Analysis
-
max time kernel
141s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25/08/2024, 00:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe
-
Size
512KB
-
MD5
02379118435b02c07852e3a69fe6e054
-
SHA1
e6407deddcf86ace4c5368affc5e165837da4f70
-
SHA256
6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a
-
SHA512
1ddc24680604dd02854f71f1207aa80f862ad2559f06202462a3dab0a60bcb7c2f774c155dcdc4eb0ab93b0278c825de1f5dd23eb226543757b42a848d55772e
-
SSDEEP
12288:m/pC66NUfGyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSg9:uNfGyXsGG1ws5ipr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noffadai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgkkdnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jflikm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kogjib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acqpdgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhbnjpic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqninhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdefdjnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cffnpdip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djokgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kigkmmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnbpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blplkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjdlkeln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaokhdja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjodiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iihhmhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpqlmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhjpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knldaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebkibk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlfcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlbcgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mafmhcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noepfkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hepdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mahlgkgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aendjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbflfomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Infhmmhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolcdahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kamncagl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfegakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jocdqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpqhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akldhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcmgdpid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpecdio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppkahi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aapkdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkhpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojojmfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pemdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkpckeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Makhlkel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkebig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcdkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfflal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jciaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofnok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khonbhch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnllppfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eebnqcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npbpjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjplj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbonh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Donijk32.exe -
Executes dropped EXE 64 IoCs
pid Process 1616 Jbandfkj.exe 2780 Jccjln32.exe 2740 Jjmchhhe.exe 3044 Kakdpb32.exe 2340 Kcjqlm32.exe 1584 Kjdiigbm.exe 2344 Kpqaanqd.exe 2652 Lafgdfbm.exe 2380 Lhqpqp32.exe 2472 Lojhmjag.exe 1560 Ledpjdid.exe 2924 Lmpdoffo.exe 3016 Lghigl32.exe 816 Lmbadfdl.exe 2148 Lhgeao32.exe 2272 Liibigjq.exe 1620 Mapjjdjb.exe 980 Momqbm32.exe 2244 Mlqakaqi.exe 1144 Mcjihk32.exe 632 Meiedg32.exe 1796 Nlcnaaog.exe 580 Nndjhi32.exe 356 Nekbjf32.exe 1548 Nhjofbdk.exe 3028 Nnfgnibb.exe 2296 Nabcog32.exe 2696 Nnidchqp.exe 2620 Npgppdpc.exe 3040 Nkmdmm32.exe 2724 Nnkqih32.exe 2788 Nqjmec32.exe 1088 Ngcebnen.exe 1076 Nlpmjdce.exe 2776 Noojfpbi.exe 2844 Ofibcj32.exe 1724 Ohgnoeii.exe 796 Ooaflp32.exe 2680 Ojgkih32.exe 2912 Obbonk32.exe 1252 Obdlcjkd.exe 1468 Odbhofjh.exe 2024 Ogadkajl.exe 2200 Oohmmojn.exe 1308 Obfiijia.exe 2128 Pbienj32.exe 2236 Pegaje32.exe 2160 Pgfnfq32.exe 2600 Pjdjbl32.exe 1704 Pmbfoh32.exe 1732 Pejnpe32.exe 1920 Pclolakk.exe 2744 Pfkkhmjn.exe 2984 Pnbcij32.exe 1676 Paqoef32.exe 2092 Pcokaa32.exe 2708 Pfmgmm32.exe 1416 Pmgpjgph.exe 2304 Ppelfbol.exe 2404 Pbdhbnnp.exe 456 Pjkpckob.exe 1680 Pphilb32.exe 1760 Pbfehn32.exe 1072 Qeeadi32.exe -
Loads dropped DLL 64 IoCs
pid Process 400 6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe 400 6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe 1616 Jbandfkj.exe 1616 Jbandfkj.exe 2780 Jccjln32.exe 2780 Jccjln32.exe 2740 Jjmchhhe.exe 2740 Jjmchhhe.exe 3044 Kakdpb32.exe 3044 Kakdpb32.exe 2340 Kcjqlm32.exe 2340 Kcjqlm32.exe 1584 Kjdiigbm.exe 1584 Kjdiigbm.exe 2344 Kpqaanqd.exe 2344 Kpqaanqd.exe 2652 Lafgdfbm.exe 2652 Lafgdfbm.exe 2380 Lhqpqp32.exe 2380 Lhqpqp32.exe 2472 Lojhmjag.exe 2472 Lojhmjag.exe 1560 Ledpjdid.exe 1560 Ledpjdid.exe 2924 Lmpdoffo.exe 2924 Lmpdoffo.exe 3016 Lghigl32.exe 3016 Lghigl32.exe 816 Lmbadfdl.exe 816 Lmbadfdl.exe 2148 Lhgeao32.exe 2148 Lhgeao32.exe 2272 Liibigjq.exe 2272 Liibigjq.exe 1620 Mapjjdjb.exe 1620 Mapjjdjb.exe 980 Momqbm32.exe 980 Momqbm32.exe 2244 Mlqakaqi.exe 2244 Mlqakaqi.exe 1144 Mcjihk32.exe 1144 Mcjihk32.exe 632 Meiedg32.exe 632 Meiedg32.exe 1796 Nlcnaaog.exe 1796 Nlcnaaog.exe 580 Nndjhi32.exe 580 Nndjhi32.exe 356 Nekbjf32.exe 356 Nekbjf32.exe 1548 Nhjofbdk.exe 1548 Nhjofbdk.exe 3028 Nnfgnibb.exe 3028 Nnfgnibb.exe 2296 Nabcog32.exe 2296 Nabcog32.exe 2696 Nnidchqp.exe 2696 Nnidchqp.exe 2620 Npgppdpc.exe 2620 Npgppdpc.exe 3040 Nkmdmm32.exe 3040 Nkmdmm32.exe 2724 Nnkqih32.exe 2724 Nnkqih32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dhkbak32.dll Leebcm32.exe File opened for modification C:\Windows\SysWOW64\Nhjofbdk.exe Nekbjf32.exe File created C:\Windows\SysWOW64\Hepdml32.exe Hmdohj32.exe File created C:\Windows\SysWOW64\Dlgjie32.exe Dhknigfq.exe File opened for modification C:\Windows\SysWOW64\Mpcmojia.exe Lcllii32.exe File opened for modification C:\Windows\SysWOW64\Iihhmhng.exe Iaaqkkme.exe File created C:\Windows\SysWOW64\Hhobbqkc.exe Process not Found File created C:\Windows\SysWOW64\Omfjkg32.dll Nhjofbdk.exe File created C:\Windows\SysWOW64\Pnbcij32.exe Pfkkhmjn.exe File created C:\Windows\SysWOW64\Eained32.exe Eojbii32.exe File opened for modification C:\Windows\SysWOW64\Knnmeh32.exe Process not Found File created C:\Windows\SysWOW64\Hdoklgbo.dll Glefpd32.exe File opened for modification C:\Windows\SysWOW64\Kbhckm32.exe Koifob32.exe File created C:\Windows\SysWOW64\Iljjabfh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ikfffh32.exe Iejnna32.exe File opened for modification C:\Windows\SysWOW64\Pqekin32.exe Pfpflenm.exe File opened for modification C:\Windows\SysWOW64\Dkafofde.exe Dgfkoh32.exe File opened for modification C:\Windows\SysWOW64\Fmffhi32.exe Fjhjlm32.exe File created C:\Windows\SysWOW64\Gkgfkl32.dll Kfflal32.exe File created C:\Windows\SysWOW64\Gigjch32.exe Gekncjfe.exe File opened for modification C:\Windows\SysWOW64\Gjpodhfi.exe Process not Found File created C:\Windows\SysWOW64\Limobelk.dll Process not Found File created C:\Windows\SysWOW64\Dldgme32.dll Dlokegib.exe File created C:\Windows\SysWOW64\Ijahed32.dll Fhfdffll.exe File created C:\Windows\SysWOW64\Hebhog32.dll Eepakc32.exe File opened for modification C:\Windows\SysWOW64\Edokna32.exe Daqoafkh.exe File created C:\Windows\SysWOW64\Nifmqm32.exe Mheqie32.exe File created C:\Windows\SysWOW64\Mjdicq32.dll Iniebmfg.exe File created C:\Windows\SysWOW64\Ljfkai32.dll Joijpo32.exe File created C:\Windows\SysWOW64\Eepakc32.exe Eoeiniea.exe File created C:\Windows\SysWOW64\Fecado32.dll Pcokaa32.exe File created C:\Windows\SysWOW64\Lgodphlm.dll Oqdioaqf.exe File opened for modification C:\Windows\SysWOW64\Lpiqel32.exe Lafpipoa.exe File created C:\Windows\SysWOW64\Mmjqhd32.exe Mkldli32.exe File created C:\Windows\SysWOW64\Kbpgehhj.dll Linanl32.exe File created C:\Windows\SysWOW64\Gajlcp32.exe Gbglgcbc.exe File created C:\Windows\SysWOW64\Idoaigpm.dll Ifljcanj.exe File created C:\Windows\SysWOW64\Jhchlcjj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Llefld32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hpcbol32.exe Haqbcoce.exe File opened for modification C:\Windows\SysWOW64\Momckfid.exe Mmlfcn32.exe File created C:\Windows\SysWOW64\Ffmnloih.exe Ecnbpcje.exe File created C:\Windows\SysWOW64\Bchmolkm.exe Bmndbb32.exe File opened for modification C:\Windows\SysWOW64\Gmqlgppo.exe Process not Found File created C:\Windows\SysWOW64\Amglij32.exe Alfpab32.exe File created C:\Windows\SysWOW64\Ihjfolmn.exe Ifljcanj.exe File opened for modification C:\Windows\SysWOW64\Pkglenej.exe Pgkqeo32.exe File created C:\Windows\SysWOW64\Ppepdplg.dll Gepgni32.exe File created C:\Windows\SysWOW64\Mndgpjek.dll Pgfnfq32.exe File created C:\Windows\SysWOW64\Noepfkgh.exe Npbpjn32.exe File created C:\Windows\SysWOW64\Dkohanoc.exe Dgclpp32.exe File created C:\Windows\SysWOW64\Badbapio.dll Qnmaka32.exe File created C:\Windows\SysWOW64\Pidnhdck.dll Lpiqel32.exe File created C:\Windows\SysWOW64\Camkkbdo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gapbbk32.exe Gnaffpoi.exe File created C:\Windows\SysWOW64\Anedfn32.dll Fbeeliin.exe File created C:\Windows\SysWOW64\Hllkhoaj.exe Process not Found File created C:\Windows\SysWOW64\Ipkhpk32.exe Hnllcoed.exe File opened for modification C:\Windows\SysWOW64\Kaagnp32.exe Knckbe32.exe File opened for modification C:\Windows\SysWOW64\Eickdlcd.exe Efdohq32.exe File created C:\Windows\SysWOW64\Mjlgdaad.exe Mlifie32.exe File created C:\Windows\SysWOW64\Dhgehheg.dll Process not Found File created C:\Windows\SysWOW64\Hchcmnlj.exe Process not Found File created C:\Windows\SysWOW64\Kjdiigbm.exe Kcjqlm32.exe -
Program crash 1 IoCs
pid pid_target Process 3660 3208 Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhmhpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clphjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmlfcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddjcbfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqfbbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfehpobj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiehilaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cefpmiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgqokp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkfil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhklibbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlpmjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmehlibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnifbaja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jciaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfoeqmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhgkdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffokan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iehcajjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boakgapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnagehi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgbfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkinb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgclpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcbbidgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eained32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjofbdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpenkgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooiepnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Docjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbdiabcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldldq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkafofde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odiagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eepakc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkfoikl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eloimcca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpgdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenhfqle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbonk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndgfqlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeofcpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggohi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibjec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momqbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgqbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkkdqmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pemdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnhhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdjbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmabaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkbjc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdnmda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfoeei32.dll" Jqeqhlii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnidchqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqeqhlii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdjec32.dll" Nikflm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pifcdbhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehhenpj.dll" Nlnlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngmeiaa.dll" Knocpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgoff32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lldkem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfgpnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhnpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bggohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheeallp.dll" Behpcefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbonl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlpmjdce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpmjplag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckgapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbaboaj.dll" Jkcoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmloeec.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdjedk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liaggk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbcjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofbgbaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmlcbafa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcbcah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pemdic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qiclcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mppiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgmjh32.dll" Mapjjdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilfeidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odeiddnh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmppmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcaiqfib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mafmhcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iniebmfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phcpdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odiagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phplhddp.dll" Chafpfqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmfdfpih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iegjnkod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pneiaidn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgijop32.dll" Kkmhej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llpajmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjofljho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgcjijc.dll" Gbgnpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljnebe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipkhpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlagpq.dll" Qcgkeonp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjmchhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiolio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cadfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meieho32.dll" Hikpnkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omfoko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhidjd32.dll" Nkmdmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkbhjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gciejn32.dll" Nlibhhme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcohih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahhgkdfo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 400 wrote to memory of 1616 400 6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe 29 PID 400 wrote to memory of 1616 400 6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe 29 PID 400 wrote to memory of 1616 400 6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe 29 PID 400 wrote to memory of 1616 400 6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe 29 PID 1616 wrote to memory of 2780 1616 Jbandfkj.exe 30 PID 1616 wrote to memory of 2780 1616 Jbandfkj.exe 30 PID 1616 wrote to memory of 2780 1616 Jbandfkj.exe 30 PID 1616 wrote to memory of 2780 1616 Jbandfkj.exe 30 PID 2780 wrote to memory of 2740 2780 Jccjln32.exe 31 PID 2780 wrote to memory of 2740 2780 Jccjln32.exe 31 PID 2780 wrote to memory of 2740 2780 Jccjln32.exe 31 PID 2780 wrote to memory of 2740 2780 Jccjln32.exe 31 PID 2740 wrote to memory of 3044 2740 Jjmchhhe.exe 32 PID 2740 wrote to memory of 3044 2740 Jjmchhhe.exe 32 PID 2740 wrote to memory of 3044 2740 Jjmchhhe.exe 32 PID 2740 wrote to memory of 3044 2740 Jjmchhhe.exe 32 PID 3044 wrote to memory of 2340 3044 Kakdpb32.exe 33 PID 3044 wrote to memory of 2340 3044 Kakdpb32.exe 33 PID 3044 wrote to memory of 2340 3044 Kakdpb32.exe 33 PID 3044 wrote to memory of 2340 3044 Kakdpb32.exe 33 PID 2340 wrote to memory of 1584 2340 Kcjqlm32.exe 34 PID 2340 wrote to memory of 1584 2340 Kcjqlm32.exe 34 PID 2340 wrote to memory of 1584 2340 Kcjqlm32.exe 34 PID 2340 wrote to memory of 1584 2340 Kcjqlm32.exe 34 PID 1584 wrote to memory of 2344 1584 Kjdiigbm.exe 35 PID 1584 wrote to memory of 2344 1584 Kjdiigbm.exe 35 PID 1584 wrote to memory of 2344 1584 Kjdiigbm.exe 35 PID 1584 wrote to memory of 2344 1584 Kjdiigbm.exe 35 PID 2344 wrote to memory of 2652 2344 Kpqaanqd.exe 36 PID 2344 wrote to memory of 2652 2344 Kpqaanqd.exe 36 PID 2344 wrote to memory of 2652 2344 Kpqaanqd.exe 36 PID 2344 wrote to memory of 2652 2344 Kpqaanqd.exe 36 PID 2652 wrote to memory of 2380 2652 Lafgdfbm.exe 37 PID 2652 wrote to memory of 2380 2652 Lafgdfbm.exe 37 PID 2652 wrote to memory of 2380 2652 Lafgdfbm.exe 37 PID 2652 wrote to memory of 2380 2652 Lafgdfbm.exe 37 PID 2380 wrote to memory of 2472 2380 Lhqpqp32.exe 38 PID 2380 wrote to memory of 2472 2380 Lhqpqp32.exe 38 PID 2380 wrote to memory of 2472 2380 Lhqpqp32.exe 38 PID 2380 wrote to memory of 2472 2380 Lhqpqp32.exe 38 PID 2472 wrote to memory of 1560 2472 Lojhmjag.exe 39 PID 2472 wrote to memory of 1560 2472 Lojhmjag.exe 39 PID 2472 wrote to memory of 1560 2472 Lojhmjag.exe 39 PID 2472 wrote to memory of 1560 2472 Lojhmjag.exe 39 PID 1560 wrote to memory of 2924 1560 Ledpjdid.exe 40 PID 1560 wrote to memory of 2924 1560 Ledpjdid.exe 40 PID 1560 wrote to memory of 2924 1560 Ledpjdid.exe 40 PID 1560 wrote to memory of 2924 1560 Ledpjdid.exe 40 PID 2924 wrote to memory of 3016 2924 Lmpdoffo.exe 41 PID 2924 wrote to memory of 3016 2924 Lmpdoffo.exe 41 PID 2924 wrote to memory of 3016 2924 Lmpdoffo.exe 41 PID 2924 wrote to memory of 3016 2924 Lmpdoffo.exe 41 PID 3016 wrote to memory of 816 3016 Lghigl32.exe 42 PID 3016 wrote to memory of 816 3016 Lghigl32.exe 42 PID 3016 wrote to memory of 816 3016 Lghigl32.exe 42 PID 3016 wrote to memory of 816 3016 Lghigl32.exe 42 PID 816 wrote to memory of 2148 816 Lmbadfdl.exe 43 PID 816 wrote to memory of 2148 816 Lmbadfdl.exe 43 PID 816 wrote to memory of 2148 816 Lmbadfdl.exe 43 PID 816 wrote to memory of 2148 816 Lmbadfdl.exe 43 PID 2148 wrote to memory of 2272 2148 Lhgeao32.exe 44 PID 2148 wrote to memory of 2272 2148 Lhgeao32.exe 44 PID 2148 wrote to memory of 2272 2148 Lhgeao32.exe 44 PID 2148 wrote to memory of 2272 2148 Lhgeao32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe"C:\Users\Admin\AppData\Local\Temp\6df728aaa74aa8c9e027b60f1f8d85526284b9dee3925de62ff6bd3bda81d83a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Jbandfkj.exeC:\Windows\system32\Jbandfkj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Jccjln32.exeC:\Windows\system32\Jccjln32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Jjmchhhe.exeC:\Windows\system32\Jjmchhhe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Kakdpb32.exeC:\Windows\system32\Kakdpb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Kcjqlm32.exeC:\Windows\system32\Kcjqlm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Kjdiigbm.exeC:\Windows\system32\Kjdiigbm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Kpqaanqd.exeC:\Windows\system32\Kpqaanqd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Lafgdfbm.exeC:\Windows\system32\Lafgdfbm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Lhqpqp32.exeC:\Windows\system32\Lhqpqp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Lmpdoffo.exeC:\Windows\system32\Lmpdoffo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Lghigl32.exeC:\Windows\system32\Lghigl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Lmbadfdl.exeC:\Windows\system32\Lmbadfdl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Lhgeao32.exeC:\Windows\system32\Lhgeao32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Liibigjq.exeC:\Windows\system32\Liibigjq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Mapjjdjb.exeC:\Windows\system32\Mapjjdjb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Momqbm32.exeC:\Windows\system32\Momqbm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Mcjihk32.exeC:\Windows\system32\Mcjihk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Meiedg32.exeC:\Windows\system32\Meiedg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Nlcnaaog.exeC:\Windows\system32\Nlcnaaog.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Nndjhi32.exeC:\Windows\system32\Nndjhi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Nekbjf32.exeC:\Windows\system32\Nekbjf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:356 -
C:\Windows\SysWOW64\Nhjofbdk.exeC:\Windows\system32\Nhjofbdk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Nnfgnibb.exeC:\Windows\system32\Nnfgnibb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Nabcog32.exeC:\Windows\system32\Nabcog32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Npgppdpc.exeC:\Windows\system32\Npgppdpc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Nkmdmm32.exeC:\Windows\system32\Nkmdmm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Nnkqih32.exeC:\Windows\system32\Nnkqih32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe33⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Ngcebnen.exeC:\Windows\system32\Ngcebnen.exe34⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Noojfpbi.exeC:\Windows\system32\Noojfpbi.exe36⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe37⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ohgnoeii.exeC:\Windows\system32\Ohgnoeii.exe38⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe39⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe40⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Obbonk32.exeC:\Windows\system32\Obbonk32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Obdlcjkd.exeC:\Windows\system32\Obdlcjkd.exe42⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Odbhofjh.exeC:\Windows\system32\Odbhofjh.exe43⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ogadkajl.exeC:\Windows\system32\Ogadkajl.exe44⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe45⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe46⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe47⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Pegaje32.exeC:\Windows\system32\Pegaje32.exe48⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Pgfnfq32.exeC:\Windows\system32\Pgfnfq32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Pmbfoh32.exeC:\Windows\system32\Pmbfoh32.exe51⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Pejnpe32.exeC:\Windows\system32\Pejnpe32.exe52⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Pclolakk.exeC:\Windows\system32\Pclolakk.exe53⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Pfkkhmjn.exeC:\Windows\system32\Pfkkhmjn.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Pnbcij32.exeC:\Windows\system32\Pnbcij32.exe55⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe56⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Pcokaa32.exeC:\Windows\system32\Pcokaa32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe58⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Pmgpjgph.exeC:\Windows\system32\Pmgpjgph.exe59⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Ppelfbol.exeC:\Windows\system32\Ppelfbol.exe60⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Pbdhbnnp.exeC:\Windows\system32\Pbdhbnnp.exe61⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Pjkpckob.exeC:\Windows\system32\Pjkpckob.exe62⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe63⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Pbfehn32.exeC:\Windows\system32\Pbfehn32.exe64⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe65⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe66⤵PID:2716
-
C:\Windows\SysWOW64\Qbiamm32.exeC:\Windows\system32\Qbiamm32.exe67⤵PID:2928
-
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe68⤵PID:1292
-
C:\Windows\SysWOW64\Qhejed32.exeC:\Windows\system32\Qhejed32.exe69⤵PID:2316
-
C:\Windows\SysWOW64\Qlaffbqk.exeC:\Windows\system32\Qlaffbqk.exe70⤵PID:948
-
C:\Windows\SysWOW64\Qnpbbn32.exeC:\Windows\system32\Qnpbbn32.exe71⤵PID:3004
-
C:\Windows\SysWOW64\Aeikohgk.exeC:\Windows\system32\Aeikohgk.exe72⤵PID:2260
-
C:\Windows\SysWOW64\Ahhgkdfo.exeC:\Windows\system32\Ahhgkdfo.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe74⤵PID:2408
-
C:\Windows\SysWOW64\Anbohn32.exeC:\Windows\system32\Anbohn32.exe75⤵PID:2328
-
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Adohpe32.exeC:\Windows\system32\Adohpe32.exe77⤵PID:2080
-
C:\Windows\SysWOW64\Alfpab32.exeC:\Windows\system32\Alfpab32.exe78⤵
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Amglij32.exeC:\Windows\system32\Amglij32.exe79⤵PID:1932
-
C:\Windows\SysWOW64\Aendjh32.exeC:\Windows\system32\Aendjh32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Ahmpfc32.exeC:\Windows\system32\Ahmpfc32.exe81⤵PID:272
-
C:\Windows\SysWOW64\Ajmihn32.exeC:\Windows\system32\Ajmihn32.exe82⤵PID:1152
-
C:\Windows\SysWOW64\Aipickfe.exeC:\Windows\system32\Aipickfe.exe83⤵PID:2828
-
C:\Windows\SysWOW64\Apjbpemb.exeC:\Windows\system32\Apjbpemb.exe84⤵PID:2668
-
C:\Windows\SysWOW64\Abhnlqlf.exeC:\Windows\system32\Abhnlqlf.exe85⤵PID:2832
-
C:\Windows\SysWOW64\Akpfmnmh.exeC:\Windows\system32\Akpfmnmh.exe86⤵PID:2904
-
C:\Windows\SysWOW64\Bmnbjill.exeC:\Windows\system32\Bmnbjill.exe87⤵PID:284
-
C:\Windows\SysWOW64\Blabef32.exeC:\Windows\system32\Blabef32.exe88⤵PID:2464
-
C:\Windows\SysWOW64\Bbkkbpjc.exeC:\Windows\system32\Bbkkbpjc.exe89⤵PID:2976
-
C:\Windows\SysWOW64\Beignlig.exeC:\Windows\system32\Beignlig.exe90⤵PID:2416
-
C:\Windows\SysWOW64\Bmpooiji.exeC:\Windows\system32\Bmpooiji.exe91⤵PID:1692
-
C:\Windows\SysWOW64\Boakgapg.exeC:\Windows\system32\Boakgapg.exe92⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Bgichoqj.exeC:\Windows\system32\Bgichoqj.exe93⤵PID:2792
-
C:\Windows\SysWOW64\Belcck32.exeC:\Windows\system32\Belcck32.exe94⤵PID:2588
-
C:\Windows\SysWOW64\Bhjppg32.exeC:\Windows\system32\Bhjppg32.exe95⤵PID:1820
-
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe96⤵PID:1712
-
C:\Windows\SysWOW64\Bodhlane.exeC:\Windows\system32\Bodhlane.exe97⤵PID:2456
-
C:\Windows\SysWOW64\Babdhlmh.exeC:\Windows\system32\Babdhlmh.exe98⤵PID:2452
-
C:\Windows\SysWOW64\Bhlmef32.exeC:\Windows\system32\Bhlmef32.exe99⤵PID:1900
-
C:\Windows\SysWOW64\Bkkiab32.exeC:\Windows\system32\Bkkiab32.exe100⤵PID:1452
-
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe101⤵PID:1268
-
C:\Windows\SysWOW64\Bagncl32.exeC:\Windows\system32\Bagncl32.exe102⤵PID:2320
-
C:\Windows\SysWOW64\Chafpfqp.exeC:\Windows\system32\Chafpfqp.exe103⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Coknmp32.exeC:\Windows\system32\Coknmp32.exe104⤵PID:1644
-
C:\Windows\SysWOW64\Caijik32.exeC:\Windows\system32\Caijik32.exe105⤵PID:2088
-
C:\Windows\SysWOW64\Cdhgegfd.exeC:\Windows\system32\Cdhgegfd.exe106⤵PID:2868
-
C:\Windows\SysWOW64\Ckboba32.exeC:\Windows\system32\Ckboba32.exe107⤵PID:1568
-
C:\Windows\SysWOW64\Cjdonndl.exeC:\Windows\system32\Cjdonndl.exe108⤵PID:2760
-
C:\Windows\SysWOW64\Cpogjh32.exeC:\Windows\system32\Cpogjh32.exe109⤵PID:2348
-
C:\Windows\SysWOW64\Ccmcfc32.exeC:\Windows\system32\Ccmcfc32.exe110⤵PID:2664
-
C:\Windows\SysWOW64\Cnbhcl32.exeC:\Windows\system32\Cnbhcl32.exe111⤵PID:2884
-
C:\Windows\SysWOW64\Cpadpg32.exeC:\Windows\system32\Cpadpg32.exe112⤵PID:2920
-
C:\Windows\SysWOW64\Ccoplcii.exeC:\Windows\system32\Ccoplcii.exe113⤵PID:2144
-
C:\Windows\SysWOW64\Cfnmhnhm.exeC:\Windows\system32\Cfnmhnhm.exe114⤵PID:2180
-
C:\Windows\SysWOW64\Cnedilio.exeC:\Windows\system32\Cnedilio.exe115⤵PID:3032
-
C:\Windows\SysWOW64\Cpcaeghc.exeC:\Windows\system32\Cpcaeghc.exe116⤵PID:912
-
C:\Windows\SysWOW64\Cofaad32.exeC:\Windows\system32\Cofaad32.exe117⤵PID:2292
-
C:\Windows\SysWOW64\Cfpinnfj.exeC:\Windows\system32\Cfpinnfj.exe118⤵PID:2988
-
C:\Windows\SysWOW64\Choejien.exeC:\Windows\system32\Choejien.exe119⤵PID:2660
-
C:\Windows\SysWOW64\Dpenkgfq.exeC:\Windows\system32\Dpenkgfq.exe120⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Dllnphkd.exeC:\Windows\system32\Dllnphkd.exe121⤵PID:1428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-