfk32.exe 2956 Mjdcbf32.exe 1548 Mnpobefe.exe 324 Mpnkopeh.exe 1524 Mdigoo32.exe 924 Mkcplien.exe 892 Mnblhddb.exe 1696 Mlelda32.exe 2244 Mpphdpcf.exe 1536 Mfmqmgbm.exe 988 Mjilmejf.exe 3012 Mlgiiaij.exe 2384 Moeeelhn.exe 2728 Mgmmfjip.exe 2520 Mfpmbf32.exe 2616 Mlieoqgg.exe 3004 Nohaklfk.exe 2580 Njmfhe32.exe 1516 Nllbdp32.exe 1572 Nojnql32.exe 1564 Ncfjajma.exe 1520 Ndggib32.exe 1000 Nkaoemjm.exe 2680 Nnokahip.exe 2844 Nffccejb.exe 1528 Nhepoaif.exe 2328 Nghpjn32.exe 2092 Noohlkpc.exe 1276 Nbmdhfog.exe 1732 Ngjlpmnn.exe 828 Njhilimb.exe 1724 Nbpqmfmd.exe -
Loads dropped DLL 64 IoCs
pid Process 2188 c9217b32b3909b5162eb4006e1a34060N.exe 2188 c9217b32b3909b5162eb4006e1a34060N.exe 2376 Jfmkbebl.exe 2376 Jfmkbebl.exe 2776 Jikhnaao.exe 2776 Jikhnaao.exe 2444 Jabponba.exe 2444 Jabponba.exe 2720 Jbclgf32.exe 2720 Jbclgf32.exe 2596 Jpgmpk32.exe 2596 Jpgmpk32.exe 1776 Jipaip32.exe 1776 Jipaip32.exe 2436 Jlnmel32.exe 2436 Jlnmel32.exe 2208 Jefbnacn.exe 2208 Jefbnacn.exe 1884 Jlqjkk32.exe 1884 Jlqjkk32.exe 2812 Koaclfgl.exe 2812 Koaclfgl.exe 1140 Kdnkdmec.exe 1140 Kdnkdmec.exe 328 Kablnadm.exe 328 Kablnadm.exe 1688 Kkjpggkn.exe 1688 Kkjpggkn.exe 1164 Kpgionie.exe 1164 Kpgionie.exe 600 Kkmmlgik.exe 600 Kkmmlgik.exe 1432 Kkojbf32.exe 1432 Kkojbf32.exe 1584 Lmmfnb32.exe 1584 Lmmfnb32.exe 1556 Ldgnklmi.exe 1556 Ldgnklmi.exe 1592 Lgfjggll.exe 1592 Lgfjggll.exe 2472 Lidgcclp.exe 2472 Lidgcclp.exe 2428 Lhiddoph.exe 2428 Lhiddoph.exe 2112 Llepen32.exe 2112 Llepen32.exe 2120 Laahme32.exe 2120 Laahme32.exe 1492 Lemdncoa.exe 1492 Lemdncoa.exe 2856 Liipnb32.exe 2856 Liipnb32.exe 2864 Lljipmdl.exe 2864 Lljipmdl.exe 2636 Lohelidp.exe 2636 Lohelidp.exe 1980 Mgcjpkak.exe 1980 Mgcjpkak.exe 1580 Mkofaj32.exe 1580 Mkofaj32.exe 2884 Mnmbme32.exe 2884 Mnmbme32.exe 1680 Mploiq32.exe 1680 Mploiq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pnfnajed.exe Plhaeofp.exe File created C:\Windows\SysWOW64\Fpflghlp.dll Gdjcjf32.exe File created C:\Windows\SysWOW64\Apnjbhgo.dll Gbffjmmp.exe File opened for modification C:\Windows\SysWOW64\Gpjfcali.exe Glnkcc32.exe File created C:\Windows\SysWOW64\Cbkgog32.exe Bopknhjd.exe File created C:\Windows\SysWOW64\Mnblhddb.exe Mkcplien.exe File created C:\Windows\SysWOW64\Fnadkjlc.exe Ffjljmla.exe File created C:\Windows\SysWOW64\Niedol32.dll Jbfkeo32.exe File created C:\Windows\SysWOW64\Bpgkpogp.dll Felcbk32.exe File opened for modification C:\Windows\SysWOW64\Hoimecmb.exe Hkmaed32.exe File created C:\Windows\SysWOW64\Fogiamne.dll Lhfpdi32.exe File created C:\Windows\SysWOW64\Cpoodc32.dll Mhdpnm32.exe File opened for modification C:\Windows\SysWOW64\Ablbjj32.exe Apnfno32.exe File created C:\Windows\SysWOW64\Nakikpin.exe Nommodjj.exe File created C:\Windows\SysWOW64\Onebep32.dll Gajjhkgh.exe File opened for modification C:\Windows\SysWOW64\Meecaa32.exe Mgbcfdmo.exe File opened for modification C:\Windows\SysWOW64\Lbkaoalg.exe Lchqcd32.exe File opened for modification C:\Windows\SysWOW64\Ncamen32.exe Nqbaic32.exe File created C:\Windows\SysWOW64\Fogdap32.exe Fkkhpadq.exe File created C:\Windows\SysWOW64\Nlobbi32.dll Hdjoii32.exe File created C:\Windows\SysWOW64\Obcffefa.exe Ocpfkh32.exe File created C:\Windows\SysWOW64\Jnbppmob.dll Donojm32.exe File created C:\Windows\SysWOW64\Mhefgd32.dll Gidhbgag.exe File opened for modification C:\Windows\SysWOW64\Bkhjamcf.exe Bhjneadb.exe File opened for modification C:\Windows\SysWOW64\Imogcj32.exe Ijqjgo32.exe File created C:\Windows\SysWOW64\Lcdjpfgh.exe Lpfnckhe.exe File created C:\Windows\SysWOW64\Aadobccg.exe Qaablcej.exe File created C:\Windows\SysWOW64\Dbmkfh32.exe Donojm32.exe File opened for modification C:\Windows\SysWOW64\Fnadkjlc.exe Ffjljmla.exe File created C:\Windows\SysWOW64\Fpokjd32.exe Fhhbif32.exe File created C:\Windows\SysWOW64\Gnklmfhi.dll Fbimkpmm.exe File created C:\Windows\SysWOW64\Djpjjl32.dll Fhbbcail.exe File opened for modification C:\Windows\SysWOW64\Ihpgce32.exe Ifbkgj32.exe File created C:\Windows\SysWOW64\Lnbibolf.dll Mjdcbf32.exe File opened for modification C:\Windows\SysWOW64\Halcmn32.exe Honfqb32.exe File opened for modification C:\Windows\SysWOW64\Dglpdomh.exe Ddmchcnd.exe File created C:\Windows\SysWOW64\Hpnlndkp.exe Hlbpme32.exe File created C:\Windows\SysWOW64\Jlmock32.dll Mmbnam32.exe File opened for modification C:\Windows\SysWOW64\Pmqffonj.exe Pnnfkb32.exe File created C:\Windows\SysWOW64\Mfljkiok.dll Hkmaed32.exe File created C:\Windows\SysWOW64\Gaeddino.dll Koibpd32.exe File created C:\Windows\SysWOW64\Aopbmapo.dll Lilfgq32.exe File created C:\Windows\SysWOW64\Ocpfkh32.exe Okinik32.exe File created C:\Windows\SysWOW64\Bceeqi32.exe Bknmok32.exe File created C:\Windows\SysWOW64\Lbogaf32.dll Cbjnqh32.exe File created C:\Windows\SysWOW64\Efhcej32.exe Ecjgio32.exe File opened for modification C:\Windows\SysWOW64\Jikhnaao.exe Jfmkbebl.exe File opened for modification C:\Windows\SysWOW64\Dinpnged.exe Dfpcblfp.exe File created C:\Windows\SysWOW64\Pimkbbpi.exe Pfnoegaf.exe File created C:\Windows\SysWOW64\Geiilj32.dll Kigibh32.exe File created C:\Windows\SysWOW64\Nepokogo.exe Mdoccg32.exe File created C:\Windows\SysWOW64\Bnipnnpb.dll Ofdeeb32.exe File opened for modification C:\Windows\SysWOW64\Ccnddg32.exe Cpohhk32.exe File created C:\Windows\SysWOW64\Cgmofa32.dll Paggce32.exe File created C:\Windows\SysWOW64\Oqbejojq.dll Aoomflpd.exe File created C:\Windows\SysWOW64\Iqcmcj32.exe Imhqbkbm.exe File opened for modification C:\Windows\SysWOW64\Lgpfpe32.exe Lcdjpfgh.exe File opened for modification C:\Windows\SysWOW64\Glpgibbn.exe Gibkmgcj.exe File created C:\Windows\SysWOW64\Mhcfjnhm.exe Mploiq32.exe File created C:\Windows\SysWOW64\Ppipdl32.exe Pmkdhq32.exe File created C:\Windows\SysWOW64\Fgpcof32.dll Jndflk32.exe File created C:\Windows\SysWOW64\Meemgk32.exe Mmndfnpl.exe File opened for modification C:\Windows\SysWOW64\Abinjdad.exe Apkbnibq.exe File opened for modification C:\Windows\SysWOW64\Lohelidp.exe Lljipmdl.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekefkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljmbknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefbnacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njalacon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpqjfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqennbbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigkbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghidcceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnkicen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chggdoee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moeeelhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chgnneiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhjhdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckiiiine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnkopeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhiiloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhhkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qijdqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjekahk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgmpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omiand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqihg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqleifna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakikpin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecmjid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Donojm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfmjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pigklmqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbobaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmqigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojnql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piohgbng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammmlcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijimli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejabqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhiepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmqmgbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahbmlil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpnoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekbgbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blaobmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbglpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceickb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naegmabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahcjmkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpohhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcfngde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obecld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkaoalg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenjgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laahme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohelidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpobefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcmod32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jipaip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpdeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comhgndh.dll" Ojceef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cceapl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clclhmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eacghhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjnjqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moenkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll" Bknfeege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmbihjf.dll" Iadbqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonmbkfe.dll" Jmlobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcce32.dll" Liibgkoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lilfgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nldahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copjlmfa.dll" Ocpfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnhefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepcmgbf.dll" Gekhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alakfjbc.dll" Bkcfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djgfgkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhjoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbokp32.dll" Fbpclofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgclj32.dll" Ijlaloaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipnaoog.dll" Lkbpke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghidcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olemefec.dll" Ojndpqpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoimecmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll" Empomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmhgcfd.dll" Fpbqcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjjpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcigjjli.dll" Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mamipckp.dll" Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkdcdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llkbcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qaablcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffemqioj.dll" Albjnplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eebibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmjekahk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Liipnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anldhe32.dll" Lljipmdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limaha32.dll" Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefccdhf.dll" Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaocdi32.dll" Apclnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oibohdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkimmgco.dll" Ikfdkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcajboa.dll" Jmlfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckenobm.dll" Nlohmonb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neibanod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iojopp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkdbea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmgifa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncfjajma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqbejojq.dll" Aoomflpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhmhcigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmfjmake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cppobaeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhalngad.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2376 2188 c9217b32b3909b5162eb4006e1a34060N.exe 30 PID 2188 wrote to memory of 2376 2188 c9217b32b3909b5162eb4006e1a34060N.exe 30 PID 2188 wrote to memory of 2376 2188 c9217b32b3909b5162eb4006e1a34060N.exe 30 PID 2188 wrote to memory of 2376 2188 c9217b32b3909b5162eb4006e1a34060N.exe 30 PID 2376 wrote to memory of 2776 2376 Jfmkbebl.exe 31 PID 2376 wrote to memory of 2776 2376 Jfmkbebl.exe 31 PID 2376 wrote to memory of 2776 2376 Jfmkbebl.exe 31 PID 2376 wrote to memory of 2776 2376 Jfmkbebl.exe 31 PID 2776 wrote to memory of 2444 2776 Jikhnaao.exe 32 PID 2776 wrote to memory of 2444 2776 Jikhnaao.exe 32 PID 2776 wrote to memory of 2444 2776 Jikhnaao.exe 32 PID 2776 wrote to memory of 2444 2776 Jikhnaao.exe 32 PID 2444 wrote to memory of 2720 2444 Jabponba.exe 33 PID 2444 wrote to memory of 2720 2444 Jabponba.exe 33 PID 2444 wrote to memory of 2720 2444 Jabponba.exe 33 PID 2444 wrote to memory of 2720 2444 Jabponba.exe 33 PID 2720 wrote to memory of 2596 2720 Jbclgf32.exe 34 PID 2720 wrote to memory of 2596 2720 Jbclgf32.exe 34 PID 2720 wrote to memory of 2596 2720 Jbclgf32.exe 34 PID 2720 wrote to memory of 2596 2720 Jbclgf32.exe 34 PID 2596 wrote to memory of 1776 2596 Jpgmpk32.exe 35 PID 2596 wrote to memory of 1776 2596 Jpgmpk32.exe 35 PID 2596 wrote to memory of 1776 2596 Jpgmpk32.exe 35 PID 2596 wrote to memory of 1776 2596 Jpgmpk32.exe 35 PID 1776 wrote to memory of 2436 1776 Jipaip32.exe 36 PID 1776 wrote to memory of 2436 1776 Jipaip32.exe 36 PID 1776 wrote to memory of 2436 1776 Jipaip32.exe 36 PID 1776 wrote to memory of 2436 1776 Jipaip32.exe 36 PID 2436 wrote to memory of 2208 2436 Jlnmel32.exe 37 PID 2436 wrote to memory of 2208 2436 Jlnmel32.exe 37 PID 2436 wrote to memory of 2208 2436 Jlnmel32.exe 37 PID 2436 wrote to memory of 2208 2436 Jlnmel32.exe 37 PID 2208 wrote to memory of 1884 2208 Jefbnacn.exe 38 PID 2208 wrote to memory of 1884 2208 Jefbnacn.exe 38 PID 2208 wrote to memory of 1884 2208 Jefbnacn.exe 38 PID 2208 wrote to memory of 1884 2208 Jefbnacn.exe 38 PID 1884 wrote to memory of 2812 1884 Jlqjkk32.exe 39 PID 1884 wrote to memory of 2812 1884 Jlqjkk32.exe 39 PID 1884 wrote to memory of 2812 1884 Jlqjkk32.exe 39 PID 1884 wrote to memory of 2812 1884 Jlqjkk32.exe 39 PID 2812 wrote to memory of 1140 2812 Koaclfgl.exe 40 PID 2812 wrote to memory of 1140 2812 Koaclfgl.exe 40 PID 2812 wrote to memory of 1140 2812 Koaclfgl.exe 40 PID 2812 wrote to memory of 1140 2812 Koaclfgl.exe 40 PID 1140 wrote to memory of 328 1140 Kdnkdmec.exe 41 PID 1140 wrote to memory of 328 1140 Kdnkdmec.exe 41 PID 1140 wrote to memory of 328 1140 Kdnkdmec.exe 41 PID 1140 wrote to memory of 328 1140 Kdnkdmec.exe 41 PID 328 wrote to memory of 1688 328 Kablnadm.exe 42 PID 328 wrote to memory of 1688 328 Kablnadm.exe 42 PID 328 wrote to memory of 1688 328 Kablnadm.exe 42 PID 328 wrote to memory of 1688 328 Kablnadm.exe 42 PID 1688 wrote to memory of 1164 1688 Kkjpggkn.exe 43 PID 1688 wrote to memory of 1164 1688 Kkjpggkn.exe 43 PID 1688 wrote to memory of 1164 1688 Kkjpggkn.exe 43 PID 1688 wrote to memory of 1164 1688 Kkjpggkn.exe 43 PID 1164 wrote to memory of 600 1164 Kpgionie.exe 44 PID 1164 wrote to memory of 600 1164 Kpgionie.exe 44 PID 1164 wrote to memory of 600 1164 Kpgionie.exe 44 PID 1164 wrote to memory of 600 1164 Kpgionie.exe 44 PID 600 wrote to memory of 1432 600 Kkmmlgik.exe 45 PID 600 wrote to memory of 1432 600 Kkmmlgik.exe 45 PID 600 wrote to memory of 1432 600 Kkmmlgik.exe 45 PID 600 wrote to memory of 1432 600 Kkmmlgik.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9217b32b3909b5162eb4006e1a34060N.exe"C:\Users\Admin\AppData\Local\Temp\c9217b32b3909b5162eb4006e1a34060N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jfmkbebl.exeC:\Windows\system32\Jfmkbebl.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Jabponba.exeC:\Windows\system32\Jabponba.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Jipaip32.exeC:\Windows\system32\Jipaip32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Jefbnacn.exeC:\Windows\system32\Jefbnacn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Koaclfgl.exeC:\Windows\system32\Koaclfgl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Kkjpggkn.exeC:\Windows\system32\Kkjpggkn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Kpgionie.exeC:\Windows\system32\Kpgionie.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Kkmmlgik.exeC:\Windows\system32\Kkmmlgik.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Kkojbf32.exeC:\Windows\system32\Kkojbf32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1432 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Lgfjggll.exeC:\Windows\system32\Lgfjggll.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Lhiddoph.exeC:\Windows\system32\Lhiddoph.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe33⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe34⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Mjdcbf32.exeC:\Windows\system32\Mjdcbf32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Mdigoo32.exeC:\Windows\system32\Mdigoo32.exe38⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:924 -
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe40⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe41⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe42⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Mfmqmgbm.exeC:\Windows\system32\Mfmqmgbm.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe44⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe45⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Moeeelhn.exeC:\Windows\system32\Moeeelhn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Mgmmfjip.exeC:\Windows\system32\Mgmmfjip.exe47⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe48⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe49⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe51⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe52⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Nojnql32.exeC:\Windows\system32\Nojnql32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe55⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe56⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe57⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe58⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe59⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe60⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe61⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe62⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe63⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe64⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe65⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe66⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe67⤵PID:2304
-
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe68⤵PID:1364
-
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe70⤵
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe71⤵PID:2656
-
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe72⤵PID:2644
-
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe73⤵PID:1004
-
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe74⤵PID:1588
-
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe75⤵PID:540
-
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe76⤵PID:2060
-
C:\Windows\SysWOW64\Oibohdmd.exeC:\Windows\system32\Oibohdmd.exe77⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe78⤵
- System Location Discovery: System Language Discovery
PID:628 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe80⤵PID:1668
-
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe81⤵PID:1396
-
C:\Windows\SysWOW64\Omphocck.exeC:\Windows\system32\Omphocck.exe82⤵PID:1436
-
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:380 -
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe84⤵PID:1720
-
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe85⤵PID:1924
-
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe86⤵PID:2404
-
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe87⤵PID:2872
-
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe88⤵PID:2704
-
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe89⤵PID:2260
-
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe90⤵PID:2892
-
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe91⤵PID:2460
-
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe92⤵
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe93⤵PID:2456
-
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe94⤵PID:332
-
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe95⤵PID:856
-
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe96⤵PID:1704
-
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe97⤵PID:288
-
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe98⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe99⤵PID:2148
-
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe101⤵PID:2744
-
C:\Windows\SysWOW64\Pmnghfhi.exeC:\Windows\system32\Pmnghfhi.exe102⤵PID:2608
-
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe103⤵PID:2624
-
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe104⤵PID:2560
-
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe105⤵PID:2640
-
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe106⤵PID:2480
-
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe107⤵PID:1192
-
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe108⤵PID:2368
-
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe109⤵PID:1244
-
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe110⤵PID:796
-
C:\Windows\SysWOW64\Qmbqcf32.exeC:\Windows\system32\Qmbqcf32.exe111⤵PID:2664
-
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe112⤵PID:1460
-
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe113⤵PID:2132
-
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe114⤵PID:2996
-
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe115⤵PID:2348
-
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe116⤵PID:1872
-
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe117⤵PID:1496
-
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe118⤵PID:2220
-
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe119⤵PID:1392
-
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe120⤵PID:1608
-
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe121⤵PID:1612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-