Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/11/2024, 05:18
Behavioral task
behavioral1
Sample
f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe
-
Size
93KB
-
MD5
68eaa42c000d33e30bb48aba82181ac2
-
SHA1
af689f4bff0177c525cb9cd0336998a336c98207
-
SHA256
f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386
-
SHA512
01c314f5dd5ccfdf300bf1aa1200c6b19be7c9d8d5a59b5c2fd82d58b4c2c69efe8de4dcf85c4e895f5d0d63d68036b527f1b957f26bda22694d57b7706093b2
-
SSDEEP
1536:zhK9tqnBAMydDUgYgq8HLH7bk5U1DaYfMZRWuLsV+1r:9K9QnBbDg5q8rk5UgYfc0DV+1r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgmahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlddkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbjcqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdaglmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khlili32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfagpiam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlkcdog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippdgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcachc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jliohkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aekqmbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alihaioe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmfad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhgkil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbbjpgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egahen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcqaok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aollokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpdgbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeieced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhilph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kokjdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfddp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamgmofp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaqmg32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2524 Jnfomn32.exe 2728 Jliohkak.exe 2676 Jpdkii32.exe 2644 Jeadap32.exe 2756 Jnhlbn32.exe 2664 Jpfhoi32.exe 2356 Joihjfnl.exe 1916 Jcedkd32.exe 1052 Jfcqgpfi.exe 2732 Jjomgo32.exe 1240 Jlmicj32.exe 1648 Jolepe32.exe 1780 Jcgapdeb.exe 2004 Jfemlpdf.exe 2944 Jlpeij32.exe 816 Jkbfdfbm.exe 1560 Jonbee32.exe 1580 Jdkjnl32.exe 1600 Jkebjf32.exe 1064 Kncofa32.exe 1568 Kfjggo32.exe 1688 Kglcogeo.exe 1692 Kbaglpee.exe 1760 Kdpcikdi.exe 2116 Khkpijma.exe 2528 Kbcdbp32.exe 1532 Kgpmjf32.exe 2336 Kjoifb32.exe 2588 Knjegqif.exe 2964 Kgbipf32.exe 2460 Kjaelaok.exe 2468 Kmobhmnn.exe 2448 Kcijeg32.exe 2924 Lifbmn32.exe 1636 Lmbonmll.exe 2248 Lopkjhko.exe 2352 Lclgjg32.exe 2268 Lbogfcjc.exe 2200 Lmdkcl32.exe 1980 Lkgkoiqc.exe 2148 Lbackc32.exe 580 Liklhmom.exe 2168 Lmfhil32.exe 688 Lnhdqdnd.exe 448 Leammn32.exe 772 Liminmmk.exe 1348 Lklejh32.exe 1708 Lpgajgeg.exe 604 Ljabkeaf.exe 1616 Lnlnlc32.exe 2888 Mcifdj32.exe 2704 Mlpneh32.exe 2572 Mnojacgm.exe 1820 Mamgmofp.exe 2648 Mamgmofp.exe 2616 Meicnm32.exe 2044 Mclcijfd.exe 2172 Mfjoeeeh.exe 608 Mjekfd32.exe 1716 Mmdgbp32.exe 1020 Mpbdnk32.exe 2240 Mhilph32.exe 1732 Mjhhld32.exe 2292 Mabphn32.exe -
Loads dropped DLL 64 IoCs
pid Process 1608 f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe 1608 f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe 2524 Jnfomn32.exe 2524 Jnfomn32.exe 2728 Jliohkak.exe 2728 Jliohkak.exe 2676 Jpdkii32.exe 2676 Jpdkii32.exe 2644 Jeadap32.exe 2644 Jeadap32.exe 2756 Jnhlbn32.exe 2756 Jnhlbn32.exe 2664 Jpfhoi32.exe 2664 Jpfhoi32.exe 2356 Joihjfnl.exe 2356 Joihjfnl.exe 1916 Jcedkd32.exe 1916 Jcedkd32.exe 1052 Jfcqgpfi.exe 1052 Jfcqgpfi.exe 2732 Jjomgo32.exe 2732 Jjomgo32.exe 1240 Jlmicj32.exe 1240 Jlmicj32.exe 1648 Jolepe32.exe 1648 Jolepe32.exe 1780 Jcgapdeb.exe 1780 Jcgapdeb.exe 2004 Jfemlpdf.exe 2004 Jfemlpdf.exe 2944 Jlpeij32.exe 2944 Jlpeij32.exe 816 Jkbfdfbm.exe 816 Jkbfdfbm.exe 1560 Jonbee32.exe 1560 Jonbee32.exe 1580 Jdkjnl32.exe 1580 Jdkjnl32.exe 1600 Jkebjf32.exe 1600 Jkebjf32.exe 1064 Kncofa32.exe 1064 Kncofa32.exe 1568 Kfjggo32.exe 1568 Kfjggo32.exe 1688 Kglcogeo.exe 1688 Kglcogeo.exe 1692 Kbaglpee.exe 1692 Kbaglpee.exe 1760 Kdpcikdi.exe 1760 Kdpcikdi.exe 2116 Khkpijma.exe 2116 Khkpijma.exe 2528 Kbcdbp32.exe 2528 Kbcdbp32.exe 1532 Kgpmjf32.exe 1532 Kgpmjf32.exe 2336 Kjoifb32.exe 2336 Kjoifb32.exe 2588 Knjegqif.exe 2588 Knjegqif.exe 2964 Kgbipf32.exe 2964 Kgbipf32.exe 2460 Kjaelaok.exe 2460 Kjaelaok.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mgmahg32.exe Mbpipp32.exe File created C:\Windows\SysWOW64\Mnkgen32.dll Epmfgo32.exe File opened for modification C:\Windows\SysWOW64\Bgghac32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jgdfdbhk.exe Jdejhfig.exe File created C:\Windows\SysWOW64\Dbncjf32.exe Djgkii32.exe File opened for modification C:\Windows\SysWOW64\Iegjqk32.exe Ibhndp32.exe File created C:\Windows\SysWOW64\Hjhmbnfb.dll Cnckjddd.exe File created C:\Windows\SysWOW64\Dfocegkg.dll Eiekpd32.exe File created C:\Windows\SysWOW64\Qcachc32.exe Qdncmgbj.exe File opened for modification C:\Windows\SysWOW64\Iaegpaao.exe Process not Found File created C:\Windows\SysWOW64\Ekliqn32.dll Process not Found File created C:\Windows\SysWOW64\Pnmcfeia.exe Pkofjijm.exe File created C:\Windows\SysWOW64\Cgohil32.dll Iaeegh32.exe File opened for modification C:\Windows\SysWOW64\Njbdea32.exe Npmphinm.exe File created C:\Windows\SysWOW64\Miidam32.dll Cacclpae.exe File created C:\Windows\SysWOW64\Iheegf32.dll Mjaddn32.exe File opened for modification C:\Windows\SysWOW64\Dbncjf32.exe Djgkii32.exe File created C:\Windows\SysWOW64\Fhgkakgl.dll Process not Found File created C:\Windows\SysWOW64\Bhkeohhn.exe Process not Found File created C:\Windows\SysWOW64\Pkljdj32.exe Plijimee.exe File created C:\Windows\SysWOW64\Hlafnbal.exe Hibjbgbh.exe File created C:\Windows\SysWOW64\Nnoiph32.dll Ohagbj32.exe File opened for modification C:\Windows\SysWOW64\Flhmfbim.exe Fjjpjgjj.exe File created C:\Windows\SysWOW64\Bfabnl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kcdjoaee.exe Kohnoc32.exe File opened for modification C:\Windows\SysWOW64\Mpopnejo.exe Mkddnf32.exe File created C:\Windows\SysWOW64\Mhmdim32.dll Pgbdodnh.exe File created C:\Windows\SysWOW64\Jdkjnl32.exe Jonbee32.exe File opened for modification C:\Windows\SysWOW64\Aoohekal.exe Aggpdnpj.exe File created C:\Windows\SysWOW64\Cgnein32.dll Cepfgdnj.exe File opened for modification C:\Windows\SysWOW64\Dpcjnabn.exe Dlgnmb32.exe File opened for modification C:\Windows\SysWOW64\Dfcaiilc.dll Jlckbh32.exe File opened for modification C:\Windows\SysWOW64\Cnmfdb32.exe Process not Found File created C:\Windows\SysWOW64\Ofnpnkgf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gblkoham.exe Gonocmbi.exe File created C:\Windows\SysWOW64\Lepiko32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lnhdqdnd.exe Lmfhil32.exe File opened for modification C:\Windows\SysWOW64\Ekhkjm32.exe Egmojnlf.exe File opened for modification C:\Windows\SysWOW64\Ilcoce32.exe Ihhcbf32.exe File opened for modification C:\Windows\SysWOW64\Jpogbgmi.exe Jlckbh32.exe File created C:\Windows\SysWOW64\Kfmmfimm.dll Fnacpffh.exe File created C:\Windows\SysWOW64\Ofcqcp32.exe Obhdcanc.exe File created C:\Windows\SysWOW64\Egmhoeom.dll Process not Found File created C:\Windows\SysWOW64\Namclbil.exe Nbjcqe32.exe File created C:\Windows\SysWOW64\Pkjmoj32.exe Ohkaco32.exe File opened for modification C:\Windows\SysWOW64\Lfbbjpgd.exe Lgoboc32.exe File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Mjhjdm32.exe File opened for modification C:\Windows\SysWOW64\Nnafnopi.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Deenjpcd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mjjdacik.exe Mfoiqe32.exe File created C:\Windows\SysWOW64\Ehlenfjb.dll Hjipenda.exe File created C:\Windows\SysWOW64\Ihmpobck.exe Ipehmebh.exe File created C:\Windows\SysWOW64\Kfbfkmeh.exe Kbgjkn32.exe File created C:\Windows\SysWOW64\Olebgfao.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Dkolai32.dll Process not Found File created C:\Windows\SysWOW64\Lhelbh32.exe Ldjpbign.exe File created C:\Windows\SysWOW64\Lmjnak32.exe Lngnfnji.exe File created C:\Windows\SysWOW64\Heapkela.dll Lohjnf32.exe File created C:\Windows\SysWOW64\Cgekkhbb.dll Ooicid32.exe File created C:\Windows\SysWOW64\Hmmbqegc.exe Hnjbeh32.exe File created C:\Windows\SysWOW64\Qknbpmpk.dll Chfbgn32.exe File created C:\Windows\SysWOW64\Dklddhka.exe Dhmhhmlm.exe File created C:\Windows\SysWOW64\Dqaegjop.dll Akfkbd32.exe File created C:\Windows\SysWOW64\Gqaafn32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 4560 4624 Process not Found 1652 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqonbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkocj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhnkfpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkloq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nianhplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odbeilbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjlhfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohagbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpkflne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbafjlaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egjbdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmifk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peedka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkchmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjmpcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnofjfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebcmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcpei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgmlhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdjklek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmedlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmpce32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkoncdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdojinhb.dll" Lneaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahoec32.dll" Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcidje32.dll" Hjcppidk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pakllc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkngi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqeddbgm.dll" Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibedepbh.dll" Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidlgdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafqii32.dll" Olbfagca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefggi32.dll" Bjallg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihifg32.dll" Idkpganf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcqem32.dll" Ejpdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfkbadh.dll" Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Padhdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qppkfhlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmkhjncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigeamik.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggfcl32.dll" Hmalldcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdjjag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okqcnknc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnlpnk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqnlqf32.dll" Nhgkil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amnocpdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Homdpk32.dll" Jeadap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhbjgmd.dll" Ancefgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdaglmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijoclhk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcool32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ancefgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pocdjfob.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdecha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjicfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhniklfm.dll" Kpicle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igiani32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbfmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Ihbcmaje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1608 wrote to memory of 2524 1608 f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe 28 PID 1608 wrote to memory of 2524 1608 f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe 28 PID 1608 wrote to memory of 2524 1608 f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe 28 PID 1608 wrote to memory of 2524 1608 f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe 28 PID 2524 wrote to memory of 2728 2524 Jnfomn32.exe 29 PID 2524 wrote to memory of 2728 2524 Jnfomn32.exe 29 PID 2524 wrote to memory of 2728 2524 Jnfomn32.exe 29 PID 2524 wrote to memory of 2728 2524 Jnfomn32.exe 29 PID 2728 wrote to memory of 2676 2728 Jliohkak.exe 30 PID 2728 wrote to memory of 2676 2728 Jliohkak.exe 30 PID 2728 wrote to memory of 2676 2728 Jliohkak.exe 30 PID 2728 wrote to memory of 2676 2728 Jliohkak.exe 30 PID 2676 wrote to memory of 2644 2676 Jpdkii32.exe 31 PID 2676 wrote to memory of 2644 2676 Jpdkii32.exe 31 PID 2676 wrote to memory of 2644 2676 Jpdkii32.exe 31 PID 2676 wrote to memory of 2644 2676 Jpdkii32.exe 31 PID 2644 wrote to memory of 2756 2644 Jeadap32.exe 32 PID 2644 wrote to memory of 2756 2644 Jeadap32.exe 32 PID 2644 wrote to memory of 2756 2644 Jeadap32.exe 32 PID 2644 wrote to memory of 2756 2644 Jeadap32.exe 32 PID 2756 wrote to memory of 2664 2756 Jnhlbn32.exe 33 PID 2756 wrote to memory of 2664 2756 Jnhlbn32.exe 33 PID 2756 wrote to memory of 2664 2756 Jnhlbn32.exe 33 PID 2756 wrote to memory of 2664 2756 Jnhlbn32.exe 33 PID 2664 wrote to memory of 2356 2664 Jpfhoi32.exe 34 PID 2664 wrote to memory of 2356 2664 Jpfhoi32.exe 34 PID 2664 wrote to memory of 2356 2664 Jpfhoi32.exe 34 PID 2664 wrote to memory of 2356 2664 Jpfhoi32.exe 34 PID 2356 wrote to memory of 1916 2356 Joihjfnl.exe 35 PID 2356 wrote to memory of 1916 2356 Joihjfnl.exe 35 PID 2356 wrote to memory of 1916 2356 Joihjfnl.exe 35 PID 2356 wrote to memory of 1916 2356 Joihjfnl.exe 35 PID 1916 wrote to memory of 1052 1916 Jcedkd32.exe 36 PID 1916 wrote to memory of 1052 1916 Jcedkd32.exe 36 PID 1916 wrote to memory of 1052 1916 Jcedkd32.exe 36 PID 1916 wrote to memory of 1052 1916 Jcedkd32.exe 36 PID 1052 wrote to memory of 2732 1052 Jfcqgpfi.exe 37 PID 1052 wrote to memory of 2732 1052 Jfcqgpfi.exe 37 PID 1052 wrote to memory of 2732 1052 Jfcqgpfi.exe 37 PID 1052 wrote to memory of 2732 1052 Jfcqgpfi.exe 37 PID 2732 wrote to memory of 1240 2732 Jjomgo32.exe 38 PID 2732 wrote to memory of 1240 2732 Jjomgo32.exe 38 PID 2732 wrote to memory of 1240 2732 Jjomgo32.exe 38 PID 2732 wrote to memory of 1240 2732 Jjomgo32.exe 38 PID 1240 wrote to memory of 1648 1240 Jlmicj32.exe 39 PID 1240 wrote to memory of 1648 1240 Jlmicj32.exe 39 PID 1240 wrote to memory of 1648 1240 Jlmicj32.exe 39 PID 1240 wrote to memory of 1648 1240 Jlmicj32.exe 39 PID 1648 wrote to memory of 1780 1648 Jolepe32.exe 40 PID 1648 wrote to memory of 1780 1648 Jolepe32.exe 40 PID 1648 wrote to memory of 1780 1648 Jolepe32.exe 40 PID 1648 wrote to memory of 1780 1648 Jolepe32.exe 40 PID 1780 wrote to memory of 2004 1780 Jcgapdeb.exe 41 PID 1780 wrote to memory of 2004 1780 Jcgapdeb.exe 41 PID 1780 wrote to memory of 2004 1780 Jcgapdeb.exe 41 PID 1780 wrote to memory of 2004 1780 Jcgapdeb.exe 41 PID 2004 wrote to memory of 2944 2004 Jfemlpdf.exe 42 PID 2004 wrote to memory of 2944 2004 Jfemlpdf.exe 42 PID 2004 wrote to memory of 2944 2004 Jfemlpdf.exe 42 PID 2004 wrote to memory of 2944 2004 Jfemlpdf.exe 42 PID 2944 wrote to memory of 816 2944 Jlpeij32.exe 43 PID 2944 wrote to memory of 816 2944 Jlpeij32.exe 43 PID 2944 wrote to memory of 816 2944 Jlpeij32.exe 43 PID 2944 wrote to memory of 816 2944 Jlpeij32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe"C:\Users\Admin\AppData\Local\Temp\f2762f1f33b02c081938e9896943da575884cac0ec07c32bc01a64d14b887386.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe33⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe34⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe35⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe36⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe37⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe38⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe39⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe40⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe41⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe42⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe43⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe45⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe46⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe47⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe48⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe49⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe50⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe51⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe52⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe53⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe54⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe55⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe57⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe58⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe59⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe60⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe61⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe62⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe64⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe65⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe66⤵PID:2428
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe67⤵PID:956
-
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe68⤵
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe69⤵PID:1028
-
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe70⤵PID:2068
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe71⤵PID:1480
-
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe72⤵PID:3028
-
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe73⤵PID:3000
-
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe74⤵PID:2516
-
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe75⤵PID:3020
-
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe76⤵PID:2740
-
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe77⤵PID:1108
-
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe78⤵PID:1444
-
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe79⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe80⤵PID:1676
-
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe81⤵PID:1848
-
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe83⤵PID:2872
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe85⤵PID:1252
-
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe86⤵PID:2104
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe87⤵PID:908
-
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe88⤵PID:2140
-
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe89⤵PID:2328
-
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe90⤵PID:2584
-
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe92⤵PID:2036
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe93⤵PID:1488
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe94⤵PID:1828
-
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe95⤵
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe96⤵PID:2008
-
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe97⤵PID:2164
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe98⤵PID:3060
-
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe99⤵PID:1344
-
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe100⤵PID:1220
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe101⤵PID:2380
-
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe102⤵PID:2700
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe103⤵PID:2932
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe104⤵PID:784
-
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe105⤵PID:668
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe106⤵PID:2940
-
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe107⤵PID:2736
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe108⤵PID:1412
-
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe109⤵PID:1056
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe110⤵PID:1976
-
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe111⤵PID:1312
-
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe112⤵PID:1872
-
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe113⤵PID:2724
-
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe114⤵PID:2764
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe115⤵PID:2364
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe116⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe117⤵PID:2748
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe118⤵PID:1656
-
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe119⤵PID:484
-
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe120⤵PID:1400
-
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe121⤵PID:1036
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-