Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 20:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790.exe
-
Size
42KB
-
MD5
8ca6b6f180f5dfd1a5b3f9e5430db026
-
SHA1
9a4d508efcf4d68d5985519899a45750f304ff1e
-
SHA256
29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790
-
SHA512
9d0feb1c7b44bd8cf1125df81c1d3e086a2cfc225d0a5647d107bfa9a71e742d5a6add5117cce92f937c44d4c50969bff3728e7a81309ed846423ce1e53a1a2d
-
SSDEEP
768:yYo0jt1H+Sco58vH3StFIbfK6EitN5w8WyvGsrMoF1bWOp706GhT/1H5K:00jt1e7o0Him2opwtsoS16hF
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lndagg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkkkcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikndgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oimkbaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcbfakec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idieem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgnbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olijhmgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibhpbea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdcjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcpmen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfamapjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oldamm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keimof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aehgnied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomoenej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpfqcln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhboolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgibkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqmlknnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmpfbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnhghcki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmnqjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaekqhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkcqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpglnhad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfoann32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdckaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doaneiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkgnfhnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhjcchb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iplkpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlpaoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdejd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fielph32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2308 Ohlimd32.exe 5028 Opcqnb32.exe 4480 Oofaiokl.exe 3452 Oepifi32.exe 1540 Oljaccjf.exe 4888 Oohnonij.exe 3920 Oebflhaf.exe 2508 Ollnhb32.exe 4808 Ookjdn32.exe 1460 Pedbahod.exe 3628 Phcomcng.exe 2476 Pomgjn32.exe 4796 Pgdokkfg.exe 116 Pjbkgfej.exe 4028 Pckppl32.exe 3932 Pfillg32.exe 4332 Plcdiabk.exe 4812 Poaqemao.exe 3656 Pgihfj32.exe 896 Pjgebf32.exe 2224 Ppamophb.exe 3804 Pcpikkge.exe 2264 Qcbfakec.exe 4424 Qgnbaj32.exe 2220 Qfpbmfdf.exe 1312 Qqffjo32.exe 1420 Qgpogili.exe 2352 Qlmgopjq.exe 3180 Acgolj32.exe 1852 Ahchda32.exe 4568 Agdhbi32.exe 4392 Aqmlknnd.exe 4396 Ackigjmh.exe 3032 Aihaoqlp.exe 4992 Acnemi32.exe 5000 Amfjeobf.exe 1600 Aglnbhal.exe 2120 Ajjjocap.exe 1760 Bqdblmhl.exe 4180 Bogcgj32.exe 3152 Bjlgdc32.exe 1132 Bmkcqn32.exe 1324 Bcelmhen.exe 4352 Bjodjb32.exe 1932 Biadeoce.exe 3576 Bcghch32.exe 4312 Bgbdcgld.exe 1608 Bmomlnjk.exe 1872 Bciehh32.exe 1256 Bgeaifia.exe 1692 Bifmqo32.exe 4856 Bjfjka32.exe 2992 Cmdfgm32.exe 1172 Ccnncgmc.exe 3416 Cjhfpa32.exe 1040 Cabomkll.exe 2956 Cglgjeci.exe 3096 Cjjcfabm.exe 1092 Cmipblaq.exe 1100 Cpglnhad.exe 2180 Cjmpkqqj.exe 3868 Cippgm32.exe 3156 Cpihcgoa.exe 4660 Cfcqpa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nmnpml32.dll Eplgeokq.exe File created C:\Windows\SysWOW64\Amlkko32.dll Kdbjhbbd.exe File created C:\Windows\SysWOW64\Lmafqb32.dll Mccfdmmo.exe File created C:\Windows\SysWOW64\Oodcdb32.exe Olfghg32.exe File created C:\Windows\SysWOW64\Lfklem32.dll Aehgnied.exe File created C:\Windows\SysWOW64\Fflohaij.exe Fpbflg32.exe File created C:\Windows\SysWOW64\Nmocfo32.dll Pdmdnadc.exe File created C:\Windows\SysWOW64\Maodigil.exe Mnphmkji.exe File created C:\Windows\SysWOW64\Kioghlbd.dll Qpeahb32.exe File opened for modification C:\Windows\SysWOW64\Cpihcgoa.exe Cippgm32.exe File opened for modification C:\Windows\SysWOW64\Hloqml32.exe Hmlpaoaj.exe File opened for modification C:\Windows\SysWOW64\Odhifjkg.exe Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Dmadco32.exe Ddjmba32.exe File created C:\Windows\SysWOW64\Gdaklmfn.dll Fijkdmhn.exe File created C:\Windows\SysWOW64\Loighj32.exe Lljklo32.exe File opened for modification C:\Windows\SysWOW64\Ffaong32.exe Fpggamqc.exe File created C:\Windows\SysWOW64\Mmddqemj.dll Oodcdb32.exe File opened for modification C:\Windows\SysWOW64\Popbpqjh.exe Phfjcf32.exe File created C:\Windows\SysWOW64\Ogjdmbil.exe Opclldhj.exe File created C:\Windows\SysWOW64\Pedbahod.exe Ookjdn32.exe File created C:\Windows\SysWOW64\Imjfmjln.dll Jnfcia32.exe File created C:\Windows\SysWOW64\Oklkdi32.exe Olijhmgj.exe File created C:\Windows\SysWOW64\Nmenca32.exe Nnbnhedj.exe File opened for modification C:\Windows\SysWOW64\Edmclccp.exe Embkoi32.exe File opened for modification C:\Windows\SysWOW64\Emmdom32.exe Eiahnnph.exe File opened for modification C:\Windows\SysWOW64\Qqffjo32.exe Qfpbmfdf.exe File created C:\Windows\SysWOW64\Bgbdcgld.exe Bcghch32.exe File opened for modification C:\Windows\SysWOW64\Bhcjqinf.exe Bjpjel32.exe File opened for modification C:\Windows\SysWOW64\Dbndfl32.exe Dmalne32.exe File opened for modification C:\Windows\SysWOW64\Fijkdmhn.exe Fflohaij.exe File created C:\Windows\SysWOW64\Ddipic32.dll Hefnkkkj.exe File created C:\Windows\SysWOW64\Kmmmic32.dll Opcqnb32.exe File created C:\Windows\SysWOW64\Epjajeqo.exe Dfamapjo.exe File opened for modification C:\Windows\SysWOW64\Jcgnbaeo.exe Jddnfd32.exe File created C:\Windows\SysWOW64\Fklenm32.dll Pdhbmh32.exe File opened for modification C:\Windows\SysWOW64\Efblbbqd.exe Eoideh32.exe File created C:\Windows\SysWOW64\Qeekll32.dll Epjajeqo.exe File created C:\Windows\SysWOW64\Bgbfaeek.dll Gpfjma32.exe File created C:\Windows\SysWOW64\Kifona32.dll Pocfpf32.exe File opened for modification C:\Windows\SysWOW64\Mnkggfkb.exe Mjokgg32.exe File opened for modification C:\Windows\SysWOW64\Dbicpfdk.exe Dkokcl32.exe File opened for modification C:\Windows\SysWOW64\Ebdcld32.exe Eofgpikj.exe File created C:\Windows\SysWOW64\Fmplqd32.dll Lfeljd32.exe File opened for modification C:\Windows\SysWOW64\Lqkqhm32.exe Lnldla32.exe File created C:\Windows\SysWOW64\Comjoclk.dll Jddnfd32.exe File opened for modification C:\Windows\SysWOW64\Kfnfjehl.exe Kcpjnjii.exe File created C:\Windows\SysWOW64\Pfoann32.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Malgcg32.exe Mnnkgl32.exe File created C:\Windows\SysWOW64\Iophfi32.dll Hfaajnfb.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Lncjlq32.exe File opened for modification C:\Windows\SysWOW64\Nagiji32.exe Nmkmjjaa.exe File opened for modification C:\Windows\SysWOW64\Pnplfj32.exe Phfcipoo.exe File opened for modification C:\Windows\SysWOW64\Ahchda32.exe Acgolj32.exe File created C:\Windows\SysWOW64\Efkphnbd.exe Edmclccp.exe File created C:\Windows\SysWOW64\Imjekecm.dll Gahcmd32.exe File created C:\Windows\SysWOW64\Ghdief32.dll Lkeekk32.exe File created C:\Windows\SysWOW64\Eppjfgcp.exe Emanjldl.exe File created C:\Windows\SysWOW64\Lncjlq32.exe Lflbkcll.exe File created C:\Windows\SysWOW64\Njfkmphe.exe Nclbpf32.exe File opened for modification C:\Windows\SysWOW64\Njfkmphe.exe Nclbpf32.exe File created C:\Windows\SysWOW64\Ggbook32.exe Gphgbafl.exe File created C:\Windows\SysWOW64\Nhpbfpka.exe Neafjdkn.exe File opened for modification C:\Windows\SysWOW64\Hpofii32.exe Hmpjmn32.exe File opened for modification C:\Windows\SysWOW64\Lndagg32.exe Lkeekk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1092 4324 WerFault.exe 1007 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnaaib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loighj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adndoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhglj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknqoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaqbbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocacl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpiecd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaekqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecjif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiccajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomkcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakbehfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjlic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohbhmfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbanbmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcbodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpdnedf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acgolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgcakon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkdgchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdimqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfpbmfdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfillg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akccap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbabigfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdamgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkgkapm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilccoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaaaeqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjichj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdhbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbdcgld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmmboed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkpdcmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhahaiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjopcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflide32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikcfnkf.dll" Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgajfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll" Jgkmgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjlopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mniallpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jedccfqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnoaaaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll" Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jklinohd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Ebnfbcbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onapdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkapdda.dll" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdbpmock.dll" Cfqmpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbfbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll" Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkgmlcm.dll" Ggbook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njiekege.dll" Bjicdmmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgmeigd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqmlknnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpdfl32.dll" Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmhabha.dll" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhjoabm.dll" Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnkmnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpeei32.dll" Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfkbf32.dll" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coknoaic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffangg32.dll" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmehdam.dll" Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlghoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejlbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblimcdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logooemi.dll" Jbkbpoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohkbbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mknjbg32.dll" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll" Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnmaea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifona32.dll" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okjnnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clgbmp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 2308 5076 29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790.exe 82 PID 5076 wrote to memory of 2308 5076 29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790.exe 82 PID 5076 wrote to memory of 2308 5076 29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790.exe 82 PID 2308 wrote to memory of 5028 2308 Ohlimd32.exe 83 PID 2308 wrote to memory of 5028 2308 Ohlimd32.exe 83 PID 2308 wrote to memory of 5028 2308 Ohlimd32.exe 83 PID 5028 wrote to memory of 4480 5028 Opcqnb32.exe 84 PID 5028 wrote to memory of 4480 5028 Opcqnb32.exe 84 PID 5028 wrote to memory of 4480 5028 Opcqnb32.exe 84 PID 4480 wrote to memory of 3452 4480 Oofaiokl.exe 85 PID 4480 wrote to memory of 3452 4480 Oofaiokl.exe 85 PID 4480 wrote to memory of 3452 4480 Oofaiokl.exe 85 PID 3452 wrote to memory of 1540 3452 Oepifi32.exe 86 PID 3452 wrote to memory of 1540 3452 Oepifi32.exe 86 PID 3452 wrote to memory of 1540 3452 Oepifi32.exe 86 PID 1540 wrote to memory of 4888 1540 Oljaccjf.exe 87 PID 1540 wrote to memory of 4888 1540 Oljaccjf.exe 87 PID 1540 wrote to memory of 4888 1540 Oljaccjf.exe 87 PID 4888 wrote to memory of 3920 4888 Oohnonij.exe 88 PID 4888 wrote to memory of 3920 4888 Oohnonij.exe 88 PID 4888 wrote to memory of 3920 4888 Oohnonij.exe 88 PID 3920 wrote to memory of 2508 3920 Oebflhaf.exe 89 PID 3920 wrote to memory of 2508 3920 Oebflhaf.exe 89 PID 3920 wrote to memory of 2508 3920 Oebflhaf.exe 89 PID 2508 wrote to memory of 4808 2508 Ollnhb32.exe 90 PID 2508 wrote to memory of 4808 2508 Ollnhb32.exe 90 PID 2508 wrote to memory of 4808 2508 Ollnhb32.exe 90 PID 4808 wrote to memory of 1460 4808 Ookjdn32.exe 91 PID 4808 wrote to memory of 1460 4808 Ookjdn32.exe 91 PID 4808 wrote to memory of 1460 4808 Ookjdn32.exe 91 PID 1460 wrote to memory of 3628 1460 Pedbahod.exe 92 PID 1460 wrote to memory of 3628 1460 Pedbahod.exe 92 PID 1460 wrote to memory of 3628 1460 Pedbahod.exe 92 PID 3628 wrote to memory of 2476 3628 Phcomcng.exe 93 PID 3628 wrote to memory of 2476 3628 Phcomcng.exe 93 PID 3628 wrote to memory of 2476 3628 Phcomcng.exe 93 PID 2476 wrote to memory of 4796 2476 Pomgjn32.exe 94 PID 2476 wrote to memory of 4796 2476 Pomgjn32.exe 94 PID 2476 wrote to memory of 4796 2476 Pomgjn32.exe 94 PID 4796 wrote to memory of 116 4796 Pgdokkfg.exe 95 PID 4796 wrote to memory of 116 4796 Pgdokkfg.exe 95 PID 4796 wrote to memory of 116 4796 Pgdokkfg.exe 95 PID 116 wrote to memory of 4028 116 Pjbkgfej.exe 96 PID 116 wrote to memory of 4028 116 Pjbkgfej.exe 96 PID 116 wrote to memory of 4028 116 Pjbkgfej.exe 96 PID 4028 wrote to memory of 3932 4028 Pckppl32.exe 97 PID 4028 wrote to memory of 3932 4028 Pckppl32.exe 97 PID 4028 wrote to memory of 3932 4028 Pckppl32.exe 97 PID 3932 wrote to memory of 4332 3932 Pfillg32.exe 98 PID 3932 wrote to memory of 4332 3932 Pfillg32.exe 98 PID 3932 wrote to memory of 4332 3932 Pfillg32.exe 98 PID 4332 wrote to memory of 4812 4332 Plcdiabk.exe 99 PID 4332 wrote to memory of 4812 4332 Plcdiabk.exe 99 PID 4332 wrote to memory of 4812 4332 Plcdiabk.exe 99 PID 4812 wrote to memory of 3656 4812 Poaqemao.exe 100 PID 4812 wrote to memory of 3656 4812 Poaqemao.exe 100 PID 4812 wrote to memory of 3656 4812 Poaqemao.exe 100 PID 3656 wrote to memory of 896 3656 Pgihfj32.exe 101 PID 3656 wrote to memory of 896 3656 Pgihfj32.exe 101 PID 3656 wrote to memory of 896 3656 Pgihfj32.exe 101 PID 896 wrote to memory of 2224 896 Pjgebf32.exe 102 PID 896 wrote to memory of 2224 896 Pjgebf32.exe 102 PID 896 wrote to memory of 2224 896 Pjgebf32.exe 102 PID 2224 wrote to memory of 3804 2224 Ppamophb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790.exe"C:\Users\Admin\AppData\Local\Temp\29c7a5e792165576da6bd417e4e59e10dbf8eae33f110986fc0a7de21e651790.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe23⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe27⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe28⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe29⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3180 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe31⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4392 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe34⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe35⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe36⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe37⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe38⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe39⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe40⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe41⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe42⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe44⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe45⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe46⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4312 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe49⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe50⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe51⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe53⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe54⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe55⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe56⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe57⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe59⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe60⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe62⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3868 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe64⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe65⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe66⤵PID:4012
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe67⤵
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe68⤵PID:1260
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe70⤵PID:528
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe71⤵PID:744
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe72⤵PID:2528
-
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe73⤵PID:2740
-
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe74⤵PID:4944
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe75⤵PID:2988
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe76⤵PID:2608
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe77⤵PID:4940
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe78⤵PID:608
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe79⤵PID:4764
-
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe80⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe81⤵PID:2232
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe82⤵PID:1616
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe84⤵
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe85⤵PID:3588
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe86⤵PID:1648
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe87⤵PID:2596
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe88⤵PID:2780
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe89⤵PID:2776
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe90⤵
- System Location Discovery: System Language Discovery
PID:4328 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe91⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe92⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe93⤵PID:3320
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe94⤵PID:4236
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe95⤵PID:2868
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe96⤵
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe97⤵
- System Location Discovery: System Language Discovery
PID:4360 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe98⤵PID:1084
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe100⤵PID:3740
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe101⤵PID:4408
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:736 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe103⤵PID:1592
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe104⤵PID:4892
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe105⤵PID:1580
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe106⤵PID:3744
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe108⤵PID:4336
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe109⤵PID:4100
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe110⤵PID:4452
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe111⤵PID:4140
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe112⤵PID:4552
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe114⤵PID:3640
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe115⤵PID:4256
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe116⤵
- System Location Discovery: System Language Discovery
PID:3448 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe117⤵
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe118⤵PID:4260
-
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe119⤵PID:2632
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe120⤵PID:3436
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe121⤵PID:5132
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-