Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-01-2025 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe
-
Size
96KB
-
MD5
9ed50d6ec6ff5e28245b59ff4c2ba058
-
SHA1
412e3cf66d65719cda4d456a1c1fd2598f02d95b
-
SHA256
a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414
-
SHA512
cfab59986c240a99a3c37f7ebe9461b81449e14590504c404ade170676dfe0bee117690fdd1a7047c4be242210237a05a843b2d01c5cb0ab597311c3f12b9bea
-
SSDEEP
1536:M9FbQJGZV2SicCKo4cqW2L+ZS/FCb4noaJSNzJOH:IFbQ8wS/T7+ZSs4noakXOH
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpajgmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokgdkeh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflkbanj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kechmoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibojhim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offnhpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdcoim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boklbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpihcgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpijpdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nomncpcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihqoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnldla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhmpagkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ploknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Allpejfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afhohlbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnnpdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikcmbfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcepgmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feocelll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflkbanj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jinboekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akqfkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfaigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkifmjq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddonekbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebmekoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedjmioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akkffkhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmnoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinboekc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlegnjbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbfpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4716 Klqcioba.exe 2480 Kdgljmcd.exe 4168 Lmppcbjd.exe 720 Llcpoo32.exe 632 Ldjhpl32.exe 5116 Lfhdlh32.exe 5032 Lmbmibhb.exe 4852 Lboeaifi.exe 1276 Liimncmf.exe 4084 Lpcfkm32.exe 4296 Lgmngglp.exe 3720 Lljfpnjg.exe 3908 Ldanqkki.exe 776 Lebkhc32.exe 4540 Lphoelqn.exe 4512 Mgagbf32.exe 2256 Mpjlklok.exe 2968 Mgddhf32.exe 4628 Mibpda32.exe 4256 Mdhdajea.exe 3188 Miemjaci.exe 2944 Mpoefk32.exe 4368 Mgimcebb.exe 1452 Mlefklpj.exe 4420 Mdmnlj32.exe 1164 Mgkjhe32.exe 1508 Mlhbal32.exe 2288 Npcoakfp.exe 2372 Ngmgne32.exe 2084 Nngokoej.exe 1704 Npfkgjdn.exe 4228 Ncdgcf32.exe 2360 Nebdoa32.exe 4312 Nlmllkja.exe 4396 Ncfdie32.exe 4656 Nloiakho.exe 944 Ndfqbhia.exe 2340 Ngdmod32.exe 3156 Nlaegk32.exe 4180 Ndhmhh32.exe 3320 Ognpebpj.exe 2864 Odapnf32.exe 2604 Ogpmjb32.exe 1388 Onjegled.exe 2236 Ofeilobp.exe 4048 Pmoahijl.exe 2408 Pfhfan32.exe 2960 Pggbkagp.exe 1332 Pnakhkol.exe 2888 Pgioqq32.exe 4912 Pncgmkmj.exe 1928 Pdmpje32.exe 3400 Pjjhbl32.exe 3548 Pcbmka32.exe 112 Pfaigm32.exe 4372 Qqfmde32.exe 1128 Qnjnnj32.exe 3488 Qcgffqei.exe 2572 Ajanck32.exe 2292 Afhohlbj.exe 3200 Afjlnk32.exe 444 Amddjegd.exe 4260 Afmhck32.exe 1812 Andqdh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ikaggmii.exe Igfkfo32.exe File opened for modification C:\Windows\SysWOW64\Ooagno32.exe Opogbbig.exe File opened for modification C:\Windows\SysWOW64\Fpeafcfa.exe Filiii32.exe File created C:\Windows\SysWOW64\Pofkjd32.dll Gfkbde32.exe File opened for modification C:\Windows\SysWOW64\Fhdohp32.exe Fajgkfio.exe File opened for modification C:\Windows\SysWOW64\Hammhcij.exe Hjedffig.exe File created C:\Windows\SysWOW64\Iknmla32.exe Idcepgmg.exe File created C:\Windows\SysWOW64\Bchign32.dll Lnadagbm.exe File opened for modification C:\Windows\SysWOW64\Efblbbqd.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Iocbnhog.dll Mjaabq32.exe File created C:\Windows\SysWOW64\Nefped32.exe Nolgijpk.exe File opened for modification C:\Windows\SysWOW64\Qaflgago.exe Qkmdkgob.exe File created C:\Windows\SysWOW64\Ncfdie32.exe Nlmllkja.exe File created C:\Windows\SysWOW64\Pialao32.dll Mpqkad32.exe File opened for modification C:\Windows\SysWOW64\Opadhb32.exe Olehhc32.exe File created C:\Windows\SysWOW64\Qeapfm32.dll Amcmpodi.exe File created C:\Windows\SysWOW64\Chembclp.dll Fhmigagd.exe File created C:\Windows\SysWOW64\Mnphmkji.exe Mhfppabl.exe File created C:\Windows\SysWOW64\Onpjichj.exe Oalipoiq.exe File created C:\Windows\SysWOW64\Fechok32.dll Omgcpokp.exe File opened for modification C:\Windows\SysWOW64\Cdecgbfa.exe Cljobphg.exe File created C:\Windows\SysWOW64\Iedjmioj.exe Ibfnqmpf.exe File created C:\Windows\SysWOW64\Opcqnb32.exe Ohlimd32.exe File created C:\Windows\SysWOW64\Mehcdfch.exe Mbighjdd.exe File created C:\Windows\SysWOW64\Pakllc32.exe Polppg32.exe File opened for modification C:\Windows\SysWOW64\Lgbloglj.exe Lqhdbm32.exe File created C:\Windows\SysWOW64\Ppolhcnm.exe Phcgcqab.exe File created C:\Windows\SysWOW64\Qgaeof32.dll Afbgkl32.exe File opened for modification C:\Windows\SysWOW64\Beihma32.exe Bjddphlq.exe File created C:\Windows\SysWOW64\Mojhgbdl.exe Mlklkgei.exe File created C:\Windows\SysWOW64\Ncjginjn.exe Nlqomd32.exe File created C:\Windows\SysWOW64\Npbgmepl.dll Bfhadc32.exe File created C:\Windows\SysWOW64\Idkbkl32.exe Iqpfjnba.exe File created C:\Windows\SysWOW64\Bogkmgba.exe Bklomh32.exe File opened for modification C:\Windows\SysWOW64\Gojnko32.exe Gddinf32.exe File opened for modification C:\Windows\SysWOW64\Klfjijgq.exe Kihnmohm.exe File created C:\Windows\SysWOW64\Bihjjl32.dll Agiamhdo.exe File created C:\Windows\SysWOW64\Cippgm32.exe Cjmpkqqj.exe File created C:\Windows\SysWOW64\Cdnmfclj.exe Cbpajgmf.exe File created C:\Windows\SysWOW64\Hkfoel32.dll Omgmeigd.exe File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe Mdmnlj32.exe File created C:\Windows\SysWOW64\Effama32.dll Oigllh32.exe File opened for modification C:\Windows\SysWOW64\Gmggfp32.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Mmkdcm32.exe Mgnlkfal.exe File created C:\Windows\SysWOW64\Jnifigpa.exe Jkkjmlan.exe File created C:\Windows\SysWOW64\Lijlof32.exe Leopnglc.exe File created C:\Windows\SysWOW64\Papdfone.dll Mhilfa32.exe File created C:\Windows\SysWOW64\Pidabppl.exe Pcjiff32.exe File created C:\Windows\SysWOW64\Obnbpa32.dll Mepfiq32.exe File opened for modification C:\Windows\SysWOW64\Jlgepanl.exe Jiiicf32.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Calhnpgn.exe File created C:\Windows\SysWOW64\Gjjpbg32.dll Eobocb32.exe File created C:\Windows\SysWOW64\Jofbdcmb.dll Polppg32.exe File created C:\Windows\SysWOW64\Pabblb32.exe Pcobaedj.exe File created C:\Windows\SysWOW64\Dfglfdkb.exe Dmohno32.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Njfkmphe.exe File created C:\Windows\SysWOW64\Bfkedibe.exe Beihma32.exe File created C:\Windows\SysWOW64\Iaejbl32.dll Kgopidgf.exe File created C:\Windows\SysWOW64\Mhfppabl.exe Mehcdfch.exe File created C:\Windows\SysWOW64\Glcaambb.exe Fjadje32.exe File opened for modification C:\Windows\SysWOW64\Nhahaiec.exe Nagpeo32.exe File created C:\Windows\SysWOW64\Hmlephen.dll Cbpajgmf.exe File created C:\Windows\SysWOW64\Mioaanec.dll Bdmmeo32.exe File created C:\Windows\SysWOW64\Hbceobam.dll Naecop32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8244 7968 WerFault.exe 1054 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhngl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpofnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkadoiip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgffqei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjddphlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafppp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdfbfdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhknpmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjgaoqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfmlhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeqbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmnoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbfcigf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aolblopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdhdajea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbkmijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpijpdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqilgmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedlgbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnoklk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idieem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plejdkmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgddhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooagno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjadje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmigagd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkeclfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpqnneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnckpmql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcmpodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibfck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmoen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclpdncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afoeiklb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopbnbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miofjepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amddjegd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamlecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjegled.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhgloc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqipio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijadbdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcnbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qljjjqlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpleig32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nngokoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pncgmkmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpleig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkljb32.dll" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhfnd32.dll" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjehbcf.dll" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlephen.dll" Cbpajgmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jejefqaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llgcph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhniccb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghdi32.dll" Hpbiip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fligqhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Holfoqcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgimcebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmkqm32.dll" Fonnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhcelbo.dll" Hdlpneli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llbidimc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nibbqicm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inagcf32.dll" Leopnglc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opadhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll" Ocohmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaamlecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll" Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqokaeco.dll" Mlnipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oenlqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phfjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olehhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pemomqcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlbojee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffonkgk.dll" Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mfeeabda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eipinkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aleckinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nagpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefklj32.dll" Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocohmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibpiogmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpnaf.dll" Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbceobam.dll" Naecop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll" Iebngial.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdnhmdp.dll" Opcqnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impjjbmh.dll" Aimkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfpecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nainbl32.dll" Jiokfpph.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 4716 2104 a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe 85 PID 2104 wrote to memory of 4716 2104 a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe 85 PID 2104 wrote to memory of 4716 2104 a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe 85 PID 4716 wrote to memory of 2480 4716 Klqcioba.exe 86 PID 4716 wrote to memory of 2480 4716 Klqcioba.exe 86 PID 4716 wrote to memory of 2480 4716 Klqcioba.exe 86 PID 2480 wrote to memory of 4168 2480 Kdgljmcd.exe 87 PID 2480 wrote to memory of 4168 2480 Kdgljmcd.exe 87 PID 2480 wrote to memory of 4168 2480 Kdgljmcd.exe 87 PID 4168 wrote to memory of 720 4168 Lmppcbjd.exe 88 PID 4168 wrote to memory of 720 4168 Lmppcbjd.exe 88 PID 4168 wrote to memory of 720 4168 Lmppcbjd.exe 88 PID 720 wrote to memory of 632 720 Llcpoo32.exe 89 PID 720 wrote to memory of 632 720 Llcpoo32.exe 89 PID 720 wrote to memory of 632 720 Llcpoo32.exe 89 PID 632 wrote to memory of 5116 632 Ldjhpl32.exe 90 PID 632 wrote to memory of 5116 632 Ldjhpl32.exe 90 PID 632 wrote to memory of 5116 632 Ldjhpl32.exe 90 PID 5116 wrote to memory of 5032 5116 Lfhdlh32.exe 91 PID 5116 wrote to memory of 5032 5116 Lfhdlh32.exe 91 PID 5116 wrote to memory of 5032 5116 Lfhdlh32.exe 91 PID 5032 wrote to memory of 4852 5032 Lmbmibhb.exe 92 PID 5032 wrote to memory of 4852 5032 Lmbmibhb.exe 92 PID 5032 wrote to memory of 4852 5032 Lmbmibhb.exe 92 PID 4852 wrote to memory of 1276 4852 Lboeaifi.exe 93 PID 4852 wrote to memory of 1276 4852 Lboeaifi.exe 93 PID 4852 wrote to memory of 1276 4852 Lboeaifi.exe 93 PID 1276 wrote to memory of 4084 1276 Liimncmf.exe 94 PID 1276 wrote to memory of 4084 1276 Liimncmf.exe 94 PID 1276 wrote to memory of 4084 1276 Liimncmf.exe 94 PID 4084 wrote to memory of 4296 4084 Lpcfkm32.exe 95 PID 4084 wrote to memory of 4296 4084 Lpcfkm32.exe 95 PID 4084 wrote to memory of 4296 4084 Lpcfkm32.exe 95 PID 4296 wrote to memory of 3720 4296 Lgmngglp.exe 96 PID 4296 wrote to memory of 3720 4296 Lgmngglp.exe 96 PID 4296 wrote to memory of 3720 4296 Lgmngglp.exe 96 PID 3720 wrote to memory of 3908 3720 Lljfpnjg.exe 97 PID 3720 wrote to memory of 3908 3720 Lljfpnjg.exe 97 PID 3720 wrote to memory of 3908 3720 Lljfpnjg.exe 97 PID 3908 wrote to memory of 776 3908 Ldanqkki.exe 98 PID 3908 wrote to memory of 776 3908 Ldanqkki.exe 98 PID 3908 wrote to memory of 776 3908 Ldanqkki.exe 98 PID 776 wrote to memory of 4540 776 Lebkhc32.exe 99 PID 776 wrote to memory of 4540 776 Lebkhc32.exe 99 PID 776 wrote to memory of 4540 776 Lebkhc32.exe 99 PID 4540 wrote to memory of 4512 4540 Lphoelqn.exe 100 PID 4540 wrote to memory of 4512 4540 Lphoelqn.exe 100 PID 4540 wrote to memory of 4512 4540 Lphoelqn.exe 100 PID 4512 wrote to memory of 2256 4512 Mgagbf32.exe 101 PID 4512 wrote to memory of 2256 4512 Mgagbf32.exe 101 PID 4512 wrote to memory of 2256 4512 Mgagbf32.exe 101 PID 2256 wrote to memory of 2968 2256 Mpjlklok.exe 102 PID 2256 wrote to memory of 2968 2256 Mpjlklok.exe 102 PID 2256 wrote to memory of 2968 2256 Mpjlklok.exe 102 PID 2968 wrote to memory of 4628 2968 Mgddhf32.exe 103 PID 2968 wrote to memory of 4628 2968 Mgddhf32.exe 103 PID 2968 wrote to memory of 4628 2968 Mgddhf32.exe 103 PID 4628 wrote to memory of 4256 4628 Mibpda32.exe 104 PID 4628 wrote to memory of 4256 4628 Mibpda32.exe 104 PID 4628 wrote to memory of 4256 4628 Mibpda32.exe 104 PID 4256 wrote to memory of 3188 4256 Mdhdajea.exe 105 PID 4256 wrote to memory of 3188 4256 Mdhdajea.exe 105 PID 4256 wrote to memory of 3188 4256 Mdhdajea.exe 105 PID 3188 wrote to memory of 2944 3188 Miemjaci.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe"C:\Users\Admin\AppData\Local\Temp\a995113b7eb4f6c216bd7a9c915864f730b35e6368758654b92a9b506683c414.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe23⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4368 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe25⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe27⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe28⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe30⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe32⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe33⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe34⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe37⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe38⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe39⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe40⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe41⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe42⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe43⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe44⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe46⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe47⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe48⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe49⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe50⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe51⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe53⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe54⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe55⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe57⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe58⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3488 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe60⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe62⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe64⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe65⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe66⤵
- System Location Discovery: System Language Discovery
PID:372 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe67⤵PID:2496
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe69⤵PID:4872
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe70⤵PID:4480
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe71⤵PID:4664
-
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe73⤵
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe74⤵PID:1212
-
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe75⤵PID:1296
-
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe76⤵PID:2164
-
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe77⤵PID:2376
-
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe78⤵PID:1384
-
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe79⤵PID:3120
-
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe81⤵PID:2692
-
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe82⤵PID:1064
-
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe83⤵PID:4404
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe84⤵PID:1476
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe85⤵PID:5064
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe86⤵
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe87⤵PID:1536
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe88⤵PID:364
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe89⤵PID:3444
-
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4604 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe91⤵PID:2160
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe92⤵PID:4984
-
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe93⤵PID:4616
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe94⤵PID:2352
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe95⤵PID:3608
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe96⤵PID:4076
-
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe97⤵PID:1448
-
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe98⤵PID:1628
-
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe99⤵PID:1800
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe100⤵PID:1856
-
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe101⤵PID:3264
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe102⤵PID:1636
-
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe103⤵PID:4620
-
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe104⤵PID:5128
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe105⤵PID:5172
-
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe106⤵
- System Location Discovery: System Language Discovery
PID:5216 -
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe107⤵PID:5260
-
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe108⤵PID:5304
-
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe109⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe110⤵PID:5388
-
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe111⤵PID:5432
-
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe112⤵PID:5472
-
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5516 -
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5560 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe115⤵PID:5604
-
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe116⤵PID:5648
-
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe117⤵PID:5692
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe118⤵PID:5736
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe119⤵
- System Location Discovery: System Language Discovery
PID:5776 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe120⤵PID:5820
-
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe121⤵PID:5864
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-