Analysis
-
max time kernel
94s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
07/03/2025, 09:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe
Resource
win7-20250207-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe
-
Size
128KB
-
MD5
b5dfa7448ff883b4430eae569533edbb
-
SHA1
2290c2f5c9a2c92889aa9e943ae8b98a41e1b73a
-
SHA256
5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e
-
SHA512
806d688c2fbe72cef18b1cbefb8ecdf0930bc56e52e5f7697db83b824bd8ec1209863f7c4bc745d6cfd41b169cd224100e61e4cbc6d3ef1ba2b1b85cf311629e
-
SSDEEP
3072:xjkb7DEx6Xv0IrXOoS+FJ2eZUEdmjRrz3TIUV4BKi:xjkHDEx6Xvl8+vNeEdGTBI
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdjbiheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gidnkkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjjbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hipmfjee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgdpni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmapodj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qdphngfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmpdhboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oldjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddgplado.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bepmoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doaneiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eofgpikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocaebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icnklbmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldcjeia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngkqbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgeghp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coadnlnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhkdmlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmmqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbefe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpojd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bebjdgmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aajohjon.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4228 Gipdap32.exe 2712 Hpjmnjqn.exe 856 Hdehni32.exe 3416 Hkpqkcpd.exe 5096 Hmnmgnoh.exe 4956 Hplicjok.exe 1808 Hckeoeno.exe 3664 Hienlpel.exe 3824 Hlcjhkdp.exe 4488 Hdjbiheb.exe 512 Hkdjfb32.exe 4460 Hmbfbn32.exe 2636 Hpabni32.exe 1536 Hcpojd32.exe 4324 Hgkkkcbc.exe 2544 Hlhccj32.exe 3928 Hdokdg32.exe 2988 Hgmgqc32.exe 3384 Hildmn32.exe 4820 Iljpij32.exe 1728 Idahjg32.exe 4544 Ikkpgafg.exe 3200 Ilmmni32.exe 2516 Idcepgmg.exe 3372 Igbalblk.exe 4468 Inlihl32.exe 2552 Ipjedh32.exe 5044 Iciaqc32.exe 2244 Innfnl32.exe 4120 Idhnkf32.exe 1964 Iggjga32.exe 4076 Ijegcm32.exe 852 Ilccoh32.exe 3360 Icnklbmj.exe 1292 Ikdcmpnl.exe 2176 Jjgchm32.exe 4696 Jlfpdh32.exe 1620 Jdmgfedl.exe 1160 Jgkdbacp.exe 1272 Jjjpnlbd.exe 4428 Jlhljhbg.exe 4208 Jcbdgb32.exe 2528 Jkimho32.exe 4340 Jnhidk32.exe 1320 Jpfepf32.exe 4288 Jdaaaeqg.exe 4924 Jgpmmp32.exe 1376 Jjoiil32.exe 4384 Jlmfeg32.exe 1688 Jddnfd32.exe 948 Jknfcofa.exe 848 Jnlbojee.exe 4800 Jqknkedi.exe 2992 Jgeghp32.exe 3512 Knooej32.exe 4572 Kmaopfjm.exe 2396 Kdigadjo.exe 2052 Kggcnoic.exe 3816 Kjepjkhf.exe 60 Kmdlffhj.exe 4296 Kdkdgchl.exe 2852 Kgipcogp.exe 672 Kjhloj32.exe 2656 Kmfhkf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hdokdg32.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Bdpkjpdi.dll Lkalplel.exe File opened for modification C:\Windows\SysWOW64\Jenmcggo.exe Jpaekqhh.exe File created C:\Windows\SysWOW64\Ljhefhha.exe Lgjijmin.exe File created C:\Windows\SysWOW64\Oacoqnci.exe Oodcdb32.exe File created C:\Windows\SysWOW64\Aekddhcb.exe Aoalgn32.exe File created C:\Windows\SysWOW64\Kldbpfio.dll Ekaapi32.exe File opened for modification C:\Windows\SysWOW64\Flpmagqi.exe Fiaael32.exe File created C:\Windows\SysWOW64\Gfodeohd.exe Goglcahb.exe File opened for modification C:\Windows\SysWOW64\Impliekg.exe Ickglm32.exe File created C:\Windows\SysWOW64\Pnifekmd.exe Pccahbmn.exe File created C:\Windows\SysWOW64\Kjjiej32.exe Kkgiimng.exe File opened for modification C:\Windows\SysWOW64\Naecop32.exe Nmigoagp.exe File created C:\Windows\SysWOW64\Cdbfab32.exe Cfpffeaj.exe File created C:\Windows\SysWOW64\Efgemb32.exe Enpmld32.exe File opened for modification C:\Windows\SysWOW64\Ickglm32.exe Ioolkncg.exe File opened for modification C:\Windows\SysWOW64\Mqdcnl32.exe Mfnoqc32.exe File opened for modification C:\Windows\SysWOW64\Pfdjinjo.exe Pnifekmd.exe File created C:\Windows\SysWOW64\Kdkdgchl.exe Kmdlffhj.exe File created C:\Windows\SysWOW64\Hmokmkpo.dll Kjhloj32.exe File opened for modification C:\Windows\SysWOW64\Mmpdhboj.exe Mjahlgpf.exe File created C:\Windows\SysWOW64\Kflide32.exe Kcmmhj32.exe File created C:\Windows\SysWOW64\Ekbmje32.dll Aajhndkb.exe File opened for modification C:\Windows\SysWOW64\Igbalblk.exe Idcepgmg.exe File created C:\Windows\SysWOW64\Fnipgg32.dll Mebcop32.exe File created C:\Windows\SysWOW64\Nagpeo32.exe Nmlddqem.exe File created C:\Windows\SysWOW64\Cndepccb.dll Palbgl32.exe File opened for modification C:\Windows\SysWOW64\Bemqih32.exe Bnfihkqm.exe File opened for modification C:\Windows\SysWOW64\Bepmoh32.exe Bnhenj32.exe File created C:\Windows\SysWOW64\Dbmdml32.dll Qpcecb32.exe File created C:\Windows\SysWOW64\Kmaopfjm.exe Knooej32.exe File created C:\Windows\SysWOW64\Odoogi32.exe Oelolmnd.exe File created C:\Windows\SysWOW64\Pickil32.dll Oogpjbbb.exe File opened for modification C:\Windows\SysWOW64\Chqogq32.exe Cdecgbfa.exe File created C:\Windows\SysWOW64\Hicakqhn.dll Kgdpni32.exe File opened for modification C:\Windows\SysWOW64\Hdehni32.exe Hpjmnjqn.exe File opened for modification C:\Windows\SysWOW64\Iciaqc32.exe Ipjedh32.exe File opened for modification C:\Windows\SysWOW64\Amjillkj.exe Aogiap32.exe File created C:\Windows\SysWOW64\Jfegnkqm.dll Dbicpfdk.exe File created C:\Windows\SysWOW64\Hipmfjee.exe Gbeejp32.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Kcidmkpq.exe File created C:\Windows\SysWOW64\Nfdjaieh.dll Ilmmni32.exe File opened for modification C:\Windows\SysWOW64\Jpfepf32.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Lebcnn32.dll Oelolmnd.exe File opened for modification C:\Windows\SysWOW64\Aafemk32.exe Amjillkj.exe File created C:\Windows\SysWOW64\Iojmqe32.dll Cdbfab32.exe File created C:\Windows\SysWOW64\Cbfgkffn.exe Cnkkjh32.exe File created C:\Windows\SysWOW64\Ebmenh32.dll Dbpjaeoc.exe File created C:\Windows\SysWOW64\Kcpjnjii.exe Kjgeedch.exe File created C:\Windows\SysWOW64\Mmpdhboj.exe Mjahlgpf.exe File created C:\Windows\SysWOW64\Ohfami32.exe Oeheqm32.exe File created C:\Windows\SysWOW64\Aogiap32.exe Qlimed32.exe File created C:\Windows\SysWOW64\Egbcih32.dll Iepaaico.exe File created C:\Windows\SysWOW64\Minqeaad.dll Lokdnjkg.exe File created C:\Windows\SysWOW64\Aepjgm32.dll Nceefd32.exe File created C:\Windows\SysWOW64\Lhdbgapf.dll Pnfiplog.exe File opened for modification C:\Windows\SysWOW64\Bkibgh32.exe Bdojjo32.exe File created C:\Windows\SysWOW64\Khliclno.dll Pkegpb32.exe File opened for modification C:\Windows\SysWOW64\Dkceokii.exe Dheibpje.exe File created C:\Windows\SysWOW64\Ilchfdgp.dll Dmcain32.exe File created C:\Windows\SysWOW64\Emhkdmlg.exe Eiloco32.exe File created C:\Windows\SysWOW64\Kbopqlen.dll Pldcjeia.exe File created C:\Windows\SysWOW64\Hmlephen.dll Cbpajgmf.exe File created C:\Windows\SysWOW64\Aoqqpnlk.dll Chiigadc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12692 12608 WerFault.exe 621 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgifbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modgdicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mepfiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poliea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoknihb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbalopbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioolkncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfgmnfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcepgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkdgchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejeiocj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhkfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncofplba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcjop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpiplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meepdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdickcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkpmdbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpjnjii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmdnadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkblhfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmenca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgeghp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpabni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnadagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpkdjofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nghekkmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmfmhll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedccfqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpabni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkpqkcpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljhefhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflkamml.dll" Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmoiqneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcfggkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Palbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgnid32.dll" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdlakbf.dll" Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll" Nopfpgip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amcehdod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehqkihfg.dll" Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cofnik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebdcld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiiimel.dll" Icnklbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgaokl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfcalbj.dll" Qlimed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieijp32.dll" Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpjljph.dll" Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idahjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndfbikc.dll" Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gepgfb32.dll" Fimhjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goglcahb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ilnbicff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajpfn32.dll" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Meepdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmoiqneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcanll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aaenbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkndie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgaokl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkajlm32.dll" Addaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfiddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qdphngfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmcain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbeejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll" Bphgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpmapodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emcnmpcj.dll" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqlhmf32.dll" Hlepcdoa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4484 wrote to memory of 4228 4484 5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe 84 PID 4484 wrote to memory of 4228 4484 5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe 84 PID 4484 wrote to memory of 4228 4484 5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe 84 PID 4228 wrote to memory of 2712 4228 Gipdap32.exe 85 PID 4228 wrote to memory of 2712 4228 Gipdap32.exe 85 PID 4228 wrote to memory of 2712 4228 Gipdap32.exe 85 PID 2712 wrote to memory of 856 2712 Hpjmnjqn.exe 86 PID 2712 wrote to memory of 856 2712 Hpjmnjqn.exe 86 PID 2712 wrote to memory of 856 2712 Hpjmnjqn.exe 86 PID 856 wrote to memory of 3416 856 Hdehni32.exe 87 PID 856 wrote to memory of 3416 856 Hdehni32.exe 87 PID 856 wrote to memory of 3416 856 Hdehni32.exe 87 PID 3416 wrote to memory of 5096 3416 Hkpqkcpd.exe 88 PID 3416 wrote to memory of 5096 3416 Hkpqkcpd.exe 88 PID 3416 wrote to memory of 5096 3416 Hkpqkcpd.exe 88 PID 5096 wrote to memory of 4956 5096 Hmnmgnoh.exe 89 PID 5096 wrote to memory of 4956 5096 Hmnmgnoh.exe 89 PID 5096 wrote to memory of 4956 5096 Hmnmgnoh.exe 89 PID 4956 wrote to memory of 1808 4956 Hplicjok.exe 91 PID 4956 wrote to memory of 1808 4956 Hplicjok.exe 91 PID 4956 wrote to memory of 1808 4956 Hplicjok.exe 91 PID 1808 wrote to memory of 3664 1808 Hckeoeno.exe 92 PID 1808 wrote to memory of 3664 1808 Hckeoeno.exe 92 PID 1808 wrote to memory of 3664 1808 Hckeoeno.exe 92 PID 3664 wrote to memory of 3824 3664 Hienlpel.exe 93 PID 3664 wrote to memory of 3824 3664 Hienlpel.exe 93 PID 3664 wrote to memory of 3824 3664 Hienlpel.exe 93 PID 3824 wrote to memory of 4488 3824 Hlcjhkdp.exe 94 PID 3824 wrote to memory of 4488 3824 Hlcjhkdp.exe 94 PID 3824 wrote to memory of 4488 3824 Hlcjhkdp.exe 94 PID 4488 wrote to memory of 512 4488 Hdjbiheb.exe 95 PID 4488 wrote to memory of 512 4488 Hdjbiheb.exe 95 PID 4488 wrote to memory of 512 4488 Hdjbiheb.exe 95 PID 512 wrote to memory of 4460 512 Hkdjfb32.exe 97 PID 512 wrote to memory of 4460 512 Hkdjfb32.exe 97 PID 512 wrote to memory of 4460 512 Hkdjfb32.exe 97 PID 4460 wrote to memory of 2636 4460 Hmbfbn32.exe 98 PID 4460 wrote to memory of 2636 4460 Hmbfbn32.exe 98 PID 4460 wrote to memory of 2636 4460 Hmbfbn32.exe 98 PID 2636 wrote to memory of 1536 2636 Hpabni32.exe 99 PID 2636 wrote to memory of 1536 2636 Hpabni32.exe 99 PID 2636 wrote to memory of 1536 2636 Hpabni32.exe 99 PID 1536 wrote to memory of 4324 1536 Hcpojd32.exe 100 PID 1536 wrote to memory of 4324 1536 Hcpojd32.exe 100 PID 1536 wrote to memory of 4324 1536 Hcpojd32.exe 100 PID 4324 wrote to memory of 2544 4324 Hgkkkcbc.exe 102 PID 4324 wrote to memory of 2544 4324 Hgkkkcbc.exe 102 PID 4324 wrote to memory of 2544 4324 Hgkkkcbc.exe 102 PID 2544 wrote to memory of 3928 2544 Hlhccj32.exe 103 PID 2544 wrote to memory of 3928 2544 Hlhccj32.exe 103 PID 2544 wrote to memory of 3928 2544 Hlhccj32.exe 103 PID 3928 wrote to memory of 2988 3928 Hdokdg32.exe 104 PID 3928 wrote to memory of 2988 3928 Hdokdg32.exe 104 PID 3928 wrote to memory of 2988 3928 Hdokdg32.exe 104 PID 2988 wrote to memory of 3384 2988 Hgmgqc32.exe 105 PID 2988 wrote to memory of 3384 2988 Hgmgqc32.exe 105 PID 2988 wrote to memory of 3384 2988 Hgmgqc32.exe 105 PID 3384 wrote to memory of 4820 3384 Hildmn32.exe 106 PID 3384 wrote to memory of 4820 3384 Hildmn32.exe 106 PID 3384 wrote to memory of 4820 3384 Hildmn32.exe 106 PID 4820 wrote to memory of 1728 4820 Iljpij32.exe 107 PID 4820 wrote to memory of 1728 4820 Iljpij32.exe 107 PID 4820 wrote to memory of 1728 4820 Iljpij32.exe 107 PID 1728 wrote to memory of 4544 1728 Idahjg32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe"C:\Users\Admin\AppData\Local\Temp\5baca78d5454c2a1468670cba3a5dadf86dea652ce9cd1f65cc7974930e7091e.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe23⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Ilmmni32.exeC:\Windows\system32\Ilmmni32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe26⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Inlihl32.exeC:\Windows\system32\Inlihl32.exe27⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe30⤵PID:4456
-
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe31⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe32⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe34⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3360 -
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe37⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe38⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Windows\SysWOW64\Jdmgfedl.exeC:\Windows\system32\Jdmgfedl.exe40⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe41⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe43⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4208 -
C:\Windows\SysWOW64\Jkimho32.exeC:\Windows\system32\Jkimho32.exe45⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Jnhidk32.exeC:\Windows\system32\Jnhidk32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4340 -
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe47⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe48⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe49⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe50⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe52⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe53⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe54⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3512 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe58⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe60⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe61⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60 -
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe64⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe66⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe67⤵PID:4236
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe68⤵
- Drops file in System32 directory
PID:4480 -
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe69⤵PID:5100
-
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe70⤵PID:3852
-
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe71⤵PID:4200
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe73⤵PID:4940
-
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe74⤵PID:2132
-
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe75⤵PID:4172
-
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe76⤵
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe77⤵PID:1648
-
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe78⤵
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe79⤵PID:3428
-
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe80⤵PID:4900
-
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe81⤵
- Drops file in System32 directory
PID:4072 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe82⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe83⤵PID:5228
-
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe84⤵
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe85⤵
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe86⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe87⤵
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe88⤵
- Modifies registry class
PID:5524 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Mnhkbfme.exeC:\Windows\system32\Mnhkbfme.exe90⤵
- System Location Discovery: System Language Discovery
PID:5628 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe91⤵PID:5688
-
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe93⤵
- Modifies registry class
PID:5788 -
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe94⤵PID:5836
-
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe95⤵PID:5872
-
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe96⤵PID:5944
-
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe97⤵PID:5996
-
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe99⤵PID:6112
-
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe100⤵PID:5156
-
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe101⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe103⤵PID:5416
-
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe104⤵PID:5516
-
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe105⤵PID:5568
-
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe106⤵PID:5704
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5752 -
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe108⤵PID:5828
-
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe109⤵
- System Location Discovery: System Language Discovery
PID:5892 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe110⤵PID:6004
-
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe111⤵
- System Location Discovery: System Language Discovery
PID:6100 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe112⤵PID:5144
-
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5368 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe114⤵PID:5480
-
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe115⤵
- System Location Discovery: System Language Discovery
PID:5600 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe116⤵PID:5728
-
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe117⤵PID:5852
-
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe118⤵PID:5972
-
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe119⤵
- System Location Discovery: System Language Discovery
PID:4552 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe120⤵PID:5180
-
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5584
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-