Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 03:17
Behavioral task
behavioral1
Sample
7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe
-
Size
194KB
-
MD5
5841b666547ab983f2d2e175be62f340
-
SHA1
658fa7a8528b96baa74f708cef8f73111a4fb7f2
-
SHA256
7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3
-
SHA512
f7f25085a4f4f0f87b37ea20023826db57aa84f877944f24d60c57df5ab506c863bee9e87ed956b4bfc63a8a63a65566321e390c576e97d2dc7731892a9a2fcc
-
SSDEEP
3072:D24btgqyWhf9AmmMIM/kEmMIGumMIc/1GV:9Rwm5/pbuh/UV
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfmgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgiohbfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egaejeej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnhajba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laiipofp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jldbpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocgbend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhcali32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofegni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opeiadfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laiipofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdihbgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhldbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonlfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njljch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbegqjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lohqnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapppn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihmedma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpogkhnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofefp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afappe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihibbjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfolacnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oihmedma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afockelf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfegk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilphdlqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljdkll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibibp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnomg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcoccc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khlklj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcdeeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcejcha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciihjmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiopca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbnnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cigkdmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqlcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egaejeej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhqefjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobhkjdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edgbii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiopca32.exe -
Executes dropped EXE 64 IoCs
pid Process 752 Nmdgikhi.exe 1272 Ncnofeof.exe 4592 Nglhld32.exe 4464 Npgmpf32.exe 3512 Nnhmnn32.exe 4960 Npiiffqe.exe 4984 Oplfkeob.exe 1504 Ogcnmc32.exe 4368 Ocjoadei.exe 2840 Oanokhdb.exe 3228 Onapdl32.exe 4668 Oaplqh32.exe 4752 Opeiadfg.exe 4384 Pnfiplog.exe 1744 Pccahbmn.exe 2864 Ppjbmc32.exe 1624 Pjpfjl32.exe 2428 Phcgcqab.exe 1268 Pmpolgoi.exe 2328 Pfiddm32.exe 1064 Ppahmb32.exe 1116 Qobhkjdi.exe 3172 Qdoacabq.exe 1960 Qodeajbg.exe 3684 Qdaniq32.exe 2772 Aogbfi32.exe 536 Ahofoogd.exe 4372 Aknbkjfh.exe 4868 Aagkhd32.exe 2656 Aokkahlo.exe 4852 Aggpfkjj.exe 1388 Aaldccip.exe 4584 Akdilipp.exe 3648 Aaoaic32.exe 5088 Bobabg32.exe 4456 Bhkfkmmg.exe 4936 Boenhgdd.exe 1484 Bgpcliao.exe 4948 Bphgeo32.exe 4792 Bgbpaipl.exe 4824 Boihcf32.exe 2920 Bnoddcef.exe 720 Cponen32.exe 1676 Chfegk32.exe 4048 Cncnob32.exe 2684 Cocjiehd.exe 4516 Cpdgqmnb.exe 2736 Cgnomg32.exe 4664 Cpfcfmlp.exe 1760 Cgqlcg32.exe 2332 Dpiplm32.exe 2208 Dkndie32.exe 3688 Dahmfpap.exe 1620 Dgeenfog.exe 4316 Dqnjgl32.exe 4220 Dkcndeen.exe 1372 Dgjoif32.exe 4688 Ddnobj32.exe 3012 Eqdpgk32.exe 1020 Egaejeej.exe 2184 Edgbii32.exe 4044 Egened32.exe 3276 Ebkbbmqj.exe 2972 Ekcgkb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fomnhddq.dll Cgnomg32.exe File created C:\Windows\SysWOW64\Gijmad32.exe Gacepg32.exe File created C:\Windows\SysWOW64\Ilkoim32.exe Iafkld32.exe File opened for modification C:\Windows\SysWOW64\Binhnomg.exe Bfolacnc.exe File opened for modification C:\Windows\SysWOW64\Oaplqh32.exe Onapdl32.exe File created C:\Windows\SysWOW64\Okddnh32.dll Qobhkjdi.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cponen32.exe File created C:\Windows\SysWOW64\Lhcali32.exe Laiipofp.exe File opened for modification C:\Windows\SysWOW64\Mbibfm32.exe Mokfja32.exe File created C:\Windows\SysWOW64\Hpfohk32.dll Nfnamjhk.exe File created C:\Windows\SysWOW64\Ahhjomjk.dll Oonlfo32.exe File opened for modification C:\Windows\SysWOW64\Oplfkeob.exe Npiiffqe.exe File opened for modification C:\Windows\SysWOW64\Cocjiehd.exe Cncnob32.exe File opened for modification C:\Windows\SysWOW64\Gnpphljo.exe Gegkpf32.exe File created C:\Windows\SysWOW64\Jlgfga32.dll Kcjjhdjb.exe File created C:\Windows\SysWOW64\Mofmobmo.exe Mhldbh32.exe File created C:\Windows\SysWOW64\Hpoejj32.dll Ojemig32.exe File opened for modification C:\Windows\SysWOW64\Njedbjej.exe Nckkfp32.exe File created C:\Windows\SysWOW64\Gbhhqamj.dll Nfldgk32.exe File created C:\Windows\SysWOW64\Ncpeaoih.exe Nqaiecjd.exe File created C:\Windows\SysWOW64\Nlhego32.dll Nqcejcha.exe File opened for modification C:\Windows\SysWOW64\Pmmlla32.exe Piapkbeg.exe File created C:\Windows\SysWOW64\Pnfiplog.exe Opeiadfg.exe File created C:\Windows\SysWOW64\Dqnjgl32.exe Dgeenfog.exe File created C:\Windows\SysWOW64\Fijdjfdb.exe Fkfcqb32.exe File opened for modification C:\Windows\SysWOW64\Dknnoofg.exe Dgbanq32.exe File created C:\Windows\SysWOW64\Ocoick32.dll Giecfejd.exe File opened for modification C:\Windows\SysWOW64\Jaonbc32.exe Jpnakk32.exe File created C:\Windows\SysWOW64\Diadam32.dll Laiipofp.exe File created C:\Windows\SysWOW64\Mgccelpk.dll Mfbaalbi.exe File created C:\Windows\SysWOW64\Oanokhdb.exe Ocjoadei.exe File created C:\Windows\SysWOW64\Qkhnbpne.dll Aaldccip.exe File created C:\Windows\SysWOW64\Ofblbapl.dll Fijdjfdb.exe File created C:\Windows\SysWOW64\Lhdbgapf.dll Pnfiplog.exe File created C:\Windows\SysWOW64\Ockdmmoj.exe Oqmhqapg.exe File created C:\Windows\SysWOW64\Boenhgdd.exe Bhkfkmmg.exe File created C:\Windows\SysWOW64\Ncjakdno.dll Khlklj32.exe File created C:\Windows\SysWOW64\Kdohflaf.dll Lhenai32.exe File created C:\Windows\SysWOW64\Hobbfhjl.dll Mhjhmhhd.exe File opened for modification C:\Windows\SysWOW64\Mablfnne.exe Modpib32.exe File opened for modification C:\Windows\SysWOW64\Ampaho32.exe Aibibp32.exe File opened for modification C:\Windows\SysWOW64\Bdapehop.exe Bfmolc32.exe File created C:\Windows\SysWOW64\Chfegk32.exe Cponen32.exe File created C:\Windows\SysWOW64\Enndkpea.dll Hppeim32.exe File opened for modification C:\Windows\SysWOW64\Iojkeh32.exe Ilkoim32.exe File created C:\Windows\SysWOW64\Fajbjh32.exe Finnef32.exe File created C:\Windows\SysWOW64\Iojkeh32.exe Ilkoim32.exe File created C:\Windows\SysWOW64\Ljdkll32.exe Loofnccf.exe File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Pjjfdfbb.exe File created C:\Windows\SysWOW64\Ppnenlka.exe Pjaleemj.exe File created C:\Windows\SysWOW64\Bhgbbckh.dll Npgmpf32.exe File opened for modification C:\Windows\SysWOW64\Ddnobj32.exe Dgjoif32.exe File opened for modification C:\Windows\SysWOW64\Edgbii32.exe Egaejeej.exe File opened for modification C:\Windows\SysWOW64\Bfolacnc.exe Bdapehop.exe File opened for modification C:\Windows\SysWOW64\Pjlcjf32.exe Pbekii32.exe File opened for modification C:\Windows\SysWOW64\Piapkbeg.exe Pfccogfc.exe File created C:\Windows\SysWOW64\Diqnjl32.exe Dknnoofg.exe File created C:\Windows\SysWOW64\Qimkic32.dll 7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe File created C:\Windows\SysWOW64\Jhifomdj.exe Jaonbc32.exe File created C:\Windows\SysWOW64\Chgnfq32.dll Lebijnak.exe File opened for modification C:\Windows\SysWOW64\Aagdnn32.exe Aiplmq32.exe File created C:\Windows\SysWOW64\Goniok32.dll Ilphdlqh.exe File created C:\Windows\SysWOW64\Mfbaalbi.exe Mcdeeq32.exe File created C:\Windows\SysWOW64\Fjoiip32.dll Mokfja32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7856 7736 WerFault.exe 328 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpcgpihi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfiplog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaniq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boihcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekbjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njljch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loofnccf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noppeaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgoakc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfhbhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcapicdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojkeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohqnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhldbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acqgojmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiffqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpphljo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbbajjlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jldbpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokfja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpiplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiphjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojcpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdocph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncnob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocjiehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijdjfdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefiopki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niojoeel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnofeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geldkfpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiopca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcoccc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdapehop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfcfmlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcikejg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjhbfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcgcqab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaoaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaejeej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjhmhhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoddcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkdek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaplqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlblcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdbgncl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdbac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgqmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilphdlqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocgbend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdkll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpeaoih.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapfpelh.dll" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdihbgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmefoohh.dll" Fajbjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebijnak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmjfodne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aibibp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cigkdmel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfiddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blknem32.dll" Gacepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pboglh32.dll" Ipkdek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibjqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbldmmh.dll" Kefiopki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onapdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laiipofp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiiflaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll" Cgiohbfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfmolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll" Bhkfkmmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll" Jemfhacc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhhdnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqbala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amfobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njljch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmedjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laiimcij.dll" Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll" Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgjoif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Figgdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkjmlaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjlcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkdqh32.dll" Jpnakk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kefiopki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll" Cponen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll" Ljdkll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjjfdfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll" Ccdihbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpolbbim.dll" Nmdgikhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmipm32.dll" Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Figgdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hihibbjo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3300 wrote to memory of 752 3300 7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe 83 PID 3300 wrote to memory of 752 3300 7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe 83 PID 3300 wrote to memory of 752 3300 7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe 83 PID 752 wrote to memory of 1272 752 Nmdgikhi.exe 85 PID 752 wrote to memory of 1272 752 Nmdgikhi.exe 85 PID 752 wrote to memory of 1272 752 Nmdgikhi.exe 85 PID 1272 wrote to memory of 4592 1272 Ncnofeof.exe 86 PID 1272 wrote to memory of 4592 1272 Ncnofeof.exe 86 PID 1272 wrote to memory of 4592 1272 Ncnofeof.exe 86 PID 4592 wrote to memory of 4464 4592 Nglhld32.exe 87 PID 4592 wrote to memory of 4464 4592 Nglhld32.exe 87 PID 4592 wrote to memory of 4464 4592 Nglhld32.exe 87 PID 4464 wrote to memory of 3512 4464 Npgmpf32.exe 89 PID 4464 wrote to memory of 3512 4464 Npgmpf32.exe 89 PID 4464 wrote to memory of 3512 4464 Npgmpf32.exe 89 PID 3512 wrote to memory of 4960 3512 Nnhmnn32.exe 90 PID 3512 wrote to memory of 4960 3512 Nnhmnn32.exe 90 PID 3512 wrote to memory of 4960 3512 Nnhmnn32.exe 90 PID 4960 wrote to memory of 4984 4960 Npiiffqe.exe 91 PID 4960 wrote to memory of 4984 4960 Npiiffqe.exe 91 PID 4960 wrote to memory of 4984 4960 Npiiffqe.exe 91 PID 4984 wrote to memory of 1504 4984 Oplfkeob.exe 92 PID 4984 wrote to memory of 1504 4984 Oplfkeob.exe 92 PID 4984 wrote to memory of 1504 4984 Oplfkeob.exe 92 PID 1504 wrote to memory of 4368 1504 Ogcnmc32.exe 93 PID 1504 wrote to memory of 4368 1504 Ogcnmc32.exe 93 PID 1504 wrote to memory of 4368 1504 Ogcnmc32.exe 93 PID 4368 wrote to memory of 2840 4368 Ocjoadei.exe 94 PID 4368 wrote to memory of 2840 4368 Ocjoadei.exe 94 PID 4368 wrote to memory of 2840 4368 Ocjoadei.exe 94 PID 2840 wrote to memory of 3228 2840 Oanokhdb.exe 95 PID 2840 wrote to memory of 3228 2840 Oanokhdb.exe 95 PID 2840 wrote to memory of 3228 2840 Oanokhdb.exe 95 PID 3228 wrote to memory of 4668 3228 Onapdl32.exe 96 PID 3228 wrote to memory of 4668 3228 Onapdl32.exe 96 PID 3228 wrote to memory of 4668 3228 Onapdl32.exe 96 PID 4668 wrote to memory of 4752 4668 Oaplqh32.exe 97 PID 4668 wrote to memory of 4752 4668 Oaplqh32.exe 97 PID 4668 wrote to memory of 4752 4668 Oaplqh32.exe 97 PID 4752 wrote to memory of 4384 4752 Opeiadfg.exe 98 PID 4752 wrote to memory of 4384 4752 Opeiadfg.exe 98 PID 4752 wrote to memory of 4384 4752 Opeiadfg.exe 98 PID 4384 wrote to memory of 1744 4384 Pnfiplog.exe 99 PID 4384 wrote to memory of 1744 4384 Pnfiplog.exe 99 PID 4384 wrote to memory of 1744 4384 Pnfiplog.exe 99 PID 1744 wrote to memory of 2864 1744 Pccahbmn.exe 100 PID 1744 wrote to memory of 2864 1744 Pccahbmn.exe 100 PID 1744 wrote to memory of 2864 1744 Pccahbmn.exe 100 PID 2864 wrote to memory of 1624 2864 Ppjbmc32.exe 101 PID 2864 wrote to memory of 1624 2864 Ppjbmc32.exe 101 PID 2864 wrote to memory of 1624 2864 Ppjbmc32.exe 101 PID 1624 wrote to memory of 2428 1624 Pjpfjl32.exe 102 PID 1624 wrote to memory of 2428 1624 Pjpfjl32.exe 102 PID 1624 wrote to memory of 2428 1624 Pjpfjl32.exe 102 PID 2428 wrote to memory of 1268 2428 Phcgcqab.exe 103 PID 2428 wrote to memory of 1268 2428 Phcgcqab.exe 103 PID 2428 wrote to memory of 1268 2428 Phcgcqab.exe 103 PID 1268 wrote to memory of 2328 1268 Pmpolgoi.exe 104 PID 1268 wrote to memory of 2328 1268 Pmpolgoi.exe 104 PID 1268 wrote to memory of 2328 1268 Pmpolgoi.exe 104 PID 2328 wrote to memory of 1064 2328 Pfiddm32.exe 105 PID 2328 wrote to memory of 1064 2328 Pfiddm32.exe 105 PID 2328 wrote to memory of 1064 2328 Pfiddm32.exe 105 PID 1064 wrote to memory of 1116 1064 Ppahmb32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe"C:\Users\Admin\AppData\Local\Temp\7c2b725bf5e6c71bc794219c7e6e974fe3f302ee02f13506e154e604bae838a3N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Ncnofeof.exeC:\Windows\system32\Ncnofeof.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Oplfkeob.exeC:\Windows\system32\Oplfkeob.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Opeiadfg.exeC:\Windows\system32\Opeiadfg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Phcgcqab.exeC:\Windows\system32\Phcgcqab.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Pmpolgoi.exeC:\Windows\system32\Pmpolgoi.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Qobhkjdi.exeC:\Windows\system32\Qobhkjdi.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe24⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe28⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe29⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe30⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Aggpfkjj.exeC:\Windows\system32\Aggpfkjj.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe34⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Aaoaic32.exeC:\Windows\system32\Aaoaic32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3648 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe36⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Bhkfkmmg.exeC:\Windows\system32\Bhkfkmmg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe38⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Bgpcliao.exeC:\Windows\system32\Bgpcliao.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Boihcf32.exeC:\Windows\system32\Boihcf32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:720 -
C:\Windows\SysWOW64\Chfegk32.exeC:\Windows\system32\Chfegk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4048 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4516 -
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Cpfcfmlp.exeC:\Windows\system32\Cpfcfmlp.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4664 -
C:\Windows\SysWOW64\Cgqlcg32.exeC:\Windows\system32\Cgqlcg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Dpiplm32.exeC:\Windows\system32\Dpiplm32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Dahmfpap.exeC:\Windows\system32\Dahmfpap.exe54⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe56⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Dkcndeen.exeC:\Windows\system32\Dkcndeen.exe57⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Ddnobj32.exeC:\Windows\system32\Ddnobj32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Eqdpgk32.exeC:\Windows\system32\Eqdpgk32.exe60⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe63⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe64⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe65⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe66⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe69⤵PID:4216
-
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe70⤵
- System Location Discovery: System Language Discovery
PID:4804 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe71⤵
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe72⤵PID:4408
-
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe74⤵
- Modifies registry class
PID:4192 -
C:\Windows\SysWOW64\Gnnccl32.exeC:\Windows\system32\Gnnccl32.exe75⤵PID:5024
-
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe78⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:4772 -
C:\Windows\SysWOW64\Geldkfpi.exeC:\Windows\system32\Geldkfpi.exe80⤵
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4292 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe83⤵PID:4876
-
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe84⤵
- System Location Discovery: System Language Discovery
PID:3428 -
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe85⤵
- System Location Discovery: System Language Discovery
PID:4288 -
C:\Windows\SysWOW64\Hioflcbj.exeC:\Windows\system32\Hioflcbj.exe86⤵PID:4764
-
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe87⤵PID:4348
-
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe88⤵
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\Hnphoj32.exeC:\Windows\system32\Hnphoj32.exe89⤵PID:4052
-
C:\Windows\SysWOW64\Hppeim32.exeC:\Windows\system32\Hppeim32.exe90⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe91⤵PID:1944
-
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Inebjihf.exeC:\Windows\system32\Inebjihf.exe93⤵PID:4840
-
C:\Windows\SysWOW64\Iijfhbhl.exeC:\Windows\system32\Iijfhbhl.exe94⤵
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe95⤵
- Modifies registry class
PID:3108 -
C:\Windows\SysWOW64\Iafkld32.exeC:\Windows\system32\Iafkld32.exe96⤵
- Drops file in System32 directory
PID:3280 -
C:\Windows\SysWOW64\Ilkoim32.exeC:\Windows\system32\Ilkoim32.exe97⤵
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Windows\SysWOW64\Ihbponja.exeC:\Windows\system32\Ihbponja.exe100⤵PID:4416
-
C:\Windows\SysWOW64\Iolhkh32.exeC:\Windows\system32\Iolhkh32.exe101⤵PID:3656
-
C:\Windows\SysWOW64\Iefphb32.exeC:\Windows\system32\Iefphb32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4012 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Windows\SysWOW64\Ipkdek32.exeC:\Windows\system32\Ipkdek32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Ibjqaf32.exeC:\Windows\system32\Ibjqaf32.exe105⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Jpnakk32.exeC:\Windows\system32\Jpnakk32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe107⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Jhifomdj.exeC:\Windows\system32\Jhifomdj.exe108⤵PID:5312
-
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5352 -
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe110⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe111⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Jadgnb32.exeC:\Windows\system32\Jadgnb32.exe112⤵PID:5484
-
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe113⤵PID:5528
-
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe114⤵PID:5572
-
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe115⤵PID:5616
-
C:\Windows\SysWOW64\Jimldogg.exeC:\Windows\system32\Jimldogg.exe116⤵PID:5660
-
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Jahqiaeb.exeC:\Windows\system32\Jahqiaeb.exe118⤵PID:5744
-
C:\Windows\SysWOW64\Kiphjo32.exeC:\Windows\system32\Kiphjo32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5788 -
C:\Windows\SysWOW64\Kefiopki.exeC:\Windows\system32\Kefiopki.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe121⤵PID:5876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-