Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23/11/2024, 05:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe
-
Size
90KB
-
MD5
aed7102964145850199e4959fdfc802b
-
SHA1
1d9cba01e30e7fa16337d9a11a77c4d755c92653
-
SHA256
f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4
-
SHA512
a59a0e6386160787e85bab1ca86eb7af283def5ffce3d2025aaacb7d86fec89c581774d9e3f55ca4f84b2ef932d51430939f54aa5383317c135e29d6f8b3f603
-
SSDEEP
1536:g5mOW7t9Qh7Y+RFXuUki4HDJDGVu/Ub0VkVNK:kmOWMhFu5dHdGVu/Ub0+NK
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajdjin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkmkkjko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbpchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehjol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppfmigl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbgeqmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnddgjbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhjhmhhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpdfnolo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcdmikd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iddljmpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponfka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolmodpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihbip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgohklm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnddgjbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhlejcpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogcgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndgfpbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqmjog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blielbfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpeaoih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pflplnlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oondnini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pplobcpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ackigjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedjjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mockmala.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihphkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgabc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megljppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnpofnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpmapodj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 384 Ncdgcf32.exe 4212 Nlmllkja.exe 1624 Ndcdmikd.exe 2556 Ngbpidjh.exe 4992 Ncianepl.exe 2872 Nnneknob.exe 3728 Nckndeni.exe 852 Nnqbanmo.exe 628 Odkjng32.exe 1992 Ojgbfocc.exe 2164 Odmgcgbi.exe 788 Ofnckp32.exe 1744 Opdghh32.exe 1020 Ocbddc32.exe 5064 Ojllan32.exe 4104 Oqfdnhfk.exe 4152 Ofcmfodb.exe 4548 Oqhacgdh.exe 408 Ocgmpccl.exe 548 Ojaelm32.exe 3968 Pcijeb32.exe 5016 Pnonbk32.exe 2404 Pqmjog32.exe 1048 Pclgkb32.exe 3476 Pcncpbmd.exe 4748 Pflplnlg.exe 3004 Pqbdjfln.exe 4120 Pjjhbl32.exe 2096 Pfaigm32.exe 4764 Qmmnjfnl.exe 1928 Qgcbgo32.exe 4044 Ageolo32.exe 4312 Aclpap32.exe 4916 Agjhgngj.exe 116 Acqimo32.exe 1604 Agoabn32.exe 3740 Bmkjkd32.exe 3060 Bebblb32.exe 3504 Bmngqdpj.exe 4304 Bgcknmop.exe 2364 Bnmcjg32.exe 2744 Bfhhoi32.exe 2340 Bnpppgdj.exe 3660 Bmemac32.exe 4872 Bcoenmao.exe 1304 Cjinkg32.exe 2384 Chmndlge.exe 4544 Cjmgfgdf.exe 1364 Cnkplejl.exe 4620 Cjbpaf32.exe 1184 Dfiafg32.exe 4804 Dhhnpjmh.exe 1900 Dobfld32.exe 3112 Daqbip32.exe 5080 Dhkjej32.exe 4016 Dodbbdbb.exe 3444 Daconoae.exe 3972 Ddakjkqi.exe 3852 Dkkcge32.exe 4284 Deagdn32.exe 4980 Dgbdlf32.exe 1784 Doilmc32.exe 3248 Eecdjmfi.exe 2264 Ekpmbddq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Opdghh32.exe Ofnckp32.exe File opened for modification C:\Windows\SysWOW64\Ageolo32.exe Qgcbgo32.exe File opened for modification C:\Windows\SysWOW64\Iomcgl32.exe Iickkbje.exe File created C:\Windows\SysWOW64\Dblgpl32.exe Dkbocbog.exe File opened for modification C:\Windows\SysWOW64\Ipjoja32.exe Iedjmioj.exe File created C:\Windows\SysWOW64\Glokko32.dll Hnoklk32.exe File created C:\Windows\SysWOW64\Ciepangh.dll Llbidimc.exe File opened for modification C:\Windows\SysWOW64\Igedlh32.exe Iqklon32.exe File created C:\Windows\SysWOW64\Jbfheo32.exe Jjopcb32.exe File created C:\Windows\SysWOW64\Ohiemobf.exe Ooqqdi32.exe File created C:\Windows\SysWOW64\Pefabkej.exe Pmoiqneg.exe File opened for modification C:\Windows\SysWOW64\Ekajec32.exe Eqlfhjig.exe File created C:\Windows\SysWOW64\Dodbbdbb.exe Dhkjej32.exe File opened for modification C:\Windows\SysWOW64\Eonehbjg.exe Edhakj32.exe File created C:\Windows\SysWOW64\Pleaoa32.exe Pflibgil.exe File created C:\Windows\SysWOW64\Igbcbhgq.dll Fggocmhf.exe File created C:\Windows\SysWOW64\Hmokmkpo.dll Kjhloj32.exe File created C:\Windows\SysWOW64\Iickkbje.exe Ifdonfka.exe File created C:\Windows\SysWOW64\Ccgjopal.exe Ckpbnb32.exe File created C:\Windows\SysWOW64\Jfhepbll.dll Dkbocbog.exe File created C:\Windows\SysWOW64\Fibhpbea.exe Fdepgkgj.exe File created C:\Windows\SysWOW64\Cbbnpg32.exe Cleegp32.exe File created C:\Windows\SysWOW64\Mlkpophj.dll Hmdlmg32.exe File created C:\Windows\SysWOW64\Cpkgohbq.dll Aogbfi32.exe File opened for modification C:\Windows\SysWOW64\Nfgklkoc.exe Momcpa32.exe File created C:\Windows\SysWOW64\Glgmkm32.dll Nnqbanmo.exe File created C:\Windows\SysWOW64\Ibpiogmp.exe Ikfabm32.exe File created C:\Windows\SysWOW64\Kqjkhbpd.dll Dpnbog32.exe File opened for modification C:\Windows\SysWOW64\Nfihbk32.exe Nbnlaldg.exe File created C:\Windows\SysWOW64\Oomibind.dll Pclgkb32.exe File created C:\Windows\SysWOW64\Kkfcndce.exe Kelkaj32.exe File opened for modification C:\Windows\SysWOW64\Fndpmndl.exe Fgjhpcmo.exe File opened for modification C:\Windows\SysWOW64\Geoapenf.exe Gpaihooo.exe File opened for modification C:\Windows\SysWOW64\Mfjcnold.exe Mockmala.exe File opened for modification C:\Windows\SysWOW64\Qjlnnemp.exe Pofjpl32.exe File opened for modification C:\Windows\SysWOW64\Ihphkl32.exe Iddljmpc.exe File opened for modification C:\Windows\SysWOW64\Bhamkipi.exe Bbgeno32.exe File created C:\Windows\SysWOW64\Mlmgnn32.dll Bbgeno32.exe File created C:\Windows\SysWOW64\Igpdfb32.exe Ipflihfq.exe File opened for modification C:\Windows\SysWOW64\Idfaefkd.exe Inlihl32.exe File created C:\Windows\SysWOW64\Dfookdli.dll Nnicid32.exe File opened for modification C:\Windows\SysWOW64\Ekjded32.exe Eqdpgk32.exe File created C:\Windows\SysWOW64\Booogccm.dll Odmgcgbi.exe File opened for modification C:\Windows\SysWOW64\Dodbbdbb.exe Dhkjej32.exe File created C:\Windows\SysWOW64\Okjodami.dll Bfedoc32.exe File created C:\Windows\SysWOW64\Idhmabfb.dll Jbfheo32.exe File created C:\Windows\SysWOW64\Legjmh32.exe Lgcjdd32.exe File opened for modification C:\Windows\SysWOW64\Oqhacgdh.exe Ofcmfodb.exe File created C:\Windows\SysWOW64\Qgcbgo32.exe Qmmnjfnl.exe File opened for modification C:\Windows\SysWOW64\Khpgckkb.exe Kimghn32.exe File created C:\Windows\SysWOW64\Eplgeokq.exe Emmkiclm.exe File created C:\Windows\SysWOW64\Ojbacd32.exe Najmjokc.exe File created C:\Windows\SysWOW64\Cnnjancb.dll Glhimp32.exe File created C:\Windows\SysWOW64\Eoideh32.exe Efpomccg.exe File opened for modification C:\Windows\SysWOW64\Nhpiafnm.exe Nebmekoi.exe File opened for modification C:\Windows\SysWOW64\Fggocmhf.exe Fmnkkg32.exe File created C:\Windows\SysWOW64\Glaecb32.dll Ggahedjn.exe File created C:\Windows\SysWOW64\Qjpnpd32.dll Jnjejjgh.exe File created C:\Windows\SysWOW64\Bhpopokm.dll Ffnknafg.exe File created C:\Windows\SysWOW64\Gaaklfpn.dll Ppnenlka.exe File opened for modification C:\Windows\SysWOW64\Gaefgd32.exe Gklnjj32.exe File opened for modification C:\Windows\SysWOW64\Gpkchqdj.exe Gahcmd32.exe File created C:\Windows\SysWOW64\Gmfplibd.exe Gbalopbn.exe File created C:\Windows\SysWOW64\Lnoaaaad.exe Lomqcjie.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10208 7700 WerFault.exe 1026 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmgcgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aompak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonhghjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjichj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbaojpgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codhnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjnifbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkphhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnkkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhghcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppqqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nelfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpmagqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhpao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhafffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doccpcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfldgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibnligoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poodpmca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonlfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekpmbddq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjhpcmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lindkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpochfji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflplnlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfeeimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joahqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqdblmhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbiip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehndnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhpimhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahgad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahaplon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbiejoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppikbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjhgngj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaqhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofecami.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfjijgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiffqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldhfpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjccdkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfggbllc.dll" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enigke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pclgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agjhgngj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kelalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckmonl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jljbeali.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlkipgpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klbnajqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljbnfleo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnpofnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niakfbpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Damfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll" Njljch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aboiil32.dll" Iohjlmeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdpkflfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankkea32.dll" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbhboolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdoacabq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eolhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmipblaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cibmlmeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfcabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll" f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhiofap.dll" Jdbhkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emhldnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcldf32.dll" Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoaedogc.dll" Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll" Qodeajbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caienjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnofdl32.dll" Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iogkekkb.dll" Cbbnpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmfplibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfqgab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmpocjfb.dll" Mbedga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nibbqicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnilk32.dll" Cmklglpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfhndpol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqdpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll" Giljfddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjcbkij.dll" Eolhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbolp32.dll" Kechmoil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpglnhad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbcbhgq.dll" Fggocmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgiklme.dll" Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppadmq32.dll" Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqecq32.dll" Emhkdmlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocbddc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnoklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbhamajc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnnnnod.dll" Jbaojpgb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3216 wrote to memory of 384 3216 f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe 82 PID 3216 wrote to memory of 384 3216 f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe 82 PID 3216 wrote to memory of 384 3216 f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe 82 PID 384 wrote to memory of 4212 384 Ncdgcf32.exe 83 PID 384 wrote to memory of 4212 384 Ncdgcf32.exe 83 PID 384 wrote to memory of 4212 384 Ncdgcf32.exe 83 PID 4212 wrote to memory of 1624 4212 Nlmllkja.exe 84 PID 4212 wrote to memory of 1624 4212 Nlmllkja.exe 84 PID 4212 wrote to memory of 1624 4212 Nlmllkja.exe 84 PID 1624 wrote to memory of 2556 1624 Ndcdmikd.exe 85 PID 1624 wrote to memory of 2556 1624 Ndcdmikd.exe 85 PID 1624 wrote to memory of 2556 1624 Ndcdmikd.exe 85 PID 2556 wrote to memory of 4992 2556 Ngbpidjh.exe 86 PID 2556 wrote to memory of 4992 2556 Ngbpidjh.exe 86 PID 2556 wrote to memory of 4992 2556 Ngbpidjh.exe 86 PID 4992 wrote to memory of 2872 4992 Ncianepl.exe 87 PID 4992 wrote to memory of 2872 4992 Ncianepl.exe 87 PID 4992 wrote to memory of 2872 4992 Ncianepl.exe 87 PID 2872 wrote to memory of 3728 2872 Nnneknob.exe 88 PID 2872 wrote to memory of 3728 2872 Nnneknob.exe 88 PID 2872 wrote to memory of 3728 2872 Nnneknob.exe 88 PID 3728 wrote to memory of 852 3728 Nckndeni.exe 89 PID 3728 wrote to memory of 852 3728 Nckndeni.exe 89 PID 3728 wrote to memory of 852 3728 Nckndeni.exe 89 PID 852 wrote to memory of 628 852 Nnqbanmo.exe 90 PID 852 wrote to memory of 628 852 Nnqbanmo.exe 90 PID 852 wrote to memory of 628 852 Nnqbanmo.exe 90 PID 628 wrote to memory of 1992 628 Odkjng32.exe 91 PID 628 wrote to memory of 1992 628 Odkjng32.exe 91 PID 628 wrote to memory of 1992 628 Odkjng32.exe 91 PID 1992 wrote to memory of 2164 1992 Ojgbfocc.exe 92 PID 1992 wrote to memory of 2164 1992 Ojgbfocc.exe 92 PID 1992 wrote to memory of 2164 1992 Ojgbfocc.exe 92 PID 2164 wrote to memory of 788 2164 Odmgcgbi.exe 93 PID 2164 wrote to memory of 788 2164 Odmgcgbi.exe 93 PID 2164 wrote to memory of 788 2164 Odmgcgbi.exe 93 PID 788 wrote to memory of 1744 788 Ofnckp32.exe 94 PID 788 wrote to memory of 1744 788 Ofnckp32.exe 94 PID 788 wrote to memory of 1744 788 Ofnckp32.exe 94 PID 1744 wrote to memory of 1020 1744 Opdghh32.exe 95 PID 1744 wrote to memory of 1020 1744 Opdghh32.exe 95 PID 1744 wrote to memory of 1020 1744 Opdghh32.exe 95 PID 1020 wrote to memory of 5064 1020 Ocbddc32.exe 96 PID 1020 wrote to memory of 5064 1020 Ocbddc32.exe 96 PID 1020 wrote to memory of 5064 1020 Ocbddc32.exe 96 PID 5064 wrote to memory of 4104 5064 Ojllan32.exe 97 PID 5064 wrote to memory of 4104 5064 Ojllan32.exe 97 PID 5064 wrote to memory of 4104 5064 Ojllan32.exe 97 PID 4104 wrote to memory of 4152 4104 Oqfdnhfk.exe 98 PID 4104 wrote to memory of 4152 4104 Oqfdnhfk.exe 98 PID 4104 wrote to memory of 4152 4104 Oqfdnhfk.exe 98 PID 4152 wrote to memory of 4548 4152 Ofcmfodb.exe 99 PID 4152 wrote to memory of 4548 4152 Ofcmfodb.exe 99 PID 4152 wrote to memory of 4548 4152 Ofcmfodb.exe 99 PID 4548 wrote to memory of 408 4548 Oqhacgdh.exe 100 PID 4548 wrote to memory of 408 4548 Oqhacgdh.exe 100 PID 4548 wrote to memory of 408 4548 Oqhacgdh.exe 100 PID 408 wrote to memory of 548 408 Ocgmpccl.exe 101 PID 408 wrote to memory of 548 408 Ocgmpccl.exe 101 PID 408 wrote to memory of 548 408 Ocgmpccl.exe 101 PID 548 wrote to memory of 3968 548 Ojaelm32.exe 102 PID 548 wrote to memory of 3968 548 Ojaelm32.exe 102 PID 548 wrote to memory of 3968 548 Ojaelm32.exe 102 PID 3968 wrote to memory of 5016 3968 Pcijeb32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe"C:\Users\Admin\AppData\Local\Temp\f95a4e9c663c9f9c0e25ae670970b146d83d983868bdfa6029fdbaf912e875f4.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe23⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe26⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4748 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe28⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe29⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe30⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4764 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe33⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe34⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4916 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe36⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe37⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe38⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe39⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe40⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe41⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe43⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe44⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe45⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe46⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe47⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe49⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe50⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe51⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe52⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe53⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe54⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe55⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5080 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe57⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe58⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe59⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe61⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe62⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe63⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe64⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe66⤵
- Modifies registry class
PID:4236 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe67⤵
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe68⤵PID:1444
-
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe69⤵PID:4356
-
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe70⤵PID:4028
-
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe71⤵PID:892
-
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe72⤵
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe73⤵PID:4288
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe74⤵PID:2060
-
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe75⤵
- System Location Discovery: System Language Discovery
PID:3188 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe76⤵PID:3928
-
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe77⤵PID:4724
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe78⤵PID:1732
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe79⤵PID:1224
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe80⤵PID:1588
-
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe81⤵PID:320
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe82⤵PID:2896
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe83⤵PID:2236
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe84⤵PID:3100
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe86⤵PID:2904
-
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe87⤵PID:3892
-
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4828 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe89⤵PID:3228
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe90⤵PID:4556
-
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3416 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe92⤵PID:3548
-
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe93⤵PID:4376
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe94⤵
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe95⤵PID:4932
-
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe96⤵PID:5012
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe97⤵
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe98⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe99⤵PID:5128
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe100⤵PID:5184
-
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe101⤵PID:5232
-
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe102⤵
- System Location Discovery: System Language Discovery
PID:5276 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5320 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe104⤵PID:5364
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe105⤵PID:5408
-
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe106⤵PID:5456
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe107⤵PID:5500
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe108⤵PID:5548
-
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe109⤵PID:5592
-
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe110⤵PID:5636
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe111⤵PID:5680
-
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe112⤵PID:5724
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe113⤵PID:5768
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe114⤵PID:5812
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe115⤵PID:5856
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe116⤵PID:5900
-
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe117⤵PID:5944
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe118⤵PID:5988
-
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe119⤵
- Modifies registry class
PID:6032 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe120⤵
- System Location Discovery: System Language Discovery
PID:6076 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe121⤵PID:6124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-