Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 07:48
Behavioral task
behavioral1
Sample
bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe
-
Size
93KB
-
MD5
6e488a7b0f80d7db1032f96e13d1b5e0
-
SHA1
eafbecaa59b4b221a5618f8a7b23202efb47813e
-
SHA256
bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78
-
SHA512
e52dfa5a6d9c99446becbccfad943b146af2facaa34ddd4379b7785302577c6cc9065dcf7a872ac6e2bf22280772cf515b948f6c10df3480aa2d7e2c34ff3f4a
-
SSDEEP
1536:mT1mQLlTSFjnZXwDC8gaqrzbx1DaYfMZRWuLsV+1L:I1mQ5eBSDcvxgYfc0DV+1L
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnplfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqnkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommceclc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoheakj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngqagcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfoann32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efblbbqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokdnjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doojec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbphg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niojoeel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihibbjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjkjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbebj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpjaeoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplbickp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipeeobbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojqjdbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfbkpab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgkfnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opbean32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcoljagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhanngbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkdcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feenjgfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpepbgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hldiinke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njbgmjgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnqfcbnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnffj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonlfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlkdhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inebjihf.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3368 Dbpjaeoc.exe 1368 Ddnfmqng.exe 2524 Dmennnni.exe 3100 Dodjjimm.exe 4632 Eiloco32.exe 3500 Enigke32.exe 1604 Efpomccg.exe 3064 Eoideh32.exe 760 Efblbbqd.exe 4576 Emmdom32.exe 3652 Ennqfenp.exe 3308 Efeihb32.exe 2960 Ekaapi32.exe 2652 Eblimcdf.exe 3024 Eifaim32.exe 1284 Enbjad32.exe 4008 Fihnomjp.exe 4992 Flfkkhid.exe 1844 Fflohaij.exe 4800 Fligqhga.exe 4568 Ffnknafg.exe 4736 Fpgpgfmh.exe 928 Ffqhcq32.exe 4400 Fiodpl32.exe 1048 Fpimlfke.exe 3736 Fbgihaji.exe 4972 Ffceip32.exe 400 Fmmmfj32.exe 2260 Fpkibf32.exe 4816 Gfeaopqo.exe 5052 Gidnkkpc.exe 624 Gmojkj32.exe 1820 Gnqfcbnj.exe 2040 Gfhndpol.exe 2020 Gejopl32.exe 920 Gmafajfi.exe 2692 Gncchb32.exe 3192 Gfjkjo32.exe 4472 Glgcbf32.exe 3504 Gnepna32.exe 4872 Gmfplibd.exe 672 Gbchdp32.exe 4644 Gmimai32.exe 4336 Glkmmefl.exe 2764 Gbeejp32.exe 1156 Hlnjbedi.exe 2424 Hplbickp.exe 512 Hbjoeojc.exe 3692 Hlbcnd32.exe 5076 Hblkjo32.exe 1916 Hmbphg32.exe 4136 Hoclopne.exe 2892 Hiipmhmk.exe 4604 Hpchib32.exe 3768 Ifmqfm32.exe 2428 Ipeeobbe.exe 2384 Ifomll32.exe 2876 Iebngial.exe 4152 Ibfnqmpf.exe 1928 Iipfmggc.exe 2740 Igdgglfl.exe 2444 Imnocf32.exe 4072 Iplkpa32.exe 5028 Ickglm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Llcghg32.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Ofckhj32.exe Ocdnln32.exe File created C:\Windows\SysWOW64\Fpgpgfmh.exe Ffnknafg.exe File created C:\Windows\SysWOW64\Iidphgcn.exe Ickglm32.exe File opened for modification C:\Windows\SysWOW64\Ombcji32.exe Ojdgnn32.exe File created C:\Windows\SysWOW64\Odlkfe32.dll Hlppno32.exe File created C:\Windows\SysWOW64\Gfhndpol.exe Gnqfcbnj.exe File opened for modification C:\Windows\SysWOW64\Glkmmefl.exe Gmimai32.exe File opened for modification C:\Windows\SysWOW64\Hlppno32.exe Heegad32.exe File opened for modification C:\Windows\SysWOW64\Edgbii32.exe Enmjlojd.exe File created C:\Windows\SysWOW64\Fbdehlip.exe Fofilp32.exe File created C:\Windows\SysWOW64\Aphnnafb.exe Amjbbfgo.exe File created C:\Windows\SysWOW64\Bgbpaipl.exe Bhpofl32.exe File created C:\Windows\SysWOW64\Ckgohf32.exe Cpbjkn32.exe File created C:\Windows\SysWOW64\Lkpemq32.dll Joekag32.exe File opened for modification C:\Windows\SysWOW64\Nckkfp32.exe Njbgmjgl.exe File created C:\Windows\SysWOW64\Kjmgil32.dll Pcpnhl32.exe File created C:\Windows\SysWOW64\Opeiadfg.exe Ofmdio32.exe File created C:\Windows\SysWOW64\Egilaj32.dll Qdaniq32.exe File opened for modification C:\Windows\SysWOW64\Ipkdek32.exe Iialhaad.exe File created C:\Windows\SysWOW64\Mqafhl32.exe Mmfkhmdi.exe File created C:\Windows\SysWOW64\Oblknjim.dll Cklhcfle.exe File created C:\Windows\SysWOW64\Pkpbai32.dll Hldiinke.exe File opened for modification C:\Windows\SysWOW64\Nblolm32.exe Nciopppp.exe File created C:\Windows\SysWOW64\Chjjqebm.dll Ppikbm32.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe File created C:\Windows\SysWOW64\Fihnomjp.exe Enbjad32.exe File created C:\Windows\SysWOW64\Lgbloglj.exe Lokdnjkg.exe File opened for modification C:\Windows\SysWOW64\Iebngial.exe Ifomll32.exe File opened for modification C:\Windows\SysWOW64\Kflide32.exe Knqepc32.exe File opened for modification C:\Windows\SysWOW64\Dmennnni.exe Ddnfmqng.exe File opened for modification C:\Windows\SysWOW64\Ljceqb32.exe Lgbloglj.exe File created C:\Windows\SysWOW64\Ccegpn32.dll Ebkbbmqj.exe File created C:\Windows\SysWOW64\Gjecbd32.dll Bogkmgba.exe File opened for modification C:\Windows\SysWOW64\Gicgpelg.exe Gegkpf32.exe File created C:\Windows\SysWOW64\Dahkpm32.dll Iehmmb32.exe File opened for modification C:\Windows\SysWOW64\Kcapicdj.exe Kabcopmg.exe File opened for modification C:\Windows\SysWOW64\Gnqfcbnj.exe Gmojkj32.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Mmfkhmdi.exe File created C:\Windows\SysWOW64\Omnjojpo.exe Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Oghghb32.exe Oclkgccf.exe File created C:\Windows\SysWOW64\Flmlag32.dll Jaonbc32.exe File created C:\Windows\SysWOW64\Njlmnj32.dll Ipbaol32.exe File created C:\Windows\SysWOW64\Bcghdkpf.dll Impliekg.exe File created C:\Windows\SysWOW64\Eohmkb32.exe Enhpao32.exe File created C:\Windows\SysWOW64\Ekajec32.exe Edgbii32.exe File opened for modification C:\Windows\SysWOW64\Jjpode32.exe Jinboekc.exe File opened for modification C:\Windows\SysWOW64\Doojec32.exe Dhdbhifj.exe File created C:\Windows\SysWOW64\Ljgmjm32.dll Opbean32.exe File created C:\Windows\SysWOW64\Apgnjp32.dll Pfdjinjo.exe File opened for modification C:\Windows\SysWOW64\Dhdbhifj.exe Dhbebj32.exe File created C:\Windows\SysWOW64\Jpnakk32.exe Jlbejloe.exe File opened for modification C:\Windows\SysWOW64\Kbhmbdle.exe Kolabf32.exe File opened for modification C:\Windows\SysWOW64\Eifaim32.exe Eblimcdf.exe File created C:\Windows\SysWOW64\Eieijp32.dll Jiglnf32.exe File created C:\Windows\SysWOW64\Oglbla32.dll Ompfej32.exe File created C:\Windows\SysWOW64\Caageq32.exe Cocjiehd.exe File created C:\Windows\SysWOW64\Fknajfhe.dll Ffnknafg.exe File opened for modification C:\Windows\SysWOW64\Gidnkkpc.exe Gfeaopqo.exe File created C:\Windows\SysWOW64\Jenmcggo.exe Jiglnf32.exe File opened for modification C:\Windows\SysWOW64\Lckboblp.exe Lplfcf32.exe File opened for modification C:\Windows\SysWOW64\Efblbbqd.exe Eoideh32.exe File created C:\Windows\SysWOW64\Gdaklmfn.dll Fflohaij.exe File opened for modification C:\Windows\SysWOW64\Jlikkkhn.exe Joekag32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10048 9928 WerFault.exe 461 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnajppda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepleocn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhgmmbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnlodjpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdppiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giljfddl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldiinke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogopi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbponja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfldgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhpao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfepdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffceip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomcopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolhkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iehmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbkpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmimai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhndkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iondqhpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjoadei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqbcbkab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbihjifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojdlfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnjojpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgdhkem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhmbdle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdiknlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihmedma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipbaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nofefp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbebbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdgikhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcapicdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdnln32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfepdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll" Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll" Nmfmde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll" Hnlodjpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll" Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpnakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll" Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihcbonm.dll" Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hioflcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll" Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdopj32.dll" Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kflide32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghghb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enhpao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll" Klndfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lepleocn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfglb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll" Niojoeel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlemeao.dll" Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iidphgcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdnbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npepkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngndaccj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjbbfgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njljch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hplbickp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lobjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcoaln32.dll" Eohmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amlogfel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll" Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll" Nckkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll" Pfccogfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpchib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffgmig.dll" Glfmgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpceplkl.dll" Hemmac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcjqgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdaklmfn.dll" Fflohaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll" Ibqnkh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 3368 2376 bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe 83 PID 2376 wrote to memory of 3368 2376 bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe 83 PID 2376 wrote to memory of 3368 2376 bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe 83 PID 3368 wrote to memory of 1368 3368 Dbpjaeoc.exe 84 PID 3368 wrote to memory of 1368 3368 Dbpjaeoc.exe 84 PID 3368 wrote to memory of 1368 3368 Dbpjaeoc.exe 84 PID 1368 wrote to memory of 2524 1368 Ddnfmqng.exe 85 PID 1368 wrote to memory of 2524 1368 Ddnfmqng.exe 85 PID 1368 wrote to memory of 2524 1368 Ddnfmqng.exe 85 PID 2524 wrote to memory of 3100 2524 Dmennnni.exe 86 PID 2524 wrote to memory of 3100 2524 Dmennnni.exe 86 PID 2524 wrote to memory of 3100 2524 Dmennnni.exe 86 PID 3100 wrote to memory of 4632 3100 Dodjjimm.exe 87 PID 3100 wrote to memory of 4632 3100 Dodjjimm.exe 87 PID 3100 wrote to memory of 4632 3100 Dodjjimm.exe 87 PID 4632 wrote to memory of 3500 4632 Eiloco32.exe 88 PID 4632 wrote to memory of 3500 4632 Eiloco32.exe 88 PID 4632 wrote to memory of 3500 4632 Eiloco32.exe 88 PID 3500 wrote to memory of 1604 3500 Enigke32.exe 89 PID 3500 wrote to memory of 1604 3500 Enigke32.exe 89 PID 3500 wrote to memory of 1604 3500 Enigke32.exe 89 PID 1604 wrote to memory of 3064 1604 Efpomccg.exe 90 PID 1604 wrote to memory of 3064 1604 Efpomccg.exe 90 PID 1604 wrote to memory of 3064 1604 Efpomccg.exe 90 PID 3064 wrote to memory of 760 3064 Eoideh32.exe 91 PID 3064 wrote to memory of 760 3064 Eoideh32.exe 91 PID 3064 wrote to memory of 760 3064 Eoideh32.exe 91 PID 760 wrote to memory of 4576 760 Efblbbqd.exe 92 PID 760 wrote to memory of 4576 760 Efblbbqd.exe 92 PID 760 wrote to memory of 4576 760 Efblbbqd.exe 92 PID 4576 wrote to memory of 3652 4576 Emmdom32.exe 93 PID 4576 wrote to memory of 3652 4576 Emmdom32.exe 93 PID 4576 wrote to memory of 3652 4576 Emmdom32.exe 93 PID 3652 wrote to memory of 3308 3652 Ennqfenp.exe 94 PID 3652 wrote to memory of 3308 3652 Ennqfenp.exe 94 PID 3652 wrote to memory of 3308 3652 Ennqfenp.exe 94 PID 3308 wrote to memory of 2960 3308 Efeihb32.exe 95 PID 3308 wrote to memory of 2960 3308 Efeihb32.exe 95 PID 3308 wrote to memory of 2960 3308 Efeihb32.exe 95 PID 2960 wrote to memory of 2652 2960 Ekaapi32.exe 96 PID 2960 wrote to memory of 2652 2960 Ekaapi32.exe 96 PID 2960 wrote to memory of 2652 2960 Ekaapi32.exe 96 PID 2652 wrote to memory of 3024 2652 Eblimcdf.exe 97 PID 2652 wrote to memory of 3024 2652 Eblimcdf.exe 97 PID 2652 wrote to memory of 3024 2652 Eblimcdf.exe 97 PID 3024 wrote to memory of 1284 3024 Eifaim32.exe 98 PID 3024 wrote to memory of 1284 3024 Eifaim32.exe 98 PID 3024 wrote to memory of 1284 3024 Eifaim32.exe 98 PID 1284 wrote to memory of 4008 1284 Enbjad32.exe 99 PID 1284 wrote to memory of 4008 1284 Enbjad32.exe 99 PID 1284 wrote to memory of 4008 1284 Enbjad32.exe 99 PID 4008 wrote to memory of 4992 4008 Fihnomjp.exe 100 PID 4008 wrote to memory of 4992 4008 Fihnomjp.exe 100 PID 4008 wrote to memory of 4992 4008 Fihnomjp.exe 100 PID 4992 wrote to memory of 1844 4992 Flfkkhid.exe 101 PID 4992 wrote to memory of 1844 4992 Flfkkhid.exe 101 PID 4992 wrote to memory of 1844 4992 Flfkkhid.exe 101 PID 1844 wrote to memory of 4800 1844 Fflohaij.exe 102 PID 1844 wrote to memory of 4800 1844 Fflohaij.exe 102 PID 1844 wrote to memory of 4800 1844 Fflohaij.exe 102 PID 4800 wrote to memory of 4568 4800 Fligqhga.exe 103 PID 4800 wrote to memory of 4568 4800 Fligqhga.exe 103 PID 4800 wrote to memory of 4568 4800 Fligqhga.exe 103 PID 4568 wrote to memory of 4736 4568 Ffnknafg.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe"C:\Users\Admin\AppData\Local\Temp\bb80ef50c662ffe80078b2ba2ffc33edeedb701aee7faf9a53e7b08f59972c78N.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Ddnfmqng.exeC:\Windows\system32\Ddnfmqng.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Dmennnni.exeC:\Windows\system32\Dmennnni.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Fihnomjp.exeC:\Windows\system32\Fihnomjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Ffnknafg.exeC:\Windows\system32\Ffnknafg.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4736 -
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe25⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe26⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe27⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:400 -
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe30⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Gmojkj32.exeC:\Windows\system32\Gmojkj32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe36⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe37⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Gncchb32.exeC:\Windows\system32\Gncchb32.exe38⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe40⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe41⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe42⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe43⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4644 -
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe45⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe46⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe47⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Hbjoeojc.exeC:\Windows\system32\Hbjoeojc.exe49⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3692 -
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe53⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe54⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe56⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe60⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe62⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4072 -
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Iidphgcn.exeC:\Windows\system32\Iidphgcn.exe66⤵
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe67⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4084 -
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe69⤵PID:1160
-
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe70⤵
- Drops file in System32 directory
PID:4908 -
C:\Windows\SysWOW64\Jenmcggo.exeC:\Windows\system32\Jenmcggo.exe71⤵PID:3096
-
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe72⤵PID:2700
-
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe73⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe76⤵PID:468
-
C:\Windows\SysWOW64\Kegpifod.exeC:\Windows\system32\Kegpifod.exe77⤵PID:3644
-
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe78⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe79⤵
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe80⤵PID:1856
-
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3080 -
C:\Windows\SysWOW64\Kofkbk32.exeC:\Windows\system32\Kofkbk32.exe82⤵PID:408
-
C:\Windows\SysWOW64\Lljklo32.exeC:\Windows\system32\Lljklo32.exe83⤵PID:1196
-
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe84⤵PID:4608
-
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Lgbloglj.exeC:\Windows\system32\Lgbloglj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3824 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe87⤵PID:4200
-
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe88⤵
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Lobjni32.exeC:\Windows\system32\Lobjni32.exe89⤵
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe90⤵PID:2104
-
C:\Windows\SysWOW64\Ljhnlb32.exeC:\Windows\system32\Ljhnlb32.exe91⤵PID:4596
-
C:\Windows\SysWOW64\Lncjlq32.exeC:\Windows\system32\Lncjlq32.exe92⤵PID:2728
-
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Mnegbp32.exeC:\Windows\system32\Mnegbp32.exe95⤵PID:3748
-
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe96⤵
- System Location Discovery: System Language Discovery
PID:4112 -
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:620 -
C:\Windows\SysWOW64\Mmkdcm32.exeC:\Windows\system32\Mmkdcm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3296 -
C:\Windows\SysWOW64\Mqfpckhm.exeC:\Windows\system32\Mqfpckhm.exe99⤵PID:1876
-
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe100⤵PID:628
-
C:\Windows\SysWOW64\Monjjgkb.exeC:\Windows\system32\Monjjgkb.exe101⤵PID:3960
-
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe102⤵PID:440
-
C:\Windows\SysWOW64\Nnafno32.exeC:\Windows\system32\Nnafno32.exe103⤵
- System Location Discovery: System Language Discovery
PID:4912 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe104⤵
- System Location Discovery: System Language Discovery
PID:4444 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe105⤵PID:404
-
C:\Windows\SysWOW64\Nmfcok32.exeC:\Windows\system32\Nmfcok32.exe106⤵PID:3176
-
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3916 -
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe108⤵
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe109⤵PID:660
-
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe110⤵
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe111⤵PID:4500
-
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe112⤵PID:4524
-
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe115⤵
- System Location Discovery: System Language Discovery
PID:5180 -
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe116⤵PID:5220
-
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe117⤵PID:5260
-
C:\Windows\SysWOW64\Offnhpfo.exeC:\Windows\system32\Offnhpfo.exe118⤵PID:5324
-
C:\Windows\SysWOW64\Ojajin32.exeC:\Windows\system32\Ojajin32.exe119⤵PID:5376
-
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe121⤵PID:5480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-