Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
07/03/2025, 13:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe
-
Size
240KB
-
MD5
7474114d50a4eae75e4348673c31a11e
-
SHA1
a0fca52e0df891c54ac487253625c22219c56633
-
SHA256
6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175
-
SHA512
6ffedffc340b9e83acde4827031499007035fef297455b7a164f1445ca6327ec72e68ba30b6e59a573e765d26706893d67cc547db0b5a68d87e5705e88efb472
-
SSDEEP
6144:3dgF4r/3GyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:qF4r/GyXu1jGG1wsGeBgRTGA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnojho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppolhcnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpeahb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnfiplog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpdnjple.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkmmefl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmqfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gojiiafp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chiblk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibccgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpjnjii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nagiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onocomdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgdpni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnqfcbnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfiplog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfmmplad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbped32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmfdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdnjple.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpcal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpaekqhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opqofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aokkahlo.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1424 Efjbcakl.exe 3164 Fneggdhg.exe 4292 Fligqhga.exe 1496 Fngcmcfe.exe 1824 Fbelcblk.exe 2276 Fmkqpkla.exe 2052 Fbgihaji.exe 5100 Flpmagqi.exe 4808 Fbjena32.exe 3000 Gnqfcbnj.exe 3904 Gejopl32.exe 452 Gbnoiqdq.exe 208 Gmdcfidg.exe 1888 Gbalopbn.exe 4436 Gmfplibd.exe 868 Gbchdp32.exe 3524 Glkmmefl.exe 5028 Gojiiafp.exe 3576 Hbhboolf.exe 1236 Hfcnpn32.exe 3420 Hoobdp32.exe 1040 Hidgai32.exe 4844 Hlbcnd32.exe 1744 Hblkjo32.exe 3384 Hfhgkmpj.exe 4796 Hmbphg32.exe 4908 Hlglidlo.exe 4296 Ifmqfm32.exe 408 Ibcaknbi.exe 5008 Ifomll32.exe 3456 Ibfnqmpf.exe 2388 Igajal32.exe 832 Ilnbicff.exe 3664 Iibccgep.exe 5092 Ilqoobdd.exe 5060 Ioolkncg.exe 1080 Igfclkdj.exe 2292 Impliekg.exe 3236 Joahqn32.exe 520 Jghpbk32.exe 2516 Jekqmhia.exe 3616 Jleijb32.exe 920 Jpaekqhh.exe 1468 Jgkmgk32.exe 1612 Jlgepanl.exe 1548 Jofalmmp.exe 1032 Jilfifme.exe 3080 Jljbeali.exe 888 Jebfng32.exe 4024 Jniood32.exe 2360 Jgbchj32.exe 4252 Jlolpq32.exe 2248 Kgdpni32.exe 1788 Kjblje32.exe 2236 Kpmdfonj.exe 5068 Kckqbj32.exe 4552 Kjeiodek.exe 4952 Klcekpdo.exe 3416 Koaagkcb.exe 4564 Kflide32.exe 3804 Kncaec32.exe 1052 Kpanan32.exe 1576 Kcpjnjii.exe 1296 Kfnfjehl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mkfefigf.dll Qobhkjdi.exe File opened for modification C:\Windows\SysWOW64\Bacjdbch.exe Bpdnjple.exe File created C:\Windows\SysWOW64\Chkobkod.exe Cdpcal32.exe File opened for modification C:\Windows\SysWOW64\Kngkqbgl.exe Kfpcoefj.exe File created C:\Windows\SysWOW64\Onmfimga.exe Offnhpfo.exe File created C:\Windows\SysWOW64\Paiogf32.exe Pnkbkk32.exe File opened for modification C:\Windows\SysWOW64\Ppolhcnm.exe Palklf32.exe File opened for modification C:\Windows\SysWOW64\Ilnbicff.exe Igajal32.exe File opened for modification C:\Windows\SysWOW64\Jilfifme.exe Jofalmmp.exe File created C:\Windows\SysWOW64\Kngkqbgl.exe Kfpcoefj.exe File created C:\Windows\SysWOW64\Okehmlqi.dll Mmpmnl32.exe File created C:\Windows\SysWOW64\Nnahhegq.dll Onapdl32.exe File created C:\Windows\SysWOW64\Kbjpeo32.dll Nqmfdj32.exe File opened for modification C:\Windows\SysWOW64\Nfjola32.exe Nclbpf32.exe File opened for modification C:\Windows\SysWOW64\Njfkmphe.exe Nfjola32.exe File opened for modification C:\Windows\SysWOW64\Nmdgikhi.exe Njfkmphe.exe File created C:\Windows\SysWOW64\Pnfiplog.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Omfmcjlk.dll Ohlqcagj.exe File created C:\Windows\SysWOW64\Ckjooo32.dll Hblkjo32.exe File opened for modification C:\Windows\SysWOW64\Lgbloglj.exe Lokdnjkg.exe File created C:\Windows\SysWOW64\Nmkmjjaa.exe Njmqnobn.exe File created C:\Windows\SysWOW64\Oakbehfe.exe Onmfimga.exe File created C:\Windows\SysWOW64\Opqofe32.exe Ombcji32.exe File opened for modification C:\Windows\SysWOW64\Panhbfep.exe Pnplfj32.exe File created C:\Windows\SysWOW64\Fmbgla32.dll Aogbfi32.exe File opened for modification C:\Windows\SysWOW64\Hmbphg32.exe Hfhgkmpj.exe File created C:\Windows\SysWOW64\Gifjfmcq.dll Jilfifme.exe File created C:\Windows\SysWOW64\Npbceggm.exe Nmdgikhi.exe File created C:\Windows\SysWOW64\Fcokoohi.dll Ncnofeof.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Lmdnbn32.exe File created C:\Windows\SysWOW64\Njfkmphe.exe Nfjola32.exe File opened for modification C:\Windows\SysWOW64\Nncccnol.exe Nflkbanj.exe File created C:\Windows\SysWOW64\Ikjllm32.dll Onmfimga.exe File created C:\Windows\SysWOW64\Kcpjnjii.exe Kpanan32.exe File created C:\Windows\SysWOW64\Dannpknl.dll Nmipdk32.exe File created C:\Windows\SysWOW64\Baiinofi.dll Ngndaccj.exe File opened for modification C:\Windows\SysWOW64\Agdcpkll.exe Adfgdpmi.exe File created C:\Windows\SysWOW64\Aokkahlo.exe Agdcpkll.exe File created C:\Windows\SysWOW64\Gjecbd32.dll Bgpcliao.exe File created C:\Windows\SysWOW64\Pipeabep.dll Chiblk32.exe File created C:\Windows\SysWOW64\Gdaklmfn.dll Fneggdhg.exe File created C:\Windows\SysWOW64\Flpmagqi.exe Fbgihaji.exe File created C:\Windows\SysWOW64\Akcoajfm.dll Hfcnpn32.exe File created C:\Windows\SysWOW64\Ibcaknbi.exe Ifmqfm32.exe File created C:\Windows\SysWOW64\Cgdgna32.dll Ibfnqmpf.exe File opened for modification C:\Windows\SysWOW64\Mjaabq32.exe Mfeeabda.exe File created C:\Windows\SysWOW64\Ocgeag32.dll Opqofe32.exe File opened for modification C:\Windows\SysWOW64\Ahofoogd.exe Aphnnafb.exe File created C:\Windows\SysWOW64\Kiodpebj.dll Ioolkncg.exe File created C:\Windows\SysWOW64\Folnlh32.dll Nnojho32.exe File created C:\Windows\SysWOW64\Nclbpf32.exe Nqmfdj32.exe File opened for modification C:\Windows\SysWOW64\Onmfimga.exe Offnhpfo.exe File created C:\Windows\SysWOW64\Onocomdo.exe Ofhknodl.exe File created C:\Windows\SysWOW64\Kbqceofn.dll Bkgeainn.exe File opened for modification C:\Windows\SysWOW64\Dafppp32.exe Cdbpgl32.exe File created C:\Windows\SysWOW64\Fkccgodj.dll Fbelcblk.exe File created C:\Windows\SysWOW64\Lmaamn32.exe Lfgipd32.exe File opened for modification C:\Windows\SysWOW64\Ljhnlb32.exe Lgibpf32.exe File created C:\Windows\SysWOW64\Nagiji32.exe Nmkmjjaa.exe File created C:\Windows\SysWOW64\Offnhpfo.exe Ocgbld32.exe File created C:\Windows\SysWOW64\Ejphhm32.dll Aoioli32.exe File created C:\Windows\SysWOW64\Akfiji32.dll Nclbpf32.exe File created C:\Windows\SysWOW64\Oclknk32.dll Fbgihaji.exe File created C:\Windows\SysWOW64\Hhaljido.dll Jokkgl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8036 7944 WerFault.exe 312 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppolhcnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbphg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofalmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbceggm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfiddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpeahb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkffkhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfgdpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnldla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llodgnja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdialdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljbeali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knenkbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclkgccf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmmplad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafppp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fngcmcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkmjjaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nceefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bobabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jleijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckqbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fneggdhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejopl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmaamn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhdgpii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfkmphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnaaib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnojho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phonha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnlme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioolkncg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agimkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmdpjg.dll" Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoaecol.dll" Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcmfjll.dll" Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppjbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbhboolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpaekqhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll" Mfhbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnqfcbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcckk32.dll" Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqdcnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoglqie.dll" Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oakbehfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opqofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll" Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhafck32.dll" Kcbfcigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocjoadei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll" Ofhknodl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaqegecm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahofoogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll" Bhhiemoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fligqhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pagbaglh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iibccgep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfiddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahofoogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efjbcakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqmfdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll" Caojpaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llodgnja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppjbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdmdnadc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galdglpd.dll" Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll" Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njfkmphe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 1424 2352 6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe 85 PID 2352 wrote to memory of 1424 2352 6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe 85 PID 2352 wrote to memory of 1424 2352 6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe 85 PID 1424 wrote to memory of 3164 1424 Efjbcakl.exe 86 PID 1424 wrote to memory of 3164 1424 Efjbcakl.exe 86 PID 1424 wrote to memory of 3164 1424 Efjbcakl.exe 86 PID 3164 wrote to memory of 4292 3164 Fneggdhg.exe 87 PID 3164 wrote to memory of 4292 3164 Fneggdhg.exe 87 PID 3164 wrote to memory of 4292 3164 Fneggdhg.exe 87 PID 4292 wrote to memory of 1496 4292 Fligqhga.exe 88 PID 4292 wrote to memory of 1496 4292 Fligqhga.exe 88 PID 4292 wrote to memory of 1496 4292 Fligqhga.exe 88 PID 1496 wrote to memory of 1824 1496 Fngcmcfe.exe 89 PID 1496 wrote to memory of 1824 1496 Fngcmcfe.exe 89 PID 1496 wrote to memory of 1824 1496 Fngcmcfe.exe 89 PID 1824 wrote to memory of 2276 1824 Fbelcblk.exe 90 PID 1824 wrote to memory of 2276 1824 Fbelcblk.exe 90 PID 1824 wrote to memory of 2276 1824 Fbelcblk.exe 90 PID 2276 wrote to memory of 2052 2276 Fmkqpkla.exe 91 PID 2276 wrote to memory of 2052 2276 Fmkqpkla.exe 91 PID 2276 wrote to memory of 2052 2276 Fmkqpkla.exe 91 PID 2052 wrote to memory of 5100 2052 Fbgihaji.exe 92 PID 2052 wrote to memory of 5100 2052 Fbgihaji.exe 92 PID 2052 wrote to memory of 5100 2052 Fbgihaji.exe 92 PID 5100 wrote to memory of 4808 5100 Flpmagqi.exe 93 PID 5100 wrote to memory of 4808 5100 Flpmagqi.exe 93 PID 5100 wrote to memory of 4808 5100 Flpmagqi.exe 93 PID 4808 wrote to memory of 3000 4808 Fbjena32.exe 94 PID 4808 wrote to memory of 3000 4808 Fbjena32.exe 94 PID 4808 wrote to memory of 3000 4808 Fbjena32.exe 94 PID 3000 wrote to memory of 3904 3000 Gnqfcbnj.exe 96 PID 3000 wrote to memory of 3904 3000 Gnqfcbnj.exe 96 PID 3000 wrote to memory of 3904 3000 Gnqfcbnj.exe 96 PID 3904 wrote to memory of 452 3904 Gejopl32.exe 97 PID 3904 wrote to memory of 452 3904 Gejopl32.exe 97 PID 3904 wrote to memory of 452 3904 Gejopl32.exe 97 PID 452 wrote to memory of 208 452 Gbnoiqdq.exe 98 PID 452 wrote to memory of 208 452 Gbnoiqdq.exe 98 PID 452 wrote to memory of 208 452 Gbnoiqdq.exe 98 PID 208 wrote to memory of 1888 208 Gmdcfidg.exe 100 PID 208 wrote to memory of 1888 208 Gmdcfidg.exe 100 PID 208 wrote to memory of 1888 208 Gmdcfidg.exe 100 PID 1888 wrote to memory of 4436 1888 Gbalopbn.exe 101 PID 1888 wrote to memory of 4436 1888 Gbalopbn.exe 101 PID 1888 wrote to memory of 4436 1888 Gbalopbn.exe 101 PID 4436 wrote to memory of 868 4436 Gmfplibd.exe 102 PID 4436 wrote to memory of 868 4436 Gmfplibd.exe 102 PID 4436 wrote to memory of 868 4436 Gmfplibd.exe 102 PID 868 wrote to memory of 3524 868 Gbchdp32.exe 103 PID 868 wrote to memory of 3524 868 Gbchdp32.exe 103 PID 868 wrote to memory of 3524 868 Gbchdp32.exe 103 PID 3524 wrote to memory of 5028 3524 Glkmmefl.exe 104 PID 3524 wrote to memory of 5028 3524 Glkmmefl.exe 104 PID 3524 wrote to memory of 5028 3524 Glkmmefl.exe 104 PID 5028 wrote to memory of 3576 5028 Gojiiafp.exe 105 PID 5028 wrote to memory of 3576 5028 Gojiiafp.exe 105 PID 5028 wrote to memory of 3576 5028 Gojiiafp.exe 105 PID 3576 wrote to memory of 1236 3576 Hbhboolf.exe 106 PID 3576 wrote to memory of 1236 3576 Hbhboolf.exe 106 PID 3576 wrote to memory of 1236 3576 Hbhboolf.exe 106 PID 1236 wrote to memory of 3420 1236 Hfcnpn32.exe 107 PID 1236 wrote to memory of 3420 1236 Hfcnpn32.exe 107 PID 1236 wrote to memory of 3420 1236 Hfcnpn32.exe 107 PID 3420 wrote to memory of 1040 3420 Hoobdp32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe"C:\Users\Admin\AppData\Local\Temp\6d3520557e0fb8574dac25348cbc20d0302d3920f0867455d274f08d6e904175.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Fbelcblk.exeC:\Windows\system32\Fbelcblk.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Fmkqpkla.exeC:\Windows\system32\Fmkqpkla.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Flpmagqi.exeC:\Windows\system32\Flpmagqi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Hbhboolf.exeC:\Windows\system32\Hbhboolf.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe23⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4296 -
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe31⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3456 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe34⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Ilqoobdd.exeC:\Windows\system32\Ilqoobdd.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5060 -
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe39⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe40⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Jekqmhia.exeC:\Windows\system32\Jekqmhia.exe42⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616 -
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Jlgepanl.exeC:\Windows\system32\Jlgepanl.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Jofalmmp.exeC:\Windows\system32\Jofalmmp.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Jljbeali.exeC:\Windows\system32\Jljbeali.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe50⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe51⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4996 -
C:\Windows\SysWOW64\Jgbchj32.exeC:\Windows\system32\Jgbchj32.exe53⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4252 -
C:\Windows\SysWOW64\Kgdpni32.exeC:\Windows\system32\Kgdpni32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe56⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Kpmdfonj.exeC:\Windows\system32\Kpmdfonj.exe57⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe59⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe60⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3416 -
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe62⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3804 -
C:\Windows\SysWOW64\Kpanan32.exeC:\Windows\system32\Kpanan32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe66⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe67⤵
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe68⤵PID:4764
-
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe69⤵
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Kfpcoefj.exeC:\Windows\system32\Kfpcoefj.exe70⤵
- Drops file in System32 directory
PID:4896 -
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe71⤵PID:3560
-
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe72⤵PID:1964
-
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4476 -
C:\Windows\SysWOW64\Ljnlecmp.exeC:\Windows\system32\Ljnlecmp.exe74⤵PID:4120
-
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe75⤵
- Drops file in System32 directory
PID:4800 -
C:\Windows\SysWOW64\Lgbloglj.exeC:\Windows\system32\Lgbloglj.exe76⤵PID:5076
-
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe77⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Llodgnja.exeC:\Windows\system32\Llodgnja.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Lcimdh32.exeC:\Windows\system32\Lcimdh32.exe79⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Lfgipd32.exeC:\Windows\system32\Lfgipd32.exe80⤵
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Lopmii32.exeC:\Windows\system32\Lopmii32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe83⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Lcnfohmi.exeC:\Windows\system32\Lcnfohmi.exe84⤵PID:5136
-
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe85⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5240 -
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5288 -
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe88⤵PID:5332
-
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5376 -
C:\Windows\SysWOW64\Mcbpjg32.exeC:\Windows\system32\Mcbpjg32.exe90⤵
- System Location Discovery: System Language Discovery
PID:5424 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe92⤵
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Windows\SysWOW64\Mqfpckhm.exeC:\Windows\system32\Mqfpckhm.exe93⤵PID:5572
-
C:\Windows\SysWOW64\Mcelpggq.exeC:\Windows\system32\Mcelpggq.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Mnjqmpgg.exeC:\Windows\system32\Mnjqmpgg.exe95⤵PID:5668
-
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe96⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe97⤵PID:5752
-
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe98⤵
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe99⤵PID:5840
-
C:\Windows\SysWOW64\Mmpmnl32.exeC:\Windows\system32\Mmpmnl32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe101⤵PID:5936
-
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe102⤵
- Modifies registry class
PID:5996 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe103⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Nnojho32.exeC:\Windows\system32\Nnojho32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6092 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe106⤵
- Drops file in System32 directory
PID:5152 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5256 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe109⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe110⤵
- System Location Discovery: System Language Discovery
PID:5524 -
C:\Windows\SysWOW64\Ncnofeof.exeC:\Windows\system32\Ncnofeof.exe111⤵
- Drops file in System32 directory
PID:5612 -
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe113⤵PID:5748
-
C:\Windows\SysWOW64\Nqbpojnp.exeC:\Windows\system32\Nqbpojnp.exe114⤵PID:5832
-
C:\Windows\SysWOW64\Ncqlkemc.exeC:\Windows\system32\Ncqlkemc.exe115⤵PID:5892
-
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe116⤵
- System Location Discovery: System Language Discovery
PID:6004 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe117⤵
- Drops file in System32 directory
PID:6056 -
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe118⤵
- System Location Discovery: System Language Discovery
PID:6124 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe119⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe120⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5468
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-