Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
26-07-2024 01:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4eb25b5f0f7653fb85de8d4f6833dcf0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4eb25b5f0f7653fb85de8d4f6833dcf0N.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4eb25b5f0f7653fb85de8d4f6833dcf0N.exe
-
Size
63KB
-
MD5
4eb25b5f0f7653fb85de8d4f6833dcf0
-
SHA1
773a7d20202d28c3554b2d3c1fa08c69aafb3854
-
SHA256
22969ecb0f9b126882acbebaaf034ec85be672edf93b938e7466d7cc896517e9
-
SHA512
bb28bf53f9d8d526a3dbdf98f57ac19154df30570ee3af40d901b922b9e6634624ee4baa3c9613c9287578ee7b11de7ada1bd2007c153c7d01b58c31d0912989
-
SSDEEP
1536:KhW6ofRFUkDtPhzZ6KcRQck0WV7CTH1juIZo:KhMRFU05bcRQkWV7CTH1juIZo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcflko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdeoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgkiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghbhhnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malmllfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nikkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfgcieii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfoll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejklan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goocenaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjneoeeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkbnap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljhhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aicfgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdnkkmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcleoho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdfmoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fichqckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejadibmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfooe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpapcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djicmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahcjmkbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjofjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlphh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadobccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqnhmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnmmidhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Admgglep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainkcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqmpkfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idbnmgll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neblqoel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekmceaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnmjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llebnfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlmnogkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdcofop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkfqind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchpnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nommodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmiljb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkicbfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkjkcfjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnlnpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jafmngde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nphbfplf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojpomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphooc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2860 Mclgklel.exe 2272 Mdldeo32.exe 2732 Mlgiiaij.exe 2612 Mcaafk32.exe 2068 Mjkibehc.exe 2508 Nqeapo32.exe 2356 Nbfnggeo.exe 2924 Nhpfdaml.exe 2900 Nllbdp32.exe 2816 Nbhkmg32.exe 1748 Nhbciaki.exe 2332 Nkaoemjm.exe 2156 Nbkgbg32.exe 2052 Ndicnb32.exe 1096 Nghpjn32.exe 2164 Nnahgh32.exe 1616 Nqpdcc32.exe 1472 Ndlpdbnj.exe 2384 Njhilimb.exe 1560 Nndemg32.exe 1468 Nqbaic32.exe 2312 Okhefl32.exe 1448 Oqennbbl.exe 2984 Oninhgae.exe 2088 Opjkpo32.exe 2604 Ojpomh32.exe 2396 Omnkicen.exe 2588 Ochcem32.exe 584 Offpbi32.exe 1632 Oekmceaf.exe 2100 Oighcd32.exe 3016 Opaqpn32.exe 1144 Pndalkgf.exe 1408 Plhaeofp.exe 2636 Ppcmfn32.exe 2440 Pbajbi32.exe 1712 Phobjp32.exe 2428 Pnhjgj32.exe 3060 Paggce32.exe 1764 Phaoppja.exe 2448 Pjoklkie.exe 864 Pnkglj32.exe 2372 Phcleoho.exe 1612 Pfflql32.exe 1524 Palpneop.exe 2008 Phehko32.exe 1104 Qjddgj32.exe 2684 Qmbqcf32.exe 1876 Qpamoa32.exe 2568 Qdlipplq.exe 2624 Qfkelkkd.exe 1816 Qiiahgjh.exe 3008 Qmenhe32.exe 1580 Qpcjeaad.exe 1136 Qbafalph.exe 2628 Aepbmhpl.exe 2496 Aiknnf32.exe 2420 Aljjjb32.exe 2336 Aohgfm32.exe 944 Afpogk32.exe 1688 Ainkcf32.exe 2548 Allgoa32.exe 1484 Aphcppmo.exe 2444 Abfoll32.exe -
Loads dropped DLL 64 IoCs
pid Process 2672 4eb25b5f0f7653fb85de8d4f6833dcf0N.exe 2672 4eb25b5f0f7653fb85de8d4f6833dcf0N.exe 2860 Mclgklel.exe 2860 Mclgklel.exe 2272 Mdldeo32.exe 2272 Mdldeo32.exe 2732 Mlgiiaij.exe 2732 Mlgiiaij.exe 2612 Mcaafk32.exe 2612 Mcaafk32.exe 2068 Mjkibehc.exe 2068 Mjkibehc.exe 2508 Nqeapo32.exe 2508 Nqeapo32.exe 2356 Nbfnggeo.exe 2356 Nbfnggeo.exe 2924 Nhpfdaml.exe 2924 Nhpfdaml.exe 2900 Nllbdp32.exe 2900 Nllbdp32.exe 2816 Nbhkmg32.exe 2816 Nbhkmg32.exe 1748 Nhbciaki.exe 1748 Nhbciaki.exe 2332 Nkaoemjm.exe 2332 Nkaoemjm.exe 2156 Nbkgbg32.exe 2156 Nbkgbg32.exe 2052 Ndicnb32.exe 2052 Ndicnb32.exe 1096 Nghpjn32.exe 1096 Nghpjn32.exe 2164 Nnahgh32.exe 2164 Nnahgh32.exe 1616 Nqpdcc32.exe 1616 Nqpdcc32.exe 1472 Ndlpdbnj.exe 1472 Ndlpdbnj.exe 2384 Njhilimb.exe 2384 Njhilimb.exe 1560 Nndemg32.exe 1560 Nndemg32.exe 1468 Nqbaic32.exe 1468 Nqbaic32.exe 2312 Okhefl32.exe 2312 Okhefl32.exe 1448 Oqennbbl.exe 1448 Oqennbbl.exe 2984 Oninhgae.exe 2984 Oninhgae.exe 2088 Opjkpo32.exe 2088 Opjkpo32.exe 2604 Ojpomh32.exe 2604 Ojpomh32.exe 2396 Omnkicen.exe 2396 Omnkicen.exe 2588 Ochcem32.exe 2588 Ochcem32.exe 584 Offpbi32.exe 584 Offpbi32.exe 1632 Oekmceaf.exe 1632 Oekmceaf.exe 2100 Oighcd32.exe 2100 Oighcd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kcajceke.exe Kbpnkm32.exe File opened for modification C:\Windows\SysWOW64\Ipabfcdm.exe Imcfjg32.exe File opened for modification C:\Windows\SysWOW64\Jcdadhjb.exe Jaeehmko.exe File created C:\Windows\SysWOW64\Kjmihjfj.dll Immjnj32.exe File created C:\Windows\SysWOW64\Joppeeif.exe Jkdcdf32.exe File created C:\Windows\SysWOW64\Afgnkilf.exe Apnfno32.exe File created C:\Windows\SysWOW64\Ebofcd32.exe Elbmkm32.exe File created C:\Windows\SysWOW64\Akmbepcb.dll Fgjkmijh.exe File created C:\Windows\SysWOW64\Clfnfl32.dll Hdefnjkj.exe File created C:\Windows\SysWOW64\Mmmlmc32.dll Blniinac.exe File created C:\Windows\SysWOW64\Lkbgjc32.dll Idghhf32.exe File created C:\Windows\SysWOW64\Obnbpb32.exe Ooofcg32.exe File opened for modification C:\Windows\SysWOW64\Kaholp32.exe Koibpd32.exe File opened for modification C:\Windows\SysWOW64\Cpidai32.exe Cipleo32.exe File created C:\Windows\SysWOW64\Mhlmhiho.dll Dndndbnl.exe File created C:\Windows\SysWOW64\Moeodd32.dll Liboodmk.exe File opened for modification C:\Windows\SysWOW64\Mffkgl32.exe Majcoepi.exe File created C:\Windows\SysWOW64\Fbpfll32.dll Hclhjpjc.exe File opened for modification C:\Windows\SysWOW64\Lfilnh32.exe Lckpbm32.exe File opened for modification C:\Windows\SysWOW64\Iockhigl.exe Ileoknhh.exe File created C:\Windows\SysWOW64\Aghijlbj.dll Mgfiocfl.exe File opened for modification C:\Windows\SysWOW64\Gajjhkgh.exe Gmnngl32.exe File created C:\Windows\SysWOW64\Oiihig32.dll Kelmbifm.exe File created C:\Windows\SysWOW64\Igjeji32.dll Ohjkcile.exe File opened for modification C:\Windows\SysWOW64\Ioheci32.exe Idcqep32.exe File created C:\Windows\SysWOW64\Ohmkac32.dll Fpjaodmj.exe File created C:\Windows\SysWOW64\Nhkbmo32.exe Nflfad32.exe File created C:\Windows\SysWOW64\Danpld32.dll Ghddnnfi.exe File created C:\Windows\SysWOW64\Lnapncmc.dll Goddjc32.exe File opened for modification C:\Windows\SysWOW64\Ldbjdj32.exe Llkbcl32.exe File opened for modification C:\Windows\SysWOW64\Dglpdomh.exe Dfkclf32.exe File opened for modification C:\Windows\SysWOW64\Flabdecn.exe Ficehj32.exe File opened for modification C:\Windows\SysWOW64\Gfabkl32.exe Gdcfoq32.exe File created C:\Windows\SysWOW64\Clinfk32.exe Cglfndaa.exe File created C:\Windows\SysWOW64\Fmaobq32.dll Laodmoep.exe File opened for modification C:\Windows\SysWOW64\Caokmd32.exe Cjhckg32.exe File created C:\Windows\SysWOW64\Qfldmeci.dll Jqeomfgc.exe File created C:\Windows\SysWOW64\Egoibpnb.dll Bedcembk.exe File created C:\Windows\SysWOW64\Nilndfgl.exe Ndoelpid.exe File created C:\Windows\SysWOW64\Lolofd32.exe Kjpceebh.exe File opened for modification C:\Windows\SysWOW64\Flhhed32.exe Fdapcg32.exe File created C:\Windows\SysWOW64\Kggedf32.dll Jajocl32.exe File created C:\Windows\SysWOW64\Lajkbp32.exe Lolofd32.exe File created C:\Windows\SysWOW64\Gifjbd32.dll Aplkah32.exe File created C:\Windows\SysWOW64\Caqfiloi.exe Process not Found File created C:\Windows\SysWOW64\Dmomnlne.exe Process not Found File created C:\Windows\SysWOW64\Dnkhfnck.exe Dkmljcdh.exe File created C:\Windows\SysWOW64\Cpaeljha.dll Omnmal32.exe File created C:\Windows\SysWOW64\Kfopdk32.exe Kodghqop.exe File opened for modification C:\Windows\SysWOW64\Chgimh32.exe Cppakj32.exe File opened for modification C:\Windows\SysWOW64\Figocipe.exe Fapgblob.exe File created C:\Windows\SysWOW64\Ailboh32.exe Process not Found File created C:\Windows\SysWOW64\Clkicbfa.exe Cfaqfh32.exe File created C:\Windows\SysWOW64\Ilmlfcel.exe Igpdnlgd.exe File created C:\Windows\SysWOW64\Ceipknjl.dll Hbnpbm32.exe File created C:\Windows\SysWOW64\Dgfmep32.exe Ddhaie32.exe File created C:\Windows\SysWOW64\Fjglncdn.dll Jnlbgq32.exe File created C:\Windows\SysWOW64\Agacff32.dll Pjofjm32.exe File created C:\Windows\SysWOW64\Hhimephj.dll 4eb25b5f0f7653fb85de8d4f6833dcf0N.exe File created C:\Windows\SysWOW64\Ifadmn32.dll Khglkqfj.exe File created C:\Windows\SysWOW64\Oaeghhnb.dll Eoecbheg.exe File created C:\Windows\SysWOW64\Lijepc32.exe Lenioenj.exe File created C:\Windows\SysWOW64\Jpnkep32.exe Jkabmi32.exe File opened for modification C:\Windows\SysWOW64\Ogdhik32.exe Oqkpmaif.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4648 3836 Process not Found 1162 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpengf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcnhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipabfcdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljcbcngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehpga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailqfooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjihdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqeapo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiofn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollqllod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gieaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndndbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmnkglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negeln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaholp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clhecl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhkcnfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkelme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpceebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfiocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebofcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhalngad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlnpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdfdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgdqpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfmkjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gahpkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggkipci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhilimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjkpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggeokoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caokmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fabmmejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnkicen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbafalph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdnne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jempcgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqjla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idohdhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joblkegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clkicbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqleifna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmckpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgqion32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhelghol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjmcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffgfancd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapgblob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmikpngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iencdc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chgimh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqncib32.dll" Igeddb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpengf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fegjgkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llkbcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhbpahan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmdpala.dll" Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhgceh32.dll" Biiiempl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omopkm32.dll" Dchpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjmmcgha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nflfad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eikimeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfdgq32.dll" Ijqjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgalk32.dll" Laaabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejapnc32.dll" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgnelll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gindjqnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idgjqook.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfkjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecogodlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dijfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igaegm32.dll" Hlmnogkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bojkib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhjll32.dll" Ebofcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdhfdffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjdcghg.dll" Ollqllod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kodghqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njhilimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmpji32.dll" Gdcmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Docjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chabmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpinbk32.dll" Bdgcaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpclofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpdhegcc.dll" Pfchqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhdcojaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqkjmcmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kghmhegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 4eb25b5f0f7653fb85de8d4f6833dcf0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphcppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caokmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgcnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqmmbqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlga32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdlipplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqekiefo.dll" Iblola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajpndmp.dll" Epfhde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piadma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnhncclq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlekja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfopk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdldeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnmik32.dll" Akdafn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nljjqbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plhaeofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iifghk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2860 2672 4eb25b5f0f7653fb85de8d4f6833dcf0N.exe 30 PID 2672 wrote to memory of 2860 2672 4eb25b5f0f7653fb85de8d4f6833dcf0N.exe 30 PID 2672 wrote to memory of 2860 2672 4eb25b5f0f7653fb85de8d4f6833dcf0N.exe 30 PID 2672 wrote to memory of 2860 2672 4eb25b5f0f7653fb85de8d4f6833dcf0N.exe 30 PID 2860 wrote to memory of 2272 2860 Mclgklel.exe 31 PID 2860 wrote to memory of 2272 2860 Mclgklel.exe 31 PID 2860 wrote to memory of 2272 2860 Mclgklel.exe 31 PID 2860 wrote to memory of 2272 2860 Mclgklel.exe 31 PID 2272 wrote to memory of 2732 2272 Mdldeo32.exe 32 PID 2272 wrote to memory of 2732 2272 Mdldeo32.exe 32 PID 2272 wrote to memory of 2732 2272 Mdldeo32.exe 32 PID 2272 wrote to memory of 2732 2272 Mdldeo32.exe 32 PID 2732 wrote to memory of 2612 2732 Mlgiiaij.exe 33 PID 2732 wrote to memory of 2612 2732 Mlgiiaij.exe 33 PID 2732 wrote to memory of 2612 2732 Mlgiiaij.exe 33 PID 2732 wrote to memory of 2612 2732 Mlgiiaij.exe 33 PID 2612 wrote to memory of 2068 2612 Mcaafk32.exe 34 PID 2612 wrote to memory of 2068 2612 Mcaafk32.exe 34 PID 2612 wrote to memory of 2068 2612 Mcaafk32.exe 34 PID 2612 wrote to memory of 2068 2612 Mcaafk32.exe 34 PID 2068 wrote to memory of 2508 2068 Mjkibehc.exe 35 PID 2068 wrote to memory of 2508 2068 Mjkibehc.exe 35 PID 2068 wrote to memory of 2508 2068 Mjkibehc.exe 35 PID 2068 wrote to memory of 2508 2068 Mjkibehc.exe 35 PID 2508 wrote to memory of 2356 2508 Nqeapo32.exe 36 PID 2508 wrote to memory of 2356 2508 Nqeapo32.exe 36 PID 2508 wrote to memory of 2356 2508 Nqeapo32.exe 36 PID 2508 wrote to memory of 2356 2508 Nqeapo32.exe 36 PID 2356 wrote to memory of 2924 2356 Nbfnggeo.exe 37 PID 2356 wrote to memory of 2924 2356 Nbfnggeo.exe 37 PID 2356 wrote to memory of 2924 2356 Nbfnggeo.exe 37 PID 2356 wrote to memory of 2924 2356 Nbfnggeo.exe 37 PID 2924 wrote to memory of 2900 2924 Nhpfdaml.exe 38 PID 2924 wrote to memory of 2900 2924 Nhpfdaml.exe 38 PID 2924 wrote to memory of 2900 2924 Nhpfdaml.exe 38 PID 2924 wrote to memory of 2900 2924 Nhpfdaml.exe 38 PID 2900 wrote to memory of 2816 2900 Nllbdp32.exe 39 PID 2900 wrote to memory of 2816 2900 Nllbdp32.exe 39 PID 2900 wrote to memory of 2816 2900 Nllbdp32.exe 39 PID 2900 wrote to memory of 2816 2900 Nllbdp32.exe 39 PID 2816 wrote to memory of 1748 2816 Nbhkmg32.exe 40 PID 2816 wrote to memory of 1748 2816 Nbhkmg32.exe 40 PID 2816 wrote to memory of 1748 2816 Nbhkmg32.exe 40 PID 2816 wrote to memory of 1748 2816 Nbhkmg32.exe 40 PID 1748 wrote to memory of 2332 1748 Nhbciaki.exe 41 PID 1748 wrote to memory of 2332 1748 Nhbciaki.exe 41 PID 1748 wrote to memory of 2332 1748 Nhbciaki.exe 41 PID 1748 wrote to memory of 2332 1748 Nhbciaki.exe 41 PID 2332 wrote to memory of 2156 2332 Nkaoemjm.exe 42 PID 2332 wrote to memory of 2156 2332 Nkaoemjm.exe 42 PID 2332 wrote to memory of 2156 2332 Nkaoemjm.exe 42 PID 2332 wrote to memory of 2156 2332 Nkaoemjm.exe 42 PID 2156 wrote to memory of 2052 2156 Nbkgbg32.exe 43 PID 2156 wrote to memory of 2052 2156 Nbkgbg32.exe 43 PID 2156 wrote to memory of 2052 2156 Nbkgbg32.exe 43 PID 2156 wrote to memory of 2052 2156 Nbkgbg32.exe 43 PID 2052 wrote to memory of 1096 2052 Ndicnb32.exe 44 PID 2052 wrote to memory of 1096 2052 Ndicnb32.exe 44 PID 2052 wrote to memory of 1096 2052 Ndicnb32.exe 44 PID 2052 wrote to memory of 1096 2052 Ndicnb32.exe 44 PID 1096 wrote to memory of 2164 1096 Nghpjn32.exe 45 PID 1096 wrote to memory of 2164 1096 Nghpjn32.exe 45 PID 1096 wrote to memory of 2164 1096 Nghpjn32.exe 45 PID 1096 wrote to memory of 2164 1096 Nghpjn32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4eb25b5f0f7653fb85de8d4f6833dcf0N.exe"C:\Users\Admin\AppData\Local\Temp\4eb25b5f0f7653fb85de8d4f6833dcf0N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Mclgklel.exeC:\Windows\system32\Mclgklel.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Mjkibehc.exeC:\Windows\system32\Mjkibehc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Nhpfdaml.exeC:\Windows\system32\Nhpfdaml.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Nnahgh32.exeC:\Windows\system32\Nnahgh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe33⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe34⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe36⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Pbajbi32.exeC:\Windows\system32\Pbajbi32.exe37⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe38⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe39⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe40⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe41⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe42⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe43⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe45⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe46⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe47⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe48⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Qmbqcf32.exeC:\Windows\system32\Qmbqcf32.exe49⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe50⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe52⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe53⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe54⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe55⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe57⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe58⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe59⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe60⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe61⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe63⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe66⤵PID:2540
-
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe67⤵PID:2216
-
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe68⤵PID:1916
-
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe69⤵PID:1040
-
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe70⤵PID:1092
-
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe71⤵PID:2616
-
C:\Windows\SysWOW64\Alaqjaaa.exeC:\Windows\system32\Alaqjaaa.exe72⤵PID:2572
-
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe73⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe74⤵PID:2184
-
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe75⤵PID:2064
-
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe76⤵PID:760
-
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe77⤵PID:1124
-
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe78⤵PID:3000
-
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe79⤵PID:1004
-
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe80⤵PID:1508
-
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe81⤵PID:1540
-
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe82⤵PID:2284
-
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe83⤵PID:1928
-
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe84⤵PID:2580
-
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1404 -
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe86⤵PID:2876
-
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe89⤵PID:2800
-
C:\Windows\SysWOW64\Bnlphh32.exeC:\Windows\system32\Bnlphh32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:332 -
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe91⤵PID:1892
-
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe92⤵PID:1252
-
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe93⤵PID:296
-
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe94⤵PID:2764
-
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe95⤵PID:2576
-
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe96⤵PID:2880
-
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe97⤵PID:2756
-
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe98⤵PID:2828
-
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe99⤵PID:2804
-
C:\Windows\SysWOW64\Ccmblnif.exeC:\Windows\system32\Ccmblnif.exe100⤵PID:2012
-
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe101⤵PID:2360
-
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe102⤵PID:1652
-
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe103⤵PID:2476
-
C:\Windows\SysWOW64\Ckhfpp32.exeC:\Windows\system32\Ckhfpp32.exe104⤵PID:1148
-
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe105⤵PID:1776
-
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe106⤵PID:2700
-
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe107⤵PID:352
-
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe108⤵PID:2884
-
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe109⤵PID:2200
-
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe110⤵PID:2536
-
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe111⤵PID:1924
-
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe112⤵PID:2744
-
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe113⤵PID:3056
-
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe114⤵PID:2968
-
C:\Windows\SysWOW64\Cjppfl32.exeC:\Windows\system32\Cjppfl32.exe115⤵PID:676
-
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe116⤵PID:1912
-
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe117⤵PID:1728
-
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe118⤵PID:1724
-
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe119⤵
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Ckomqopi.exeC:\Windows\system32\Ckomqopi.exe120⤵PID:1220
-
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe121⤵PID:2808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-