Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29-09-2024 10:52
Behavioral task
behavioral1
Sample
8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
General
-
Target
8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736N.exe
-
Size
337KB
-
MD5
70728a01303d443bb896280a1c17c770
-
SHA1
40f5bc58b6dda615c1c3a07b6a5a588fa05711ec
-
SHA256
8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736
-
SHA512
a40b018ccfccf93914c441e1133449d74b022b34133c99205c90fc9151f2df1da4922c26cf8f2e1faaa3924255d5282872fb63279842b6648b99a839b61c5d64
-
SSDEEP
3072:s60TePjqVgUztgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:so7qVtzt1+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Defheg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbifol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgemahmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deejpjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkdkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kokbpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhildae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jglaepim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijngkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kggjghkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkelplc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hligqnjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcjldk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geklckkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbbhafj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjinjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljoboloa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgqabib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcmedk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edoncm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggbmafnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pklamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjbhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bggnijof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcila32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkqhpmkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbbhafj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokldg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clffalkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iheaqolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ephbhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glmhdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhhenhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malefbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najjmjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmahknh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Digmqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gflcnanp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ienlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnfjbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaefne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfidgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefmgogl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijkled32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaqdpjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flddoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkqhpmkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchaoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnpaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemhei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhmcck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdofpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbgndoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlobmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaqdpjia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjeplijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiajck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hligqnjp.exe -
Executes dropped EXE 64 IoCs
pid Process 1744 Abmjqe32.exe 3924 Banjnm32.exe 4488 Bdlfjh32.exe 4564 Bboffejp.exe 2712 Bpedeiff.exe 5108 Bmidnm32.exe 3508 Bfaigclq.exe 2076 Bbhildae.exe 3740 Cmnnimak.exe 676 Cgfbbb32.exe 4740 Cpogkhnl.exe 3208 Ckdkhq32.exe 724 Cgklmacf.exe 1844 Ccblbb32.exe 2336 Dgpeha32.exe 3304 Ddcebe32.exe 552 Dknnoofg.exe 4152 Dahfkimd.exe 5032 Dkpjdo32.exe 4320 Ddhomdje.exe 2432 Dgihop32.exe 1424 Daollh32.exe 4952 Eaaiahei.exe 4292 Epffbd32.exe 4960 Ephbhd32.exe 4700 Eahobg32.exe 3572 Eqmlccdi.exe 1268 Fjeplijj.exe 1940 Fcpakn32.exe 3796 Fnhbmgmk.exe 1464 Fcekfnkb.exe 2668 Fjocbhbo.exe 1276 Gjaphgpl.exe 216 Gdgdeppb.exe 2044 Gdiakp32.exe 3064 Gjficg32.exe 4724 Gcnnllcg.exe 5028 Gjhfif32.exe 4192 Gdnjfojj.exe 3464 Gjkbnfha.exe 2224 Hepgkohh.exe 5044 Hkjohi32.exe 4936 Hnhkdd32.exe 3844 Hgapmj32.exe 2396 Hnkhjdle.exe 4624 Hgcmbj32.exe 5036 Halaloif.exe 404 Hkaeih32.exe 1392 Hnpaec32.exe 3276 Hejjanpm.exe 5104 Hnbnjc32.exe 2568 Igjbci32.exe 4396 Ibpgqa32.exe 4908 Iabglnco.exe 4476 Ijkled32.exe 3636 Ieqpbm32.exe 1912 Inidkb32.exe 220 Iagqgn32.exe 2060 Ilmedf32.exe 4244 Iajmmm32.exe 2200 Ijbbfc32.exe 4296 Jdjfohjg.exe 2068 Jlanpfkj.exe 1264 Jejbhk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mphamg32.exe Minipm32.exe File opened for modification C:\Windows\SysWOW64\Cmnnimak.exe Bbhildae.exe File created C:\Windows\SysWOW64\Lajokiaa.exe Llngbabj.exe File created C:\Windows\SysWOW64\Jpmfpmhg.dll Ndpcdjho.exe File created C:\Windows\SysWOW64\Adnilfnl.exe Abpmpkoh.exe File created C:\Windows\SysWOW64\Dikifc32.dll Daollh32.exe File created C:\Windows\SysWOW64\Nomlek32.exe Nkapelka.exe File opened for modification C:\Windows\SysWOW64\Hkodak32.exe Himgjbii.exe File created C:\Windows\SysWOW64\Hbfhni32.dll Llngbabj.exe File created C:\Windows\SysWOW64\Onccdj32.dll Dbgndoho.exe File created C:\Windows\SysWOW64\Nodeaima.dll Bmidnm32.exe File opened for modification C:\Windows\SysWOW64\Pbifol32.exe Pfbfjk32.exe File created C:\Windows\SysWOW64\Cnebmgjj.exe Clffalkf.exe File created C:\Windows\SysWOW64\Dfdofh32.dll Pklamb32.exe File created C:\Windows\SysWOW64\Bfpkbfdi.exe Bnicai32.exe File opened for modification C:\Windows\SysWOW64\Bggnijof.exe Bjcmpepm.exe File created C:\Windows\SysWOW64\Ggghajap.dll Gjkbnfha.exe File opened for modification C:\Windows\SysWOW64\Pfeijqqe.exe Pmmeak32.exe File opened for modification C:\Windows\SysWOW64\Mkdiog32.exe Malefbkc.exe File opened for modification C:\Windows\SysWOW64\Ohdbkh32.exe Oeffnl32.exe File created C:\Windows\SysWOW64\Acibndof.dll Kemhei32.exe File opened for modification C:\Windows\SysWOW64\Jkajnh32.exe Jfdafa32.exe File created C:\Windows\SysWOW64\Jjfdfl32.exe Jeilne32.exe File created C:\Windows\SysWOW64\Bbbada32.dll Pnhacn32.exe File created C:\Windows\SysWOW64\Bjmpfdhb.exe Bilcol32.exe File created C:\Windows\SysWOW64\Ldpbaelj.dll Jglaepim.exe File opened for modification C:\Windows\SysWOW64\Didjqoae.exe Defajqko.exe File opened for modification C:\Windows\SysWOW64\Gedfblql.exe Gojnfb32.exe File created C:\Windows\SysWOW64\Hhehkepj.exe Hjbhph32.exe File opened for modification C:\Windows\SysWOW64\Bboffejp.exe Bdlfjh32.exe File created C:\Windows\SysWOW64\Kehojiej.exe Kongmo32.exe File opened for modification C:\Windows\SysWOW64\Pkabbgol.exe Pmoagk32.exe File created C:\Windows\SysWOW64\Icefib32.exe Iqgjmg32.exe File created C:\Windows\SysWOW64\Kiiigchq.dll Jmdjha32.exe File opened for modification C:\Windows\SysWOW64\Npcaie32.exe Niihlkdm.exe File opened for modification C:\Windows\SysWOW64\Cnnllhpa.exe Clpppmqn.exe File created C:\Windows\SysWOW64\Jojbil32.dll Bdgehobe.exe File opened for modification C:\Windows\SysWOW64\Ebejem32.exe Ejnbdp32.exe File opened for modification C:\Windows\SysWOW64\Gimoce32.exe Geabbfoc.exe File created C:\Windows\SysWOW64\Iolgql32.dll Fcpakn32.exe File created C:\Windows\SysWOW64\Iilpao32.dll Qihoak32.exe File created C:\Windows\SysWOW64\Clpppmqn.exe Ciaddaaj.exe File opened for modification C:\Windows\SysWOW64\Ogbbqo32.exe Oinbgk32.exe File created C:\Windows\SysWOW64\Phbolflm.exe Pbifol32.exe File created C:\Windows\SysWOW64\Iajncdql.dll Cihjeq32.exe File opened for modification C:\Windows\SysWOW64\Djpfbahm.exe Dlmegd32.exe File opened for modification C:\Windows\SysWOW64\Jjkdlall.exe Jdalog32.exe File created C:\Windows\SysWOW64\Feljgd32.exe Fdjnolfd.exe File created C:\Windows\SysWOW64\Painhneh.dll Gnanioad.exe File opened for modification C:\Windows\SysWOW64\Dmplkd32.exe Dpllbp32.exe File created C:\Windows\SysWOW64\Ababkdij.exe Aglnnkid.exe File created C:\Windows\SysWOW64\Ccblbb32.exe Cgklmacf.exe File created C:\Windows\SysWOW64\Pjcblekh.dll Dkpjdo32.exe File created C:\Windows\SysWOW64\Eiclkk32.dll Eoconenj.exe File created C:\Windows\SysWOW64\Ebndbijh.dll Jchaoe32.exe File created C:\Windows\SysWOW64\Bliajd32.exe Blgddd32.exe File created C:\Windows\SysWOW64\Nfcnnnil.dll Clbdpc32.exe File created C:\Windows\SysWOW64\Emeqhogn.dll Agcdnjcl.exe File created C:\Windows\SysWOW64\Jqfkba32.dll Gehice32.exe File created C:\Windows\SysWOW64\Hpejlc32.exe Hhobjf32.exe File created C:\Windows\SysWOW64\Pnjgog32.exe Pgpobmca.exe File opened for modification C:\Windows\SysWOW64\Gjficg32.exe Gdiakp32.exe File opened for modification C:\Windows\SysWOW64\Fgncff32.exe Fpckjlje.exe File created C:\Windows\SysWOW64\Lmjcdd32.exe Ljkghi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2240 5376 WerFault.exe 809 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedbcebd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdgal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbmfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnbhfde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komoed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpdefc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnnnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beaohcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqombb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbkpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkcmild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmcfkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feljgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjqinamq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcngafol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejeebpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjpfqpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckoifgmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdhbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpoiho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdqbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdlfjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmjdkda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhofbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miklkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqmlccdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjompqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meoggpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoioabf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocmio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjcqffkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odfcjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahinbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkpjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inkjfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdofpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekeie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjipmoai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcila32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpaqqdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimgba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnopbdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdjfohjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlanpfkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnebmgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmnldib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkalnjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgmnooom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehdib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkghi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgllad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaddaaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihjeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fblpflfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmheph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnnimak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepihf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieiajckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbcabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbbel32.dll" Dfonnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jglaepim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phbolflm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bomppneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogmiepcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjjfkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Komoed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qomghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkfnim.dll" Beaohcmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biljib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglcla32.dll" Biljib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijngkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klgqabib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjfdfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okqbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodeek32.dll" Fhnichde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcgpak32.dll" Opfnne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iajmmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhbfe32.dll" Mahklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpidqbi.dll" Nncoaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgagjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhjabbic.dll" Eoladdeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggkgbgid.dll" Ndmgnkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qghlmbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feofmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlbllc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kehojiej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgllcdnc.dll" Nejgbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnbnjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbnlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaqkhem.dll" Aeopfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfniikha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djmima32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohpiphlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foaeccgp.dll" Dicbfhni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdgdeppb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkaeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdmlkfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnhmn32.dll" Ldfhgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncoaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niglfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edoncm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkchqpgd.dll" Qhghge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngjpgqp.dll" Becknc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbcimhh.dll" Foakpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgemahmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnanioad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceehcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cinpdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogqmee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieqpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdplb32.dll" Lpbokjho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nomlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjeibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdofh32.dll" Pklamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfidgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ancjef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icooig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjcqffkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkboeobh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 1744 1852 8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736N.exe 91 PID 1852 wrote to memory of 1744 1852 8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736N.exe 91 PID 1852 wrote to memory of 1744 1852 8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736N.exe 91 PID 1744 wrote to memory of 3924 1744 Abmjqe32.exe 92 PID 1744 wrote to memory of 3924 1744 Abmjqe32.exe 92 PID 1744 wrote to memory of 3924 1744 Abmjqe32.exe 92 PID 3924 wrote to memory of 4488 3924 Banjnm32.exe 93 PID 3924 wrote to memory of 4488 3924 Banjnm32.exe 93 PID 3924 wrote to memory of 4488 3924 Banjnm32.exe 93 PID 4488 wrote to memory of 4564 4488 Bdlfjh32.exe 94 PID 4488 wrote to memory of 4564 4488 Bdlfjh32.exe 94 PID 4488 wrote to memory of 4564 4488 Bdlfjh32.exe 94 PID 4564 wrote to memory of 2712 4564 Bboffejp.exe 95 PID 4564 wrote to memory of 2712 4564 Bboffejp.exe 95 PID 4564 wrote to memory of 2712 4564 Bboffejp.exe 95 PID 2712 wrote to memory of 5108 2712 Bpedeiff.exe 96 PID 2712 wrote to memory of 5108 2712 Bpedeiff.exe 96 PID 2712 wrote to memory of 5108 2712 Bpedeiff.exe 96 PID 5108 wrote to memory of 3508 5108 Bmidnm32.exe 97 PID 5108 wrote to memory of 3508 5108 Bmidnm32.exe 97 PID 5108 wrote to memory of 3508 5108 Bmidnm32.exe 97 PID 3508 wrote to memory of 2076 3508 Bfaigclq.exe 98 PID 3508 wrote to memory of 2076 3508 Bfaigclq.exe 98 PID 3508 wrote to memory of 2076 3508 Bfaigclq.exe 98 PID 2076 wrote to memory of 3740 2076 Bbhildae.exe 99 PID 2076 wrote to memory of 3740 2076 Bbhildae.exe 99 PID 2076 wrote to memory of 3740 2076 Bbhildae.exe 99 PID 3740 wrote to memory of 676 3740 Cmnnimak.exe 100 PID 3740 wrote to memory of 676 3740 Cmnnimak.exe 100 PID 3740 wrote to memory of 676 3740 Cmnnimak.exe 100 PID 676 wrote to memory of 4740 676 Cgfbbb32.exe 101 PID 676 wrote to memory of 4740 676 Cgfbbb32.exe 101 PID 676 wrote to memory of 4740 676 Cgfbbb32.exe 101 PID 4740 wrote to memory of 3208 4740 Cpogkhnl.exe 102 PID 4740 wrote to memory of 3208 4740 Cpogkhnl.exe 102 PID 4740 wrote to memory of 3208 4740 Cpogkhnl.exe 102 PID 3208 wrote to memory of 724 3208 Ckdkhq32.exe 103 PID 3208 wrote to memory of 724 3208 Ckdkhq32.exe 103 PID 3208 wrote to memory of 724 3208 Ckdkhq32.exe 103 PID 724 wrote to memory of 1844 724 Cgklmacf.exe 104 PID 724 wrote to memory of 1844 724 Cgklmacf.exe 104 PID 724 wrote to memory of 1844 724 Cgklmacf.exe 104 PID 1844 wrote to memory of 2336 1844 Ccblbb32.exe 105 PID 1844 wrote to memory of 2336 1844 Ccblbb32.exe 105 PID 1844 wrote to memory of 2336 1844 Ccblbb32.exe 105 PID 2336 wrote to memory of 3304 2336 Dgpeha32.exe 106 PID 2336 wrote to memory of 3304 2336 Dgpeha32.exe 106 PID 2336 wrote to memory of 3304 2336 Dgpeha32.exe 106 PID 3304 wrote to memory of 552 3304 Ddcebe32.exe 107 PID 3304 wrote to memory of 552 3304 Ddcebe32.exe 107 PID 3304 wrote to memory of 552 3304 Ddcebe32.exe 107 PID 552 wrote to memory of 4152 552 Dknnoofg.exe 108 PID 552 wrote to memory of 4152 552 Dknnoofg.exe 108 PID 552 wrote to memory of 4152 552 Dknnoofg.exe 108 PID 4152 wrote to memory of 5032 4152 Dahfkimd.exe 109 PID 4152 wrote to memory of 5032 4152 Dahfkimd.exe 109 PID 4152 wrote to memory of 5032 4152 Dahfkimd.exe 109 PID 5032 wrote to memory of 4320 5032 Dkpjdo32.exe 110 PID 5032 wrote to memory of 4320 5032 Dkpjdo32.exe 110 PID 5032 wrote to memory of 4320 5032 Dkpjdo32.exe 110 PID 4320 wrote to memory of 2432 4320 Ddhomdje.exe 111 PID 4320 wrote to memory of 2432 4320 Ddhomdje.exe 111 PID 4320 wrote to memory of 2432 4320 Ddhomdje.exe 111 PID 2432 wrote to memory of 1424 2432 Dgihop32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736N.exe"C:\Users\Admin\AppData\Local\Temp\8de789ab161bd0f4bba626fdf9dc5800dfc2e64c88d00341f9ee70f5c5b8a736N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Abmjqe32.exeC:\Windows\system32\Abmjqe32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Banjnm32.exeC:\Windows\system32\Banjnm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Bdlfjh32.exeC:\Windows\system32\Bdlfjh32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Bfaigclq.exeC:\Windows\system32\Bfaigclq.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Cmnnimak.exeC:\Windows\system32\Cmnnimak.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Cgfbbb32.exeC:\Windows\system32\Cgfbbb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Cpogkhnl.exeC:\Windows\system32\Cpogkhnl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Ckdkhq32.exeC:\Windows\system32\Ckdkhq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Ccblbb32.exeC:\Windows\system32\Ccblbb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Dkpjdo32.exeC:\Windows\system32\Dkpjdo32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Ddhomdje.exeC:\Windows\system32\Ddhomdje.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Dgihop32.exeC:\Windows\system32\Dgihop32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Eaaiahei.exeC:\Windows\system32\Eaaiahei.exe24⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe25⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Ephbhd32.exeC:\Windows\system32\Ephbhd32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe27⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Windows\SysWOW64\Fjeplijj.exeC:\Windows\system32\Fjeplijj.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe31⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe32⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe33⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Gjaphgpl.exeC:\Windows\system32\Gjaphgpl.exe34⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Gdgdeppb.exeC:\Windows\system32\Gdgdeppb.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Gjficg32.exeC:\Windows\system32\Gjficg32.exe37⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe38⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe39⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe40⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3464 -
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe42⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Hkjohi32.exeC:\Windows\system32\Hkjohi32.exe43⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Hnhkdd32.exeC:\Windows\system32\Hnhkdd32.exe44⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Hgapmj32.exeC:\Windows\system32\Hgapmj32.exe45⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe46⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe47⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe48⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe51⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Hnbnjc32.exeC:\Windows\system32\Hnbnjc32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:5104 -
C:\Windows\SysWOW64\Igjbci32.exeC:\Windows\system32\Igjbci32.exe53⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ibpgqa32.exeC:\Windows\system32\Ibpgqa32.exe54⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe55⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Ijkled32.exeC:\Windows\system32\Ijkled32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3636 -
C:\Windows\SysWOW64\Inidkb32.exeC:\Windows\system32\Inidkb32.exe58⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe59⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe60⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Iajmmm32.exeC:\Windows\system32\Iajmmm32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4244 -
C:\Windows\SysWOW64\Ijbbfc32.exeC:\Windows\system32\Ijbbfc32.exe62⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Jdjfohjg.exeC:\Windows\system32\Jdjfohjg.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe65⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Jhhodg32.exeC:\Windows\system32\Jhhodg32.exe66⤵PID:2380
-
C:\Windows\SysWOW64\Jelonkph.exeC:\Windows\system32\Jelonkph.exe67⤵PID:232
-
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe68⤵PID:2748
-
C:\Windows\SysWOW64\Jbppgona.exeC:\Windows\system32\Jbppgona.exe69⤵PID:3620
-
C:\Windows\SysWOW64\Jdalog32.exeC:\Windows\system32\Jdalog32.exe70⤵
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe71⤵PID:780
-
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe72⤵PID:5168
-
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe73⤵PID:5208
-
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe74⤵PID:5248
-
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe75⤵
- System Location Discovery: System Language Discovery
PID:5292 -
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe76⤵
- Drops file in System32 directory
PID:5332 -
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe77⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe78⤵PID:5412
-
C:\Windows\SysWOW64\Kblpcndd.exeC:\Windows\system32\Kblpcndd.exe79⤵PID:5452
-
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe80⤵
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Kbnlim32.exeC:\Windows\system32\Kbnlim32.exe81⤵
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Kemhei32.exeC:\Windows\system32\Kemhei32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Lbqinm32.exeC:\Windows\system32\Lbqinm32.exe84⤵PID:5712
-
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe85⤵PID:5756
-
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe86⤵PID:5804
-
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe87⤵
- Drops file in System32 directory
PID:5848 -
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe88⤵PID:5892
-
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe89⤵PID:5936
-
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5980 -
C:\Windows\SysWOW64\Lhgdmb32.exeC:\Windows\system32\Lhgdmb32.exe91⤵PID:6024
-
C:\Windows\SysWOW64\Moalil32.exeC:\Windows\system32\Moalil32.exe92⤵PID:6068
-
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe93⤵PID:6112
-
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe94⤵PID:5128
-
C:\Windows\SysWOW64\Mociol32.exeC:\Windows\system32\Mociol32.exe95⤵PID:5196
-
C:\Windows\SysWOW64\Memalfcb.exeC:\Windows\system32\Memalfcb.exe96⤵PID:5268
-
C:\Windows\SysWOW64\Moefdljc.exeC:\Windows\system32\Moefdljc.exe97⤵PID:5360
-
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe98⤵PID:5436
-
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe99⤵PID:5500
-
C:\Windows\SysWOW64\Mohbjkgp.exeC:\Windows\system32\Mohbjkgp.exe100⤵PID:5612
-
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe101⤵PID:5696
-
C:\Windows\SysWOW64\Mddkbbfg.exeC:\Windows\system32\Mddkbbfg.exe102⤵PID:5788
-
C:\Windows\SysWOW64\Mllccpfj.exeC:\Windows\system32\Mllccpfj.exe103⤵PID:5876
-
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe104⤵PID:5948
-
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe105⤵
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Mdghhb32.exeC:\Windows\system32\Mdghhb32.exe106⤵PID:6104
-
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe107⤵PID:5276
-
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe108⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe109⤵
- Modifies registry class
PID:5608 -
C:\Windows\SysWOW64\Nakhaf32.exeC:\Windows\system32\Nakhaf32.exe110⤵PID:5784
-
C:\Windows\SysWOW64\Ndidna32.exeC:\Windows\system32\Ndidna32.exe111⤵PID:5944
-
C:\Windows\SysWOW64\Nlqloo32.exeC:\Windows\system32\Nlqloo32.exe112⤵PID:6124
-
C:\Windows\SysWOW64\Nooikj32.exeC:\Windows\system32\Nooikj32.exe113⤵PID:5300
-
C:\Windows\SysWOW64\Ncjdki32.exeC:\Windows\system32\Ncjdki32.exe114⤵PID:5600
-
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe115⤵PID:5964
-
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe116⤵PID:6100
-
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe117⤵PID:5596
-
C:\Windows\SysWOW64\Nhlfoodc.exeC:\Windows\system32\Nhlfoodc.exe118⤵PID:5992
-
C:\Windows\SysWOW64\Okmpqjad.exeC:\Windows\system32\Okmpqjad.exe119⤵PID:5820
-
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe120⤵PID:5476
-
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe121⤵PID:5792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-