Analysis
-
max time kernel
93s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 23:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe
-
Size
96KB
-
MD5
fad09b6f8691f9b1c3f9ccbc64a8094e
-
SHA1
f372160cbb95cae4f594f8d09fe47dfde4e59529
-
SHA256
7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9
-
SHA512
bfae049163a7449dfb7a7a313b9ec654ec6f90867a0f2c5afbdab7426442923d0a479b5d20af1cb3a53ff24797dc97d42a1ec068fa2e0adb0214780ad909b410
-
SSDEEP
3072:cTzU4XJL8+qzqVjECkhxF8n5OmECMyELiAHONd+:Ez7Zg+1jQIYmEbBum
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akoqpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfhndpol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnjojpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqhbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaajed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnadagbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdejd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclpdncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbakghm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poomegpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iojbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnoaaaad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpdgqmnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnfnlf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmhpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmdbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjaabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpaleglc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfmmplad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pibdmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljnlecmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojcjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffobhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqmmmmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkicaahi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjahlgpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pagbaglh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpiplm32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4084 Mblcnj32.exe 4152 Mhilfa32.exe 4200 Njghbl32.exe 4908 Nemmoe32.exe 4216 Nlfelogp.exe 1380 Neoieenp.exe 3972 Nhmeapmd.exe 3688 Nklbmllg.exe 1540 Nognnj32.exe 4292 Nhpbfpka.exe 3584 Nojjcj32.exe 4504 Nahgoe32.exe 3484 Nhbolp32.exe 4876 Nkqkhk32.exe 220 Niakfbpa.exe 3728 Oondnini.exe 2920 Oehlkc32.exe 4296 Ohghgodi.exe 1312 Ooqqdi32.exe 1776 Oaompd32.exe 1772 Oekiqccc.exe 2996 Oldamm32.exe 2604 Oocmii32.exe 3748 Oboijgbl.exe 3240 Oaajed32.exe 4076 Oihagaji.exe 4924 Ohkbbn32.exe 512 Olgncmim.exe 4252 Ooejohhq.exe 3532 Obafpg32.exe 2700 Oadfkdgd.exe 1600 Oiknlagg.exe 4116 Ohnohn32.exe 4872 Oklkdi32.exe 1524 Oohgdhfn.exe 2344 Obcceg32.exe 5084 Oafcqcea.exe 2648 Oimkbaed.exe 4424 Ohpkmn32.exe 3220 Pkogiikb.exe 3208 Pojcjh32.exe 1340 Pahpfc32.exe 3516 Pedlgbkh.exe 336 Phbhcmjl.exe 4284 Plndcl32.exe 2328 Pkadoiip.exe 1084 Pchlpfjb.exe 1784 Pakllc32.exe 912 Pibdmp32.exe 2096 Plpqil32.exe 8 Poomegpf.exe 804 Pcjiff32.exe 5068 Peieba32.exe 4820 Pidabppl.exe 732 Phganm32.exe 368 Pkenjh32.exe 1364 Poajkgnc.exe 536 Papfgbmg.exe 2076 Pekbga32.exe 1824 Phincl32.exe 3944 Pkhjph32.exe 744 Pocfpf32.exe 1780 Pcobaedj.exe 3672 Pemomqcn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fmndpq32.exe Ffclcgfn.exe File created C:\Windows\SysWOW64\Lhnjoi32.dll Fmhdkknd.exe File created C:\Windows\SysWOW64\Cjijid32.dll Njhgbp32.exe File opened for modification C:\Windows\SysWOW64\Bmeandma.exe Bkgeainn.exe File created C:\Windows\SysWOW64\Iikmbh32.exe Ibaeen32.exe File opened for modification C:\Windows\SysWOW64\Agimkk32.exe Adkqoohc.exe File created C:\Windows\SysWOW64\Lpmkebjc.dll Bgkiaj32.exe File opened for modification C:\Windows\SysWOW64\Nhmeapmd.exe Neoieenp.exe File created C:\Windows\SysWOW64\Ooqqdi32.exe Ohghgodi.exe File created C:\Windows\SysWOW64\Ddpapmqq.dll Ddligq32.exe File created C:\Windows\SysWOW64\Qaqegecm.exe Pdmdnadc.exe File opened for modification C:\Windows\SysWOW64\Ohnohn32.exe Oiknlagg.exe File created C:\Windows\SysWOW64\Ppihoe32.dll Gpgind32.exe File created C:\Windows\SysWOW64\Lggejg32.exe Lqmmmmph.exe File created C:\Windows\SysWOW64\Amnlme32.exe Agdcpkll.exe File created C:\Windows\SysWOW64\Oehlkc32.exe Oondnini.exe File created C:\Windows\SysWOW64\Ipjoja32.exe Iipfmggc.exe File created C:\Windows\SysWOW64\Ndoell32.dll Glipgf32.exe File created C:\Windows\SysWOW64\Ooejohhq.exe Olgncmim.exe File created C:\Windows\SysWOW64\Hejkiial.dll Pkadoiip.exe File opened for modification C:\Windows\SysWOW64\Jlkipgpe.exe Jnhidk32.exe File opened for modification C:\Windows\SysWOW64\Kmdlffhj.exe Kkconn32.exe File created C:\Windows\SysWOW64\Ankkea32.dll Eokqkh32.exe File created C:\Windows\SysWOW64\Akoqpg32.exe Ajndioga.exe File created C:\Windows\SysWOW64\Ioqgiibk.dll Hpcodihc.exe File created C:\Windows\SysWOW64\Knchpiom.exe Kgipcogp.exe File created C:\Windows\SysWOW64\Mfbhmo32.dll Bkjiao32.exe File opened for modification C:\Windows\SysWOW64\Pdmdnadc.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Apmhinni.dll Jcdala32.exe File created C:\Windows\SysWOW64\Nfcconde.dll Knchpiom.exe File opened for modification C:\Windows\SysWOW64\Npbceggm.exe Nclbpf32.exe File created C:\Windows\SysWOW64\Omdppiif.exe Ofkgcobj.exe File created C:\Windows\SysWOW64\Ehojko32.dll Bknlbhhe.exe File created C:\Windows\SysWOW64\Cbgpnkdm.dll Nemmoe32.exe File created C:\Windows\SysWOW64\Oaompd32.exe Ooqqdi32.exe File created C:\Windows\SysWOW64\Bkaobnio.exe Bhbcfbjk.exe File opened for modification C:\Windows\SysWOW64\Chglab32.exe Cdlqqcnl.exe File created C:\Windows\SysWOW64\Phonha32.exe Ppgegd32.exe File opened for modification C:\Windows\SysWOW64\Papfgbmg.exe Poajkgnc.exe File created C:\Windows\SysWOW64\Iipfmggc.exe Igajal32.exe File created C:\Windows\SysWOW64\Jnifpf32.dll Mgphpe32.exe File created C:\Windows\SysWOW64\Jcgmgn32.dll Pmnbfhal.exe File created C:\Windows\SysWOW64\Iophkojl.dll Kqmkae32.exe File created C:\Windows\SysWOW64\Liabph32.dll Lfeljd32.exe File created C:\Windows\SysWOW64\Cnffoibg.dll Ojhpimhp.exe File created C:\Windows\SysWOW64\Pmnbfhal.exe Pjpfjl32.exe File opened for modification C:\Windows\SysWOW64\Cohkokgj.exe Cljobphg.exe File created C:\Windows\SysWOW64\Oaabap32.dll Imgicgca.exe File opened for modification C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File created C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File created C:\Windows\SysWOW64\Adkqoohc.exe Aaldccip.exe File created C:\Windows\SysWOW64\Hahohdla.dll Nahgoe32.exe File created C:\Windows\SysWOW64\Aoofle32.exe Achegd32.exe File created C:\Windows\SysWOW64\Fpejlmcf.exe Fpbmfn32.exe File created C:\Windows\SysWOW64\Jebiel32.dll Nmigoagp.exe File created C:\Windows\SysWOW64\Eopjfnlo.dll Pmiikh32.exe File created C:\Windows\SysWOW64\Qljcoj32.exe Qlggjk32.exe File opened for modification C:\Windows\SysWOW64\Jenmcggo.exe Jcoaglhk.exe File opened for modification C:\Windows\SysWOW64\Hienlpel.exe Hgfapd32.exe File created C:\Windows\SysWOW64\Jcdala32.exe Jlkipgpe.exe File created C:\Windows\SysWOW64\Hhbdbmfg.dll Pmaffnce.exe File created C:\Windows\SysWOW64\Abjfai32.dll Adndoe32.exe File opened for modification C:\Windows\SysWOW64\Oafcqcea.exe Obcceg32.exe File created C:\Windows\SysWOW64\Cmcgolla.dll Gejopl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12840 7392 WerFault.exe 668 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poajkgnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkicaahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjichj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcahmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bombmcec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohkokgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fligqhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gldglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcanll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiknlagg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgibpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhapk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebfng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpqnneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaabq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhglj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljgbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibccgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdppiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpeahb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcgpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoofle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmigoagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocpfphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedccfqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdnjple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhoqeibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmfmhll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmdaljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcjiff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbdbmfg.dll" Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll" Bhmbqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcmmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjkqlam.dll" Olgncmim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckdpoji.dll" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooqqdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccledea.dll" Cbgnemjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enkdaepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Innfnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll" Pagbaglh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcigeooj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll" Gikdkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgpoihnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pecellgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdcliikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmanjof.dll" Qemhbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfoqnae.dll" Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obnbpa32.dll" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphblj32.dll" Bkaobnio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgphpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhgac32.dll" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faikapbo.dll" Aoofle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmcnn32.dll" Lklbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefklj32.dll" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poomegpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cohkokgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llmhaold.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bombmcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akepfpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oldjcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adkqoohc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdeelde.dll" Bokehc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohgljdl.dll" Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjaopom.dll" Gfmojenc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eicedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll" Gidnkkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkhapk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4448 wrote to memory of 4084 4448 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 82 PID 4448 wrote to memory of 4084 4448 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 82 PID 4448 wrote to memory of 4084 4448 7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe 82 PID 4084 wrote to memory of 4152 4084 Mblcnj32.exe 83 PID 4084 wrote to memory of 4152 4084 Mblcnj32.exe 83 PID 4084 wrote to memory of 4152 4084 Mblcnj32.exe 83 PID 4152 wrote to memory of 4200 4152 Mhilfa32.exe 84 PID 4152 wrote to memory of 4200 4152 Mhilfa32.exe 84 PID 4152 wrote to memory of 4200 4152 Mhilfa32.exe 84 PID 4200 wrote to memory of 4908 4200 Njghbl32.exe 85 PID 4200 wrote to memory of 4908 4200 Njghbl32.exe 85 PID 4200 wrote to memory of 4908 4200 Njghbl32.exe 85 PID 4908 wrote to memory of 4216 4908 Nemmoe32.exe 86 PID 4908 wrote to memory of 4216 4908 Nemmoe32.exe 86 PID 4908 wrote to memory of 4216 4908 Nemmoe32.exe 86 PID 4216 wrote to memory of 1380 4216 Nlfelogp.exe 87 PID 4216 wrote to memory of 1380 4216 Nlfelogp.exe 87 PID 4216 wrote to memory of 1380 4216 Nlfelogp.exe 87 PID 1380 wrote to memory of 3972 1380 Neoieenp.exe 88 PID 1380 wrote to memory of 3972 1380 Neoieenp.exe 88 PID 1380 wrote to memory of 3972 1380 Neoieenp.exe 88 PID 3972 wrote to memory of 3688 3972 Nhmeapmd.exe 89 PID 3972 wrote to memory of 3688 3972 Nhmeapmd.exe 89 PID 3972 wrote to memory of 3688 3972 Nhmeapmd.exe 89 PID 3688 wrote to memory of 1540 3688 Nklbmllg.exe 90 PID 3688 wrote to memory of 1540 3688 Nklbmllg.exe 90 PID 3688 wrote to memory of 1540 3688 Nklbmllg.exe 90 PID 1540 wrote to memory of 4292 1540 Nognnj32.exe 91 PID 1540 wrote to memory of 4292 1540 Nognnj32.exe 91 PID 1540 wrote to memory of 4292 1540 Nognnj32.exe 91 PID 4292 wrote to memory of 3584 4292 Nhpbfpka.exe 92 PID 4292 wrote to memory of 3584 4292 Nhpbfpka.exe 92 PID 4292 wrote to memory of 3584 4292 Nhpbfpka.exe 92 PID 3584 wrote to memory of 4504 3584 Nojjcj32.exe 93 PID 3584 wrote to memory of 4504 3584 Nojjcj32.exe 93 PID 3584 wrote to memory of 4504 3584 Nojjcj32.exe 93 PID 4504 wrote to memory of 3484 4504 Nahgoe32.exe 94 PID 4504 wrote to memory of 3484 4504 Nahgoe32.exe 94 PID 4504 wrote to memory of 3484 4504 Nahgoe32.exe 94 PID 3484 wrote to memory of 4876 3484 Nhbolp32.exe 95 PID 3484 wrote to memory of 4876 3484 Nhbolp32.exe 95 PID 3484 wrote to memory of 4876 3484 Nhbolp32.exe 95 PID 4876 wrote to memory of 220 4876 Nkqkhk32.exe 96 PID 4876 wrote to memory of 220 4876 Nkqkhk32.exe 96 PID 4876 wrote to memory of 220 4876 Nkqkhk32.exe 96 PID 220 wrote to memory of 3728 220 Niakfbpa.exe 97 PID 220 wrote to memory of 3728 220 Niakfbpa.exe 97 PID 220 wrote to memory of 3728 220 Niakfbpa.exe 97 PID 3728 wrote to memory of 2920 3728 Oondnini.exe 98 PID 3728 wrote to memory of 2920 3728 Oondnini.exe 98 PID 3728 wrote to memory of 2920 3728 Oondnini.exe 98 PID 2920 wrote to memory of 4296 2920 Oehlkc32.exe 99 PID 2920 wrote to memory of 4296 2920 Oehlkc32.exe 99 PID 2920 wrote to memory of 4296 2920 Oehlkc32.exe 99 PID 4296 wrote to memory of 1312 4296 Ohghgodi.exe 100 PID 4296 wrote to memory of 1312 4296 Ohghgodi.exe 100 PID 4296 wrote to memory of 1312 4296 Ohghgodi.exe 100 PID 1312 wrote to memory of 1776 1312 Ooqqdi32.exe 101 PID 1312 wrote to memory of 1776 1312 Ooqqdi32.exe 101 PID 1312 wrote to memory of 1776 1312 Ooqqdi32.exe 101 PID 1776 wrote to memory of 1772 1776 Oaompd32.exe 102 PID 1776 wrote to memory of 1772 1776 Oaompd32.exe 102 PID 1776 wrote to memory of 1772 1776 Oaompd32.exe 102 PID 1772 wrote to memory of 2996 1772 Oekiqccc.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe"C:\Users\Admin\AppData\Local\Temp\7084193c4af2a00a57c69a81647109b21b7501ac9cb704a7662677355e1218f9.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe23⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe25⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe27⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe28⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:512 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe30⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe31⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe34⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe36⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe38⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe39⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe40⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe41⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe43⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe44⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe45⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe46⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe48⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe51⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:8 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe54⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe55⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe56⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe59⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe60⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe61⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe63⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe64⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe65⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe66⤵PID:2556
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe67⤵
- Drops file in System32 directory
PID:4348 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe68⤵PID:832
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe69⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4520 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe71⤵PID:3612
-
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe72⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3692 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe75⤵PID:1432
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe76⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe77⤵PID:3032
-
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe78⤵PID:5060
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe79⤵PID:3180
-
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe80⤵PID:1840
-
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe82⤵PID:4436
-
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe83⤵
- System Location Discovery: System Language Discovery
PID:4376 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe84⤵PID:1276
-
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe85⤵PID:2224
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe86⤵
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe87⤵PID:1940
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe88⤵PID:312
-
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4892 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe90⤵
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe91⤵PID:3708
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe92⤵PID:4748
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe93⤵PID:660
-
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe94⤵PID:228
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316 -
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4564 -
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe97⤵PID:3760
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe98⤵PID:3824
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe99⤵PID:3196
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe100⤵
- Modifies registry class
PID:4220 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe101⤵PID:4476
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe102⤵PID:5040
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe103⤵PID:1584
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe104⤵
- Modifies registry class
PID:4512 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe105⤵PID:3368
-
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe107⤵
- System Location Discovery: System Language Discovery
PID:532 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe108⤵PID:4260
-
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:400 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe110⤵PID:2692
-
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe111⤵PID:1856
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe112⤵PID:1152
-
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe113⤵PID:1652
-
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe114⤵PID:1952
-
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe115⤵PID:2208
-
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe117⤵PID:5064
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe118⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe119⤵PID:2840
-
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe120⤵PID:5132
-
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe121⤵PID:5176
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-