Analysis
-
max time kernel
137s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2024 03:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab.exe
-
Size
96KB
-
MD5
ec0ca7d59c3511670ad4caa5ac2f2027
-
SHA1
954c101d3fdfad2c54a2acf169274cc23ad42354
-
SHA256
a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab
-
SHA512
3ed4a0fbfa2d25575f55c3af7bbccbf39f8b188f7fbba87c10cf0be2802074e4c7e118b55d604d524882d2fa11863118e80761a3337369ed217570a912ffe742
-
SSDEEP
1536:lgIBpdHYV4HweZ6Fvt4pHN2Lv7RZObZUUWaegPYA:S2HHYqHmFvtwHevClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emflia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nleeqbhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioemmcno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehejfkad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhpdhck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knhpdhck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phkahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjnocnco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niqbeldi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflein32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acoiab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migpomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oldogm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahlmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihlhlad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmpfeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipdgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmkglhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifdfno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phgogl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpkgke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipqbdpqk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbfmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mapgnpla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjicjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpqab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggppcjgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggokg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgfbpdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbddkmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlbagd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmopldh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahngdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digcaopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojghc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alggpaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flpkkfim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjcfedf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffephohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjeedmmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbnnmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cifmfeee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqqmkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijldmja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcclbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdglca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idclop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgpmcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjnnbem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inqqmkgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjeedmmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mamdni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jipnkibm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdhcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlmeniib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fifhjjed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjnpido.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkkde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaook32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkcjpiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciadkf32.exe -
Executes dropped EXE 64 IoCs
pid Process 3764 Ddnedd32.exe 4744 Djhmqnnq.exe 2684 Dmgjmjnd.exe 1164 Ddqbicea.exe 4344 Dkkjfn32.exe 2212 Dmifbi32.exe 5012 Depncf32.exe 3604 Dhokpb32.exe 2964 Dohcllbd.exe 2192 Dagohgah.exe 2252 Ddekdc32.exe 4468 Dokpbl32.exe 3496 Dailng32.exe 760 Dhcdkagb.exe 3972 Ekapgmff.exe 4668 Ealhcg32.exe 1080 Edjepb32.exe 1288 Eghalnlj.exe 4564 Embihh32.exe 1748 Edlaebkd.exe 1092 Egknanjg.exe 4056 Emefng32.exe 3744 Edonkaia.exe 1004 Egmjgm32.exe 456 Ekifglpn.exe 1776 Emgbcgoa.exe 2756 Eogonj32.exe 3340 Emioigmo.exe 2220 Eeqgjdna.exe 4448 Edcgfa32.exe 2544 Fhocfpme.exe 3156 Fkmpbk32.exe 3804 Fdfdkqbi.exe 756 Fkpmhk32.exe 1732 Fnnidf32.exe 3852 Feeqec32.exe 2208 Fgfmmlpj.exe 3780 Fnqejfgg.exe 4308 Fehmkchi.exe 1996 Fhfjgogm.exe 3036 Fopbdi32.exe 2112 Fncboeed.exe 2404 Fdmjlp32.exe 1500 Fhhfmnej.exe 4516 Fkgbijdn.exe 3316 Foboih32.exe 2968 Faqkedkk.exe 4604 Gdogaojo.exe 4120 Ggncnkjb.exe 548 Goekohjd.exe 3504 Geoclb32.exe 3112 Ggppcjgp.exe 1564 Goghdhhb.exe 2484 Gnjhpd32.exe 2984 Geapabpo.exe 3548 Ghommmob.exe 2412 Goiejg32.exe 4216 Gnleedmj.exe 4320 Gdfmbn32.exe 3560 Golapg32.exe 5068 Gffjla32.exe 4648 Gonnegbj.exe 3616 Hfhfba32.exe 4896 Hdkgmnpa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Elpjln32.dll Hkiakapm.exe File created C:\Windows\SysWOW64\Kljhkqnc.dll Jjogbk32.exe File created C:\Windows\SysWOW64\Cbjfihpb.dll Lapogbjd.exe File created C:\Windows\SysWOW64\Ckjpblig.exe Cjicjc32.exe File created C:\Windows\SysWOW64\Gbpfnmjc.dll Kdaagl32.exe File created C:\Windows\SysWOW64\Alplgmpm.dll Mkqleb32.exe File created C:\Windows\SysWOW64\Ofcgfihb.dll Nleeqbhl.exe File created C:\Windows\SysWOW64\Hdnbcqed.exe Hpbfcb32.exe File created C:\Windows\SysWOW64\Nfmbfc32.dll Hhmiokbb.exe File created C:\Windows\SysWOW64\Kghpqbfb.dll Lhjnnbem.exe File opened for modification C:\Windows\SysWOW64\Qhbocj32.exe Qfdbgo32.exe File created C:\Windows\SysWOW64\Gajkdgog.dll Hkdhpa32.exe File created C:\Windows\SysWOW64\Ikdafofp.exe Iqomiffj.exe File opened for modification C:\Windows\SysWOW64\Piakli32.exe Peeokjnm.exe File opened for modification C:\Windows\SysWOW64\Giahei32.exe Gkohjldl.exe File opened for modification C:\Windows\SysWOW64\Kdmgllkb.exe Kqakkn32.exe File created C:\Windows\SysWOW64\Oedpeg32.dll Eogonj32.exe File created C:\Windows\SysWOW64\Dmhphc32.exe Djjclgib.exe File created C:\Windows\SysWOW64\Olmkbe32.exe Ohaobfod.exe File created C:\Windows\SysWOW64\Nhoqnh32.dll Alndibij.exe File created C:\Windows\SysWOW64\Jdcden32.exe Jphieo32.exe File created C:\Windows\SysWOW64\Ngbcodij.dll Dkkjfn32.exe File opened for modification C:\Windows\SysWOW64\Jjlkmkie.exe Ihknec32.exe File opened for modification C:\Windows\SysWOW64\Jjpmnd32.exe Jkmmbhji.exe File opened for modification C:\Windows\SysWOW64\Hhioclgg.exe Hoqkkfpg.exe File created C:\Windows\SysWOW64\Gmiggjfi.dll Ljkpegnb.exe File created C:\Windows\SysWOW64\Cdpfih32.dll Elaoih32.exe File created C:\Windows\SysWOW64\Mbemogeo.dll Ffnigpok.exe File opened for modification C:\Windows\SysWOW64\Knpbib32.exe Jjefidmo.exe File created C:\Windows\SysWOW64\Ehnonf32.dll Kcmkai32.exe File created C:\Windows\SysWOW64\Fkpmhk32.exe Fdfdkqbi.exe File opened for modification C:\Windows\SysWOW64\Golapg32.exe Gdfmbn32.exe File opened for modification C:\Windows\SysWOW64\Mlabpi32.exe Mhefojgd.exe File created C:\Windows\SysWOW64\Jdnidi32.dll Qafcfj32.exe File opened for modification C:\Windows\SysWOW64\Lndfkl32.exe Lpafopeo.exe File created C:\Windows\SysWOW64\Pjeqblql.dll Iqmpcg32.exe File created C:\Windows\SysWOW64\Jdfhec32.exe Jqkleell.exe File created C:\Windows\SysWOW64\Kgkejflm.dll Icjeel32.exe File opened for modification C:\Windows\SysWOW64\Ljglea32.exe Lkeljdfo.exe File created C:\Windows\SysWOW64\Ljglea32.exe Lkeljdfo.exe File opened for modification C:\Windows\SysWOW64\Jedbjj32.exe Jbffno32.exe File opened for modification C:\Windows\SysWOW64\Ladhba32.exe Lbahfdod.exe File opened for modification C:\Windows\SysWOW64\Lbddld32.exe Lnhhkedi.exe File created C:\Windows\SysWOW64\Lioaogdq.dll Mjafffhj.exe File opened for modification C:\Windows\SysWOW64\Kcfnhh32.exe Kddnlkdj.exe File created C:\Windows\SysWOW64\Lnchfp32.exe Ljglea32.exe File created C:\Windows\SysWOW64\Mmdebjpm.exe Mnadgn32.exe File created C:\Windows\SysWOW64\Cjndpicp.exe Cgpgdndl.exe File created C:\Windows\SysWOW64\Bppfqg32.dll Gjeedmmf.exe File created C:\Windows\SysWOW64\Jkpjhghf.exe Jgdngi32.exe File opened for modification C:\Windows\SysWOW64\Jgfjmhnk.exe Jcknlj32.exe File created C:\Windows\SysWOW64\Maiamqaj.exe Mbfaad32.exe File created C:\Windows\SysWOW64\Dhppccgc.dll Okghhcfb.exe File created C:\Windows\SysWOW64\Fgfnimgd.dll Jcakfk32.exe File opened for modification C:\Windows\SysWOW64\Lkgiod32.exe Lgkmoelc.exe File opened for modification C:\Windows\SysWOW64\Ncpjedeg.exe Neniig32.exe File opened for modification C:\Windows\SysWOW64\Dfadqhnf.exe Dpgldn32.exe File created C:\Windows\SysWOW64\Ejgibo32.exe Eflmbqqm.exe File created C:\Windows\SysWOW64\Ffdhhebe.dll Ilefca32.exe File created C:\Windows\SysWOW64\Lqjnal32.exe Lmobqnbe.exe File created C:\Windows\SysWOW64\Chhkpeem.dll Hfhfba32.exe File created C:\Windows\SysWOW64\Hkknpqnj.exe Hdafcf32.exe File opened for modification C:\Windows\SysWOW64\Nlmblg32.exe Nhafkimf.exe File opened for modification C:\Windows\SysWOW64\Peeokjnm.exe Pajckl32.exe -
Program crash 1 IoCs
pid pid_target Process 19868 19764 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhcdkagb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdohhog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpikbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmdfgdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmifbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbggbabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnimc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbecco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhpiodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljlojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncecpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfebf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbjdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiafhmhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eijinlpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmoeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljffjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgedao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palppl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpechaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbjcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijedi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlpfjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mamdni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjjgiha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdaagl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpdodim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaojdhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdafcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmcceolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahkbjnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpbbpoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oilbajjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jleahcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocadif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poeaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglciloo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paaikkol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjico32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljpoqdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlepqid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnqejfgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenngfcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggagoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olknmeip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfhmeko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbbjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malnbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nonkmbbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhimmdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdipacgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkkfeop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eapkdpfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalginad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbgnkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ligfho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmlfpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdhjopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpqbnlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqpfpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabdcoio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpqde32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqmpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljmmkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjajid32.dll" Mjobfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jibkqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oolnig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eakaiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eckcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idqnloph.dll" Jloijp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbdmioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnebihbk.dll" Ncbfjdcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikehaejk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Logbpljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkhjjbnb.dll" Gnlnknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofiej32.dll" Neefdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjhaimkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icjeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjbjcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jopkcjoi.dll" Mnohan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iglhffop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljegadn.dll" Jffljm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdccije.dll" Jidalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nadjnhdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbjhap32.dll" Fdmjlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclkoi32.dll" Pghpecfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbggbabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkeljdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbmga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiobik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlgjbcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajpdhgm.dll" Bkopfmce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nepfog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnjhpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmfcbcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohhllhgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibafiikj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oejpplhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flkbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdfmfn32.dll" Icfljmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igidni32.dll" Ilnqcbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkmpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmgif32.dll" Opbhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihhapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dplpah32.dll" Jljpoqdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcpqng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nepfog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpcaojbe.dll" Oogncajf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcbjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hogakejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmhmh32.dll" Oldogm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhpab32.dll" Kjhjijog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnqcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnqkppge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnchfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmokgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpafopeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpfeihcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elfhdhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Innmme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmhegljj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcfog32.dll" Njokmnho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iidoojlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfnpqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbohpe32.dll" Fiaook32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4400 wrote to memory of 3764 4400 a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab.exe 84 PID 4400 wrote to memory of 3764 4400 a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab.exe 84 PID 4400 wrote to memory of 3764 4400 a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab.exe 84 PID 3764 wrote to memory of 4744 3764 Ddnedd32.exe 85 PID 3764 wrote to memory of 4744 3764 Ddnedd32.exe 85 PID 3764 wrote to memory of 4744 3764 Ddnedd32.exe 85 PID 4744 wrote to memory of 2684 4744 Djhmqnnq.exe 86 PID 4744 wrote to memory of 2684 4744 Djhmqnnq.exe 86 PID 4744 wrote to memory of 2684 4744 Djhmqnnq.exe 86 PID 2684 wrote to memory of 1164 2684 Dmgjmjnd.exe 87 PID 2684 wrote to memory of 1164 2684 Dmgjmjnd.exe 87 PID 2684 wrote to memory of 1164 2684 Dmgjmjnd.exe 87 PID 1164 wrote to memory of 4344 1164 Ddqbicea.exe 88 PID 1164 wrote to memory of 4344 1164 Ddqbicea.exe 88 PID 1164 wrote to memory of 4344 1164 Ddqbicea.exe 88 PID 4344 wrote to memory of 2212 4344 Dkkjfn32.exe 89 PID 4344 wrote to memory of 2212 4344 Dkkjfn32.exe 89 PID 4344 wrote to memory of 2212 4344 Dkkjfn32.exe 89 PID 2212 wrote to memory of 5012 2212 Dmifbi32.exe 90 PID 2212 wrote to memory of 5012 2212 Dmifbi32.exe 90 PID 2212 wrote to memory of 5012 2212 Dmifbi32.exe 90 PID 5012 wrote to memory of 3604 5012 Depncf32.exe 91 PID 5012 wrote to memory of 3604 5012 Depncf32.exe 91 PID 5012 wrote to memory of 3604 5012 Depncf32.exe 91 PID 3604 wrote to memory of 2964 3604 Dhokpb32.exe 92 PID 3604 wrote to memory of 2964 3604 Dhokpb32.exe 92 PID 3604 wrote to memory of 2964 3604 Dhokpb32.exe 92 PID 2964 wrote to memory of 2192 2964 Dohcllbd.exe 93 PID 2964 wrote to memory of 2192 2964 Dohcllbd.exe 93 PID 2964 wrote to memory of 2192 2964 Dohcllbd.exe 93 PID 2192 wrote to memory of 2252 2192 Dagohgah.exe 95 PID 2192 wrote to memory of 2252 2192 Dagohgah.exe 95 PID 2192 wrote to memory of 2252 2192 Dagohgah.exe 95 PID 2252 wrote to memory of 4468 2252 Ddekdc32.exe 96 PID 2252 wrote to memory of 4468 2252 Ddekdc32.exe 96 PID 2252 wrote to memory of 4468 2252 Ddekdc32.exe 96 PID 4468 wrote to memory of 3496 4468 Dokpbl32.exe 97 PID 4468 wrote to memory of 3496 4468 Dokpbl32.exe 97 PID 4468 wrote to memory of 3496 4468 Dokpbl32.exe 97 PID 3496 wrote to memory of 760 3496 Dailng32.exe 98 PID 3496 wrote to memory of 760 3496 Dailng32.exe 98 PID 3496 wrote to memory of 760 3496 Dailng32.exe 98 PID 760 wrote to memory of 3972 760 Dhcdkagb.exe 99 PID 760 wrote to memory of 3972 760 Dhcdkagb.exe 99 PID 760 wrote to memory of 3972 760 Dhcdkagb.exe 99 PID 3972 wrote to memory of 4668 3972 Ekapgmff.exe 101 PID 3972 wrote to memory of 4668 3972 Ekapgmff.exe 101 PID 3972 wrote to memory of 4668 3972 Ekapgmff.exe 101 PID 4668 wrote to memory of 1080 4668 Ealhcg32.exe 102 PID 4668 wrote to memory of 1080 4668 Ealhcg32.exe 102 PID 4668 wrote to memory of 1080 4668 Ealhcg32.exe 102 PID 1080 wrote to memory of 1288 1080 Edjepb32.exe 103 PID 1080 wrote to memory of 1288 1080 Edjepb32.exe 103 PID 1080 wrote to memory of 1288 1080 Edjepb32.exe 103 PID 1288 wrote to memory of 4564 1288 Eghalnlj.exe 104 PID 1288 wrote to memory of 4564 1288 Eghalnlj.exe 104 PID 1288 wrote to memory of 4564 1288 Eghalnlj.exe 104 PID 4564 wrote to memory of 1748 4564 Embihh32.exe 105 PID 4564 wrote to memory of 1748 4564 Embihh32.exe 105 PID 4564 wrote to memory of 1748 4564 Embihh32.exe 105 PID 1748 wrote to memory of 1092 1748 Edlaebkd.exe 106 PID 1748 wrote to memory of 1092 1748 Edlaebkd.exe 106 PID 1748 wrote to memory of 1092 1748 Edlaebkd.exe 106 PID 1092 wrote to memory of 4056 1092 Egknanjg.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab.exe"C:\Users\Admin\AppData\Local\Temp\a727c74a8efa96b176430ff89247c5cf42391576154e20ecf89f14809503d9ab.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Ddnedd32.exeC:\Windows\system32\Ddnedd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Djhmqnnq.exeC:\Windows\system32\Djhmqnnq.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Dmgjmjnd.exeC:\Windows\system32\Dmgjmjnd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ddqbicea.exeC:\Windows\system32\Ddqbicea.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Dkkjfn32.exeC:\Windows\system32\Dkkjfn32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Dmifbi32.exeC:\Windows\system32\Dmifbi32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Depncf32.exeC:\Windows\system32\Depncf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Dhokpb32.exeC:\Windows\system32\Dhokpb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Dohcllbd.exeC:\Windows\system32\Dohcllbd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Dagohgah.exeC:\Windows\system32\Dagohgah.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Ddekdc32.exeC:\Windows\system32\Ddekdc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Dokpbl32.exeC:\Windows\system32\Dokpbl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Dailng32.exeC:\Windows\system32\Dailng32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Dhcdkagb.exeC:\Windows\system32\Dhcdkagb.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Ekapgmff.exeC:\Windows\system32\Ekapgmff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Ealhcg32.exeC:\Windows\system32\Ealhcg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Edjepb32.exeC:\Windows\system32\Edjepb32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Eghalnlj.exeC:\Windows\system32\Eghalnlj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Embihh32.exeC:\Windows\system32\Embihh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Edlaebkd.exeC:\Windows\system32\Edlaebkd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Egknanjg.exeC:\Windows\system32\Egknanjg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Emefng32.exeC:\Windows\system32\Emefng32.exe23⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Edonkaia.exeC:\Windows\system32\Edonkaia.exe24⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Egmjgm32.exeC:\Windows\system32\Egmjgm32.exe25⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Ekifglpn.exeC:\Windows\system32\Ekifglpn.exe26⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Emgbcgoa.exeC:\Windows\system32\Emgbcgoa.exe27⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Eogonj32.exeC:\Windows\system32\Eogonj32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Emioigmo.exeC:\Windows\system32\Emioigmo.exe29⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Eeqgjdna.exeC:\Windows\system32\Eeqgjdna.exe30⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Edcgfa32.exeC:\Windows\system32\Edcgfa32.exe31⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Fhocfpme.exeC:\Windows\system32\Fhocfpme.exe32⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Fkmpbk32.exeC:\Windows\system32\Fkmpbk32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Fdfdkqbi.exeC:\Windows\system32\Fdfdkqbi.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3804 -
C:\Windows\SysWOW64\Fkpmhk32.exeC:\Windows\system32\Fkpmhk32.exe35⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Fnnidf32.exeC:\Windows\system32\Fnnidf32.exe36⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Feeqec32.exeC:\Windows\system32\Feeqec32.exe37⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Fgfmmlpj.exeC:\Windows\system32\Fgfmmlpj.exe38⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Fnqejfgg.exeC:\Windows\system32\Fnqejfgg.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3780 -
C:\Windows\SysWOW64\Fehmkchi.exeC:\Windows\system32\Fehmkchi.exe40⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Fhfjgogm.exeC:\Windows\system32\Fhfjgogm.exe41⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Fopbdi32.exeC:\Windows\system32\Fopbdi32.exe42⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Fncboeed.exeC:\Windows\system32\Fncboeed.exe43⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Fdmjlp32.exeC:\Windows\system32\Fdmjlp32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Fhhfmnej.exeC:\Windows\system32\Fhhfmnej.exe45⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Fkgbijdn.exeC:\Windows\system32\Fkgbijdn.exe46⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Foboih32.exeC:\Windows\system32\Foboih32.exe47⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Faqkedkk.exeC:\Windows\system32\Faqkedkk.exe48⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Gdogaojo.exeC:\Windows\system32\Gdogaojo.exe49⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe50⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe51⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe52⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Ggppcjgp.exeC:\Windows\system32\Ggppcjgp.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Goghdhhb.exeC:\Windows\system32\Goghdhhb.exe54⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Gnjhpd32.exeC:\Windows\system32\Gnjhpd32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Geapabpo.exeC:\Windows\system32\Geapabpo.exe56⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ghommmob.exeC:\Windows\system32\Ghommmob.exe57⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Goiejg32.exeC:\Windows\system32\Goiejg32.exe58⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe59⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Gdfmbn32.exeC:\Windows\system32\Gdfmbn32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe61⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Gffjla32.exeC:\Windows\system32\Gffjla32.exe62⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Gonnegbj.exeC:\Windows\system32\Gonnegbj.exe63⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Hfhfba32.exeC:\Windows\system32\Hfhfba32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3616 -
C:\Windows\SysWOW64\Hdkgmnpa.exeC:\Windows\system32\Hdkgmnpa.exe65⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Hkeojh32.exeC:\Windows\system32\Hkeojh32.exe66⤵PID:1396
-
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe67⤵
- Drops file in System32 directory
PID:4360 -
C:\Windows\SysWOW64\Hhioclgg.exeC:\Windows\system32\Hhioclgg.exe68⤵PID:4016
-
C:\Windows\SysWOW64\Hkglpgfk.exeC:\Windows\system32\Hkglpgfk.exe69⤵PID:3964
-
C:\Windows\SysWOW64\Hbadla32.exeC:\Windows\system32\Hbadla32.exe70⤵PID:2236
-
C:\Windows\SysWOW64\Hdpphm32.exeC:\Windows\system32\Hdpphm32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:408 -
C:\Windows\SysWOW64\Hkihegdi.exeC:\Windows\system32\Hkihegdi.exe72⤵PID:1556
-
C:\Windows\SysWOW64\Hoedff32.exeC:\Windows\system32\Hoedff32.exe73⤵PID:3016
-
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe74⤵PID:932
-
C:\Windows\SysWOW64\Hfombpco.exeC:\Windows\system32\Hfombpco.exe75⤵PID:3540
-
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe76⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Hogakejo.exeC:\Windows\system32\Hogakejo.exe77⤵
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe78⤵PID:868
-
C:\Windows\SysWOW64\Hhpedk32.exeC:\Windows\system32\Hhpedk32.exe79⤵PID:3980
-
C:\Windows\SysWOW64\Hojnaehl.exeC:\Windows\system32\Hojnaehl.exe80⤵PID:392
-
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Ihbbjk32.exeC:\Windows\system32\Ihbbjk32.exe82⤵
- System Location Discovery: System Language Discovery
PID:4020 -
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe83⤵PID:2620
-
C:\Windows\SysWOW64\Iffbcomf.exeC:\Windows\system32\Iffbcomf.exe84⤵PID:3264
-
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe85⤵
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4700 -
C:\Windows\SysWOW64\Inaggaka.exeC:\Windows\system32\Inaggaka.exe87⤵PID:1680
-
C:\Windows\SysWOW64\Ifhoiokd.exeC:\Windows\system32\Ifhoiokd.exe88⤵PID:740
-
C:\Windows\SysWOW64\Ikehaejk.exeC:\Windows\system32\Ikehaejk.exe89⤵
- Modifies registry class
PID:4992 -
C:\Windows\SysWOW64\Incdma32.exeC:\Windows\system32\Incdma32.exe90⤵PID:4556
-
C:\Windows\SysWOW64\Ifklnn32.exeC:\Windows\system32\Ifklnn32.exe91⤵PID:5132
-
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe92⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Ikgdfe32.exeC:\Windows\system32\Ikgdfe32.exe93⤵PID:5228
-
C:\Windows\SysWOW64\Infabq32.exeC:\Windows\system32\Infabq32.exe94⤵PID:5272
-
C:\Windows\SysWOW64\Ifmidn32.exeC:\Windows\system32\Ifmidn32.exe95⤵PID:5332
-
C:\Windows\SysWOW64\Ioemmcno.exeC:\Windows\system32\Ioemmcno.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5376 -
C:\Windows\SysWOW64\Jbdiio32.exeC:\Windows\system32\Jbdiio32.exe97⤵PID:5448
-
C:\Windows\SysWOW64\Jebfej32.exeC:\Windows\system32\Jebfej32.exe98⤵PID:5516
-
C:\Windows\SysWOW64\Jinaeidp.exeC:\Windows\system32\Jinaeidp.exe99⤵PID:5560
-
C:\Windows\SysWOW64\Jklnadcc.exeC:\Windows\system32\Jklnadcc.exe100⤵PID:5608
-
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe101⤵
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe102⤵PID:5760
-
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5816 -
C:\Windows\SysWOW64\Jgcofe32.exeC:\Windows\system32\Jgcofe32.exe104⤵PID:5872
-
C:\Windows\SysWOW64\Jojghc32.exeC:\Windows\system32\Jojghc32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5920 -
C:\Windows\SysWOW64\Jnmgcpqd.exeC:\Windows\system32\Jnmgcpqd.exe106⤵PID:5964
-
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe107⤵PID:6004
-
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe108⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Jgeklege.exeC:\Windows\system32\Jgeklege.exe109⤵PID:6096
-
C:\Windows\SysWOW64\Jnocio32.exeC:\Windows\system32\Jnocio32.exe110⤵PID:5124
-
C:\Windows\SysWOW64\Jffljm32.exeC:\Windows\system32\Jffljm32.exe111⤵
- Modifies registry class
PID:5204 -
C:\Windows\SysWOW64\Jiehfh32.exeC:\Windows\system32\Jiehfh32.exe112⤵PID:5312
-
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe113⤵PID:5388
-
C:\Windows\SysWOW64\Jelhki32.exeC:\Windows\system32\Jelhki32.exe114⤵PID:5524
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe115⤵PID:5540
-
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe116⤵
- System Location Discovery: System Language Discovery
PID:5672 -
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe117⤵PID:5808
-
C:\Windows\SysWOW64\Keneqi32.exeC:\Windows\system32\Keneqi32.exe118⤵PID:5912
-
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe119⤵PID:5944
-
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe120⤵PID:6040
-
C:\Windows\SysWOW64\Kfnaklil.exeC:\Windows\system32\Kfnaklil.exe121⤵PID:6136
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-