Analysis
-
max time kernel
126s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09/09/2024, 21:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe
-
Size
123KB
-
MD5
09a9acb52451b7222b475ccb29b559e4
-
SHA1
61784b71435905615d1e0e85742193be6d27b56d
-
SHA256
50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051
-
SHA512
7de11635e0b9a888ec5aeeb3c0891a3efe2eff4c6b4a7f76208edc03565e2fb5cb262959448a3bec0c3a6ca0cf8884c600b1deaea7ec624b931ef51ea723e1d1
-
SSDEEP
1536:/iHQSinmxLxd2xLq7106AlYIG5/jp34FO5ZRYSw1mir8CAjXoiDEuGg0opGCR98:/sXxltI+Lp1ZRYSa9rR85DEn5k7r8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdllhdco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dicbfhni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacihleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mddbjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcgbmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpklp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldiiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjapfjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjalpida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbggkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihndgmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbamcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejfeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdaonmdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemhpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfjgbapo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqpcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbcaemdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idljll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgpaqbcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnlfqngm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemqdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbbnbkpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhppap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafkoiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmhbplf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggjgofkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjqhcno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkfookmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejcco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnnoip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcgcaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapancai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncenga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdmqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfiiggpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcaefo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqopqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jikojcaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhjgoga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkdbik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdeefpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlncn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biigildg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmgni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohggm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdbofo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdkmgali.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonhblad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kphmbjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcccom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkjocm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkmbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjklcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adapqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajaqjfbp.exe -
Executes dropped EXE 64 IoCs
pid Process 4708 Mhjpceko.exe 2236 Mmghklif.exe 1020 Mpedgghj.exe 4356 Mhmmieil.exe 3040 Mdcmnfop.exe 4512 Nagngjmj.exe 1464 Npjnbg32.exe 1484 Nmnnlk32.exe 4452 Nhcbidcd.exe 4360 Nalgbi32.exe 4416 Nhfoocaa.exe 2244 Npadcfnl.exe 2884 Nmedmj32.exe 1644 Ndomiddc.exe 1332 Oacmchcl.exe 4844 Okkalnjm.exe 4748 Ophjdehd.exe 5088 Odcfdc32.exe 4588 Oiqomj32.exe 1800 Omlkmign.exe 4280 Opjgidfa.exe 4728 Odfcjc32.exe 448 Ogdofo32.exe 4316 Okpkgm32.exe 4020 Oickbjmb.exe 1456 Oajccgmd.exe 3716 Opmcod32.exe 680 Ohdlpa32.exe 2268 Oggllnkl.exe 3124 Oiehhjjp.exe 4448 Onqdhh32.exe 1280 Opopdd32.exe 4864 Pdklebje.exe 3680 Phfhfa32.exe 2228 Pkedbmab.exe 4248 Pjgemi32.exe 2164 Paomog32.exe 5068 Ppamjcpj.exe 1600 Phiekaql.exe 2972 Pkgaglpp.exe 1384 Pjjaci32.exe 452 Paaidf32.exe 4876 Ppdjpcng.exe 764 Phkaqqoi.exe 2924 Pkinmlnm.exe 4116 Pnhjig32.exe 1320 Pacfjfej.exe 440 Pdbbfadn.exe 2828 Pgpobmca.exe 4104 Pklkbl32.exe 3564 Pnjgog32.exe 3080 Pafcofcg.exe 920 Pddokabk.exe 4900 Phpklp32.exe 3304 Pknghk32.exe 2496 Pahpee32.exe 4872 Qpkppbho.exe 4008 Qhbhapha.exe 4528 Qgehml32.exe 1372 Qjcdih32.exe 2664 Qnopjfgi.exe 2024 Qpmmfbfl.exe 5144 Qdihfq32.exe 5176 Qggebl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dklomnmf.exe Debfpd32.exe File created C:\Windows\SysWOW64\Plbfohbl.exe Pbjbfclk.exe File opened for modification C:\Windows\SysWOW64\Fanbll32.exe Fjcjpb32.exe File opened for modification C:\Windows\SysWOW64\Hameic32.exe Hcidoo32.exe File created C:\Windows\SysWOW64\Gdbphinj.dll Hflclcle.exe File created C:\Windows\SysWOW64\Fanbll32.exe Fjcjpb32.exe File opened for modification C:\Windows\SysWOW64\Icedkn32.exe Imklncch.exe File created C:\Windows\SysWOW64\Lpocciba.exe Lkbkkbdj.exe File created C:\Windows\SysWOW64\Mibpng32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ahgamo32.exe Adkelplc.exe File created C:\Windows\SysWOW64\Aekkkmac.dll Opcjno32.exe File opened for modification C:\Windows\SysWOW64\Ekeacmel.exe Ejfeij32.exe File created C:\Windows\SysWOW64\Dfcjogeh.dll Gnhifonl.exe File opened for modification C:\Windows\SysWOW64\Libggiik.exe Lbhojo32.exe File created C:\Windows\SysWOW64\Qidimpef.dll Abdoqd32.exe File opened for modification C:\Windows\SysWOW64\Bhppap32.exe Bimoecio.exe File created C:\Windows\SysWOW64\Mnfdkm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fgqehgco.exe Fpimgjbm.exe File created C:\Windows\SysWOW64\Mcfqjihp.dll Gmpcmkaa.exe File created C:\Windows\SysWOW64\Pofebf32.dll Hhmmkcko.exe File created C:\Windows\SysWOW64\Lhbggd32.dll Mhenpk32.exe File created C:\Windows\SysWOW64\Fpikla32.dll Gokdoj32.exe File created C:\Windows\SysWOW64\Fkbkoo32.exe Fiaogfai.exe File opened for modification C:\Windows\SysWOW64\Gajpmg32.exe Gkqhpmkg.exe File created C:\Windows\SysWOW64\Jeoiagbk.dll Fhchhm32.exe File created C:\Windows\SysWOW64\Cebaafpc.dll Hnfehm32.exe File created C:\Windows\SysWOW64\Gegilj32.dll Opgloh32.exe File opened for modification C:\Windows\SysWOW64\Dendok32.exe Dndlba32.exe File opened for modification C:\Windows\SysWOW64\Bqokhi32.exe Bnaolm32.exe File created C:\Windows\SysWOW64\Jcdian32.dll Lbhojo32.exe File created C:\Windows\SysWOW64\Fijbhpbc.dll Anjpeelk.exe File created C:\Windows\SysWOW64\Dpcdmick.dll Cddjofbj.exe File opened for modification C:\Windows\SysWOW64\Kdllhdco.exe Kifhkkci.exe File created C:\Windows\SysWOW64\Opopdd32.exe Onqdhh32.exe File created C:\Windows\SysWOW64\Bqokhi32.exe Bnaolm32.exe File created C:\Windows\SysWOW64\Mpjleadh.exe Process not Found File created C:\Windows\SysWOW64\Bdcmfkde.exe Baepjpea.exe File opened for modification C:\Windows\SysWOW64\Cgaqphgl.exe Cinpdl32.exe File created C:\Windows\SysWOW64\Dlhlleeh.exe Dgmpkg32.exe File created C:\Windows\SysWOW64\Ifkfgiph.dll Llngmeja.exe File opened for modification C:\Windows\SysWOW64\Npabeq32.exe Process not Found File created C:\Windows\SysWOW64\Kbnckjif.dll Pgknlg32.exe File created C:\Windows\SysWOW64\Bjhpqn32.exe Bcngddao.exe File created C:\Windows\SysWOW64\Gmlngkld.dll Mhbakk32.exe File opened for modification C:\Windows\SysWOW64\Fmjjqhpn.exe Fjlmdmqj.exe File created C:\Windows\SysWOW64\Gjmgjm32.dll Bqkigp32.exe File opened for modification C:\Windows\SysWOW64\Dfqogfjo.exe Dqdgop32.exe File opened for modification C:\Windows\SysWOW64\Ecpomiok.exe Eodclj32.exe File created C:\Windows\SysWOW64\Ofijifbj.exe Process not Found File created C:\Windows\SysWOW64\Igehifaa.dll Npjnbg32.exe File created C:\Windows\SysWOW64\Fdmlgcnh.dll Cohkinob.exe File created C:\Windows\SysWOW64\Mcfkkmeo.exe Process not Found File created C:\Windows\SysWOW64\Elnipj32.dll Jlblcdpf.exe File opened for modification C:\Windows\SysWOW64\Lmhnea32.exe Ldqfddml.exe File opened for modification C:\Windows\SysWOW64\Jmmjpjpg.exe Jbgfca32.exe File opened for modification C:\Windows\SysWOW64\Ekhjgoga.exe Ednajepe.exe File opened for modification C:\Windows\SysWOW64\Mdcmnfop.exe Mhmmieil.exe File created C:\Windows\SysWOW64\Bdhiofpj.dll Canocm32.exe File created C:\Windows\SysWOW64\Gbkkfg32.dll Dalkek32.exe File opened for modification C:\Windows\SysWOW64\Iodaikfl.exe Ihkila32.exe File opened for modification C:\Windows\SysWOW64\Peljha32.exe Pghiomqi.exe File created C:\Windows\SysWOW64\Ceeaim32.exe Cbfema32.exe File opened for modification C:\Windows\SysWOW64\Gaoihfoo.exe Gammbfqa.exe File opened for modification C:\Windows\SysWOW64\Kphmbjhi.exe Kmiqfoie.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10604 15020 Process not Found 1182 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mieeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qecgcfmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiqomj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Angleokb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofooqinh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllppnnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opefdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnmjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfgealk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdifdem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfiffd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ababkdij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daeddlco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmjkahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaadebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbceoped.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnkbcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geabbfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnece32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khimhefk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meobeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqdeefpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfemkdbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjbfclk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpcdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlmopqdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajccgmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaekkfcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dalkek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njljnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfniafa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aified32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpjihee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlmegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljglnmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mndjhhjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjobedk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfhkop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldqfddml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcccom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnniopcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbjhini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcled32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkioojpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oickbjmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anffje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djeegf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liabjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnpmkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eolpfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnghhqdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfdcbiol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knenffqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnknpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmjmqjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimoecio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjpoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecnmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elojej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafcofcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjjjghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbqeonfj.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 9304 Iempingp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peddhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppoijn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfeoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljjicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cckaddao.dll" Llemnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oianmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfckpa32.dll" Bkjpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oendaipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdcap32.dll" Ikpjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpodqahl.dll" Dekobaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hikfbeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfgnka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cikkga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnjjmmkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dememj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkkeehd.dll" Bnlfqngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkjah32.dll" Aocamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naamoolh.dll" Nbbldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkioojpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomgmanl.dll" Doeifpkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekngqqol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbhojo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkhceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnhdjoc.dll" Egeemiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bafgdfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjalkblo.dll" Cpedckdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Echbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkinmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlcnoajl.dll" Eodclj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lajfbmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodeje32.dll" Onjmjegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqpjdj32.dll" Npgjbabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alplfpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiclhh32.dll" Pnmhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfngke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgagnd32.dll" Icmbcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opefdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcglfjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmbbodp.dll" Ajjjjghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idqogkic.dll" Ckoifgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miikdm32.dll" Kfggbope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakahfoj.dll" Nfpled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnhppa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aamipe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Komhkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcgemhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmncghf.dll" Kifhkkci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmdqai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmchd32.dll" Jfgnka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpmdabfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbbldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkcec32.dll" Jikojcaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbbld32.dll" Fmmmqnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eodlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnckjif.dll" Pgknlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmmem32.dll" Kpccgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibpgnl32.dll" Hjjbmhfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpagbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkfeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdhmo32.dll" Aqbfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diafqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqedh32.dll" Mkcjlf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1504 wrote to memory of 4708 1504 50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe 92 PID 1504 wrote to memory of 4708 1504 50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe 92 PID 1504 wrote to memory of 4708 1504 50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe 92 PID 4708 wrote to memory of 2236 4708 Mhjpceko.exe 93 PID 4708 wrote to memory of 2236 4708 Mhjpceko.exe 93 PID 4708 wrote to memory of 2236 4708 Mhjpceko.exe 93 PID 2236 wrote to memory of 1020 2236 Mmghklif.exe 94 PID 2236 wrote to memory of 1020 2236 Mmghklif.exe 94 PID 2236 wrote to memory of 1020 2236 Mmghklif.exe 94 PID 1020 wrote to memory of 4356 1020 Mpedgghj.exe 95 PID 1020 wrote to memory of 4356 1020 Mpedgghj.exe 95 PID 1020 wrote to memory of 4356 1020 Mpedgghj.exe 95 PID 4356 wrote to memory of 3040 4356 Mhmmieil.exe 96 PID 4356 wrote to memory of 3040 4356 Mhmmieil.exe 96 PID 4356 wrote to memory of 3040 4356 Mhmmieil.exe 96 PID 3040 wrote to memory of 4512 3040 Mdcmnfop.exe 98 PID 3040 wrote to memory of 4512 3040 Mdcmnfop.exe 98 PID 3040 wrote to memory of 4512 3040 Mdcmnfop.exe 98 PID 4512 wrote to memory of 1464 4512 Nagngjmj.exe 99 PID 4512 wrote to memory of 1464 4512 Nagngjmj.exe 99 PID 4512 wrote to memory of 1464 4512 Nagngjmj.exe 99 PID 1464 wrote to memory of 1484 1464 Npjnbg32.exe 100 PID 1464 wrote to memory of 1484 1464 Npjnbg32.exe 100 PID 1464 wrote to memory of 1484 1464 Npjnbg32.exe 100 PID 1484 wrote to memory of 4452 1484 Nmnnlk32.exe 101 PID 1484 wrote to memory of 4452 1484 Nmnnlk32.exe 101 PID 1484 wrote to memory of 4452 1484 Nmnnlk32.exe 101 PID 4452 wrote to memory of 4360 4452 Nhcbidcd.exe 102 PID 4452 wrote to memory of 4360 4452 Nhcbidcd.exe 102 PID 4452 wrote to memory of 4360 4452 Nhcbidcd.exe 102 PID 4360 wrote to memory of 4416 4360 Nalgbi32.exe 103 PID 4360 wrote to memory of 4416 4360 Nalgbi32.exe 103 PID 4360 wrote to memory of 4416 4360 Nalgbi32.exe 103 PID 4416 wrote to memory of 2244 4416 Nhfoocaa.exe 104 PID 4416 wrote to memory of 2244 4416 Nhfoocaa.exe 104 PID 4416 wrote to memory of 2244 4416 Nhfoocaa.exe 104 PID 2244 wrote to memory of 2884 2244 Npadcfnl.exe 105 PID 2244 wrote to memory of 2884 2244 Npadcfnl.exe 105 PID 2244 wrote to memory of 2884 2244 Npadcfnl.exe 105 PID 2884 wrote to memory of 1644 2884 Nmedmj32.exe 106 PID 2884 wrote to memory of 1644 2884 Nmedmj32.exe 106 PID 2884 wrote to memory of 1644 2884 Nmedmj32.exe 106 PID 1644 wrote to memory of 1332 1644 Ndomiddc.exe 107 PID 1644 wrote to memory of 1332 1644 Ndomiddc.exe 107 PID 1644 wrote to memory of 1332 1644 Ndomiddc.exe 107 PID 1332 wrote to memory of 4844 1332 Oacmchcl.exe 108 PID 1332 wrote to memory of 4844 1332 Oacmchcl.exe 108 PID 1332 wrote to memory of 4844 1332 Oacmchcl.exe 108 PID 4844 wrote to memory of 4748 4844 Okkalnjm.exe 109 PID 4844 wrote to memory of 4748 4844 Okkalnjm.exe 109 PID 4844 wrote to memory of 4748 4844 Okkalnjm.exe 109 PID 4748 wrote to memory of 5088 4748 Ophjdehd.exe 110 PID 4748 wrote to memory of 5088 4748 Ophjdehd.exe 110 PID 4748 wrote to memory of 5088 4748 Ophjdehd.exe 110 PID 5088 wrote to memory of 4588 5088 Odcfdc32.exe 111 PID 5088 wrote to memory of 4588 5088 Odcfdc32.exe 111 PID 5088 wrote to memory of 4588 5088 Odcfdc32.exe 111 PID 4588 wrote to memory of 1800 4588 Oiqomj32.exe 112 PID 4588 wrote to memory of 1800 4588 Oiqomj32.exe 112 PID 4588 wrote to memory of 1800 4588 Oiqomj32.exe 112 PID 1800 wrote to memory of 4280 1800 Omlkmign.exe 113 PID 1800 wrote to memory of 4280 1800 Omlkmign.exe 113 PID 1800 wrote to memory of 4280 1800 Omlkmign.exe 113 PID 4280 wrote to memory of 4728 4280 Opjgidfa.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe"C:\Users\Admin\AppData\Local\Temp\50428d7f1a7e37ba9620337630cd8da11132cec32868a8d8af31cd84a8392051.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Mhjpceko.exeC:\Windows\system32\Mhjpceko.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Mmghklif.exeC:\Windows\system32\Mmghklif.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Mpedgghj.exeC:\Windows\system32\Mpedgghj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Mhmmieil.exeC:\Windows\system32\Mhmmieil.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Mdcmnfop.exeC:\Windows\system32\Mdcmnfop.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Nagngjmj.exeC:\Windows\system32\Nagngjmj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Npjnbg32.exeC:\Windows\system32\Npjnbg32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Nmnnlk32.exeC:\Windows\system32\Nmnnlk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Nhcbidcd.exeC:\Windows\system32\Nhcbidcd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Nhfoocaa.exeC:\Windows\system32\Nhfoocaa.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Npadcfnl.exeC:\Windows\system32\Npadcfnl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Oacmchcl.exeC:\Windows\system32\Oacmchcl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Ophjdehd.exeC:\Windows\system32\Ophjdehd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Odcfdc32.exeC:\Windows\system32\Odcfdc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Oiqomj32.exeC:\Windows\system32\Oiqomj32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Omlkmign.exeC:\Windows\system32\Omlkmign.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Opjgidfa.exeC:\Windows\system32\Opjgidfa.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Odfcjc32.exeC:\Windows\system32\Odfcjc32.exe23⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Ogdofo32.exeC:\Windows\system32\Ogdofo32.exe24⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe25⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4020 -
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Opmcod32.exeC:\Windows\system32\Opmcod32.exe28⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Ohdlpa32.exeC:\Windows\system32\Ohdlpa32.exe29⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe30⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Oiehhjjp.exeC:\Windows\system32\Oiehhjjp.exe31⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4448 -
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe33⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Pdklebje.exeC:\Windows\system32\Pdklebje.exe34⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Phfhfa32.exeC:\Windows\system32\Phfhfa32.exe35⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Pkedbmab.exeC:\Windows\system32\Pkedbmab.exe36⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Pjgemi32.exeC:\Windows\system32\Pjgemi32.exe37⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Paomog32.exeC:\Windows\system32\Paomog32.exe38⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ppamjcpj.exeC:\Windows\system32\Ppamjcpj.exe39⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Phiekaql.exeC:\Windows\system32\Phiekaql.exe40⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Pkgaglpp.exeC:\Windows\system32\Pkgaglpp.exe41⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Pjjaci32.exeC:\Windows\system32\Pjjaci32.exe42⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Paaidf32.exeC:\Windows\system32\Paaidf32.exe43⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe44⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Phkaqqoi.exeC:\Windows\system32\Phkaqqoi.exe45⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Pkinmlnm.exeC:\Windows\system32\Pkinmlnm.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Pnhjig32.exeC:\Windows\system32\Pnhjig32.exe47⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Pacfjfej.exeC:\Windows\system32\Pacfjfej.exe48⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Pdbbfadn.exeC:\Windows\system32\Pdbbfadn.exe49⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Pgpobmca.exeC:\Windows\system32\Pgpobmca.exe50⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Pklkbl32.exeC:\Windows\system32\Pklkbl32.exe51⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Pnjgog32.exeC:\Windows\system32\Pnjgog32.exe52⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Pafcofcg.exeC:\Windows\system32\Pafcofcg.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Windows\SysWOW64\Pddokabk.exeC:\Windows\system32\Pddokabk.exe54⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Pknghk32.exeC:\Windows\system32\Pknghk32.exe56⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe57⤵PID:752
-
C:\Windows\SysWOW64\Pahpee32.exeC:\Windows\system32\Pahpee32.exe58⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Qpkppbho.exeC:\Windows\system32\Qpkppbho.exe59⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Qhbhapha.exeC:\Windows\system32\Qhbhapha.exe60⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Qgehml32.exeC:\Windows\system32\Qgehml32.exe61⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe62⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Qnopjfgi.exeC:\Windows\system32\Qnopjfgi.exe63⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe64⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe65⤵
- Executes dropped EXE
PID:5144 -
C:\Windows\SysWOW64\Qggebl32.exeC:\Windows\system32\Qggebl32.exe66⤵
- Executes dropped EXE
PID:5176 -
C:\Windows\SysWOW64\Qkcackeb.exeC:\Windows\system32\Qkcackeb.exe67⤵PID:5216
-
C:\Windows\SysWOW64\Qjeaog32.exeC:\Windows\system32\Qjeaog32.exe68⤵PID:5264
-
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe69⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Adkelplc.exeC:\Windows\system32\Adkelplc.exe70⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe71⤵PID:5376
-
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe72⤵PID:5420
-
C:\Windows\SysWOW64\Ajhndgjj.exeC:\Windows\system32\Ajhndgjj.exe73⤵PID:5456
-
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe74⤵PID:5500
-
C:\Windows\SysWOW64\Aqbfaa32.exeC:\Windows\system32\Aqbfaa32.exe75⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Ahinbo32.exeC:\Windows\system32\Ahinbo32.exe76⤵PID:5580
-
C:\Windows\SysWOW64\Aglnnkid.exeC:\Windows\system32\Aglnnkid.exe77⤵PID:5624
-
C:\Windows\SysWOW64\Ajjjjghg.exeC:\Windows\system32\Ajjjjghg.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Anffje32.exeC:\Windows\system32\Anffje32.exe79⤵
- System Location Discovery: System Language Discovery
PID:5696 -
C:\Windows\SysWOW64\Ababkdij.exeC:\Windows\system32\Ababkdij.exe80⤵
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Windows\SysWOW64\Adpogp32.exeC:\Windows\system32\Adpogp32.exe81⤵PID:5784
-
C:\Windows\SysWOW64\Ahkkhnpg.exeC:\Windows\system32\Ahkkhnpg.exe82⤵PID:5824
-
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe83⤵PID:5856
-
C:\Windows\SysWOW64\Ajmgof32.exeC:\Windows\system32\Ajmgof32.exe84⤵PID:5904
-
C:\Windows\SysWOW64\Abdoqd32.exeC:\Windows\system32\Abdoqd32.exe85⤵
- Drops file in System32 directory
PID:5936 -
C:\Windows\SysWOW64\Aqfolqna.exeC:\Windows\system32\Aqfolqna.exe86⤵PID:5976
-
C:\Windows\SysWOW64\Ahngmnnd.exeC:\Windows\system32\Ahngmnnd.exe87⤵PID:6020
-
C:\Windows\SysWOW64\Agqhik32.exeC:\Windows\system32\Agqhik32.exe88⤵PID:6056
-
C:\Windows\SysWOW64\Ajodef32.exeC:\Windows\system32\Ajodef32.exe89⤵PID:6104
-
C:\Windows\SysWOW64\Anjpeelk.exeC:\Windows\system32\Anjpeelk.exe90⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Aqilaplo.exeC:\Windows\system32\Aqilaplo.exe91⤵PID:4796
-
C:\Windows\SysWOW64\Addhbo32.exeC:\Windows\system32\Addhbo32.exe92⤵PID:4388
-
C:\Windows\SysWOW64\Agcdnjcl.exeC:\Windows\system32\Agcdnjcl.exe93⤵PID:2688
-
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe94⤵PID:1532
-
C:\Windows\SysWOW64\Ajaqjfbp.exeC:\Windows\system32\Ajaqjfbp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1824 -
C:\Windows\SysWOW64\Bbhhlccb.exeC:\Windows\system32\Bbhhlccb.exe96⤵PID:5224
-
C:\Windows\SysWOW64\Bqkigp32.exeC:\Windows\system32\Bqkigp32.exe97⤵
- Drops file in System32 directory
PID:5292 -
C:\Windows\SysWOW64\Bhbahm32.exeC:\Windows\system32\Bhbahm32.exe98⤵PID:5364
-
C:\Windows\SysWOW64\Bkamdi32.exeC:\Windows\system32\Bkamdi32.exe99⤵PID:5440
-
C:\Windows\SysWOW64\Bnoiqd32.exeC:\Windows\system32\Bnoiqd32.exe100⤵PID:3988
-
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe101⤵PID:5572
-
C:\Windows\SysWOW64\Bnaffdfc.exeC:\Windows\system32\Bnaffdfc.exe102⤵PID:5644
-
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe103⤵PID:5724
-
C:\Windows\SysWOW64\Bdlncn32.exeC:\Windows\system32\Bdlncn32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5768 -
C:\Windows\SysWOW64\Bgjjoi32.exeC:\Windows\system32\Bgjjoi32.exe105⤵PID:5840
-
C:\Windows\SysWOW64\Bjhgke32.exeC:\Windows\system32\Bjhgke32.exe106⤵PID:5888
-
C:\Windows\SysWOW64\Bbpolb32.exeC:\Windows\system32\Bbpolb32.exe107⤵PID:5948
-
C:\Windows\SysWOW64\Bqbohocd.exeC:\Windows\system32\Bqbohocd.exe108⤵PID:6008
-
C:\Windows\SysWOW64\Biigildg.exeC:\Windows\system32\Biigildg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6068 -
C:\Windows\SysWOW64\Bkhceh32.exeC:\Windows\system32\Bkhceh32.exe110⤵
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Bjkcqdje.exeC:\Windows\system32\Bjkcqdje.exe111⤵PID:2028
-
C:\Windows\SysWOW64\Bdphnmjk.exeC:\Windows\system32\Bdphnmjk.exe112⤵PID:1648
-
C:\Windows\SysWOW64\Bgodjiio.exeC:\Windows\system32\Bgodjiio.exe113⤵PID:2208
-
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe114⤵
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Cnhlgc32.exeC:\Windows\system32\Cnhlgc32.exe115⤵PID:5428
-
C:\Windows\SysWOW64\Cqghcn32.exeC:\Windows\system32\Cqghcn32.exe116⤵PID:5352
-
C:\Windows\SysWOW64\Cinpdl32.exeC:\Windows\system32\Cinpdl32.exe117⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Cgaqphgl.exeC:\Windows\system32\Cgaqphgl.exe118⤵PID:5640
-
C:\Windows\SysWOW64\Cjomldfp.exeC:\Windows\system32\Cjomldfp.exe119⤵PID:5732
-
C:\Windows\SysWOW64\Cbfema32.exeC:\Windows\system32\Cbfema32.exe120⤵
- Drops file in System32 directory
PID:5852 -
C:\Windows\SysWOW64\Ceeaim32.exeC:\Windows\system32\Ceeaim32.exe121⤵PID:5924
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-