Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 05:59
Behavioral task
behavioral1
Sample
44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe
Resource
win10v2004-20241007-en
General
-
Target
44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe
-
Size
128KB
-
MD5
c5c83fbca254cbfc57cf48f2ae172de0
-
SHA1
1782f1588b408fcb9e4654ef0bbc4a6fc7e0f8cb
-
SHA256
44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5
-
SHA512
98266b3ecfbd6f42b62ebb10f89fffe9a0f036d0be9f6935ca63ecdd34939c22af060f8001a7cd9a2f7efc3cb2517b9dafd2e1612c1da201adbd6ea8e85d08d2
-
SSDEEP
3072:mZS/mgLVUYSQIrx0kWzdH13+EE+RaZ6r+GDZnr:mZS/mgLdSQKZWzd5IF6rfBr
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bagflcje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmannhhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcncpbmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeniabfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogkcpbam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoign32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgqeappe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqpgdfnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqkgpedc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afhohlbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cajlhqjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgnilpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnkplejl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daconoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgcknmop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceckcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqncedbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjohkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeoaapl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojgbfocc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odapnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcgffqei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfnjafap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cndikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmnpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmidog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjoankoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajanck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmagine.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmannhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfolbmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdabcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onhhamgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqijje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njefqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajkaii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdodjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beeoaapl.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3600 Npmagine.exe 3440 Nggjdc32.exe 2440 Njefqo32.exe 4828 Olcbmj32.exe 1264 Ocnjidkf.exe 4984 Oflgep32.exe 864 Ojgbfocc.exe 2552 Opakbi32.exe 4776 Ogkcpbam.exe 3888 Ofnckp32.exe 4044 Oneklm32.exe 3356 Opdghh32.exe 400 Ognpebpj.exe 412 Onhhamgg.exe 876 Odapnf32.exe 5028 Ogpmjb32.exe 3280 Ojoign32.exe 1772 Oqhacgdh.exe 2548 Ogbipa32.exe 2956 Ojaelm32.exe 1944 Pnlaml32.exe 2128 Pqknig32.exe 3348 Pfhfan32.exe 408 Pjcbbmif.exe 4328 Pmannhhj.exe 3036 Pggbkagp.exe 2556 Pjeoglgc.exe 2800 Pqpgdfnp.exe 2516 Pcncpbmd.exe 3964 Pjhlml32.exe 676 Pqbdjfln.exe 4860 Pdmpje32.exe 4988 Pfolbmje.exe 2264 Pjjhbl32.exe 5008 Pmidog32.exe 1784 Pdpmpdbd.exe 3164 Pgnilpah.exe 4224 Pfaigm32.exe 1812 Qmkadgpo.exe 1012 Qqfmde32.exe 2520 Qceiaa32.exe 3996 Qgqeappe.exe 2072 Qjoankoi.exe 1192 Qnjnnj32.exe 2660 Qqijje32.exe 5016 Qcgffqei.exe 4120 Qffbbldm.exe 3304 Ajanck32.exe 4052 Ampkof32.exe 4752 Aqkgpedc.exe 4420 Acjclpcf.exe 3060 Afhohlbj.exe 4660 Anogiicl.exe 2044 Aqncedbp.exe 1084 Aeiofcji.exe 1996 Agglboim.exe 5068 Afjlnk32.exe 4792 Anadoi32.exe 1580 Amddjegd.exe 3244 Acnlgp32.exe 3004 Ajhddjfn.exe 1956 Amgapeea.exe 628 Aeniabfd.exe 4992 Aglemn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnkplejl.exe Cfdhkhjj.exe File opened for modification C:\Windows\SysWOW64\Pmannhhj.exe Pjcbbmif.exe File opened for modification C:\Windows\SysWOW64\Qjoankoi.exe Qgqeappe.exe File created C:\Windows\SysWOW64\Afhohlbj.exe Acjclpcf.exe File opened for modification C:\Windows\SysWOW64\Acnlgp32.exe Amddjegd.exe File created C:\Windows\SysWOW64\Cmiflbel.exe Cjkjpgfi.exe File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe Cjkjpgfi.exe File created C:\Windows\SysWOW64\Dejacond.exe Dmcibama.exe File created C:\Windows\SysWOW64\Dhmgki32.exe Deokon32.exe File opened for modification C:\Windows\SysWOW64\Pqpgdfnp.exe Pjeoglgc.exe File opened for modification C:\Windows\SysWOW64\Acjclpcf.exe Aqkgpedc.exe File created C:\Windows\SysWOW64\Aeniabfd.exe Amgapeea.exe File created C:\Windows\SysWOW64\Aglemn32.exe Aeniabfd.exe File created C:\Windows\SysWOW64\Elkadb32.dll Deagdn32.exe File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe Beglgani.exe File created C:\Windows\SysWOW64\Cdabcm32.exe Cabfga32.exe File opened for modification C:\Windows\SysWOW64\Ceqnmpfo.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Clghpklj.dll Cmnpgb32.exe File created C:\Windows\SysWOW64\Pmannhhj.exe Pjcbbmif.exe File created C:\Windows\SysWOW64\Aoqimi32.dll Qcgffqei.exe File created C:\Windows\SysWOW64\Acjclpcf.exe Aqkgpedc.exe File created C:\Windows\SysWOW64\Hjlena32.dll Amgapeea.exe File opened for modification C:\Windows\SysWOW64\Dhmgki32.exe Deokon32.exe File created C:\Windows\SysWOW64\Nokpao32.dll Dgbdlf32.exe File created C:\Windows\SysWOW64\Cfdhkhjj.exe Chagok32.exe File created C:\Windows\SysWOW64\Jgilhm32.dll Chcddk32.exe File created C:\Windows\SysWOW64\Ingfla32.dll Cjbpaf32.exe File created C:\Windows\SysWOW64\Poahbe32.dll Ddonekbl.exe File opened for modification C:\Windows\SysWOW64\Aqkgpedc.exe Ampkof32.exe File created C:\Windows\SysWOW64\Ljbncc32.dll Ajkaii32.exe File opened for modification C:\Windows\SysWOW64\Bfdodjhm.exe Bganhm32.exe File created C:\Windows\SysWOW64\Jhbffb32.dll Bfkedibe.exe File created C:\Windows\SysWOW64\Kdqjac32.dll Cmiflbel.exe File opened for modification C:\Windows\SysWOW64\Pqknig32.exe Pnlaml32.exe File opened for modification C:\Windows\SysWOW64\Aeiofcji.exe Aqncedbp.exe File created C:\Windows\SysWOW64\Mgbpghdn.dll Aadifclh.exe File opened for modification C:\Windows\SysWOW64\Bmpcfdmg.exe Bjagjhnc.exe File created C:\Windows\SysWOW64\Fnmnbf32.dll Dfnjafap.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Dknpmdfc.exe File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe Ogbipa32.exe File created C:\Windows\SysWOW64\Aqncedbp.exe Anogiicl.exe File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Cdabcm32.exe File opened for modification C:\Windows\SysWOW64\Cnkplejl.exe Cfdhkhjj.exe File created C:\Windows\SysWOW64\Jmmmebhb.dll Agglboim.exe File created C:\Windows\SysWOW64\Bagflcje.exe Bnhjohkb.exe File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe Cnnlaehj.exe File created C:\Windows\SysWOW64\Dgbdlf32.exe Dhocqigp.exe File opened for modification C:\Windows\SysWOW64\Chagok32.exe Ceckcp32.exe File created C:\Windows\SysWOW64\Okgoadbf.dll Cnnlaehj.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Booogccm.dll Ogkcpbam.exe File opened for modification C:\Windows\SysWOW64\Ogbipa32.exe Oqhacgdh.exe File opened for modification C:\Windows\SysWOW64\Pfaigm32.exe Pgnilpah.exe File opened for modification C:\Windows\SysWOW64\Cfmajipb.exe Belebq32.exe File created C:\Windows\SysWOW64\Npmagine.exe 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe File created C:\Windows\SysWOW64\Qfbgbeai.dll Odapnf32.exe File created C:\Windows\SysWOW64\Nlaqpipg.dll Pcncpbmd.exe File created C:\Windows\SysWOW64\Ceehho32.exe Cajlhqjp.exe File created C:\Windows\SysWOW64\Gfnphnen.dll Afjlnk32.exe File created C:\Windows\SysWOW64\Ghilmi32.dll Chagok32.exe File created C:\Windows\SysWOW64\Cajlhqjp.exe Cmnpgb32.exe File created C:\Windows\SysWOW64\Deagdn32.exe Daekdooc.exe File created C:\Windows\SysWOW64\Mbpfgbfp.dll Anadoi32.exe File created C:\Windows\SysWOW64\Ladjgikj.dll Ofnckp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6124 5476 WerFault.exe 219 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njefqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opdghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ognpebpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfolbmje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqijje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onhhamgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnilpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgqeappe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhocqigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhlml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffbbldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddjfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calhnpgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcncpbmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amddjegd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglemn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnlaehj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Delnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgbfocc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhdil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmajipb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daconoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daekdooc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqknig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadifclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beglgani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceehho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknpmdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oneklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbdjfln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdpmpdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdmffnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhohlbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapiabak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjkjpgfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chokikeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfaigm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajkaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqnmpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflgep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beihma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagobalc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfknkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmidog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ampkof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkcpbam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmannhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgffqei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accfbokl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmgki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeiofcji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmiflbel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnjafap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqncedbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beeoaapl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmkadgpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnjjp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" Dhocqigp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll" Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Accfbokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogkcpbam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjoankoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojgbfocc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cndikf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll" Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anogiicl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" Ceehho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olcbmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqpgdfnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfolbmje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmkadgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" Dfnjafap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chcddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjbpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqfmde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll" Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeiofcji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfiafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll" Nggjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll" Pcncpbmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajanck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll" Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll" Aadifclh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Belebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjkjpgfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgqeappe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjoankoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" Accfbokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfdodjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll" Pmannhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfaigm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajanck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeniabfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" Dfiafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opakbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll" Pjeoglgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" Bebblb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4000 wrote to memory of 3600 4000 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe 83 PID 4000 wrote to memory of 3600 4000 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe 83 PID 4000 wrote to memory of 3600 4000 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe 83 PID 3600 wrote to memory of 3440 3600 Npmagine.exe 84 PID 3600 wrote to memory of 3440 3600 Npmagine.exe 84 PID 3600 wrote to memory of 3440 3600 Npmagine.exe 84 PID 3440 wrote to memory of 2440 3440 Nggjdc32.exe 85 PID 3440 wrote to memory of 2440 3440 Nggjdc32.exe 85 PID 3440 wrote to memory of 2440 3440 Nggjdc32.exe 85 PID 2440 wrote to memory of 4828 2440 Njefqo32.exe 86 PID 2440 wrote to memory of 4828 2440 Njefqo32.exe 86 PID 2440 wrote to memory of 4828 2440 Njefqo32.exe 86 PID 4828 wrote to memory of 1264 4828 Olcbmj32.exe 87 PID 4828 wrote to memory of 1264 4828 Olcbmj32.exe 87 PID 4828 wrote to memory of 1264 4828 Olcbmj32.exe 87 PID 1264 wrote to memory of 4984 1264 Ocnjidkf.exe 88 PID 1264 wrote to memory of 4984 1264 Ocnjidkf.exe 88 PID 1264 wrote to memory of 4984 1264 Ocnjidkf.exe 88 PID 4984 wrote to memory of 864 4984 Oflgep32.exe 89 PID 4984 wrote to memory of 864 4984 Oflgep32.exe 89 PID 4984 wrote to memory of 864 4984 Oflgep32.exe 89 PID 864 wrote to memory of 2552 864 Ojgbfocc.exe 90 PID 864 wrote to memory of 2552 864 Ojgbfocc.exe 90 PID 864 wrote to memory of 2552 864 Ojgbfocc.exe 90 PID 2552 wrote to memory of 4776 2552 Opakbi32.exe 91 PID 2552 wrote to memory of 4776 2552 Opakbi32.exe 91 PID 2552 wrote to memory of 4776 2552 Opakbi32.exe 91 PID 4776 wrote to memory of 3888 4776 Ogkcpbam.exe 93 PID 4776 wrote to memory of 3888 4776 Ogkcpbam.exe 93 PID 4776 wrote to memory of 3888 4776 Ogkcpbam.exe 93 PID 3888 wrote to memory of 4044 3888 Ofnckp32.exe 94 PID 3888 wrote to memory of 4044 3888 Ofnckp32.exe 94 PID 3888 wrote to memory of 4044 3888 Ofnckp32.exe 94 PID 4044 wrote to memory of 3356 4044 Oneklm32.exe 95 PID 4044 wrote to memory of 3356 4044 Oneklm32.exe 95 PID 4044 wrote to memory of 3356 4044 Oneklm32.exe 95 PID 3356 wrote to memory of 400 3356 Opdghh32.exe 96 PID 3356 wrote to memory of 400 3356 Opdghh32.exe 96 PID 3356 wrote to memory of 400 3356 Opdghh32.exe 96 PID 400 wrote to memory of 412 400 Ognpebpj.exe 98 PID 400 wrote to memory of 412 400 Ognpebpj.exe 98 PID 400 wrote to memory of 412 400 Ognpebpj.exe 98 PID 412 wrote to memory of 876 412 Onhhamgg.exe 99 PID 412 wrote to memory of 876 412 Onhhamgg.exe 99 PID 412 wrote to memory of 876 412 Onhhamgg.exe 99 PID 876 wrote to memory of 5028 876 Odapnf32.exe 100 PID 876 wrote to memory of 5028 876 Odapnf32.exe 100 PID 876 wrote to memory of 5028 876 Odapnf32.exe 100 PID 5028 wrote to memory of 3280 5028 Ogpmjb32.exe 101 PID 5028 wrote to memory of 3280 5028 Ogpmjb32.exe 101 PID 5028 wrote to memory of 3280 5028 Ogpmjb32.exe 101 PID 3280 wrote to memory of 1772 3280 Ojoign32.exe 102 PID 3280 wrote to memory of 1772 3280 Ojoign32.exe 102 PID 3280 wrote to memory of 1772 3280 Ojoign32.exe 102 PID 1772 wrote to memory of 2548 1772 Oqhacgdh.exe 103 PID 1772 wrote to memory of 2548 1772 Oqhacgdh.exe 103 PID 1772 wrote to memory of 2548 1772 Oqhacgdh.exe 103 PID 2548 wrote to memory of 2956 2548 Ogbipa32.exe 104 PID 2548 wrote to memory of 2956 2548 Ogbipa32.exe 104 PID 2548 wrote to memory of 2956 2548 Ogbipa32.exe 104 PID 2956 wrote to memory of 1944 2956 Ojaelm32.exe 105 PID 2956 wrote to memory of 1944 2956 Ojaelm32.exe 105 PID 2956 wrote to memory of 1944 2956 Ojaelm32.exe 105 PID 1944 wrote to memory of 2128 1944 Pnlaml32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe"C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3348 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4328 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe27⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3964 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:676 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4860 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4988 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe35⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3164 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5016 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4120 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4052 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4752 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4660 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5068 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe61⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe67⤵PID:5104
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4164 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4824 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4728 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe74⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5056 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3664 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe79⤵PID:3624
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe81⤵PID:1296
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe82⤵
- System Location Discovery: System Language Discovery
PID:4736 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe84⤵
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe85⤵
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe87⤵
- System Location Discovery: System Language Discovery
PID:5176 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe89⤵
- Drops file in System32 directory
PID:5264 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5440 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe94⤵
- System Location Discovery: System Language Discovery
PID:5484 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe95⤵
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe96⤵PID:5572
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe97⤵PID:5616
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe98⤵
- System Location Discovery: System Language Discovery
PID:5660 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5704 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe100⤵
- Drops file in System32 directory
PID:5748 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5924 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6140 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe111⤵PID:5244
-
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe112⤵
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5360 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe115⤵PID:5512
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5672 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe118⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe120⤵PID:5908
-
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5992 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe122⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-