Analysis
max time kernel: 72s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2024 00:09
Behavioral task: behavioral1
Sample: 8aba0c885eff336f3690c8630d1d4f77bc5de5e8b559010d492337baf08f7b83N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 8aba0c885eff336f3690c8630d1d4f77bc5de5e8b559010d492337baf08f7b83N.exe
Resource: win10v2004-20240802-en
General
Target: 8aba0c885eff336f3690c8630d1d4f77bc5de5e8b559010d492337baf08f7b83N.exe
Size: 224KB
MD5: d94ec5f5702e47456baa39522bd129e0
SHA1: 86314d63ffcd7d4694cee221fc1041777d61b1d7
SHA256: 8aba0c885eff336f3690c8630d1d4f77bc5de5e8b559010d492337baf08f7b83
SHA512: 2317aaf08799cbd2eb6c1682d52454bc88b91e23fddad5255c3ccd5697001525383ff71e7a2530f21561950c6155c7562ce6f92129aa21a2216eab42eca223d8
SSDEEP: 6144:ort88r8z/GH65LRlUivKvUmKyIxLDXXoq9F1:oDr8zVZoivKv32XXf9/
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoCs)
pid: 3368, pid_target: 3080, Process: Process not Found, procid_target: 281
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (#index, process path, command line; each numbered process is the child of the one before it):

#1 C:\Users\Admin\AppData\Local\Temp\8aba0c885eff336f3690c8630d1d4f77bc5de5e8b559010d492337baf08f7b83N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8aba0c885eff336f3690c8630d1d4f77bc5de5e8b559010d492337baf08f7b83N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
#2 C:\Windows\SysWOW64\Jlgaek32.exe (command line: C:\Windows\system32\Jlgaek32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
#3 C:\Windows\SysWOW64\Joenaf32.exe (command line: C:\Windows\system32\Joenaf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
#4 C:\Windows\SysWOW64\Joenaf32.exe (command line: C:\Windows\system32\Joenaf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
#5 C:\Windows\SysWOW64\Jnhnmckc.exe (command line: C:\Windows\system32\Jnhnmckc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
#6 C:\Windows\SysWOW64\Jeofnpke.exe (command line: C:\Windows\system32\Jeofnpke.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
#7 C:\Windows\SysWOW64\Kkqhbf32.exe (command line: C:\Windows\system32\Kkqhbf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
#8 C:\Windows\SysWOW64\Kjfdcc32.exe (command line: C:\Windows\system32\Kjfdcc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
#9 C:\Windows\SysWOW64\Kobmkj32.exe (command line: C:\Windows\system32\Kobmkj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
#10 C:\Windows\SysWOW64\Klfndn32.exe (command line: C:\Windows\system32\Klfndn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
#11 C:\Windows\SysWOW64\Kcqfahom.exe (command line: C:\Windows\system32\Kcqfahom.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
#12 C:\Windows\SysWOW64\Kogffida.exe (command line: C:\Windows\system32\Kogffida.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
#13 C:\Windows\SysWOW64\Lddoopbi.exe (command line: C:\Windows\system32\Lddoopbi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
#14 C:\Windows\SysWOW64\Lbhphdab.exe (command line: C:\Windows\system32\Lbhphdab.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
#15 C:\Windows\SysWOW64\Ldfldpqf.exe (command line: C:\Windows\system32\Ldfldpqf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
#16 C:\Windows\SysWOW64\Ldihjo32.exe (command line: C:\Windows\system32\Ldihjo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
#17 C:\Windows\SysWOW64\Lkcqfifp.exe (command line: C:\Windows\system32\Lkcqfifp.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
#18 C:\Windows\SysWOW64\Lcneklck.exe (command line: C:\Windows\system32\Lcneklck.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
#19 C:\Windows\SysWOW64\Ljhngfkh.exe (command line: C:\Windows\system32\Ljhngfkh.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
#20 C:\Windows\SysWOW64\Lqbfdp32.exe (command line: C:\Windows\system32\Lqbfdp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2504 -
#21 C:\Windows\SysWOW64\Lcpbpk32.exe (command line: C:\Windows\system32\Lcpbpk32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
#22 C:\Windows\SysWOW64\Mmifiahi.exe (command line: C:\Windows\system32\Mmifiahi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
#23 C:\Windows\SysWOW64\Mgnkfjho.exe (command line: C:\Windows\system32\Mgnkfjho.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
#24 C:\Windows\SysWOW64\Mpipkl32.exe (command line: C:\Windows\system32\Mpipkl32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
#25 C:\Windows\SysWOW64\Mjodhe32.exe (command line: C:\Windows\system32\Mjodhe32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
#26 C:\Windows\SysWOW64\Mcghajkq.exe (command line: C:\Windows\system32\Mcghajkq.exe)
- Executes dropped EXE
PID:2336 -
#27 C:\Windows\SysWOW64\Mbjhlg32.exe (command line: C:\Windows\system32\Mbjhlg32.exe)
- Loads dropped DLL
PID:1592 -
#28 C:\Windows\SysWOW64\Meidib32.exe (command line: C:\Windows\system32\Meidib32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
#29 C:\Windows\SysWOW64\Mpnifkae.exe (command line: C:\Windows\system32\Mpnifkae.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
#30 C:\Windows\SysWOW64\Mlejkl32.exe (command line: C:\Windows\system32\Mlejkl32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
#31 C:\Windows\SysWOW64\Mncfgh32.exe (command line: C:\Windows\system32\Mncfgh32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
#32 C:\Windows\SysWOW64\Mbobgfnf.exe (command line: C:\Windows\system32\Mbobgfnf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
#33 C:\Windows\SysWOW64\Nlgfqldf.exe (command line: C:\Windows\system32\Nlgfqldf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
#34 C:\Windows\SysWOW64\Nnfbmgcj.exe (command line: C:\Windows\system32\Nnfbmgcj.exe)
- Executes dropped EXE
PID:2872 -
#35 C:\Windows\SysWOW64\Nhngem32.exe (command line: C:\Windows\system32\Nhngem32.exe)
- Executes dropped EXE
PID:2104 -
#36 C:\Windows\SysWOW64\Nafknbqk.exe (command line: C:\Windows\system32\Nafknbqk.exe)
- Executes dropped EXE
PID:2536 -
#37 C:\Windows\SysWOW64\Nfcdfiob.exe (command line: C:\Windows\system32\Nfcdfiob.exe)
- Executes dropped EXE
PID:2268 -
#38 C:\Windows\SysWOW64\Nmmlccfp.exe (command line: C:\Windows\system32\Nmmlccfp.exe)
- Executes dropped EXE
PID:988 -
#39 C:\Windows\SysWOW64\Nhbqqlfe.exe (command line: C:\Windows\system32\Nhbqqlfe.exe)
- Executes dropped EXE
PID:3004 -
#40 C:\Windows\SysWOW64\Nmpiicdm.exe (command line: C:\Windows\system32\Nmpiicdm.exe)
- Executes dropped EXE
PID:1068 -
#41 C:\Windows\SysWOW64\Nfhmai32.exe (command line: C:\Windows\system32\Nfhmai32.exe)
- Executes dropped EXE
PID:1184 -
#42 C:\Windows\SysWOW64\Nifjnd32.exe (command line: C:\Windows\system32\Nifjnd32.exe)
- Executes dropped EXE
- Modifies registry class
PID:876 -
#43 C:\Windows\SysWOW64\Ofjjghik.exe (command line: C:\Windows\system32\Ofjjghik.exe)
- Executes dropped EXE
PID:2092 -
#44 C:\Windows\SysWOW64\Omdbdb32.exe (command line: C:\Windows\system32\Omdbdb32.exe)
- Executes dropped EXE
PID:2216 -
#45 C:\Windows\SysWOW64\Ooeolkff.exe (command line: C:\Windows\system32\Ooeolkff.exe)
- Executes dropped EXE
PID:1920 -
#46 C:\Windows\SysWOW64\Ofmgmhgh.exe (command line: C:\Windows\system32\Ofmgmhgh.exe)
- Executes dropped EXE
PID:2056 -
#47 C:\Windows\SysWOW64\Ohncdp32.exe (command line: C:\Windows\system32\Ohncdp32.exe)
- Executes dropped EXE
PID:2420 -
#48 C:\Windows\SysWOW64\Opekenmh.exe (command line: C:\Windows\system32\Opekenmh.exe)
- Executes dropped EXE
PID:1288 -
#49 C:\Windows\SysWOW64\Obcgaill.exe (command line: C:\Windows\system32\Obcgaill.exe)
- Executes dropped EXE
PID:3068 -
#50 C:\Windows\SysWOW64\Oebdndlp.exe (command line: C:\Windows\system32\Oebdndlp.exe)
- Executes dropped EXE
PID:396 -
#51 C:\Windows\SysWOW64\Ohppjpkc.exe (command line: C:\Windows\system32\Ohppjpkc.exe)
- Executes dropped EXE
PID:704 -
#52 C:\Windows\SysWOW64\Okolfkjg.exe (command line: C:\Windows\system32\Okolfkjg.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
#53 C:\Windows\SysWOW64\Oahdce32.exe (command line: C:\Windows\system32\Oahdce32.exe)
- Executes dropped EXE
PID:3020 -
#54 C:\Windows\SysWOW64\Ohbmppia.exe (command line: C:\Windows\system32\Ohbmppia.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2788 -
#55 C:\Windows\SysWOW64\Oolelj32.exe (command line: C:\Windows\system32\Oolelj32.exe)
- Executes dropped EXE
PID:2768 -
#56 C:\Windows\SysWOW64\Omoehf32.exe (command line: C:\Windows\system32\Omoehf32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2656 -
#57 C:\Windows\SysWOW64\Odimdqne.exe (command line: C:\Windows\system32\Odimdqne.exe)
- Executes dropped EXE
PID:1708 -
#58 C:\Windows\SysWOW64\Pamnnemo.exe (command line: C:\Windows\system32\Pamnnemo.exe)
- Executes dropped EXE
PID:1692 -
#59 C:\Windows\SysWOW64\Pdljjplb.exe (command line: C:\Windows\system32\Pdljjplb.exe)
- Executes dropped EXE
PID:1108 -
#60 C:\Windows\SysWOW64\Pgjfflkf.exe (command line: C:\Windows\system32\Pgjfflkf.exe)
- Executes dropped EXE
PID:2388 -
#61 C:\Windows\SysWOW64\Pihbbgjj.exe (command line: C:\Windows\system32\Pihbbgjj.exe)
- Executes dropped EXE
PID:500 -
#62 C:\Windows\SysWOW64\Ppbkoabf.exe (command line: C:\Windows\system32\Ppbkoabf.exe)
- Executes dropped EXE
PID:2228 -
#63 C:\Windows\SysWOW64\Pcagkmaj.exe (command line: C:\Windows\system32\Pcagkmaj.exe)
- Executes dropped EXE
PID:2332 -
#64 C:\Windows\SysWOW64\Pkholjam.exe (command line: C:\Windows\system32\Pkholjam.exe)
- Executes dropped EXE
PID:2568 -
#65 C:\Windows\SysWOW64\Plildb32.exe (command line: C:\Windows\system32\Plildb32.exe)
- Executes dropped EXE
PID:2564 -
#66 C:\Windows\SysWOW64\Ppegdapd.exe (command line: C:\Windows\system32\Ppegdapd.exe)
- Executes dropped EXE
PID:1988 -
#67 C:\Windows\SysWOW64\Pgopak32.exe (command line: C:\Windows\system32\Pgopak32.exe)
- Drops file in System32 directory
PID:2328 -
#68 C:\Windows\SysWOW64\Pimlmf32.exe (command line: C:\Windows\system32\Pimlmf32.exe)
PID:2988 -
#69 C:\Windows\SysWOW64\Ppgdjqna.exe (command line: C:\Windows\system32\Ppgdjqna.exe)
PID:1572 -
#70 C:\Windows\SysWOW64\Pgamgken.exe (command line: C:\Windows\system32\Pgamgken.exe)
PID:2824 -
#71 C:\Windows\SysWOW64\Phbinc32.exe (command line: C:\Windows\system32\Phbinc32.exe)
PID:2836 -
#72 C:\Windows\SysWOW64\Qchmll32.exe (command line: C:\Windows\system32\Qchmll32.exe)
PID:2716 -
#73 C:\Windows\SysWOW64\Qjbehfbo.exe (command line: C:\Windows\system32\Qjbehfbo.exe)
PID:2660 -
#74 C:\Windows\SysWOW64\Qlpadaac.exe (command line: C:\Windows\system32\Qlpadaac.exe)
PID:2452 -
#75 C:\Windows\SysWOW64\Qamjmh32.exe (command line: C:\Windows\system32\Qamjmh32.exe)
- Drops file in System32 directory
PID:2252 -
#76 C:\Windows\SysWOW64\Qfifmghc.exe (command line: C:\Windows\system32\Qfifmghc.exe)
PID:2592 -
#77 C:\Windows\SysWOW64\Qlbnja32.exe (command line: C:\Windows\system32\Qlbnja32.exe)
PID:1364 -
#78 C:\Windows\SysWOW64\Aoakfl32.exe (command line: C:\Windows\system32\Aoakfl32.exe)
PID:340 -
#79 C:\Windows\SysWOW64\Aaogbh32.exe (command line: C:\Windows\system32\Aaogbh32.exe)
PID:444 -
#80 C:\Windows\SysWOW64\Adncoc32.exe (command line: C:\Windows\system32\Adncoc32.exe)
PID:1696 -
#81 C:\Windows\SysWOW64\Agloko32.exe (command line: C:\Windows\system32\Agloko32.exe)
- System Location Discovery: System Language Discovery
PID:1164 -
#82 C:\Windows\SysWOW64\Aocgll32.exe (command line: C:\Windows\system32\Aocgll32.exe)
- Drops file in System32 directory
PID:2400 -
#83 C:\Windows\SysWOW64\Abachg32.exe (command line: C:\Windows\system32\Abachg32.exe)
PID:928 -
#84 C:\Windows\SysWOW64\Agolpnjl.exe (command line: C:\Windows\system32\Agolpnjl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1760 -
#85 C:\Windows\SysWOW64\Ajmhljip.exe (command line: C:\Windows\system32\Ajmhljip.exe)
PID:1588 -
#86 C:\Windows\SysWOW64\Abdpngjb.exe (command line: C:\Windows\system32\Abdpngjb.exe)
PID:2200 -
#87 C:\Windows\SysWOW64\Acemeo32.exe (command line: C:\Windows\system32\Acemeo32.exe)
PID:2720 -
#88 C:\Windows\SysWOW64\Aklefm32.exe (command line: C:\Windows\system32\Aklefm32.exe)
- System Location Discovery: System Language Discovery
PID:1976 -
#89 C:\Windows\SysWOW64\Amnanefa.exe (command line: C:\Windows\system32\Amnanefa.exe)
PID:3048 -
#90 C:\Windows\SysWOW64\Aqimoc32.exe (command line: C:\Windows\system32\Aqimoc32.exe)
PID:1728 -
#91 C:\Windows\SysWOW64\Afffgjma.exe (command line: C:\Windows\system32\Afffgjma.exe)
PID:2496 -
#92 C:\Windows\SysWOW64\Ampncd32.exe (command line: C:\Windows\system32\Ampncd32.exe)
PID:2040 -
#93 C:\Windows\SysWOW64\Acjfpokk.exe (command line: C:\Windows\system32\Acjfpokk.exe)
PID:2168 -
#94 C:\Windows\SysWOW64\Agebam32.exe (command line: C:\Windows\system32\Agebam32.exe)
PID:948 -
#95 C:\Windows\SysWOW64\Bigohejb.exe (command line: C:\Windows\system32\Bigohejb.exe)
PID:2404 -
#96 C:\Windows\SysWOW64\Bbocak32.exe (command line: C:\Windows\system32\Bbocak32.exe)
PID:1256 -
#97 C:\Windows\SysWOW64\Biikne32.exe (command line: C:\Windows\system32\Biikne32.exe)
PID:2300 -
#98 C:\Windows\SysWOW64\Bkghjq32.exe (command line: C:\Windows\system32\Bkghjq32.exe)
PID:2464 -
#99 C:\Windows\SysWOW64\Bbapgknp.exe (command line: C:\Windows\system32\Bbapgknp.exe)
PID:2288 -
#100 C:\Windows\SysWOW64\Beplcfmd.exe (command line: C:\Windows\system32\Beplcfmd.exe)
PID:2916 -
#101 C:\Windows\SysWOW64\Boeppomj.exe (command line: C:\Windows\system32\Boeppomj.exe)
PID:2680 -
#102 C:\Windows\SysWOW64\Bklaepbn.exe (command line: C:\Windows\system32\Bklaepbn.exe)
- Drops file in System32 directory
PID:2060 -
#103 C:\Windows\SysWOW64\Bbfibj32.exe (command line: C:\Windows\system32\Bbfibj32.exe)
PID:2692 -
#104 C:\Windows\SysWOW64\Bkonkpqk.exe (command line: C:\Windows\system32\Bkonkpqk.exe)
PID:1872 -
#105 C:\Windows\SysWOW64\Bjanfl32.exe (command line: C:\Windows\system32\Bjanfl32.exe)
PID:2172 -
#106 C:\Windows\SysWOW64\Bnmjgkpo.exe (command line: C:\Windows\system32\Bnmjgkpo.exe)
PID:2384 -
#107 C:\Windows\SysWOW64\Cegbce32.exe (command line: C:\Windows\system32\Cegbce32.exe)
PID:684 -
#108 C:\Windows\SysWOW64\Ckajqo32.exe (command line: C:\Windows\system32\Ckajqo32.exe)
PID:1536 -
#109 C:\Windows\SysWOW64\Cnogmk32.exe (command line: C:\Windows\system32\Cnogmk32.exe)
PID:2148 -
#110 C:\Windows\SysWOW64\Cancif32.exe (command line: C:\Windows\system32\Cancif32.exe)
- Drops file in System32 directory
PID:1600 -
#111 C:\Windows\SysWOW64\Cghkepdm.exe (command line: C:\Windows\system32\Cghkepdm.exe)
PID:2708 -
#112 C:\Windows\SysWOW64\Cfkkam32.exe (command line: C:\Windows\system32\Cfkkam32.exe)
PID:2640 -
#113 C:\Windows\SysWOW64\Cappnf32.exe (command line: C:\Windows\system32\Cappnf32.exe)
- System Location Discovery: System Language Discovery
PID:2012 -
#114 C:\Windows\SysWOW64\Ccolja32.exe (command line: C:\Windows\system32\Ccolja32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
#115 C:\Windows\SysWOW64\Cfmhfm32.exe (command line: C:\Windows\system32\Cfmhfm32.exe)
PID:1332 -
#116 C:\Windows\SysWOW64\Cmgpcg32.exe (command line: C:\Windows\system32\Cmgpcg32.exe)
PID:2780 -
#117 C:\Windows\SysWOW64\Ccaipaho.exe (command line: C:\Windows\system32\Ccaipaho.exe)
- System Location Discovery: System Language Discovery
PID:1584 -
#118 C:\Windows\SysWOW64\Cjkamk32.exe (command line: C:\Windows\system32\Cjkamk32.exe)
PID:2376 -
#119 C:\Windows\SysWOW64\Cinahhff.exe (command line: C:\Windows\system32\Cinahhff.exe)
PID:2100 -
#120 C:\Windows\SysWOW64\Cllmdcej.exe (command line: C:\Windows\system32\Cllmdcej.exe)
PID:2880 -
#121 C:\Windows\SysWOW64\Cpgieb32.exe (command line: C:\Windows\system32\Cpgieb32.exe)
PID:2088 -
#122 C:\Windows\SysWOW64\Cfaaalep.exe (command line: C:\Windows\system32\Cfaaalep.exe)
PID:2520 -