Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
05-12-2024 04:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe
-
Size
96KB
-
MD5
5d919622dfaa37205234b83cc9d7ed4f
-
SHA1
22f6c12b848567e0690982757eda67949df8aa66
-
SHA256
fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b
-
SHA512
b5b444267ef70c919486cbda1f1ef9679fc05251b3b862d26262397e9bfc7836d4fcf4b5484671c829b8182fba8864f15ac1c0361da81421ec895eac5ff73157
-
SSDEEP
1536:3VRkpg9mz9+mTJPVOkxPbeg2LQ7RZObZUUWaegPYAi:3ne+mPbeRQClUUWae3
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgjodmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anjlebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajcipc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bflbigdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gembhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednbncmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjdopeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcmap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjonncab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhonngce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkompgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeqfhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjoofhgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadjgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbdea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becpap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhbdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogqaehak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclhdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eniclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnipkkdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opaebkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaglmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhpgpebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnjplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdiejfej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkpogmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcpkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdjkogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioilkblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edclib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceeieced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmjfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdmihpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naalga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghhfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edibhmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfoojj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaelanmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldllgiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmjfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmbddgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fidhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hicqmmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfgafadm.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x000300000002080d-4836.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2832 Oebimf32.exe 2940 Olonpp32.exe 2852 Ohendqhd.exe 2720 Oqacic32.exe 2568 Oappcfmb.exe 1484 Ogmhkmki.exe 2052 Pmjqcc32.exe 2772 Pcdipnqn.exe 2540 Pnimnfpc.exe 2992 Pqhijbog.exe 2424 Pjpnbg32.exe 2996 Pmojocel.exe 1308 Pckoam32.exe 2276 Pkfceo32.exe 2492 Qijdocfj.exe 448 Qngmgjeb.exe 1612 Qqeicede.exe 1364 Acfaeq32.exe 1540 Akmjfn32.exe 1744 Amnfnfgg.exe 1708 Agdjkogm.exe 1432 Ajbggjfq.exe 1856 Ackkppma.exe 1600 Afiglkle.exe 2400 Aigchgkh.exe 2936 Ajgpbj32.exe 2928 Amelne32.exe 2212 Acpdko32.exe 1644 Aeqabgoj.exe 2672 Bbdallnd.exe 2728 Blmfea32.exe 2548 Biafnecn.exe 1796 Bjbcfn32.exe 2360 Bhfcpb32.exe 2776 Boplllob.exe 2328 Bejdiffp.exe 3032 Bhhpeafc.exe 1160 Cdoajb32.exe 1244 Cfnmfn32.exe 2268 Cgpjlnhh.exe 2248 Clmbddgp.exe 1140 Cgbfamff.exe 1440 Cpkkjc32.exe 964 Cicpch32.exe 1348 Cejphiik.exe 2288 Dkgippgb.exe 1728 Daqamj32.exe 1772 Dkiefp32.exe 872 Dngabk32.exe 1288 Deojci32.exe 1800 Dgpfkakd.exe 2864 Dnjngk32.exe 2844 Dphjcf32.exe 2696 Dgbcpq32.exe 1388 Djqoll32.exe 264 Dpjgifpa.exe 1700 Dciceaoe.exe 2384 Dlahng32.exe 2096 Ddhpod32.exe 1736 Egglkp32.exe 2084 Ejehgkdp.exe 2156 Epoqde32.exe 1652 Ecnmpa32.exe 1504 Eflill32.exe -
Loads dropped DLL 64 IoCs
pid Process 2876 fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe 2876 fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe 2832 Oebimf32.exe 2832 Oebimf32.exe 2940 Olonpp32.exe 2940 Olonpp32.exe 2852 Ohendqhd.exe 2852 Ohendqhd.exe 2720 Oqacic32.exe 2720 Oqacic32.exe 2568 Oappcfmb.exe 2568 Oappcfmb.exe 1484 Ogmhkmki.exe 1484 Ogmhkmki.exe 2052 Pmjqcc32.exe 2052 Pmjqcc32.exe 2772 Pcdipnqn.exe 2772 Pcdipnqn.exe 2540 Pnimnfpc.exe 2540 Pnimnfpc.exe 2992 Pqhijbog.exe 2992 Pqhijbog.exe 2424 Pjpnbg32.exe 2424 Pjpnbg32.exe 2996 Pmojocel.exe 2996 Pmojocel.exe 1308 Pckoam32.exe 1308 Pckoam32.exe 2276 Pkfceo32.exe 2276 Pkfceo32.exe 2492 Qijdocfj.exe 2492 Qijdocfj.exe 448 Qngmgjeb.exe 448 Qngmgjeb.exe 1612 Qqeicede.exe 1612 Qqeicede.exe 1364 Acfaeq32.exe 1364 Acfaeq32.exe 1540 Akmjfn32.exe 1540 Akmjfn32.exe 1744 Amnfnfgg.exe 1744 Amnfnfgg.exe 1708 Agdjkogm.exe 1708 Agdjkogm.exe 1432 Ajbggjfq.exe 1432 Ajbggjfq.exe 1856 Ackkppma.exe 1856 Ackkppma.exe 1600 Afiglkle.exe 1600 Afiglkle.exe 2400 Aigchgkh.exe 2400 Aigchgkh.exe 2936 Ajgpbj32.exe 2936 Ajgpbj32.exe 2928 Amelne32.exe 2928 Amelne32.exe 2212 Acpdko32.exe 2212 Acpdko32.exe 1644 Aeqabgoj.exe 1644 Aeqabgoj.exe 2672 Bbdallnd.exe 2672 Bbdallnd.exe 2728 Blmfea32.exe 2728 Blmfea32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oippjl32.exe Onfoin32.exe File opened for modification C:\Windows\SysWOW64\Cbdiia32.exe Cnimiblo.exe File created C:\Windows\SysWOW64\Elmnchif.dll Acfaeq32.exe File created C:\Windows\SysWOW64\Ihdjpd32.dll Qdojgmfe.exe File created C:\Windows\SysWOW64\Cpnidcen.dll Ccdmnj32.exe File opened for modification C:\Windows\SysWOW64\Hjcppidk.exe Hblgnkdh.exe File opened for modification C:\Windows\SysWOW64\Lfkeokjp.exe Loqmba32.exe File created C:\Windows\SysWOW64\Liklhmom.exe Lflplbpi.exe File opened for modification C:\Windows\SysWOW64\Gnpflj32.exe Gfhnjm32.exe File opened for modification C:\Windows\SysWOW64\Ccdmnj32.exe Cmjdaqgi.exe File opened for modification C:\Windows\SysWOW64\Idiaii32.exe Ioliqbjn.exe File created C:\Windows\SysWOW64\Dlmkljal.dll Aboaff32.exe File created C:\Windows\SysWOW64\Jgcomkpo.dll Ncfoch32.exe File created C:\Windows\SysWOW64\Ffeganon.dll Pofkha32.exe File opened for modification C:\Windows\SysWOW64\Biafnecn.exe Blmfea32.exe File created C:\Windows\SysWOW64\Cdbhodcb.dll Hfbaql32.exe File created C:\Windows\SysWOW64\Jclnhnji.dll Bjbeofpp.exe File created C:\Windows\SysWOW64\Fkbgckgd.exe Fpmbfbgo.exe File opened for modification C:\Windows\SysWOW64\Fkbdkb32.exe Fidhof32.exe File opened for modification C:\Windows\SysWOW64\Lbcpac32.exe Liklhmom.exe File created C:\Windows\SysWOW64\Niplmn32.dll Mngjeamd.exe File created C:\Windows\SysWOW64\Kaqnpc32.dll Cinafkkd.exe File created C:\Windows\SysWOW64\Ojklfdgh.dll Kceqjhiq.exe File created C:\Windows\SysWOW64\Hdffnl32.dll Ljfogake.exe File created C:\Windows\SysWOW64\Kcnfobob.dll Lhnkffeo.exe File opened for modification C:\Windows\SysWOW64\Mfjann32.exe Mdiefffn.exe File created C:\Windows\SysWOW64\Igcale32.dll Pnalad32.exe File created C:\Windows\SysWOW64\Bimoloog.exe Bfncpcoc.exe File opened for modification C:\Windows\SysWOW64\Bajqfq32.exe Boidnh32.exe File created C:\Windows\SysWOW64\Dlnipf32.dll Nmejllia.exe File created C:\Windows\SysWOW64\Omnipjni.exe Odedge32.exe File created C:\Windows\SysWOW64\Cnmloc32.dll Dkiefp32.exe File opened for modification C:\Windows\SysWOW64\Hnjplo32.exe Hhpgpebh.exe File opened for modification C:\Windows\SysWOW64\Fchijone.exe Eolmip32.exe File created C:\Windows\SysWOW64\Cdoajb32.exe Bhhpeafc.exe File created C:\Windows\SysWOW64\Acnenl32.dll Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Dgoopkgh.exe Dpegcq32.exe File created C:\Windows\SysWOW64\Melifl32.exe Mbnljqic.exe File created C:\Windows\SysWOW64\Njpgpbpf.exe Ncfoch32.exe File created C:\Windows\SysWOW64\Ikmpacaf.dll Eoepnk32.exe File created C:\Windows\SysWOW64\Ffjmmbcg.dll Pmojocel.exe File created C:\Windows\SysWOW64\Mlcpdacl.dll Bjbcfn32.exe File created C:\Windows\SysWOW64\Dkefga32.dll Heakcjcd.exe File created C:\Windows\SysWOW64\Chdkak32.dll Ioakoq32.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Oippjl32.exe File created C:\Windows\SysWOW64\Iplnnd32.exe Imnbbi32.exe File created C:\Windows\SysWOW64\Dgkjaa32.dll Amcbankf.exe File created C:\Windows\SysWOW64\Jlamphei.dll Cpdgbm32.exe File created C:\Windows\SysWOW64\Dnabbkhk.dll Bhhpeafc.exe File created C:\Windows\SysWOW64\Pnopldgn.exe Pgegok32.exe File opened for modification C:\Windows\SysWOW64\Cikbhc32.exe Cadjgf32.exe File created C:\Windows\SysWOW64\Nfdddm32.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Ccjoli32.exe Calcpm32.exe File opened for modification C:\Windows\SysWOW64\Ikefkcmo.exe Idknoi32.exe File created C:\Windows\SysWOW64\Bepejfpc.dll Jjjclobg.exe File opened for modification C:\Windows\SysWOW64\Qdaglmcb.exe Qngopb32.exe File opened for modification C:\Windows\SysWOW64\Lipecm32.exe Lahmbo32.exe File created C:\Windows\SysWOW64\Cedpbd32.exe Chqoipkk.exe File opened for modification C:\Windows\SysWOW64\Imnbbi32.exe Ifdjeoep.exe File created C:\Windows\SysWOW64\Fgadda32.exe Fdbhge32.exe File created C:\Windows\SysWOW64\Lcdfnehp.exe Lmjnak32.exe File created C:\Windows\SysWOW64\Oopijc32.exe Ogiaif32.exe File created C:\Windows\SysWOW64\Pohbak32.dll Mjkgjl32.exe File created C:\Windows\SysWOW64\Pdeqfhjd.exe Pohhna32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7700 7600 WerFault.exe 816 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnbkbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcghof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdjkhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdkjnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmmebm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egahen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckajebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpbdnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemjae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakqgeoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khielcfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmjgcipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkleabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meabakda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkkbmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejehgkdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgncfcaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnpeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghkdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaeegh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkljdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipiljgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoqjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pecgea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doecog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnofjfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkejcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfogake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mamgmofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giiglhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnpecbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkmmodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkegah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmifhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aapemc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locjhqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbfkpfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcpfedki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmamp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbdkk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmbji32.dll" Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hckmla32.dll" Becpap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfebambf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hboddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikekpn32.dll" Olgmcmgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiilami.dll" Oldpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgokokhf.dll" Pdldnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngndfk32.dll" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clpabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhaomoi.dll" Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjfk32.dll" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcdopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afiglkle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldhfkql.dll" Hicqmmfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddnfop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnpbjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfklboi.dll" Mhonngce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqeicede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dchmkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleijpbj.dll" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idppjg32.dll" Dahifbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elkmmodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcckcbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhiei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpdgbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kffldlne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcnbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefejmjq.dll" Phnnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogmcjef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mikjpiim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjgcipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgkc32.dll" Agljom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgmahg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajfhi32.dll" Gkglnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oldpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffcllo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnofjfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljabkeaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll" Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnnbf32.dll" Fqalaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcqombic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qngmgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giahhj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2832 2876 fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe 30 PID 2876 wrote to memory of 2832 2876 fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe 30 PID 2876 wrote to memory of 2832 2876 fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe 30 PID 2876 wrote to memory of 2832 2876 fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe 30 PID 2832 wrote to memory of 2940 2832 Oebimf32.exe 31 PID 2832 wrote to memory of 2940 2832 Oebimf32.exe 31 PID 2832 wrote to memory of 2940 2832 Oebimf32.exe 31 PID 2832 wrote to memory of 2940 2832 Oebimf32.exe 31 PID 2940 wrote to memory of 2852 2940 Olonpp32.exe 32 PID 2940 wrote to memory of 2852 2940 Olonpp32.exe 32 PID 2940 wrote to memory of 2852 2940 Olonpp32.exe 32 PID 2940 wrote to memory of 2852 2940 Olonpp32.exe 32 PID 2852 wrote to memory of 2720 2852 Ohendqhd.exe 33 PID 2852 wrote to memory of 2720 2852 Ohendqhd.exe 33 PID 2852 wrote to memory of 2720 2852 Ohendqhd.exe 33 PID 2852 wrote to memory of 2720 2852 Ohendqhd.exe 33 PID 2720 wrote to memory of 2568 2720 Oqacic32.exe 34 PID 2720 wrote to memory of 2568 2720 Oqacic32.exe 34 PID 2720 wrote to memory of 2568 2720 Oqacic32.exe 34 PID 2720 wrote to memory of 2568 2720 Oqacic32.exe 34 PID 2568 wrote to memory of 1484 2568 Oappcfmb.exe 35 PID 2568 wrote to memory of 1484 2568 Oappcfmb.exe 35 PID 2568 wrote to memory of 1484 2568 Oappcfmb.exe 35 PID 2568 wrote to memory of 1484 2568 Oappcfmb.exe 35 PID 1484 wrote to memory of 2052 1484 Ogmhkmki.exe 36 PID 1484 wrote to memory of 2052 1484 Ogmhkmki.exe 36 PID 1484 wrote to memory of 2052 1484 Ogmhkmki.exe 36 PID 1484 wrote to memory of 2052 1484 Ogmhkmki.exe 36 PID 2052 wrote to memory of 2772 2052 Pmjqcc32.exe 37 PID 2052 wrote to memory of 2772 2052 Pmjqcc32.exe 37 PID 2052 wrote to memory of 2772 2052 Pmjqcc32.exe 37 PID 2052 wrote to memory of 2772 2052 Pmjqcc32.exe 37 PID 2772 wrote to memory of 2540 2772 Pcdipnqn.exe 38 PID 2772 wrote to memory of 2540 2772 Pcdipnqn.exe 38 PID 2772 wrote to memory of 2540 2772 Pcdipnqn.exe 38 PID 2772 wrote to memory of 2540 2772 Pcdipnqn.exe 38 PID 2540 wrote to memory of 2992 2540 Pnimnfpc.exe 39 PID 2540 wrote to memory of 2992 2540 Pnimnfpc.exe 39 PID 2540 wrote to memory of 2992 2540 Pnimnfpc.exe 39 PID 2540 wrote to memory of 2992 2540 Pnimnfpc.exe 39 PID 2992 wrote to memory of 2424 2992 Pqhijbog.exe 40 PID 2992 wrote to memory of 2424 2992 Pqhijbog.exe 40 PID 2992 wrote to memory of 2424 2992 Pqhijbog.exe 40 PID 2992 wrote to memory of 2424 2992 Pqhijbog.exe 40 PID 2424 wrote to memory of 2996 2424 Pjpnbg32.exe 41 PID 2424 wrote to memory of 2996 2424 Pjpnbg32.exe 41 PID 2424 wrote to memory of 2996 2424 Pjpnbg32.exe 41 PID 2424 wrote to memory of 2996 2424 Pjpnbg32.exe 41 PID 2996 wrote to memory of 1308 2996 Pmojocel.exe 42 PID 2996 wrote to memory of 1308 2996 Pmojocel.exe 42 PID 2996 wrote to memory of 1308 2996 Pmojocel.exe 42 PID 2996 wrote to memory of 1308 2996 Pmojocel.exe 42 PID 1308 wrote to memory of 2276 1308 Pckoam32.exe 43 PID 1308 wrote to memory of 2276 1308 Pckoam32.exe 43 PID 1308 wrote to memory of 2276 1308 Pckoam32.exe 43 PID 1308 wrote to memory of 2276 1308 Pckoam32.exe 43 PID 2276 wrote to memory of 2492 2276 Pkfceo32.exe 44 PID 2276 wrote to memory of 2492 2276 Pkfceo32.exe 44 PID 2276 wrote to memory of 2492 2276 Pkfceo32.exe 44 PID 2276 wrote to memory of 2492 2276 Pkfceo32.exe 44 PID 2492 wrote to memory of 448 2492 Qijdocfj.exe 45 PID 2492 wrote to memory of 448 2492 Qijdocfj.exe 45 PID 2492 wrote to memory of 448 2492 Qijdocfj.exe 45 PID 2492 wrote to memory of 448 2492 Qijdocfj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe"C:\Users\Admin\AppData\Local\Temp\fc72ce1bd67b215a10ce12ed16c3a5a00ecd228ef8ec760e98cc7ff3a06ca65b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Pnimnfpc.exeC:\Windows\system32\Pnimnfpc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Pckoam32.exeC:\Windows\system32\Pckoam32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432 -
C:\Windows\SysWOW64\Ackkppma.exeC:\Windows\system32\Ackkppma.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Aeqabgoj.exeC:\Windows\system32\Aeqabgoj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe33⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe35⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe36⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe37⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe39⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe41⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe43⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe44⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe45⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe46⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe47⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe48⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe50⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe51⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe52⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe53⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe54⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe55⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe56⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe57⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe58⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe59⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe60⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe61⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe63⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe64⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe65⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe66⤵PID:2292
-
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe67⤵PID:300
-
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe68⤵PID:2164
-
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe69⤵PID:2576
-
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe70⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe71⤵PID:1584
-
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe72⤵PID:1568
-
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe73⤵PID:2704
-
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe74⤵PID:2496
-
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe75⤵PID:3044
-
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe76⤵PID:904
-
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe78⤵PID:3028
-
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe79⤵PID:2508
-
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe80⤵PID:1428
-
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe81⤵PID:1192
-
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe82⤵PID:1792
-
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe83⤵PID:1132
-
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe84⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe85⤵PID:800
-
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe86⤵PID:2272
-
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe87⤵PID:2396
-
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe89⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe90⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe91⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe92⤵PID:3000
-
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe93⤵PID:2716
-
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe94⤵PID:2880
-
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe95⤵PID:2340
-
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe96⤵PID:1920
-
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe97⤵PID:2436
-
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe98⤵PID:1828
-
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe99⤵PID:1624
-
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:284 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe101⤵PID:1716
-
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe102⤵PID:2684
-
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe103⤵PID:2472
-
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe104⤵PID:2528
-
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe105⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe108⤵PID:3060
-
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe109⤵PID:2280
-
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe113⤵PID:828
-
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe114⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe115⤵PID:2652
-
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe116⤵PID:2952
-
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe117⤵PID:2244
-
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe118⤵PID:2616
-
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe119⤵PID:2584
-
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-