Analysis
-
max time kernel
70s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-01-2025 00:31
Behavioral task
behavioral1
Sample
d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe
-
Size
337KB
-
MD5
1b5e6aec09487fb584076f713fa5d7d7
-
SHA1
85e629a7f70e52fb3186b28ab95910add7d18b8a
-
SHA256
d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e
-
SHA512
185991a81f606f6123cf5000f3777196ab3ac8041678814ef19a93af3eff0bebd21dc21fbb483aae307872710833a3dc7be6b75e8443f6c3171530d3b4d5b6fa
-
SSDEEP
3072:JfFyvsydj1tJCUfIHayjgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0P:JfFyvsbayj1+fIyG5jZkCwi8p
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icabeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeamo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nommodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmlbaqfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpabpcdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmofdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmohco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegeonpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkglj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaeqmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egflml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpojkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnkhfnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ephdjeol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfjbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghoijebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjohmbpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngeljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjiljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmmcjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpfke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjogcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhgccbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hieiqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feachqgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Genlgnhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglpdomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mghfdcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emifeqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfgjml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmbgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhjgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jghqia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkioeig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpjklo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimmjffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebialmjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljigih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objjnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaeehmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkmjlca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacefpbg.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2680 Edaalk32.exe 2704 Egonhf32.exe 2880 Emifeqid.exe 2620 Ephbal32.exe 2376 Fgfdie32.exe 536 Fapeic32.exe 2436 Fleifl32.exe 2896 Fofbhgde.exe 2644 Ggagmjbq.exe 1416 Gkmbmh32.exe 2964 Ggdcbi32.exe 772 Gnphdceh.exe 1708 Gcmamj32.exe 2824 Ggkibhjf.exe 908 Gmhbkohm.exe 1844 Hinbppna.exe 2528 Hohkmj32.exe 1248 Hkolakkb.exe 2460 Hbidne32.exe 1448 Hiclkp32.exe 1460 Homdhjai.exe 1204 Hieiqo32.exe 1584 Hnbaif32.exe 1564 Hgkfal32.exe 3020 Ijibng32.exe 2868 Ifpcchai.exe 2856 Imjkpb32.exe 2928 Ijnkifgp.exe 2696 Iahceq32.exe 1712 Icfpbl32.exe 2072 Iichjc32.exe 1744 Iejiodbl.exe 2564 Imaapa32.exe 2752 Jelfdc32.exe 2988 Jhjbqo32.exe 328 Jndjmifj.exe 3036 Jjkkbjln.exe 1352 Jbbccgmp.exe 3044 Jlkglm32.exe 2304 Jhahanie.exe 976 Jjpdmi32.exe 2324 Jajmjcoe.exe 1716 Jdhifooi.exe 2524 Jfgebjnm.exe 1636 Kmqmod32.exe 1904 Kpojkp32.exe 1528 Kkdnhi32.exe 2768 Kmcjedcg.exe 2720 Kpafapbk.exe 2740 Kgkonj32.exe 2456 Kmegjdad.exe 2112 Kpdcfoph.exe 1612 Keqkofno.exe 1860 Khohkamc.exe 2788 Koipglep.exe 2908 Kechdf32.exe 2036 Kkpqlm32.exe 1912 Kajiigba.exe 2276 Keeeje32.exe 1688 Llomfpag.exe 2552 Lnqjnhge.exe 1676 Legaoehg.exe 2392 Lgingm32.exe 1436 Lopfhk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2412 d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe 2412 d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe 2680 Edaalk32.exe 2680 Edaalk32.exe 2704 Egonhf32.exe 2704 Egonhf32.exe 2880 Emifeqid.exe 2880 Emifeqid.exe 2620 Ephbal32.exe 2620 Ephbal32.exe 2376 Fgfdie32.exe 2376 Fgfdie32.exe 536 Fapeic32.exe 536 Fapeic32.exe 2436 Fleifl32.exe 2436 Fleifl32.exe 2896 Fofbhgde.exe 2896 Fofbhgde.exe 2644 Ggagmjbq.exe 2644 Ggagmjbq.exe 1416 Gkmbmh32.exe 1416 Gkmbmh32.exe 2964 Ggdcbi32.exe 2964 Ggdcbi32.exe 772 Gnphdceh.exe 772 Gnphdceh.exe 1708 Gcmamj32.exe 1708 Gcmamj32.exe 2824 Ggkibhjf.exe 2824 Ggkibhjf.exe 908 Gmhbkohm.exe 908 Gmhbkohm.exe 1844 Hinbppna.exe 1844 Hinbppna.exe 2528 Hohkmj32.exe 2528 Hohkmj32.exe 1248 Hkolakkb.exe 1248 Hkolakkb.exe 2460 Hbidne32.exe 2460 Hbidne32.exe 1448 Hiclkp32.exe 1448 Hiclkp32.exe 1460 Homdhjai.exe 1460 Homdhjai.exe 1204 Hieiqo32.exe 1204 Hieiqo32.exe 1584 Hnbaif32.exe 1584 Hnbaif32.exe 1564 Hgkfal32.exe 1564 Hgkfal32.exe 3020 Ijibng32.exe 3020 Ijibng32.exe 2868 Ifpcchai.exe 2868 Ifpcchai.exe 2856 Imjkpb32.exe 2856 Imjkpb32.exe 2928 Ijnkifgp.exe 2928 Ijnkifgp.exe 2696 Iahceq32.exe 2696 Iahceq32.exe 1712 Icfpbl32.exe 1712 Icfpbl32.exe 2072 Iichjc32.exe 2072 Iichjc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ccnifd32.exe Bnapnm32.exe File opened for modification C:\Windows\SysWOW64\Lalhgogb.exe Lonlkcho.exe File opened for modification C:\Windows\SysWOW64\Oqepgk32.exe Ongckp32.exe File opened for modification C:\Windows\SysWOW64\Npppaejj.exe Process not Found File created C:\Windows\SysWOW64\Jelfdc32.exe Imaapa32.exe File created C:\Windows\SysWOW64\Obobnb32.dll Jajmjcoe.exe File created C:\Windows\SysWOW64\Gdecfn32.dll Acicla32.exe File created C:\Windows\SysWOW64\Ipdbellh.dll Ieponofk.exe File created C:\Windows\SysWOW64\Lnkege32.exe Lljipmdl.exe File created C:\Windows\SysWOW64\Kfnnlboi.exe Kpdeoh32.exe File created C:\Windows\SysWOW64\Doclpb32.dll Fdqiiaih.exe File created C:\Windows\SysWOW64\Bmkedj32.dll Decdmi32.exe File opened for modification C:\Windows\SysWOW64\Befnbd32.exe Bnofaf32.exe File created C:\Windows\SysWOW64\Hdpbking.dll Eifobe32.exe File created C:\Windows\SysWOW64\Lcppgbjd.exe Process not Found File created C:\Windows\SysWOW64\Dniefn32.dll Eemnnn32.exe File created C:\Windows\SysWOW64\Ddbdimmi.dll Cccdjl32.exe File created C:\Windows\SysWOW64\Hgkfkohg.dll Kkalcdao.exe File created C:\Windows\SysWOW64\Ndiomdde.exe Process not Found File created C:\Windows\SysWOW64\Ffcnqe32.dll Ddbmcb32.exe File opened for modification C:\Windows\SysWOW64\Lbjjekhl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lkgifd32.exe Ldmaijdc.exe File created C:\Windows\SysWOW64\Dgklibdj.dll Hhcndhap.exe File created C:\Windows\SysWOW64\Lbjjekhl.exe Process not Found File created C:\Windows\SysWOW64\Qlgndbil.exe Qiiahgjh.exe File opened for modification C:\Windows\SysWOW64\Aicfgn32.exe Aegkfpah.exe File opened for modification C:\Windows\SysWOW64\Koflgf32.exe Khldkllj.exe File created C:\Windows\SysWOW64\Peeabm32.exe Pjpmdd32.exe File opened for modification C:\Windows\SysWOW64\Nfgjml32.exe Ngdjaofc.exe File created C:\Windows\SysWOW64\Njboon32.dll Ifmocb32.exe File opened for modification C:\Windows\SysWOW64\Nqmqcmdh.exe Njchfc32.exe File opened for modification C:\Windows\SysWOW64\Emjjfb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hbghdj32.exe Process not Found File created C:\Windows\SysWOW64\Nmdeem32.dll Lcmklh32.exe File created C:\Windows\SysWOW64\Eddjhb32.exe Dnjalhpp.exe File created C:\Windows\SysWOW64\Ejhoapqd.dll Process not Found File created C:\Windows\SysWOW64\Obfohq32.dll Process not Found File created C:\Windows\SysWOW64\Qldhkc32.exe Qiflohqk.exe File created C:\Windows\SysWOW64\Lhiddoph.exe Lcmklh32.exe File opened for modification C:\Windows\SysWOW64\Fdapcg32.exe Fenphjei.exe File created C:\Windows\SysWOW64\Lclgbcdk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ghmnmo32.exe Process not Found File created C:\Windows\SysWOW64\Qadkkc32.dll Lbgkfbbj.exe File opened for modification C:\Windows\SysWOW64\Ogmkne32.exe Ohjkcile.exe File created C:\Windows\SysWOW64\Pgaahh32.exe Pbdipa32.exe File created C:\Windows\SysWOW64\Bddbjhlp.exe Baefnmml.exe File opened for modification C:\Windows\SysWOW64\Hmpaom32.exe Hnmacpfj.exe File created C:\Windows\SysWOW64\Dfcllk32.dll Hmdkjmip.exe File created C:\Windows\SysWOW64\Ckkenikc.exe Clhecl32.exe File opened for modification C:\Windows\SysWOW64\Mmccqbpm.exe Mdmkoepk.exe File created C:\Windows\SysWOW64\Hmdkjmip.exe Hiioin32.exe File created C:\Windows\SysWOW64\Hjhobagi.dll Dgfmep32.exe File created C:\Windows\SysWOW64\Genlgnhd.exe Goddjc32.exe File created C:\Windows\SysWOW64\Lophacfl.exe Lkelpd32.exe File created C:\Windows\SysWOW64\Bghmmo32.dll Process not Found File created C:\Windows\SysWOW64\Jqhdfe32.exe Process not Found File created C:\Windows\SysWOW64\Efdmgc32.dll Gefmcp32.exe File opened for modification C:\Windows\SysWOW64\Mlgkbi32.exe Mmdkfmjc.exe File created C:\Windows\SysWOW64\Cdamao32.exe Chjmmnnb.exe File opened for modification C:\Windows\SysWOW64\Aompambg.exe Akadpn32.exe File opened for modification C:\Windows\SysWOW64\Fhglop32.exe Fdlpnamm.exe File created C:\Windows\SysWOW64\Jaiqnakp.dll Hkdgecna.exe File created C:\Windows\SysWOW64\Jeaahk32.exe Jaeehmko.exe File created C:\Windows\SysWOW64\Diaalggp.dll Eddjhb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4812 792 Process not Found 1218 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekehomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negeln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldokfakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmmfjip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmnghfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnhkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaclfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpafapbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogliemkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goocenaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkgeehnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbdhepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpjklo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndemg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpacogjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkopndcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkalcdao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollqllod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adipfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghoijebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkibjgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clkicbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokgij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnnlboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjkphjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpdmfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjddgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geloanjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppobaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlpnamm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqjfeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhenjmbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgdmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhlaiccm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknfeege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objjnkie.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmhmmga.dll" Qiiahgjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaqejn32.dll" Flqkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjblg32.dll" Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcnoejch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqapnjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maanab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclmphpn.dll" Clnehado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnlppbbp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlqdp32.dll" Mdadjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbhkmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdhpdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibagdh32.dll" Fapeic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igceej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaloola.dll" Ckecpjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblaaajo.dll" Knfopnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgapag32.dll" Ldahkaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcflko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficfbkij.dll" Ejdfqogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhlmfio.dll" Hkbkpcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhaiccmq.dll" Aaklmhak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaeieh32.dll" Qblfkgqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ildhhm32.dll" Ckeqga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgjgn32.dll" Cbdkbjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghgj32.dll" Eeagimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbofmcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odacbpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qoeamo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piadma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhiddoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oplgeoea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koibpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ainmlomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iogpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aohgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmhgcfd.dll" Fdnlcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfakep32.dll" Ciokijfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejdfqogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmibmhoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jplfkjbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqennbbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnfhqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keeeje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Modlbmmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nphghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeokba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbcien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfdpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehngihn.dll" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofeceb32.dll" Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaakfpk.dll" Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nllbdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmlpoade.dll" Ccmblnif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqngcc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2680 2412 d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe 31 PID 2412 wrote to memory of 2680 2412 d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe 31 PID 2412 wrote to memory of 2680 2412 d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe 31 PID 2412 wrote to memory of 2680 2412 d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe 31 PID 2680 wrote to memory of 2704 2680 Edaalk32.exe 32 PID 2680 wrote to memory of 2704 2680 Edaalk32.exe 32 PID 2680 wrote to memory of 2704 2680 Edaalk32.exe 32 PID 2680 wrote to memory of 2704 2680 Edaalk32.exe 32 PID 2704 wrote to memory of 2880 2704 Egonhf32.exe 33 PID 2704 wrote to memory of 2880 2704 Egonhf32.exe 33 PID 2704 wrote to memory of 2880 2704 Egonhf32.exe 33 PID 2704 wrote to memory of 2880 2704 Egonhf32.exe 33 PID 2880 wrote to memory of 2620 2880 Emifeqid.exe 34 PID 2880 wrote to memory of 2620 2880 Emifeqid.exe 34 PID 2880 wrote to memory of 2620 2880 Emifeqid.exe 34 PID 2880 wrote to memory of 2620 2880 Emifeqid.exe 34 PID 2620 wrote to memory of 2376 2620 Ephbal32.exe 35 PID 2620 wrote to memory of 2376 2620 Ephbal32.exe 35 PID 2620 wrote to memory of 2376 2620 Ephbal32.exe 35 PID 2620 wrote to memory of 2376 2620 Ephbal32.exe 35 PID 2376 wrote to memory of 536 2376 Fgfdie32.exe 36 PID 2376 wrote to memory of 536 2376 Fgfdie32.exe 36 PID 2376 wrote to memory of 536 2376 Fgfdie32.exe 36 PID 2376 wrote to memory of 536 2376 Fgfdie32.exe 36 PID 536 wrote to memory of 2436 536 Fapeic32.exe 37 PID 536 wrote to memory of 2436 536 Fapeic32.exe 37 PID 536 wrote to memory of 2436 536 Fapeic32.exe 37 PID 536 wrote to memory of 2436 536 Fapeic32.exe 37 PID 2436 wrote to memory of 2896 2436 Fleifl32.exe 38 PID 2436 wrote to memory of 2896 2436 Fleifl32.exe 38 PID 2436 wrote to memory of 2896 2436 Fleifl32.exe 38 PID 2436 wrote to memory of 2896 2436 Fleifl32.exe 38 PID 2896 wrote to memory of 2644 2896 Fofbhgde.exe 39 PID 2896 wrote to memory of 2644 2896 Fofbhgde.exe 39 PID 2896 wrote to memory of 2644 2896 Fofbhgde.exe 39 PID 2896 wrote to memory of 2644 2896 Fofbhgde.exe 39 PID 2644 wrote to memory of 1416 2644 Ggagmjbq.exe 40 PID 2644 wrote to memory of 1416 2644 Ggagmjbq.exe 40 PID 2644 wrote to memory of 1416 2644 Ggagmjbq.exe 40 PID 2644 wrote to memory of 1416 2644 Ggagmjbq.exe 40 PID 1416 wrote to memory of 2964 1416 Gkmbmh32.exe 41 PID 1416 wrote to memory of 2964 1416 Gkmbmh32.exe 41 PID 1416 wrote to memory of 2964 1416 Gkmbmh32.exe 41 PID 1416 wrote to memory of 2964 1416 Gkmbmh32.exe 41 PID 2964 wrote to memory of 772 2964 Ggdcbi32.exe 42 PID 2964 wrote to memory of 772 2964 Ggdcbi32.exe 42 PID 2964 wrote to memory of 772 2964 Ggdcbi32.exe 42 PID 2964 wrote to memory of 772 2964 Ggdcbi32.exe 42 PID 772 wrote to memory of 1708 772 Gnphdceh.exe 43 PID 772 wrote to memory of 1708 772 Gnphdceh.exe 43 PID 772 wrote to memory of 1708 772 Gnphdceh.exe 43 PID 772 wrote to memory of 1708 772 Gnphdceh.exe 43 PID 1708 wrote to memory of 2824 1708 Gcmamj32.exe 44 PID 1708 wrote to memory of 2824 1708 Gcmamj32.exe 44 PID 1708 wrote to memory of 2824 1708 Gcmamj32.exe 44 PID 1708 wrote to memory of 2824 1708 Gcmamj32.exe 44 PID 2824 wrote to memory of 908 2824 Ggkibhjf.exe 45 PID 2824 wrote to memory of 908 2824 Ggkibhjf.exe 45 PID 2824 wrote to memory of 908 2824 Ggkibhjf.exe 45 PID 2824 wrote to memory of 908 2824 Ggkibhjf.exe 45 PID 908 wrote to memory of 1844 908 Gmhbkohm.exe 46 PID 908 wrote to memory of 1844 908 Gmhbkohm.exe 46 PID 908 wrote to memory of 1844 908 Gmhbkohm.exe 46 PID 908 wrote to memory of 1844 908 Gmhbkohm.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe"C:\Users\Admin\AppData\Local\Temp\d8a3b84b4ec63d7eb5c37b12c11e99c308cc88dadb03f505724c8f060147270e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe33⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe35⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe36⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe37⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe38⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe39⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe40⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe41⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe42⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe44⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe45⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe46⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe48⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe49⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe51⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe52⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe53⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe54⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe55⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe56⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe57⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe58⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe59⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe61⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe62⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe63⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe64⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Lopfhk32.exeC:\Windows\system32\Lopfhk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe67⤵PID:2736
-
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe69⤵
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe70⤵PID:2772
-
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe71⤵PID:2000
-
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe72⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe73⤵PID:1976
-
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe74⤵PID:2544
-
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe75⤵PID:1836
-
C:\Windows\SysWOW64\Mfeaiime.exeC:\Windows\system32\Mfeaiime.exe76⤵PID:2124
-
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe77⤵PID:2152
-
C:\Windows\SysWOW64\Mloiec32.exeC:\Windows\system32\Mloiec32.exe78⤵PID:2080
-
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe79⤵PID:1644
-
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe80⤵PID:2424
-
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe81⤵PID:764
-
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe82⤵PID:2444
-
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe83⤵PID:2836
-
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe84⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe85⤵PID:2624
-
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe86⤵PID:2616
-
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe87⤵PID:2900
-
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe88⤵PID:2984
-
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe89⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe90⤵PID:296
-
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe91⤵
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe92⤵PID:2184
-
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe93⤵PID:880
-
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe94⤵PID:2464
-
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe95⤵PID:2660
-
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe97⤵PID:2712
-
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe98⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe100⤵PID:2940
-
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe101⤵PID:1924
-
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe102⤵PID:3048
-
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe103⤵PID:2084
-
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe104⤵PID:568
-
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe106⤵PID:1244
-
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe107⤵PID:2472
-
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe108⤵PID:2960
-
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe110⤵PID:2604
-
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe111⤵PID:2228
-
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe113⤵PID:2884
-
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe114⤵PID:1880
-
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe115⤵PID:2176
-
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe116⤵PID:2540
-
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe118⤵PID:2332
-
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe119⤵PID:3028
-
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe120⤵PID:2864
-
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe121⤵PID:2428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-