Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/12/2024, 23:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8N.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8N.exe
-
Size
96KB
-
MD5
4df8b78490ca86e5d035441243d030e0
-
SHA1
2c64a4159c2bed1603a67b45caa8ddc26d653435
-
SHA256
9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8
-
SHA512
8607583f5535be1e485d623572091655fea1ce669fbfa5c77efd38c178527aa969a50c5640cc19b38c425c98d6452f188194760075131b3757d61843d21a68dd
-
SSDEEP
1536:qY5u6eFX8j7vMr/R5X2LDpZS/FCb4noaJSNzJOt:qY5xeFMXvKn8DpZSs4noakXOt
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aleckinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckclhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeeobbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkmec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clchbqoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjdqmng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadleilm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddllkbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebejfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdfjld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocjoadei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidabppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobkhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmbbejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbiado32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljclki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefedmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqimikfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqndhcdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfkkhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnjdpaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknobkje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmenca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhnjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcldb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjemflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpggamqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcblpdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glldgljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdemd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kncaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpjel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdlfhj32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1028 Nafjjf32.exe 4240 Nhpbfpka.exe 1656 Nknobkje.exe 5016 Nahgoe32.exe 4400 Nhbolp32.exe 2576 Nkqkhk32.exe 1196 Najceeoo.exe 2708 Nhdlao32.exe 2692 Okchnk32.exe 4992 Oehlkc32.exe 4500 Olbdhn32.exe 4048 Ooqqdi32.exe 4752 Oifeab32.exe 2932 Oboijgbl.exe 384 Oihagaji.exe 3040 Obafpg32.exe 3948 Oiknlagg.exe 2280 Oafcqcea.exe 2524 Ohpkmn32.exe 3124 Pojcjh32.exe 5000 Piphgq32.exe 4104 Pkadoiip.exe 3932 Pakllc32.exe 3804 Plpqil32.exe 888 Pcjiff32.exe 2360 Pidabppl.exe 2224 Pcmeke32.exe 4680 Phincl32.exe 4820 Pkhjph32.exe 4808 Piijno32.exe 2968 Qlggjk32.exe 2240 Qcaofebg.exe 1860 Qikgco32.exe 3636 Qljcoj32.exe 3428 Qohpkf32.exe 408 Qaflgago.exe 4284 Ajndioga.exe 4360 Akoqpg32.exe 1236 Acfhad32.exe 3112 Aeddnp32.exe 4276 Ahcajk32.exe 4540 Aomifecf.exe 436 Ahenokjf.exe 1700 Ackbmcjl.exe 2900 Ajdjin32.exe 3340 Alcfei32.exe 1508 Acmobchj.exe 2440 Ajggomog.exe 4892 Aleckinj.exe 3260 Abbkcpma.exe 4080 Bhldpj32.exe 4888 Bbdhiojo.exe 3596 Bjlpjm32.exe 4536 Bcddcbab.exe 964 Bjnmpl32.exe 3404 Bokehc32.exe 3620 Bbiado32.exe 512 Bmofagfp.exe 2340 Bombmcec.exe 708 Bjbfklei.exe 3136 Bckkca32.exe 1972 Cobkhb32.exe 4492 Cbphdn32.exe 3536 Cijpahho.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpibgp32.dll Onocomdo.exe File created C:\Windows\SysWOW64\Dfglfdkb.exe Dnpdegjp.exe File created C:\Windows\SysWOW64\Cqmmqg32.dll Emanjldl.exe File opened for modification C:\Windows\SysWOW64\Ipjoja32.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Enkdaepb.exe Eoideh32.exe File created C:\Windows\SysWOW64\Ohfaap32.dll Olbdhn32.exe File opened for modification C:\Windows\SysWOW64\Dfgcakon.exe Dcigeooj.exe File opened for modification C:\Windows\SysWOW64\Lenicahg.exe Lndagg32.exe File created C:\Windows\SysWOW64\Pdfehh32.exe Pahilmoc.exe File created C:\Windows\SysWOW64\Klqcmdnk.dll Hehkajig.exe File created C:\Windows\SysWOW64\Eeelnp32.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Plbhknkl.dll Hmpjmn32.exe File opened for modification C:\Windows\SysWOW64\Oaifpi32.exe Omnjojpo.exe File created C:\Windows\SysWOW64\Mncilb32.dll Cdnmfclj.exe File created C:\Windows\SysWOW64\Iojmqe32.dll Chnbbqpn.exe File created C:\Windows\SysWOW64\Oodcdb32.exe Ojigdcll.exe File opened for modification C:\Windows\SysWOW64\Dnpdegjp.exe Dmohno32.exe File created C:\Windows\SysWOW64\Fknajfhe.dll Fimhjl32.exe File created C:\Windows\SysWOW64\Lmjhab32.dll Jnlkedai.exe File created C:\Windows\SysWOW64\Dckahb32.dll Komhll32.exe File created C:\Windows\SysWOW64\Knhcpa32.dll Oifeab32.exe File created C:\Windows\SysWOW64\Bfjkjgbh.dll Ejalcgkg.exe File created C:\Windows\SysWOW64\Ijilflah.dll Cpdgqmnb.exe File created C:\Windows\SysWOW64\Bogkmgba.exe Bgpcliao.exe File created C:\Windows\SysWOW64\Kgninn32.exe Kdpmbc32.exe File opened for modification C:\Windows\SysWOW64\Mnmdme32.exe Mkohaj32.exe File created C:\Windows\SysWOW64\Ljcpchlo.dll Impliekg.exe File created C:\Windows\SysWOW64\Ponfka32.exe Pkbjjbda.exe File created C:\Windows\SysWOW64\Adikdfna.exe Aefjii32.exe File opened for modification C:\Windows\SysWOW64\Hoobdp32.exe Hlpfhe32.exe File created C:\Windows\SysWOW64\Clahmb32.dll Lobjni32.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Amlogfel.exe File opened for modification C:\Windows\SysWOW64\Bgkiaj32.exe Bhhiemoj.exe File created C:\Windows\SysWOW64\Jgkdbacp.exe Jcphab32.exe File created C:\Windows\SysWOW64\Ihejacdm.dll Mminhceb.exe File created C:\Windows\SysWOW64\Alnfpcag.exe Adfnofpd.exe File opened for modification C:\Windows\SysWOW64\Ffobhg32.exe Fbcfhibj.exe File created C:\Windows\SysWOW64\Jbkfjo32.dll Meepdp32.exe File created C:\Windows\SysWOW64\Ddfbhfmf.dll Ahenokjf.exe File created C:\Windows\SysWOW64\Fpejlmcf.exe Fikbocki.exe File created C:\Windows\SysWOW64\Imkbnf32.exe Igajal32.exe File opened for modification C:\Windows\SysWOW64\Hlbcnd32.exe Hehkajig.exe File created C:\Windows\SysWOW64\Ecefqnel.exe Emkndc32.exe File created C:\Windows\SysWOW64\Cgdojhec.dll Iljpij32.exe File opened for modification C:\Windows\SysWOW64\Dijbno32.exe Ddnfmqng.exe File created C:\Windows\SysWOW64\Gbchdp32.exe Goglcahb.exe File created C:\Windows\SysWOW64\Dckajh32.dll Mmhgmmbf.exe File created C:\Windows\SysWOW64\Cjelhg32.dll Gpecbk32.exe File created C:\Windows\SysWOW64\Mgobel32.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Pmcclm32.exe Pkegpb32.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Gbeejp32.exe File opened for modification C:\Windows\SysWOW64\Aomifecf.exe Ahcajk32.exe File created C:\Windows\SysWOW64\Oodlnfco.dll Neqopnhb.exe File created C:\Windows\SysWOW64\Efeihb32.exe Eeelnp32.exe File opened for modification C:\Windows\SysWOW64\Dngjff32.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Jbklgfdh.dll Ipeeobbe.exe File opened for modification C:\Windows\SysWOW64\Cpmapodj.exe Boldhf32.exe File created C:\Windows\SysWOW64\Cpbjkn32.exe Coqncejg.exe File opened for modification C:\Windows\SysWOW64\Oboijgbl.exe Oifeab32.exe File created C:\Windows\SysWOW64\Obafpg32.exe Oihagaji.exe File opened for modification C:\Windows\SysWOW64\Bllbaa32.exe Bebjdgmj.exe File created C:\Windows\SysWOW64\Phdnngdn.exe Pefabkej.exe File opened for modification C:\Windows\SysWOW64\Pnifekmd.exe Paeelgnj.exe File created C:\Windows\SysWOW64\Pkhjph32.exe Phincl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13688 13468 WerFault.exe 725 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idahjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnmfclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiipmhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagiji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmimai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkqkhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhglj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafcqcea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpecbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkmjjaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibjli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obafpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnlmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddllkbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mminhceb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebngial.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdjbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifhdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpmnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmfdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoideh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holfoqcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmpqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanokhdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmapodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcpahpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnocf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkqjmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfegk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgqmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glldgljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkchelci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahilmoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkpgafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijkdmhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehlkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmnajl32.dll" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paeelgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmfimga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpkibf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqbpojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejgpb32.dll" Gbalopbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmeandma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbfcmhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnoaaaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpggodfg.dll" Gjdaodja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcmfjll.dll" Mcpcdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbopphio.dll" Plbfdekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgqin32.dll" Nmdgikhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjfnedho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamknj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpofii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neqopnhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" Boihcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcecjmkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkceokii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll" Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll" Amlogfel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkohe32.dll" Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcaofebg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojjf32.dll" Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhihhecc.dll" Bnkbcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofbdcmb.dll" Pkadoiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hekgfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apjkcadp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmaqlh.dll" Ojigdcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnipccc.dll" Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepkipc.dll" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoopgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooqqdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlpjm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4900 wrote to memory of 1028 4900 9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8N.exe 83 PID 4900 wrote to memory of 1028 4900 9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8N.exe 83 PID 4900 wrote to memory of 1028 4900 9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8N.exe 83 PID 1028 wrote to memory of 4240 1028 Nafjjf32.exe 84 PID 1028 wrote to memory of 4240 1028 Nafjjf32.exe 84 PID 1028 wrote to memory of 4240 1028 Nafjjf32.exe 84 PID 4240 wrote to memory of 1656 4240 Nhpbfpka.exe 85 PID 4240 wrote to memory of 1656 4240 Nhpbfpka.exe 85 PID 4240 wrote to memory of 1656 4240 Nhpbfpka.exe 85 PID 1656 wrote to memory of 5016 1656 Nknobkje.exe 86 PID 1656 wrote to memory of 5016 1656 Nknobkje.exe 86 PID 1656 wrote to memory of 5016 1656 Nknobkje.exe 86 PID 5016 wrote to memory of 4400 5016 Nahgoe32.exe 87 PID 5016 wrote to memory of 4400 5016 Nahgoe32.exe 87 PID 5016 wrote to memory of 4400 5016 Nahgoe32.exe 87 PID 4400 wrote to memory of 2576 4400 Nhbolp32.exe 88 PID 4400 wrote to memory of 2576 4400 Nhbolp32.exe 88 PID 4400 wrote to memory of 2576 4400 Nhbolp32.exe 88 PID 2576 wrote to memory of 1196 2576 Nkqkhk32.exe 89 PID 2576 wrote to memory of 1196 2576 Nkqkhk32.exe 89 PID 2576 wrote to memory of 1196 2576 Nkqkhk32.exe 89 PID 1196 wrote to memory of 2708 1196 Najceeoo.exe 90 PID 1196 wrote to memory of 2708 1196 Najceeoo.exe 90 PID 1196 wrote to memory of 2708 1196 Najceeoo.exe 90 PID 2708 wrote to memory of 2692 2708 Nhdlao32.exe 91 PID 2708 wrote to memory of 2692 2708 Nhdlao32.exe 91 PID 2708 wrote to memory of 2692 2708 Nhdlao32.exe 91 PID 2692 wrote to memory of 4992 2692 Okchnk32.exe 92 PID 2692 wrote to memory of 4992 2692 Okchnk32.exe 92 PID 2692 wrote to memory of 4992 2692 Okchnk32.exe 92 PID 4992 wrote to memory of 4500 4992 Oehlkc32.exe 93 PID 4992 wrote to memory of 4500 4992 Oehlkc32.exe 93 PID 4992 wrote to memory of 4500 4992 Oehlkc32.exe 93 PID 4500 wrote to memory of 4048 4500 Olbdhn32.exe 94 PID 4500 wrote to memory of 4048 4500 Olbdhn32.exe 94 PID 4500 wrote to memory of 4048 4500 Olbdhn32.exe 94 PID 4048 wrote to memory of 4752 4048 Ooqqdi32.exe 95 PID 4048 wrote to memory of 4752 4048 Ooqqdi32.exe 95 PID 4048 wrote to memory of 4752 4048 Ooqqdi32.exe 95 PID 4752 wrote to memory of 2932 4752 Oifeab32.exe 96 PID 4752 wrote to memory of 2932 4752 Oifeab32.exe 96 PID 4752 wrote to memory of 2932 4752 Oifeab32.exe 96 PID 2932 wrote to memory of 384 2932 Oboijgbl.exe 97 PID 2932 wrote to memory of 384 2932 Oboijgbl.exe 97 PID 2932 wrote to memory of 384 2932 Oboijgbl.exe 97 PID 384 wrote to memory of 3040 384 Oihagaji.exe 98 PID 384 wrote to memory of 3040 384 Oihagaji.exe 98 PID 384 wrote to memory of 3040 384 Oihagaji.exe 98 PID 3040 wrote to memory of 3948 3040 Obafpg32.exe 99 PID 3040 wrote to memory of 3948 3040 Obafpg32.exe 99 PID 3040 wrote to memory of 3948 3040 Obafpg32.exe 99 PID 3948 wrote to memory of 2280 3948 Oiknlagg.exe 100 PID 3948 wrote to memory of 2280 3948 Oiknlagg.exe 100 PID 3948 wrote to memory of 2280 3948 Oiknlagg.exe 100 PID 2280 wrote to memory of 2524 2280 Oafcqcea.exe 101 PID 2280 wrote to memory of 2524 2280 Oafcqcea.exe 101 PID 2280 wrote to memory of 2524 2280 Oafcqcea.exe 101 PID 2524 wrote to memory of 3124 2524 Ohpkmn32.exe 102 PID 2524 wrote to memory of 3124 2524 Ohpkmn32.exe 102 PID 2524 wrote to memory of 3124 2524 Ohpkmn32.exe 102 PID 3124 wrote to memory of 5000 3124 Pojcjh32.exe 103 PID 3124 wrote to memory of 5000 3124 Pojcjh32.exe 103 PID 3124 wrote to memory of 5000 3124 Pojcjh32.exe 103 PID 5000 wrote to memory of 4104 5000 Piphgq32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8N.exe"C:\Users\Admin\AppData\Local\Temp\9de5c162511db344d93aa52f024b9194e618fd4d5a80689eb2aa9deac72976f8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4104 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe24⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe25⤵
- Executes dropped EXE
PID:3804 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe28⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4680 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe30⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe31⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe32⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe34⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe36⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe37⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe38⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe39⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe41⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4276 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe43⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe47⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe48⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe49⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe51⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe52⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe53⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe55⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe56⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe57⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe59⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe60⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe61⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe62⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe64⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe65⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe66⤵PID:1336
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe67⤵PID:1212
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe68⤵PID:1180
-
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe69⤵
- Modifies registry class
PID:3292 -
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4996 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe71⤵PID:4720
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:440 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe73⤵PID:432
-
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe74⤵PID:4880
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4984 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe76⤵PID:4028
-
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe78⤵PID:4012
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe79⤵
- Drops file in System32 directory
PID:4168 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe80⤵PID:1952
-
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe81⤵PID:4468
-
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe82⤵PID:3020
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe83⤵PID:2044
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe84⤵PID:4304
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe85⤵PID:2308
-
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe86⤵PID:2760
-
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe87⤵PID:4316
-
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe88⤵PID:2984
-
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe89⤵PID:4968
-
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe90⤵PID:3408
-
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe92⤵PID:4948
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3604 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe94⤵PID:4108
-
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe95⤵
- System Location Discovery: System Language Discovery
PID:4228 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe96⤵PID:3612
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe97⤵PID:3856
-
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe98⤵PID:2180
-
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe99⤵
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe100⤵PID:4192
-
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe101⤵PID:4544
-
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe102⤵PID:3984
-
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe104⤵PID:3316
-
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe105⤵PID:5072
-
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe106⤵PID:4912
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe107⤵PID:4688
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe108⤵PID:464
-
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe109⤵PID:2700
-
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe110⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe111⤵PID:3108
-
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe112⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe113⤵PID:1496
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe114⤵PID:4392
-
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3992 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe116⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe117⤵PID:5180
-
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe118⤵PID:5224
-
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe119⤵PID:5268
-
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe120⤵PID:5312
-
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe121⤵PID:5356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-