Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20/11/2024, 05:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561.exe
-
Size
74KB
-
MD5
a97e58b9c33c9698dee94a285f981662
-
SHA1
24c24341e4e9c81603fcda3abf3b4d7cc68b1dae
-
SHA256
bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561
-
SHA512
8d54f68f00bd7e4affc1cfd5eb19fb2a4b38d3d9f0cc4913a3cbb6e7723df5952b57433a8137c78d172e0d19a143b9983b880ece8f4327ed81f407bfe65dae2f
-
SSDEEP
1536:1kCB9kd8AjA2M3SDcGWjIHcCZc5mz8+QquozVV/d:1FBj8xtDcGWucwNAIzVtd
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moaogand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgihfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfqmpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felbnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edgbii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppikbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdpkflfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlimed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbfff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoeieolb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egohdegl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhjqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdfoio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmiclo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccqkigkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amcmpodi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnbog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpbjkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlkipgpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loeolc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jebfng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieagmcmq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccgajfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggpbjkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aomifecf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Likcilhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokbgpeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbgmjgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifcejnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcjjhdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clchbqoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiglnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfiplog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnonkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhpiafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfjkjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aogbfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqpfjnba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opqofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbfab32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2228 Lhfmdj32.exe 4988 Lblaabdp.exe 444 Lhijijbg.exe 1780 Lbnngbbn.exe 3464 Lhkgoiqe.exe 1552 Loeolc32.exe 2612 Likcilhh.exe 3976 Lpekef32.exe 4316 Lfodbqfa.exe 4344 Mimpolee.exe 3804 Mojhgbdl.exe 2988 Medqcmki.exe 4760 Mlnipg32.exe 5068 Mfcmmp32.exe 3744 Mlpeff32.exe 572 Mbjnbqhp.exe 2720 Midfokpm.exe 5032 Moaogand.exe 2300 Mifcejnj.exe 2476 Mleoafmn.exe 2656 Mbognp32.exe 4824 Nhlpfgbb.exe 4124 Npchgdcd.exe 2828 Nbadcpbh.exe 724 Neppokal.exe 2280 Nhnlkfpp.exe 2796 Nebmekoi.exe 4620 Nhpiafnm.exe 3500 Npgabc32.exe 3640 Nhbfff32.exe 1404 Ngdfdmdi.exe 752 Nlqomd32.exe 244 Ogfcjm32.exe 2840 Oidofh32.exe 4216 Ooagno32.exe 3320 Oekpkigo.exe 716 Olehhc32.exe 3196 Oocddono.exe 808 Ocopdn32.exe 2568 Ohlimd32.exe 1708 Oofaiokl.exe 1884 Ogmijllo.exe 2012 Oileggkb.exe 4160 Oohnonij.exe 2752 Ojnblg32.exe 2960 Ollnhb32.exe 556 Pgbbek32.exe 4740 Ploknb32.exe 1068 Pomgjn32.exe 2556 Pfgogh32.exe 4212 Plagcbdn.exe 3216 Poodpmca.exe 4640 Pjehmfch.exe 2912 Phhhhc32.exe 688 Pgihfj32.exe 1312 Pleaoa32.exe 3748 Pcpikkge.exe 3488 Plhnda32.exe 1868 Qgnbaj32.exe 1876 Qjlnnemp.exe 1632 Qcdbfk32.exe 1912 Qjnkcekm.exe 460 Qqhcpo32.exe 1196 Acgolj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ecjddk32.dll Ehjlaaig.exe File created C:\Windows\SysWOW64\Efeichoo.dll Cmhigf32.exe File opened for modification C:\Windows\SysWOW64\Ddligq32.exe Dooaoj32.exe File created C:\Windows\SysWOW64\Pnfiplog.exe Pfoann32.exe File opened for modification C:\Windows\SysWOW64\Cnjdpaki.exe Cgqlcg32.exe File opened for modification C:\Windows\SysWOW64\Oifppdpd.exe Ofgdcipq.exe File opened for modification C:\Windows\SysWOW64\Djelgied.exe Dbndfl32.exe File created C:\Windows\SysWOW64\Iaqdae32.dll Jcphab32.exe File created C:\Windows\SysWOW64\Ehqkihfg.dll Nenbjo32.exe File created C:\Windows\SysWOW64\Ghojbq32.exe Geanfelc.exe File opened for modification C:\Windows\SysWOW64\Abbkcpma.exe Aodogdmn.exe File opened for modification C:\Windows\SysWOW64\Bmabggdm.exe Bjbfklei.exe File created C:\Windows\SysWOW64\Kghfphob.dll Ilcldb32.exe File created C:\Windows\SysWOW64\Ljhnlb32.exe Lcnfohmi.exe File created C:\Windows\SysWOW64\Bhblllfo.exe Bnlhncgi.exe File created C:\Windows\SysWOW64\Hkgnfhnh.exe Haoimcgg.exe File opened for modification C:\Windows\SysWOW64\Kckqbj32.exe Klahfp32.exe File created C:\Windows\SysWOW64\Nfenigce.dll Mfpell32.exe File created C:\Windows\SysWOW64\Kebkgjkg.dll Nimmifgo.exe File created C:\Windows\SysWOW64\Aieeeflh.dll Ogfcjm32.exe File created C:\Windows\SysWOW64\Plhnda32.exe Pcpikkge.exe File created C:\Windows\SysWOW64\Kqbkfkal.exe Kjhcjq32.exe File opened for modification C:\Windows\SysWOW64\Albpkc32.exe Aehgnied.exe File created C:\Windows\SysWOW64\Ddpapmqq.dll Ddligq32.exe File created C:\Windows\SysWOW64\Cmgilf32.dll Mbibfm32.exe File created C:\Windows\SysWOW64\Kjhcjq32.exe Kiggbhda.exe File created C:\Windows\SysWOW64\Efjikc32.dll Majjng32.exe File opened for modification C:\Windows\SysWOW64\Hpabni32.exe Higjaoci.exe File opened for modification C:\Windows\SysWOW64\Meiioonj.exe Mmbanbmg.exe File opened for modification C:\Windows\SysWOW64\Jnlkedai.exe Jgbchj32.exe File created C:\Windows\SysWOW64\Komhll32.exe Jnlkedai.exe File created C:\Windows\SysWOW64\Kocgbend.exe Khiofk32.exe File created C:\Windows\SysWOW64\Pninea32.dll Mjnnbk32.exe File opened for modification C:\Windows\SysWOW64\Aqkpeopg.exe Ajqgidij.exe File opened for modification C:\Windows\SysWOW64\Ccmgiaig.exe Ckfphc32.exe File created C:\Windows\SysWOW64\Aehgnied.exe Akccap32.exe File created C:\Windows\SysWOW64\Blielbfi.exe Bdbnjdfg.exe File created C:\Windows\SysWOW64\Ljcpchlo.dll Iidphgcn.exe File opened for modification C:\Windows\SysWOW64\Hecjke32.exe Hnibokbd.exe File created C:\Windows\SysWOW64\Kpccmhdg.exe Khlklj32.exe File created C:\Windows\SysWOW64\Gigaka32.exe Gbmingjo.exe File created C:\Windows\SysWOW64\Ckgofgjn.dll Ahdged32.exe File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe Mgphpe32.exe File opened for modification C:\Windows\SysWOW64\Ilibdmgp.exe Ieojgc32.exe File opened for modification C:\Windows\SysWOW64\Nijqcf32.exe Nbphglbe.exe File opened for modification C:\Windows\SysWOW64\Ibgdlg32.exe Ilnlom32.exe File created C:\Windows\SysWOW64\Mgaokl32.exe Maggnali.exe File created C:\Windows\SysWOW64\Hdnacn32.dll Pmcclm32.exe File opened for modification C:\Windows\SysWOW64\Qoelkp32.exe Qlgpod32.exe File opened for modification C:\Windows\SysWOW64\Nceefd32.exe Nmkmjjaa.exe File created C:\Windows\SysWOW64\Kkbdni32.dll Phhhhc32.exe File created C:\Windows\SysWOW64\Fijkdmhn.exe Fbpchb32.exe File created C:\Windows\SysWOW64\Aaenbd32.exe Aogbfi32.exe File opened for modification C:\Windows\SysWOW64\Iondqhpl.exe Iialhaad.exe File created C:\Windows\SysWOW64\Oqhoeb32.exe Ojnfihmo.exe File created C:\Windows\SysWOW64\Gdfoio32.exe Gnlgleef.exe File opened for modification C:\Windows\SysWOW64\Kjffdalb.exe Kiejmi32.exe File opened for modification C:\Windows\SysWOW64\Kilpmh32.exe Kkhpdcab.exe File created C:\Windows\SysWOW64\Kgnbdh32.exe Kcbfcigf.exe File opened for modification C:\Windows\SysWOW64\Coqncejg.exe Cdkifmjq.exe File created C:\Windows\SysWOW64\Hbihjifh.exe Hiacacpg.exe File created C:\Windows\SysWOW64\Icahfh32.dll Kqpoakco.exe File created C:\Windows\SysWOW64\Nhokljge.exe Neqopnhb.exe File created C:\Windows\SysWOW64\Fndpmndl.exe Fgjhpcmo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7440 7320 WerFault.exe 982 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimhjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjblje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfjma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdjoane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqgaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpbam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opclldhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmgiaig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlobkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehndnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmhejao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpmomo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiildjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phodcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaqbbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkbfeab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcalieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhifomdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkogiikb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqkddfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcjop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekonpckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flinkojm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmgfedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kageaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiioonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akccap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcghch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljaoeini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbndfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbabigfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpcjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmdnadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgoakc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaggp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhhhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdinljnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocgbend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnibokbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objkmkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflaie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmabggdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ploknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cndeii32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmglcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaonbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhbfff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngjbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll" Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll" Ljnlecmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llcghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peieba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doepmnag.dll" Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfplpfib.dll" Dfgcakon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djhimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhifomdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Oonlfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agiamhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iejpiq32.dll" Aflaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfdnejf.dll" Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nahffe32.dll" Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaemg32.dll" Kkjeomld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pognhd32.dll" Mbbagk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll" Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaamlecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpdennml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mifcejnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edhjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Melmcj32.dll" Oondnini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjecoi32.dll" Oboijgbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemilf32.dll" Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnocehc.dll" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockkandf.dll" Qmepam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpimlfke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmnkkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgkkkcbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfoann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahofoogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdhdlin.dll" Ehndnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipgkjlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiikpnmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cabomkll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpnmbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll" Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdeookg.dll" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlnipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohcegi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4060 wrote to memory of 2228 4060 bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561.exe 83 PID 4060 wrote to memory of 2228 4060 bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561.exe 83 PID 4060 wrote to memory of 2228 4060 bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561.exe 83 PID 2228 wrote to memory of 4988 2228 Lhfmdj32.exe 84 PID 2228 wrote to memory of 4988 2228 Lhfmdj32.exe 84 PID 2228 wrote to memory of 4988 2228 Lhfmdj32.exe 84 PID 4988 wrote to memory of 444 4988 Lblaabdp.exe 85 PID 4988 wrote to memory of 444 4988 Lblaabdp.exe 85 PID 4988 wrote to memory of 444 4988 Lblaabdp.exe 85 PID 444 wrote to memory of 1780 444 Lhijijbg.exe 86 PID 444 wrote to memory of 1780 444 Lhijijbg.exe 86 PID 444 wrote to memory of 1780 444 Lhijijbg.exe 86 PID 1780 wrote to memory of 3464 1780 Lbnngbbn.exe 87 PID 1780 wrote to memory of 3464 1780 Lbnngbbn.exe 87 PID 1780 wrote to memory of 3464 1780 Lbnngbbn.exe 87 PID 3464 wrote to memory of 1552 3464 Lhkgoiqe.exe 88 PID 3464 wrote to memory of 1552 3464 Lhkgoiqe.exe 88 PID 3464 wrote to memory of 1552 3464 Lhkgoiqe.exe 88 PID 1552 wrote to memory of 2612 1552 Loeolc32.exe 89 PID 1552 wrote to memory of 2612 1552 Loeolc32.exe 89 PID 1552 wrote to memory of 2612 1552 Loeolc32.exe 89 PID 2612 wrote to memory of 3976 2612 Likcilhh.exe 90 PID 2612 wrote to memory of 3976 2612 Likcilhh.exe 90 PID 2612 wrote to memory of 3976 2612 Likcilhh.exe 90 PID 3976 wrote to memory of 4316 3976 Lpekef32.exe 91 PID 3976 wrote to memory of 4316 3976 Lpekef32.exe 91 PID 3976 wrote to memory of 4316 3976 Lpekef32.exe 91 PID 4316 wrote to memory of 4344 4316 Lfodbqfa.exe 92 PID 4316 wrote to memory of 4344 4316 Lfodbqfa.exe 92 PID 4316 wrote to memory of 4344 4316 Lfodbqfa.exe 92 PID 4344 wrote to memory of 3804 4344 Mimpolee.exe 93 PID 4344 wrote to memory of 3804 4344 Mimpolee.exe 93 PID 4344 wrote to memory of 3804 4344 Mimpolee.exe 93 PID 3804 wrote to memory of 2988 3804 Mojhgbdl.exe 95 PID 3804 wrote to memory of 2988 3804 Mojhgbdl.exe 95 PID 3804 wrote to memory of 2988 3804 Mojhgbdl.exe 95 PID 2988 wrote to memory of 4760 2988 Medqcmki.exe 96 PID 2988 wrote to memory of 4760 2988 Medqcmki.exe 96 PID 2988 wrote to memory of 4760 2988 Medqcmki.exe 96 PID 4760 wrote to memory of 5068 4760 Mlnipg32.exe 97 PID 4760 wrote to memory of 5068 4760 Mlnipg32.exe 97 PID 4760 wrote to memory of 5068 4760 Mlnipg32.exe 97 PID 5068 wrote to memory of 3744 5068 Mfcmmp32.exe 98 PID 5068 wrote to memory of 3744 5068 Mfcmmp32.exe 98 PID 5068 wrote to memory of 3744 5068 Mfcmmp32.exe 98 PID 3744 wrote to memory of 572 3744 Mlpeff32.exe 99 PID 3744 wrote to memory of 572 3744 Mlpeff32.exe 99 PID 3744 wrote to memory of 572 3744 Mlpeff32.exe 99 PID 572 wrote to memory of 2720 572 Mbjnbqhp.exe 100 PID 572 wrote to memory of 2720 572 Mbjnbqhp.exe 100 PID 572 wrote to memory of 2720 572 Mbjnbqhp.exe 100 PID 2720 wrote to memory of 5032 2720 Midfokpm.exe 101 PID 2720 wrote to memory of 5032 2720 Midfokpm.exe 101 PID 2720 wrote to memory of 5032 2720 Midfokpm.exe 101 PID 5032 wrote to memory of 2300 5032 Moaogand.exe 102 PID 5032 wrote to memory of 2300 5032 Moaogand.exe 102 PID 5032 wrote to memory of 2300 5032 Moaogand.exe 102 PID 2300 wrote to memory of 2476 2300 Mifcejnj.exe 103 PID 2300 wrote to memory of 2476 2300 Mifcejnj.exe 103 PID 2300 wrote to memory of 2476 2300 Mifcejnj.exe 103 PID 2476 wrote to memory of 2656 2476 Mleoafmn.exe 104 PID 2476 wrote to memory of 2656 2476 Mleoafmn.exe 104 PID 2476 wrote to memory of 2656 2476 Mleoafmn.exe 104 PID 2656 wrote to memory of 4824 2656 Mbognp32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561.exe"C:\Users\Admin\AppData\Local\Temp\bc5602744b95396c21e439b3ad07990a9861226c9176ae56a47ab0d244d29561.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe23⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe24⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe25⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe26⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe27⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe28⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe32⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe33⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:244 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe35⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe36⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe37⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe38⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe39⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe40⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe41⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe42⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe43⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe44⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe45⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe46⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe47⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe48⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4740 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe50⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe51⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe52⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe53⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe54⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe57⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3748 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe59⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe60⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe61⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe62⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe63⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe64⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe65⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe66⤵
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe67⤵PID:1696
-
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe68⤵PID:4564
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe69⤵PID:372
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe70⤵PID:1424
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1564 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe72⤵
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe74⤵PID:1644
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe75⤵PID:4340
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe76⤵PID:1664
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe77⤵PID:1732
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe78⤵
- System Location Discovery: System Language Discovery
PID:3212 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe79⤵PID:5052
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe80⤵PID:3300
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe81⤵PID:5004
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe82⤵
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe83⤵
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe84⤵PID:1992
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe85⤵PID:2532
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe86⤵PID:4952
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe87⤵PID:1040
-
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe88⤵PID:4884
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe89⤵PID:1596
-
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe90⤵PID:1088
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe91⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1264 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe93⤵PID:4524
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe94⤵PID:2112
-
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe95⤵PID:2944
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe96⤵PID:5132
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe97⤵PID:5200
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe98⤵PID:5252
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe99⤵PID:5296
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe100⤵
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe101⤵PID:5384
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe103⤵PID:5488
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe104⤵PID:5548
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5588 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe106⤵PID:5628
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe107⤵PID:5672
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe108⤵PID:5716
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe109⤵PID:5760
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe110⤵PID:5804
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe111⤵PID:5848
-
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe112⤵PID:5892
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe113⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe114⤵PID:5980
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe115⤵PID:6024
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe116⤵PID:6068
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe117⤵PID:6112
-
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe118⤵PID:4408
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5232 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe120⤵PID:5308
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe121⤵PID:5376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-