Analysis
max time kernel: 95s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2024, 00:01
Behavioral task: behavioral1
Sample: f2b12782f6c1363c01e7dbbc59a4acdfb7e35f17a06c921f33d5324ffc5ef932N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: f2b12782f6c1363c01e7dbbc59a4acdfb7e35f17a06c921f33d5324ffc5ef932N.exe
Resource: win10v2004-20241007-en
General
Target: f2b12782f6c1363c01e7dbbc59a4acdfb7e35f17a06c921f33d5324ffc5ef932N.exe
Size: 256KB
MD5: ca40c4419c293d3c00ec152ca80e6270
SHA1: c3a61e76d624815e42512d08087b192bd7883cf3
SHA256: f2b12782f6c1363c01e7dbbc59a4acdfb7e35f17a06c921f33d5324ffc5ef932
SHA512: 490fe0d7b204196878a85bfe25fdf36c1f0c166b39b2dc747cf67b8e0bb5ea4b81c65595e603b9e3cc36201bc55e1a9e799c81e832b4e2c2ec41a0a13c4334aa
SSDEEP: 6144:adXJ9NcMc853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZj:ad59NcXQBpnchWcZj
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkpbgdlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkgaoq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmaofm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbkpingk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afpbcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkfeea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kepklb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijjnglkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdahpneo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkeljdfo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhffqnlm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ailaii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhhpbhao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmgepo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdnimc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqhalm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iiglejjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohpigm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aocmqcea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjqqei32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihbbjk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkindqem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kikgladd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efgcga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knfjinhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhadoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfgnhhbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jggagoaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnadgn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggppcjgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihhapc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjbmjdia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ighnkj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdkaqcpp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjehfoqi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnmbfe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbmgbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlflkhkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcnipn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khchmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Logbpljg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edngpkee.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhecmhca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmbfkpfb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmjllopj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nadjnhdq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qojjjenl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Neefdm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nalginad.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqchqmpf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcmcee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpodbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhbapabo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhogia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lilpcofa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aefhbh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efipla32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghdfhm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inndgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ponddp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcnipn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oahgelgg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qklkjpcj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aefhbh32.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
3020 | Fgfmmlpj.exe
3228 | Falajd32.exe
4280 | Fhfjgogm.exe
2832 | Fopbdi32.exe
4416 | Fdmjlp32.exe
756 | Fkgbijdn.exe
4512 | Felgfb32.exe
4260 | Goekohjd.exe
3384 | Geoclb32.exe
2960 | Ggppcjgp.exe
3364 | Ggbmij32.exe
2824 | Gecmganl.exe
2304 | Golapg32.exe
396 | Ghdfhm32.exe
4844 | Galjabam.exe
1388 | Hhfbnl32.exe
2276 | Hoqkkfpg.exe
3784 | Hfjcgq32.exe
3648 | Hhioclgg.exe
4000 | Hocgpf32.exe
992 | Hdpphm32.exe
1176 | Hoedff32.exe
5080 | Hdbmnm32.exe
2012 | Hklekg32.exe
4524 | Hhpedk32.exe
1040 | Hnmnlb32.exe
3544 | Ihbbjk32.exe
1696 | Inokbamd.exe
2872 | Ioogld32.exe
3052 | Iiglejjg.exe
3520 | Ioadadbd.exe
1292 | Ifklnn32.exe
3708 | Iocqgdpb.exe
3712 | Ibamcooe.exe
3480 | Iilepi32.exe
4744 | Ioemmcno.exe
752 | Jgqbaf32.exe
2920 | Jbffno32.exe
4880 | Jipnkibm.exe
5032 | Jnmgcpqd.exe
1916 | Jfdodm32.exe
4696 | Jkagmd32.exe
5100 | Jbkpingk.exe
3688 | Jeileifo.exe
3488 | Jpopcbfd.exe
3660 | Jbmloneh.exe
3616 | Jgjegd32.exe
2320 | Jpamhb32.exe
5000 | Keneqi32.exe
5108 | Klhnmcif.exe
2792 | Knfjinhj.exe
2036 | Kepbfh32.exe
892 | Kljjcb32.exe
1316 | Knifon32.exe
4348 | Kfpnpk32.exe
4344 | Khakhcmg.exe
4948 | Kphcianj.exe
4432 | Kbgoelmm.exe
2612 | Keekahla.exe
792 | Khchmc32.exe
2496 | Knmpjmba.exe
4556 | Kbilkl32.exe
1892 | Kicdgfbg.exe
4480 | Lpmldp32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dmcobm32.exe | Djdcfb32.exe
File opened for modification | C:\Windows\SysWOW64\Nnhkhm32.exe | Nljnla32.exe
File opened for modification | C:\Windows\SysWOW64\Nonbhifl.exe | Nlpelmgi.exe
File created | C:\Windows\SysWOW64\Hnbdlm32.exe | Hkdhpa32.exe
File created | C:\Windows\SysWOW64\Phmnnddf.exe | Peobaiec.exe
File created | C:\Windows\SysWOW64\Bkopfmce.exe | Bllpkq32.exe
File created | C:\Windows\SysWOW64\Bjmghfej.dll | Ikpgkp32.exe
File created | C:\Windows\SysWOW64\Neknpa32.dll | Bklcqn32.exe
File created | C:\Windows\SysWOW64\Jbffno32.exe | Jgqbaf32.exe
File created | C:\Windows\SysWOW64\Ljalkh32.dll | Dgijjlla.exe
File created | C:\Windows\SysWOW64\Ljcbfbmj.dll | Fmbkeoai.exe
File opened for modification | C:\Windows\SysWOW64\Ohpigm32.exe | Oimikpng.exe
File opened for modification | C:\Windows\SysWOW64\Bqoifd32.exe | Bihaeg32.exe
File opened for modification | C:\Windows\SysWOW64\Mnadgn32.exe | Mjehfoqi.exe
File opened for modification | C:\Windows\SysWOW64\Gjhaimkd.exe | Gflein32.exe
File created | C:\Windows\SysWOW64\Qcgpoebc.dll | Fmihoqjc.exe
File opened for modification | C:\Windows\SysWOW64\Fidboakb.exe | Fgffbelo.exe
File opened for modification | C:\Windows\SysWOW64\Olmkbe32.exe | Oioofi32.exe
File created | C:\Windows\SysWOW64\Jlgcia32.exe | Ijigme32.exe
File created | C:\Windows\SysWOW64\Ocadif32.exe | Opbhmk32.exe
File created | C:\Windows\SysWOW64\Lkboah32.dll | Qhpbnk32.exe
File opened for modification | C:\Windows\SysWOW64\Lhopok32.exe | Lilpcofa.exe
File created | C:\Windows\SysWOW64\Ioadadbd.exe | Iiglejjg.exe
File created | C:\Windows\SysWOW64\Qdchbc32.dll | Mhfmjqkp.exe
File opened for modification | C:\Windows\SysWOW64\Lnofegmc.exe | Ljcjdh32.exe
File created | C:\Windows\SysWOW64\Phbhpm32.dll | Naeaio32.exe
File created | C:\Windows\SysWOW64\Lpqccm32.dll | Kqakkn32.exe
File created | C:\Windows\SysWOW64\Nmmgiigb.exe | Njokmnho.exe
File opened for modification | C:\Windows\SysWOW64\Mfjjmhql.exe | Mobbljpj.exe
File created | C:\Windows\SysWOW64\Gkbkjbfe.exe | Ghconfga.exe
File created | C:\Windows\SysWOW64\Ijbida32.dll | Hneaam32.exe
File created | C:\Windows\SysWOW64\Eclmkm32.dll | Giahei32.exe
File opened for modification | C:\Windows\SysWOW64\Golapg32.exe | Gecmganl.exe
File created | C:\Windows\SysWOW64\Mgacoe32.dll | Mehanell.exe
File created | C:\Windows\SysWOW64\Mopefk32.exe | Mhfmjqkp.exe
File created | C:\Windows\SysWOW64\Pocdjfcd.exe | Ppqdni32.exe
File opened for modification | C:\Windows\SysWOW64\Njhelo32.exe | Mgiipc32.exe
File opened for modification | C:\Windows\SysWOW64\Fmihoqjc.exe | Ekjlbejp.exe
File opened for modification | C:\Windows\SysWOW64\Jbkpingk.exe | Jkagmd32.exe
File created | C:\Windows\SysWOW64\Cjfbgi32.dll | Nliokn32.exe
File created | C:\Windows\SysWOW64\Bqoifd32.exe | Bihaeg32.exe
File created | C:\Windows\SysWOW64\Ohnlam32.exe | Oeopeb32.exe
File created | C:\Windows\SysWOW64\Cohnkh32.dll | Eiepcm32.exe
File created | C:\Windows\SysWOW64\Ffpjgh32.dll | Bpdfga32.exe
File opened for modification | C:\Windows\SysWOW64\Ghconfga.exe | Gplgmifo.exe
File opened for modification | C:\Windows\SysWOW64\Nljefh32.exe | Nilijl32.exe
File created | C:\Windows\SysWOW64\Ohhllhgo.exe | Oejpplhk.exe
File created | C:\Windows\SysWOW64\Celkcn32.dll | Jbkpingk.exe
File opened for modification | C:\Windows\SysWOW64\Lieamfpe.exe | Lfgdajaa.exe
File opened for modification | C:\Windows\SysWOW64\Mihficpp.exe | Mfjjmhql.exe
File opened for modification | C:\Windows\SysWOW64\Ljffjh32.exe | Lggjnl32.exe
File created | C:\Windows\SysWOW64\Pejifj32.exe | Popqjpbk.exe
File opened for modification | C:\Windows\SysWOW64\Cbbkif32.exe | Cocomk32.exe
File created | C:\Windows\SysWOW64\Ilcjna32.exe | Ijdnbfka.exe
File opened for modification | C:\Windows\SysWOW64\Mahkbjnn.exe | Mmmobl32.exe
File created | C:\Windows\SysWOW64\Mhfmjqkp.exe | Mehanell.exe
File opened for modification | C:\Windows\SysWOW64\Pgjlkc32.exe | Pocdjfcd.exe
File created | C:\Windows\SysWOW64\Jkpqbnlb.exe | Jhbdfbmo.exe
File created | C:\Windows\SysWOW64\Oadelcdg.dll | Mcicde32.exe
File created | C:\Windows\SysWOW64\Dljopcfm.dll | Keekahla.exe
File opened for modification | C:\Windows\SysWOW64\Jcfeajig.exe | Jphieo32.exe
File opened for modification | C:\Windows\SysWOW64\Ldfjbkbg.exe | Lnlbeq32.exe
File opened for modification | C:\Windows\SysWOW64\Oppkgkkl.exe | Ohicfnjj.exe
File opened for modification | C:\Windows\SysWOW64\Ppemihid.exe | Phnehkhb.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
15848 | 15776 | WerFault.exe | 844
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdbmnm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mldfpoaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppemihid.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aijedi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgdhhoni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkamlmab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbejlado.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkpodbhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olhagekb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbfedeoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlkiii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilqmhblg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nedpjfhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khakhcmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pocdjfcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Embbnapk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iqmpcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Megjcohp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oeoikl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aonmknfk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipgpnaif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfkpap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhecmhca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igfafklm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mapqci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbkpingk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Olglllqq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dppeco32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oeafpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aoeclmpc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjbddkmm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkbomd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okghhcfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qccbkmdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejnflq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phgogl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cacbadnb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghconfga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbfaad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alndibij.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfahnfem.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emfeok32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Giokpimi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hclidnpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ichipl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nafgdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dgijjlla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecigkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijdnbfka.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mjaokp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iocqgdpb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpcdfjoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkdhpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkfeea32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ioadadbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keneqi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhndel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhhcejea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjchnn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhfmjqkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcdjifod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqlcjgbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqoifd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdafcf32.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
5100 | Jbkpingk.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgekfj32.dll" | Kfpnpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgekalhk.dll" | Lpafopeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfibel32.dll" | Bokcab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfghpcef.dll" | Hdoing32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgjej32.dll" | Glinae32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iocqgdpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejnflq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nlgafaei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncljnglc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Popqjpbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abdohhog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ejnflq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nljnla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkjldfj.dll" | Iocqgdpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ameadhfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bmlgeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehdmkaha.dll" | Fgcjmfna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacnph32.dll" | Ligfho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdnqll32.dll" | Hbjlnnbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgnfocll.dll" | Jpopcbfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghbka32.dll" | Qjohmgjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmdnhdh.dll" | Lkieec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jgqbaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgnknnfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Diopmdnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnomni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooehnb32.dll" | Jphieo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfdodm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bgdhhoni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bflaokqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bfinoe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbedmhbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peboajmi.dll" | Acafga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efmclgdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknikj32.dll" | Fpfnpfek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaghm32.dll" | Hmbmag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmfahj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgmiqb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cahlmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Giheoj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Galjabam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebchgpne.dll" | Jkagmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmpqlgam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikmhhab.dll" | Hppjmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbjmgie.dll" | Goekohjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbkpingk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qlnkdilf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eikphbcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmbmag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jphieo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkbhb32.dll" | Nljefh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Occqof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fplnfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ciigpq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbnefkfe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mfjjmhql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llilbdhf.dll" | Gmdhjopf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifnnane.dll" | Dmcobm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efmclgdi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmjecl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plaeol32.dll" | Kcbdmioj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmjien32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnohan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bompgbmg.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2b12782f6c1363c01e7dbbc59a4acdfb7e35f17a06c921f33d5324ffc5ef932N.exe"C:\Users\Admin\AppData\Local\Temp\f2b12782f6c1363c01e7dbbc59a4acdfb7e35f17a06c921f33d5324ffc5ef932N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Fgfmmlpj.exeC:\Windows\system32\Fgfmmlpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Falajd32.exeC:\Windows\system32\Falajd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Fhfjgogm.exeC:\Windows\system32\Fhfjgogm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Fopbdi32.exeC:\Windows\system32\Fopbdi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Fdmjlp32.exeC:\Windows\system32\Fdmjlp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Fkgbijdn.exeC:\Windows\system32\Fkgbijdn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Felgfb32.exeC:\Windows\system32\Felgfb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Ggppcjgp.exeC:\Windows\system32\Ggppcjgp.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ggbmij32.exeC:\Windows\system32\Ggbmij32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Ghdfhm32.exeC:\Windows\system32\Ghdfhm32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Hhfbnl32.exeC:\Windows\system32\Hhfbnl32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Hoqkkfpg.exeC:\Windows\system32\Hoqkkfpg.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Hfjcgq32.exeC:\Windows\system32\Hfjcgq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Hhioclgg.exeC:\Windows\system32\Hhioclgg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Hocgpf32.exeC:\Windows\system32\Hocgpf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Hdpphm32.exeC:\Windows\system32\Hdpphm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Hoedff32.exeC:\Windows\system32\Hoedff32.exe23⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Hdbmnm32.exeC:\Windows\system32\Hdbmnm32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe25⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Hhpedk32.exeC:\Windows\system32\Hhpedk32.exe26⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Hnmnlb32.exeC:\Windows\system32\Hnmnlb32.exe27⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Ihbbjk32.exeC:\Windows\system32\Ihbbjk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Inokbamd.exeC:\Windows\system32\Inokbamd.exe29⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Ioogld32.exeC:\Windows\system32\Ioogld32.exe30⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3520 -
C:\Windows\SysWOW64\Ifklnn32.exeC:\Windows\system32\Ifklnn32.exe33⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Iocqgdpb.exeC:\Windows\system32\Iocqgdpb.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Ibamcooe.exeC:\Windows\system32\Ibamcooe.exe35⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Iilepi32.exeC:\Windows\system32\Iilepi32.exe36⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Ioemmcno.exeC:\Windows\system32\Ioemmcno.exe37⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Jgqbaf32.exeC:\Windows\system32\Jgqbaf32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe39⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe40⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Jnmgcpqd.exeC:\Windows\system32\Jnmgcpqd.exe41⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Jkagmd32.exeC:\Windows\system32\Jkagmd32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4696 -
C:\Windows\SysWOW64\Jbkpingk.exeC:\Windows\system32\Jbkpingk.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe45⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Jpopcbfd.exeC:\Windows\system32\Jpopcbfd.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe47⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Jgjegd32.exeC:\Windows\system32\Jgjegd32.exe48⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe49⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Keneqi32.exeC:\Windows\system32\Keneqi32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5000 -
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe51⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Kepbfh32.exeC:\Windows\system32\Kepbfh32.exe53⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Kljjcb32.exeC:\Windows\system32\Kljjcb32.exe54⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Knifon32.exeC:\Windows\system32\Knifon32.exe55⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Khakhcmg.exeC:\Windows\system32\Khakhcmg.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe58⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Kbgoelmm.exeC:\Windows\system32\Kbgoelmm.exe59⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Keekahla.exeC:\Windows\system32\Keekahla.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Khchmc32.exeC:\Windows\system32\Khchmc32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe62⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Kbilkl32.exeC:\Windows\system32\Kbilkl32.exe63⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Kicdgfbg.exeC:\Windows\system32\Kicdgfbg.exe64⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Lpmldp32.exeC:\Windows\system32\Lpmldp32.exe65⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe66⤵PID:400
-
C:\Windows\SysWOW64\Lfgdajaa.exeC:\Windows\system32\Lfgdajaa.exe67⤵
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe68⤵PID:2268
-
C:\Windows\SysWOW64\Lpoijpgb.exeC:\Windows\system32\Lpoijpgb.exe69⤵PID:3440
-
C:\Windows\SysWOW64\Lbnefkfe.exeC:\Windows\system32\Lbnefkfe.exe70⤵
- Modifies registry class
PID:512 -
C:\Windows\SysWOW64\Lelabgfi.exeC:\Windows\system32\Lelabgfi.exe71⤵PID:3424
-
C:\Windows\SysWOW64\Lhjnnbem.exeC:\Windows\system32\Lhjnnbem.exe72⤵PID:5112
-
C:\Windows\SysWOW64\Lpafopeo.exeC:\Windows\system32\Lpafopeo.exe73⤵
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Lflnlj32.exeC:\Windows\system32\Lflnlj32.exe74⤵PID:1844
-
C:\Windows\SysWOW64\Lijjhe32.exeC:\Windows\system32\Lijjhe32.exe75⤵PID:2104
-
C:\Windows\SysWOW64\Llhfdq32.exeC:\Windows\system32\Llhfdq32.exe76⤵PID:2828
-
C:\Windows\SysWOW64\Logbpljg.exeC:\Windows\system32\Logbpljg.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4552 -
C:\Windows\SysWOW64\Lfnkaiki.exeC:\Windows\system32\Lfnkaiki.exe78⤵PID:1476
-
C:\Windows\SysWOW64\Lhogia32.exeC:\Windows\system32\Lhogia32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5028 -
C:\Windows\SysWOW64\Lpfojo32.exeC:\Windows\system32\Lpfojo32.exe80⤵PID:1920
-
C:\Windows\SysWOW64\Lbekfj32.exeC:\Windows\system32\Lbekfj32.exe81⤵PID:1196
-
C:\Windows\SysWOW64\Lechbf32.exeC:\Windows\system32\Lechbf32.exe82⤵PID:2788
-
C:\Windows\SysWOW64\Lhadoa32.exeC:\Windows\system32\Lhadoa32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4780 -
C:\Windows\SysWOW64\Mpilpo32.exeC:\Windows\system32\Mpilpo32.exe84⤵PID:1864
-
C:\Windows\SysWOW64\Mbghljok.exeC:\Windows\system32\Mbghljok.exe85⤵PID:1720
-
C:\Windows\SysWOW64\Meedheno.exeC:\Windows\system32\Meedheno.exe86⤵PID:2280
-
C:\Windows\SysWOW64\Mhdqdamb.exeC:\Windows\system32\Mhdqdamb.exe87⤵PID:2720
-
C:\Windows\SysWOW64\Mpkhenmd.exeC:\Windows\system32\Mpkhenmd.exe88⤵PID:4384
-
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe89⤵PID:2056
-
C:\Windows\SysWOW64\Mehanell.exeC:\Windows\system32\Mehanell.exe90⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Mhfmjqkp.exeC:\Windows\system32\Mhfmjqkp.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Windows\SysWOW64\Mopefk32.exeC:\Windows\system32\Mopefk32.exe92⤵PID:3104
-
C:\Windows\SysWOW64\Mfgnhhbo.exeC:\Windows\system32\Mfgnhhbo.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3972 -
C:\Windows\SysWOW64\Mejnce32.exeC:\Windows\system32\Mejnce32.exe94⤵PID:4740
-
C:\Windows\SysWOW64\Mldfpoaf.exeC:\Windows\system32\Mldfpoaf.exe95⤵
- System Location Discovery: System Language Discovery
PID:3664 -
C:\Windows\SysWOW64\Mobbljpj.exeC:\Windows\system32\Mobbljpj.exe96⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Mfjjmhql.exeC:\Windows\system32\Mfjjmhql.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:3112 -
C:\Windows\SysWOW64\Mihficpp.exeC:\Windows\system32\Mihficpp.exe98⤵PID:3296
-
C:\Windows\SysWOW64\Mhkgep32.exeC:\Windows\system32\Mhkgep32.exe99⤵PID:3044
-
C:\Windows\SysWOW64\Mpbofm32.exeC:\Windows\system32\Mpbofm32.exe100⤵PID:4520
-
C:\Windows\SysWOW64\Mbqkbi32.exeC:\Windows\system32\Mbqkbi32.exe101⤵PID:4588
-
C:\Windows\SysWOW64\Meognded.exeC:\Windows\system32\Meognded.exe102⤵PID:1860
-
C:\Windows\SysWOW64\Nliokn32.exeC:\Windows\system32\Nliokn32.exe103⤵
- Drops file in System32 directory
PID:184 -
C:\Windows\SysWOW64\Noglgj32.exeC:\Windows\system32\Noglgj32.exe104⤵PID:1256
-
C:\Windows\SysWOW64\Nfnchg32.exeC:\Windows\system32\Nfnchg32.exe105⤵PID:3624
-
C:\Windows\SysWOW64\Neadddca.exeC:\Windows\system32\Neadddca.exe106⤵PID:3504
-
C:\Windows\SysWOW64\Nhpppobe.exeC:\Windows\system32\Nhpppobe.exe107⤵PID:4072
-
C:\Windows\SysWOW64\Nbedmhbk.exeC:\Windows\system32\Nbedmhbk.exe108⤵
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Necqicao.exeC:\Windows\system32\Necqicao.exe109⤵PID:3360
-
C:\Windows\SysWOW64\Nlmifnik.exeC:\Windows\system32\Nlmifnik.exe110⤵PID:4400
-
C:\Windows\SysWOW64\Nbgach32.exeC:\Windows\system32\Nbgach32.exe111⤵PID:2136
-
C:\Windows\SysWOW64\Nefmoc32.exeC:\Windows\system32\Nefmoc32.exe112⤵PID:1072
-
C:\Windows\SysWOW64\Nhdiko32.exeC:\Windows\system32\Nhdiko32.exe113⤵PID:2928
-
C:\Windows\SysWOW64\Nlpelmgi.exeC:\Windows\system32\Nlpelmgi.exe114⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Nonbhifl.exeC:\Windows\system32\Nonbhifl.exe115⤵PID:2776
-
C:\Windows\SysWOW64\Nehjdc32.exeC:\Windows\system32\Nehjdc32.exe116⤵PID:4684
-
C:\Windows\SysWOW64\Nhffqnlm.exeC:\Windows\system32\Nhffqnlm.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4292 -
C:\Windows\SysWOW64\Npnnblmo.exeC:\Windows\system32\Npnnblmo.exe118⤵PID:4168
-
C:\Windows\SysWOW64\Ncljnglc.exeC:\Windows\system32\Ncljnglc.exe119⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Nejgjbkf.exeC:\Windows\system32\Nejgjbkf.exe120⤵PID:1036
-
C:\Windows\SysWOW64\Ohicfnjj.exeC:\Windows\system32\Ohicfnjj.exe121⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Oppkgkkl.exeC:\Windows\system32\Oppkgkkl.exe122⤵PID:5136