Analysis
max time kernel: 110s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 06:20
Static task: static1
Behavioral task: behavioral1
Sample: f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798N.exe
Resource: win10v2004-20240802-en
General
Target: f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798N.exe
Size: 96KB
MD5: fda1bb1c24e64fd0b65d34a3b4d719d0
SHA1: b7c5050f5ee4e595ae587435d6408b7a2041a6ba
SHA256: f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798
SHA512: 911b1e698c870059baf71173a39c8ed9fe23c584e9010736d3dbfb14d2a04975a58478d937f83530ea56901c4319d89d2aa9514891b462ed0983605766a72e5a
SSDEEP: 1536:j3/xbdhICTF886cXDV2LaZS/FCb4noaJSNzJO/:rxdWyaaZSs4noakXO/
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 7140, pid_target: 10520, Process: Process not Found, procid_target: 1367
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4992 wrote to memory of 4072 4992 f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798N.exe 84
PID 4992 wrote to memory of 4072 4992 f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798N.exe 84
PID 4992 wrote to memory of 4072 4992 f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798N.exe 84
PID 4072 wrote to memory of 5028 4072 Kmgjdi32.exe 85
PID 4072 wrote to memory of 5028 4072 Kmgjdi32.exe 85
PID 4072 wrote to memory of 5028 4072 Kmgjdi32.exe 85
PID 5028 wrote to memory of 6128 5028 Kabfegeh.exe 86
PID 5028 wrote to memory of 6128 5028 Kabfegeh.exe 86
PID 5028 wrote to memory of 6128 5028 Kabfegeh.exe 86
PID 6128 wrote to memory of 5152 6128 Kdqbacdl.exe 87
PID 6128 wrote to memory of 5152 6128 Kdqbacdl.exe 87
PID 6128 wrote to memory of 5152 6128 Kdqbacdl.exe 87
PID 5152 wrote to memory of 3944 5152 Kinkijcc.exe 88
PID 5152 wrote to memory of 3944 5152 Kinkijcc.exe 88
PID 5152 wrote to memory of 3944 5152 Kinkijcc.exe 88
PID 3944 wrote to memory of 1384 3944 Kpgcfd32.exe 89
PID 3944 wrote to memory of 1384 3944 Kpgcfd32.exe 89
PID 3944 wrote to memory of 1384 3944 Kpgcfd32.exe 89
PID 1384 wrote to memory of 3144 1384 Kdcofbbi.exe 90
PID 1384 wrote to memory of 3144 1384 Kdcofbbi.exe 90
PID 1384 wrote to memory of 3144 1384 Kdcofbbi.exe 90
PID 3144 wrote to memory of 964 3144 Kipgoiqa.exe 91
PID 3144 wrote to memory of 964 3144 Kipgoiqa.exe 91
PID 3144 wrote to memory of 964 3144 Kipgoiqa.exe 91
PID 964 wrote to memory of 5536 964 Kagopg32.exe 92
PID 964 wrote to memory of 5536 964 Kagopg32.exe 92
PID 964 wrote to memory of 5536 964 Kagopg32.exe 92
PID 5536 wrote to memory of 4684 5536 Kbhlgoga.exe 93
PID 5536 wrote to memory of 4684 5536 Kbhlgoga.exe 93
PID 5536 wrote to memory of 4684 5536 Kbhlgoga.exe 93
PID 4684 wrote to memory of 2288 4684 Kibddi32.exe 94
PID 4684 wrote to memory of 2288 4684 Kibddi32.exe 94
PID 4684 wrote to memory of 2288 4684 Kibddi32.exe 94
PID 2288 wrote to memory of 4396 2288 Kailef32.exe 95
PID 2288 wrote to memory of 4396 2288 Kailef32.exe 95
PID 2288 wrote to memory of 4396 2288 Kailef32.exe 95
PID 4396 wrote to memory of 6048 4396 Kbjhmoeo.exe 96
PID 4396 wrote to memory of 6048 4396 Kbjhmoeo.exe 96
PID 4396 wrote to memory of 6048 4396 Kbjhmoeo.exe 96
PID 6048 wrote to memory of 4412 6048 Lkaqnlfa.exe 97
PID 6048 wrote to memory of 4412 6048 Lkaqnlfa.exe 97
PID 6048 wrote to memory of 4412 6048 Lkaqnlfa.exe 97
PID 4412 wrote to memory of 6100 4412 Lalikfmn.exe 98
PID 4412 wrote to memory of 6100 4412 Lalikfmn.exe 98
PID 4412 wrote to memory of 6100 4412 Lalikfmn.exe 98
PID 6100 wrote to memory of 5872 6100 Ldjegala.exe 99
PID 6100 wrote to memory of 5872 6100 Ldjegala.exe 99
PID 6100 wrote to memory of 5872 6100 Ldjegala.exe 99
PID 5872 wrote to memory of 5956 5872 Ligmohki.exe 100
PID 5872 wrote to memory of 5956 5872 Ligmohki.exe 100
PID 5872 wrote to memory of 5956 5872 Ligmohki.exe 100
PID 5956 wrote to memory of 5144 5956 Laneqekk.exe 101
PID 5956 wrote to memory of 5144 5956 Laneqekk.exe 101
PID 5956 wrote to memory of 5144 5956 Laneqekk.exe 101
PID 5144 wrote to memory of 5828 5144 Ldlamajo.exe 102
PID 5144 wrote to memory of 5828 5144 Ldlamajo.exe 102
PID 5144 wrote to memory of 5828 5144 Ldlamajo.exe 102
PID 5828 wrote to memory of 5500 5828 Lkfjik32.exe 103
PID 5828 wrote to memory of 5500 5828 Lkfjik32.exe 103
PID 5828 wrote to memory of 5500 5828 Lkfjik32.exe 103
PID 5500 wrote to memory of 4544 5500 Lmefeg32.exe 104
PID 5500 wrote to memory of 4544 5500 Lmefeg32.exe 104
PID 5500 wrote to memory of 4544 5500 Lmefeg32.exe 104
PID 4544 wrote to memory of 456 4544 Lpcbabpc.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798N.exe"C:\Users\Admin\AppData\Local\Temp\f8aa10010dfec55ade1891ac52f649c618237a7ad38794d67e90bf0a70526798N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Kmgjdi32.exeC:\Windows\system32\Kmgjdi32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Kabfegeh.exeC:\Windows\system32\Kabfegeh.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Kdqbacdl.exeC:\Windows\system32\Kdqbacdl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6128 -
C:\Windows\SysWOW64\Kinkijcc.exeC:\Windows\system32\Kinkijcc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5152 -
C:\Windows\SysWOW64\Kpgcfd32.exeC:\Windows\system32\Kpgcfd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Kdcofbbi.exeC:\Windows\system32\Kdcofbbi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Kipgoiqa.exeC:\Windows\system32\Kipgoiqa.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Kagopg32.exeC:\Windows\system32\Kagopg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Kbhlgoga.exeC:\Windows\system32\Kbhlgoga.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5536 -
C:\Windows\SysWOW64\Kibddi32.exeC:\Windows\system32\Kibddi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Kailef32.exeC:\Windows\system32\Kailef32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Kbjhmoeo.exeC:\Windows\system32\Kbjhmoeo.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Lkaqnlfa.exeC:\Windows\system32\Lkaqnlfa.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6048 -
C:\Windows\SysWOW64\Lalikfmn.exeC:\Windows\system32\Lalikfmn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Ldjegala.exeC:\Windows\system32\Ldjegala.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6100 -
C:\Windows\SysWOW64\Ligmohki.exeC:\Windows\system32\Ligmohki.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5872 -
C:\Windows\SysWOW64\Laneqekk.exeC:\Windows\system32\Laneqekk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5956 -
C:\Windows\SysWOW64\Ldlamajo.exeC:\Windows\system32\Ldlamajo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5144 -
C:\Windows\SysWOW64\Lkfjik32.exeC:\Windows\system32\Lkfjik32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5828 -
C:\Windows\SysWOW64\Lmefeg32.exeC:\Windows\system32\Lmefeg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5500 -
C:\Windows\SysWOW64\Lpcbabpc.exeC:\Windows\system32\Lpcbabpc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Lkifokpi.exeC:\Windows\system32\Lkifokpi.exe23⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Lmgckfom.exeC:\Windows\system32\Lmgckfom.exe24⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Lpeoganq.exeC:\Windows\system32\Lpeoganq.exe25⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Lkkcdjnf.exeC:\Windows\system32\Lkkcdjnf.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Laelad32.exeC:\Windows\system32\Laelad32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Ldchmpdg.exeC:\Windows\system32\Ldchmpdg.exe28⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Mippegbn.exeC:\Windows\system32\Mippegbn.exe29⤵
- Executes dropped EXE
PID:5220 -
C:\Windows\SysWOW64\Mcienm32.exeC:\Windows\system32\Mcienm32.exe30⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Mkpmpj32.exeC:\Windows\system32\Mkpmpj32.exe31⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Mdhahppa.exeC:\Windows\system32\Mdhahppa.exe32⤵
- Executes dropped EXE
PID:5360 -
C:\Windows\SysWOW64\Mkbieihn.exeC:\Windows\system32\Mkbieihn.exe33⤵
- Executes dropped EXE
PID:5544 -
C:\Windows\SysWOW64\Malabc32.exeC:\Windows\system32\Malabc32.exe34⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Mcmnilei.exeC:\Windows\system32\Mcmnilei.exe35⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Mkdfkiel.exeC:\Windows\system32\Mkdfkiel.exe36⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Mncbgdeo.exeC:\Windows\system32\Mncbgdeo.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Mpaocpdc.exeC:\Windows\system32\Mpaocpdc.exe38⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Mjjclejc.exeC:\Windows\system32\Mjjclejc.exe39⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Maqkmckf.exeC:\Windows\system32\Maqkmckf.exe40⤵
- Executes dropped EXE
PID:5436 -
C:\Windows\SysWOW64\Ngncejim.exeC:\Windows\system32\Ngncejim.exe41⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nnglbd32.exeC:\Windows\system32\Nnglbd32.exe42⤵
- Executes dropped EXE
PID:5632 -
C:\Windows\SysWOW64\Npfhno32.exeC:\Windows\system32\Npfhno32.exe43⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Nkklkhpc.exeC:\Windows\system32\Nkklkhpc.exe44⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Naedhb32.exeC:\Windows\system32\Naedhb32.exe45⤵
- Executes dropped EXE
PID:5756 -
C:\Windows\SysWOW64\Ngbmpi32.exeC:\Windows\system32\Ngbmpi32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5468 -
C:\Windows\SysWOW64\Npkaiolh.exeC:\Windows\system32\Npkaiolh.exe47⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nkpffgkn.exeC:\Windows\system32\Nkpffgkn.exe48⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Nnobbc32.exeC:\Windows\system32\Nnobbc32.exe49⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Nqmnon32.exeC:\Windows\system32\Nqmnon32.exe50⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Njebgdpf.exeC:\Windows\system32\Njebgdpf.exe51⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Nalkiaah.exeC:\Windows\system32\Nalkiaah.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Odkgempl.exeC:\Windows\system32\Odkgempl.exe53⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Oncknb32.exeC:\Windows\system32\Oncknb32.exe54⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Oaogna32.exeC:\Windows\system32\Oaogna32.exe55⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ocpdfied.exeC:\Windows\system32\Ocpdfied.exe56⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ojjlbc32.exeC:\Windows\system32\Ojjlbc32.exe57⤵
- Executes dropped EXE
PID:5476 -
C:\Windows\SysWOW64\Odpppl32.exeC:\Windows\system32\Odpppl32.exe58⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Okihmfcc.exeC:\Windows\system32\Okihmfcc.exe59⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Obcaip32.exeC:\Windows\system32\Obcaip32.exe60⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Ocemah32.exeC:\Windows\system32\Ocemah32.exe61⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Obfnopin.exeC:\Windows\system32\Obfnopin.exe62⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Oknbhe32.exeC:\Windows\system32\Oknbhe32.exe63⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Pqkjpl32.exeC:\Windows\system32\Pqkjpl32.exe64⤵
- Executes dropped EXE
PID:6136 -
C:\Windows\SysWOW64\Pbjgjo32.exeC:\Windows\system32\Pbjgjo32.exe65⤵
- Executes dropped EXE
PID:5172 -
C:\Windows\SysWOW64\Pggobf32.exeC:\Windows\system32\Pggobf32.exe66⤵PID:3172
-
C:\Windows\SysWOW64\Pjflna32.exeC:\Windows\system32\Pjflna32.exe67⤵PID:1500
-
C:\Windows\SysWOW64\Pqpdkliq.exeC:\Windows\system32\Pqpdkliq.exe68⤵
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Pcnpgghd.exeC:\Windows\system32\Pcnpgghd.exe69⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Pncddp32.exeC:\Windows\system32\Pncddp32.exe70⤵PID:2172
-
C:\Windows\SysWOW64\Pbopeoqc.exeC:\Windows\system32\Pbopeoqc.exe71⤵PID:3028
-
C:\Windows\SysWOW64\Pdnmajpg.exeC:\Windows\system32\Pdnmajpg.exe72⤵PID:2156
-
C:\Windows\SysWOW64\Pjjeiann.exeC:\Windows\system32\Pjjeiann.exe73⤵PID:1952
-
C:\Windows\SysWOW64\Pqdmfk32.exeC:\Windows\system32\Pqdmfk32.exe74⤵PID:5020
-
C:\Windows\SysWOW64\Pccibf32.exeC:\Windows\system32\Pccibf32.exe75⤵PID:5864
-
C:\Windows\SysWOW64\Pjmaoq32.exeC:\Windows\system32\Pjmaoq32.exe76⤵PID:2644
-
C:\Windows\SysWOW64\Qbdjpn32.exeC:\Windows\system32\Qbdjpn32.exe77⤵PID:5012
-
C:\Windows\SysWOW64\Qqgjlkch.exeC:\Windows\system32\Qqgjlkch.exe78⤵PID:5812
-
C:\Windows\SysWOW64\Qgqbhe32.exeC:\Windows\system32\Qgqbhe32.exe79⤵
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Qnkjeobb.exeC:\Windows\system32\Qnkjeobb.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5792 -
C:\Windows\SysWOW64\Qaigajaf.exeC:\Windows\system32\Qaigajaf.exe81⤵
- System Location Discovery: System Language Discovery
PID:3336 -
C:\Windows\SysWOW64\Qedbbi32.exeC:\Windows\system32\Qedbbi32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Anmgko32.exeC:\Windows\system32\Anmgko32.exe83⤵PID:2656
-
C:\Windows\SysWOW64\Aakcgj32.exeC:\Windows\system32\Aakcgj32.exe84⤵PID:5612
-
C:\Windows\SysWOW64\Agelcdgp.exeC:\Windows\system32\Agelcdgp.exe85⤵PID:5304
-
C:\Windows\SysWOW64\Ajdhppfc.exeC:\Windows\system32\Ajdhppfc.exe86⤵PID:3644
-
C:\Windows\SysWOW64\Abkpamff.exeC:\Windows\system32\Abkpamff.exe87⤵PID:1920
-
C:\Windows\SysWOW64\Aanplj32.exeC:\Windows\system32\Aanplj32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Acllhe32.exeC:\Windows\system32\Acllhe32.exe89⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Akcdjb32.exeC:\Windows\system32\Akcdjb32.exe90⤵
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Anaqfnlj.exeC:\Windows\system32\Anaqfnlj.exe91⤵PID:4600
-
C:\Windows\SysWOW64\Aapmbikn.exeC:\Windows\system32\Aapmbikn.exe92⤵PID:688
-
C:\Windows\SysWOW64\Aelibh32.exeC:\Windows\system32\Aelibh32.exe93⤵PID:5312
-
C:\Windows\SysWOW64\Agjeoc32.exeC:\Windows\system32\Agjeoc32.exe94⤵PID:2896
-
C:\Windows\SysWOW64\Aenehh32.exeC:\Windows\system32\Aenehh32.exe95⤵PID:1232
-
C:\Windows\SysWOW64\Alhnebia.exeC:\Windows\system32\Alhnebia.exe96⤵PID:3352
-
C:\Windows\SysWOW64\Ajknpo32.exeC:\Windows\system32\Ajknpo32.exe97⤵PID:2452
-
C:\Windows\SysWOW64\Aaefmi32.exeC:\Windows\system32\Aaefmi32.exe98⤵PID:3088
-
C:\Windows\SysWOW64\Aljjja32.exeC:\Windows\system32\Aljjja32.exe99⤵PID:864
-
C:\Windows\SysWOW64\Bbdbglnk.exeC:\Windows\system32\Bbdbglnk.exe100⤵PID:2132
-
C:\Windows\SysWOW64\Blmgpa32.exeC:\Windows\system32\Blmgpa32.exe101⤵PID:4228
-
C:\Windows\SysWOW64\Baiphhcc.exeC:\Windows\system32\Baiphhcc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Bjbdan32.exeC:\Windows\system32\Bjbdan32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5560 -
C:\Windows\SysWOW64\Blaqkqaf.exeC:\Windows\system32\Blaqkqaf.exe104⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Bnpmglpj.exeC:\Windows\system32\Bnpmglpj.exe105⤵PID:5008
-
C:\Windows\SysWOW64\Banicgon.exeC:\Windows\system32\Banicgon.exe106⤵PID:5588
-
C:\Windows\SysWOW64\Bejedfgg.exeC:\Windows\system32\Bejedfgg.exe107⤵PID:5880
-
C:\Windows\SysWOW64\Bnbiml32.exeC:\Windows\system32\Bnbiml32.exe108⤵PID:5852
-
C:\Windows\SysWOW64\Baqfig32.exeC:\Windows\system32\Baqfig32.exe109⤵PID:2324
-
C:\Windows\SysWOW64\Cjijamcl.exeC:\Windows\system32\Cjijamcl.exe110⤵PID:1200
-
C:\Windows\SysWOW64\Cndfbk32.exeC:\Windows\system32\Cndfbk32.exe111⤵PID:1696
-
C:\Windows\SysWOW64\Cenooeca.exeC:\Windows\system32\Cenooeca.exe112⤵PID:1180
-
C:\Windows\SysWOW64\Chmkka32.exeC:\Windows\system32\Chmkka32.exe113⤵PID:2832
-
C:\Windows\SysWOW64\Cjkggl32.exeC:\Windows\system32\Cjkggl32.exe114⤵PID:3632
-
C:\Windows\SysWOW64\Caeodfif.exeC:\Windows\system32\Caeodfif.exe115⤵PID:2944
-
C:\Windows\SysWOW64\Chogqq32.exeC:\Windows\system32\Chogqq32.exe116⤵PID:2532
-
C:\Windows\SysWOW64\Coipmkho.exeC:\Windows\system32\Coipmkho.exe117⤵PID:4636
-
C:\Windows\SysWOW64\Caglifgc.exeC:\Windows\system32\Caglifgc.exe118⤵PID:4996
-
C:\Windows\SysWOW64\Chadfp32.exeC:\Windows\system32\Chadfp32.exe119⤵PID:732
-
C:\Windows\SysWOW64\Coklcj32.exeC:\Windows\system32\Coklcj32.exe120⤵PID:2996
-
C:\Windows\SysWOW64\Ceedpdmi.exeC:\Windows\system32\Ceedpdmi.exe121⤵PID:2920
-
C:\Windows\SysWOW64\Cdheka32.exeC:\Windows\system32\Cdheka32.exe122⤵PID:4056