Analysis
-
max time kernel
105s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
11/11/2024, 12:27
Static task
static1
Behavioral task
behavioral1
Sample
345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe
Resource
win10v2004-20241007-en
General
-
Target
345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe
-
Size
290KB
-
MD5
ed003a031bb0fee47a2801b84528a37e
-
SHA1
a85410ea635c494b1c4a6445c26457af7a406f52
-
SHA256
1bfc9cd932046a76bf4466854ee6ab4eafb6615d46db942708662c48cd85431d
-
SHA512
86999b2734aa25aaf0d2aa7cf9c5c577e7bf714dc980337816f2add73ac8d82f2c78cd525d34840a21e579d4edbb91c874bee3a7a47f1a3ed70b15499b64eceb
-
SSDEEP
6144:npkgEA95hEUmKyIxLDXXoq9FJZCUmKyIxLa:rEADa32XXf9Do3h
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjjma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qldhkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idfdcijh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpqain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgbdodnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcnghpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldjpbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpebmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edoefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ageompfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfemlpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dinklffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjllab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blmfea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aclpaali.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fogibnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohipla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbcbjlmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpdoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edoefl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqehjecl.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2756 Pndpajgd.exe 2816 Qeohnd32.exe 2684 Qjnmlk32.exe 2280 Aecaidjl.exe 772 Achojp32.exe 632 Abphal32.exe 2120 Aijpnfif.exe 796 Bbdallnd.exe 2904 Blmfea32.exe 2292 Bhdgjb32.exe 2020 Balkchpi.exe 3068 Cilibi32.exe 2192 Cpfaocal.exe 2308 Cmlong32.exe 1216 Conkepdq.exe 2068 Dldhdc32.exe 992 Dcnqanhd.exe 1392 Dhmfod32.exe 1380 Dognlnlf.exe 1936 Dhobddbf.exe 1748 Dknoaoaj.exe 2016 Dkpkfooh.exe 1636 Eckpkamb.exe 300 Enqdhj32.exe 3048 Egiiapci.exe 1604 Efnfbl32.exe 2760 Elhnof32.exe 2916 Efqbglen.exe 2700 Efcomkcl.exe 996 Fbjpblip.exe 1220 Fdhlnhhc.exe 380 Fgiepced.exe 2848 Fncmmmma.exe 1148 Fnejbmko.exe 2980 Fpffje32.exe 2716 Fcdopc32.exe 1436 Gjngmmnp.exe 2420 Gbjlaplk.exe 2556 Glbqje32.exe 2460 Gblifo32.exe 1244 Gifaciae.exe 1100 Gbnflo32.exe 2596 Gaafhloq.exe 1964 Ghkndf32.exe 2200 Gbqbaofc.exe 1944 Gjlgfaco.exe 288 Gmjcblbb.exe 880 Hjndlqal.exe 1608 Hahlhkhi.exe 2528 Hfedqagp.exe 2792 Hmomml32.exe 2704 Hbleeb32.exe 1476 Hjcmgp32.exe 2956 Hppfog32.exe 2976 Hihjhl32.exe 2968 Hpbbdfik.exe 2944 Heokmmgb.exe 1800 Ipdojfgh.exe 2252 Ihpdoh32.exe 1084 Iknpkd32.exe 1740 Idfdcijh.exe 1696 Ilnmdgkj.exe 1940 Iajemnia.exe 920 Ihdmihpn.exe -
Loads dropped DLL 64 IoCs
pid Process 2836 345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe 2836 345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe 2756 Pndpajgd.exe 2756 Pndpajgd.exe 2816 Qeohnd32.exe 2816 Qeohnd32.exe 2684 Qjnmlk32.exe 2684 Qjnmlk32.exe 2280 Aecaidjl.exe 2280 Aecaidjl.exe 772 Achojp32.exe 772 Achojp32.exe 632 Abphal32.exe 632 Abphal32.exe 2120 Aijpnfif.exe 2120 Aijpnfif.exe 796 Bbdallnd.exe 796 Bbdallnd.exe 2904 Blmfea32.exe 2904 Blmfea32.exe 2292 Bhdgjb32.exe 2292 Bhdgjb32.exe 2020 Balkchpi.exe 2020 Balkchpi.exe 3068 Cilibi32.exe 3068 Cilibi32.exe 2192 Cpfaocal.exe 2192 Cpfaocal.exe 2308 Cmlong32.exe 2308 Cmlong32.exe 1216 Conkepdq.exe 1216 Conkepdq.exe 2068 Dldhdc32.exe 2068 Dldhdc32.exe 992 Dcnqanhd.exe 992 Dcnqanhd.exe 1392 Dhmfod32.exe 1392 Dhmfod32.exe 1380 Dognlnlf.exe 1380 Dognlnlf.exe 1936 Dhobddbf.exe 1936 Dhobddbf.exe 1748 Dknoaoaj.exe 1748 Dknoaoaj.exe 2016 Dkpkfooh.exe 2016 Dkpkfooh.exe 1636 Eckpkamb.exe 1636 Eckpkamb.exe 300 Enqdhj32.exe 300 Enqdhj32.exe 3048 Egiiapci.exe 3048 Egiiapci.exe 1604 Efnfbl32.exe 1604 Efnfbl32.exe 2760 Elhnof32.exe 2760 Elhnof32.exe 2916 Efqbglen.exe 2916 Efqbglen.exe 2700 Efcomkcl.exe 2700 Efcomkcl.exe 996 Fbjpblip.exe 996 Fbjpblip.exe 1220 Fdhlnhhc.exe 1220 Fdhlnhhc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mcacochk.exe Process not Found File created C:\Windows\SysWOW64\Mffkgl32.exe Process not Found File created C:\Windows\SysWOW64\Cmgkfh32.dll Oldpnn32.exe File created C:\Windows\SysWOW64\Bjoofhgc.exe Bfccei32.exe File opened for modification C:\Windows\SysWOW64\Cmpdgf32.exe Cdgpnqpo.exe File created C:\Windows\SysWOW64\Gncgbkki.exe Ggiofa32.exe File created C:\Windows\SysWOW64\Aphdkpjd.dll Process not Found File created C:\Windows\SysWOW64\Lnnibe32.dll Akkoig32.exe File opened for modification C:\Windows\SysWOW64\Iediin32.exe Injqmdki.exe File created C:\Windows\SysWOW64\Bbifhddh.dll Process not Found File created C:\Windows\SysWOW64\Lmfhil32.exe Leopgo32.exe File opened for modification C:\Windows\SysWOW64\Edoefl32.exe Emdmjamj.exe File created C:\Windows\SysWOW64\Nllbdp32.exe Nhpfdaml.exe File created C:\Windows\SysWOW64\Ieoeff32.dll Process not Found File created C:\Windows\SysWOW64\Oimpnc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lbicoamh.exe Liqoflfh.exe File opened for modification C:\Windows\SysWOW64\Koflgf32.exe Khldkllj.exe File created C:\Windows\SysWOW64\Jdogldmo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mhkhgd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Egeecf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hahlhkhi.exe Hjndlqal.exe File opened for modification C:\Windows\SysWOW64\Enkpahon.exe Edclib32.exe File created C:\Windows\SysWOW64\Kmhflfhh.dll Kkjnnn32.exe File created C:\Windows\SysWOW64\Kidjdpie.exe Jnofgg32.exe File created C:\Windows\SysWOW64\Enbogmnc.exe Ehhfjcff.exe File opened for modification C:\Windows\SysWOW64\Bhmmcjjd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jlelhe32.exe Jhjphfgi.exe File created C:\Windows\SysWOW64\Mfjaekpm.dll Jmlddeio.exe File created C:\Windows\SysWOW64\Njgpij32.exe Ncmglp32.exe File opened for modification C:\Windows\SysWOW64\Bhdhefpc.exe Bdhleh32.exe File created C:\Windows\SysWOW64\Hcmpomck.dll Nqpdcc32.exe File created C:\Windows\SysWOW64\Jbnlaqhi.exe Process not Found File created C:\Windows\SysWOW64\Jgjmoace.exe Process not Found File created C:\Windows\SysWOW64\Cocgje32.dll Process not Found File created C:\Windows\SysWOW64\Oehdan32.exe Ohcdhi32.exe File opened for modification C:\Windows\SysWOW64\Nbmaon32.exe Njfjnpgp.exe File created C:\Windows\SysWOW64\Obmnna32.exe Olbfagca.exe File created C:\Windows\SysWOW64\Hjhobagi.dll Dfinam32.exe File created C:\Windows\SysWOW64\Jdgcbgmg.dll Process not Found File created C:\Windows\SysWOW64\Kcpcho32.exe Process not Found File created C:\Windows\SysWOW64\Nmkgcloo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mlbmem32.exe Process not Found File created C:\Windows\SysWOW64\Pbmkli32.dll Qndigd32.exe File created C:\Windows\SysWOW64\Kgkonj32.exe Kbpbmkan.exe File created C:\Windows\SysWOW64\Fhbbcail.exe Process not Found File created C:\Windows\SysWOW64\Jkbolo32.dll Qejpoi32.exe File created C:\Windows\SysWOW64\Biogkbfn.dll Cdqkifmb.exe File created C:\Windows\SysWOW64\Hegfajbc.dll Process not Found File created C:\Windows\SysWOW64\Odjoikgb.dll Abkhkgbb.exe File created C:\Windows\SysWOW64\Kbgjkn32.exe Khoebi32.exe File created C:\Windows\SysWOW64\Jbmnbl32.dll Ggkqmoma.exe File created C:\Windows\SysWOW64\Ihnijmcj.dll Kpkpadnl.exe File created C:\Windows\SysWOW64\Mcknhm32.exe Mkdffoij.exe File created C:\Windows\SysWOW64\Ghkndf32.exe Gaafhloq.exe File opened for modification C:\Windows\SysWOW64\Egjbdo32.exe Eeielfhk.exe File created C:\Windows\SysWOW64\Idcacc32.exe Iaeegh32.exe File created C:\Windows\SysWOW64\Hbiooq32.dll Lpcoeb32.exe File created C:\Windows\SysWOW64\Fjfjcdln.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gifaciae.exe Gblifo32.exe File opened for modification C:\Windows\SysWOW64\Ohdglfoj.exe Process not Found File created C:\Windows\SysWOW64\Lffohikd.exe Process not Found File created C:\Windows\SysWOW64\Pbiffmpn.dll Process not Found File created C:\Windows\SysWOW64\Pfkidj32.dll Process not Found File created C:\Windows\SysWOW64\Agpmcpfm.dll Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbagipfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjngmmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnebjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nehomq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeeolig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mamgmofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmogmjmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locjhqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafahdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkaoemjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epfhde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khiccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfemlpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leopgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ancefgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmpkpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmjcblbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjbkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlddeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpfplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlieoqgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homdhjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfkimhhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbkpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conkepdq.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geeemeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioiepeog.dll" Mlhnifmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gajjhkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmlong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkkgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Degiggjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnqjnhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebpihab.dll" Joiappkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfchej32.dll" Nkehql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkilnbk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galopp32.dll" Gbjlaplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll" Lgfjggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmogmjmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpigl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcdi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okojkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Loclai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcdpd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomgdlji.dll" Enbogmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glneao32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmjoqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfgipmk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfimoh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqjbqh32.dll" Cmlong32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlqmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafme32.dll" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgacc32.dll" Ghaeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaqomeke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcenpoif.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnohgfgb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkgjpbo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecpggap.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2836 wrote to memory of 2756 2836 345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe 30 PID 2836 wrote to memory of 2756 2836 345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe 30 PID 2836 wrote to memory of 2756 2836 345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe 30 PID 2836 wrote to memory of 2756 2836 345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe 30 PID 2756 wrote to memory of 2816 2756 Pndpajgd.exe 31 PID 2756 wrote to memory of 2816 2756 Pndpajgd.exe 31 PID 2756 wrote to memory of 2816 2756 Pndpajgd.exe 31 PID 2756 wrote to memory of 2816 2756 Pndpajgd.exe 31 PID 2816 wrote to memory of 2684 2816 Qeohnd32.exe 32 PID 2816 wrote to memory of 2684 2816 Qeohnd32.exe 32 PID 2816 wrote to memory of 2684 2816 Qeohnd32.exe 32 PID 2816 wrote to memory of 2684 2816 Qeohnd32.exe 32 PID 2684 wrote to memory of 2280 2684 Qjnmlk32.exe 33 PID 2684 wrote to memory of 2280 2684 Qjnmlk32.exe 33 PID 2684 wrote to memory of 2280 2684 Qjnmlk32.exe 33 PID 2684 wrote to memory of 2280 2684 Qjnmlk32.exe 33 PID 2280 wrote to memory of 772 2280 Aecaidjl.exe 34 PID 2280 wrote to memory of 772 2280 Aecaidjl.exe 34 PID 2280 wrote to memory of 772 2280 Aecaidjl.exe 34 PID 2280 wrote to memory of 772 2280 Aecaidjl.exe 34 PID 772 wrote to memory of 632 772 Achojp32.exe 35 PID 772 wrote to memory of 632 772 Achojp32.exe 35 PID 772 wrote to memory of 632 772 Achojp32.exe 35 PID 772 wrote to memory of 632 772 Achojp32.exe 35 PID 632 wrote to memory of 2120 632 Abphal32.exe 36 PID 632 wrote to memory of 2120 632 Abphal32.exe 36 PID 632 wrote to memory of 2120 632 Abphal32.exe 36 PID 632 wrote to memory of 2120 632 Abphal32.exe 36 PID 2120 wrote to memory of 796 2120 Aijpnfif.exe 37 PID 2120 wrote to memory of 796 2120 Aijpnfif.exe 37 PID 2120 wrote to memory of 796 2120 Aijpnfif.exe 37 PID 2120 wrote to memory of 796 2120 Aijpnfif.exe 37 PID 796 wrote to memory of 2904 796 Bbdallnd.exe 38 PID 796 wrote to memory of 2904 796 Bbdallnd.exe 38 PID 796 wrote to memory of 2904 796 Bbdallnd.exe 38 PID 796 wrote to memory of 2904 796 Bbdallnd.exe 38 PID 2904 wrote to memory of 2292 2904 Blmfea32.exe 39 PID 2904 wrote to memory of 2292 2904 Blmfea32.exe 39 PID 2904 wrote to memory of 2292 2904 Blmfea32.exe 39 PID 2904 wrote to memory of 2292 2904 Blmfea32.exe 39 PID 2292 wrote to memory of 2020 2292 Bhdgjb32.exe 40 PID 2292 wrote to memory of 2020 2292 Bhdgjb32.exe 40 PID 2292 wrote to memory of 2020 2292 Bhdgjb32.exe 40 PID 2292 wrote to memory of 2020 2292 Bhdgjb32.exe 40 PID 2020 wrote to memory of 3068 2020 Balkchpi.exe 41 PID 2020 wrote to memory of 3068 2020 Balkchpi.exe 41 PID 2020 wrote to memory of 3068 2020 Balkchpi.exe 41 PID 2020 wrote to memory of 3068 2020 Balkchpi.exe 41 PID 3068 wrote to memory of 2192 3068 Cilibi32.exe 42 PID 3068 wrote to memory of 2192 3068 Cilibi32.exe 42 PID 3068 wrote to memory of 2192 3068 Cilibi32.exe 42 PID 3068 wrote to memory of 2192 3068 Cilibi32.exe 42 PID 2192 wrote to memory of 2308 2192 Cpfaocal.exe 43 PID 2192 wrote to memory of 2308 2192 Cpfaocal.exe 43 PID 2192 wrote to memory of 2308 2192 Cpfaocal.exe 43 PID 2192 wrote to memory of 2308 2192 Cpfaocal.exe 43 PID 2308 wrote to memory of 1216 2308 Cmlong32.exe 44 PID 2308 wrote to memory of 1216 2308 Cmlong32.exe 44 PID 2308 wrote to memory of 1216 2308 Cmlong32.exe 44 PID 2308 wrote to memory of 1216 2308 Cmlong32.exe 44 PID 1216 wrote to memory of 2068 1216 Conkepdq.exe 45 PID 1216 wrote to memory of 2068 1216 Conkepdq.exe 45 PID 1216 wrote to memory of 2068 1216 Conkepdq.exe 45 PID 1216 wrote to memory of 2068 1216 Conkepdq.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe"C:\Users\Admin\AppData\Local\Temp\345b8949f8aa37dcdde6b34af7232cc35c0c2428954d5ef30d0590406a40c149N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe33⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe34⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe35⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe36⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe37⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe40⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe42⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe43⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Gaafhloq.exeC:\Windows\system32\Gaafhloq.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe45⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe46⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe47⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:288 -
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe50⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe51⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe52⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe53⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe54⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe55⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe56⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe57⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe58⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe59⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe61⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe63⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe64⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe65⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe66⤵PID:2540
-
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe67⤵PID:2100
-
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe68⤵PID:1280
-
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe69⤵PID:1572
-
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe70⤵PID:2884
-
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe71⤵PID:2796
-
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe72⤵PID:2860
-
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe73⤵PID:1300
-
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe74⤵PID:2988
-
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe75⤵PID:2532
-
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe76⤵PID:2196
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe77⤵PID:2608
-
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe78⤵PID:2276
-
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe80⤵PID:908
-
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe81⤵PID:1924
-
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe82⤵PID:2896
-
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe83⤵PID:2372
-
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe84⤵PID:1996
-
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe85⤵
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe86⤵PID:2240
-
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe87⤵PID:2872
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe88⤵PID:2628
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe90⤵PID:1012
-
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe91⤵PID:1204
-
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe92⤵PID:2728
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe93⤵PID:2920
-
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe94⤵PID:1756
-
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe95⤵PID:1624
-
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe96⤵PID:1472
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe97⤵PID:2136
-
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe98⤵PID:936
-
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe99⤵PID:868
-
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe100⤵PID:3064
-
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe102⤵PID:2468
-
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe103⤵PID:2304
-
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe104⤵PID:316
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe105⤵PID:2056
-
C:\Windows\SysWOW64\Lnjafd32.exeC:\Windows\system32\Lnjafd32.exe106⤵PID:2088
-
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe107⤵PID:3000
-
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe108⤵PID:2552
-
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe109⤵PID:560
-
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe110⤵PID:1708
-
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe111⤵PID:1540
-
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe112⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe113⤵PID:2852
-
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe114⤵PID:2636
-
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe115⤵PID:1616
-
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe116⤵PID:572
-
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe117⤵PID:2112
-
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe118⤵PID:1152
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe119⤵PID:2152
-
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe120⤵PID:800
-
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe121⤵PID:744
-
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe122⤵PID:1340
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-