Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 00:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811.exe
-
Size
2.3MB
-
MD5
aa28b98471e5ae1f2cd9cc6d7c575c24
-
SHA1
1a9fd21c102a0a5512d52d27912eacb5f59e80ce
-
SHA256
8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811
-
SHA512
6d3f4bd322f7b882fbd9a0a884e7e4aa0d0807ea615cf0d860a3bcf9ea3ee849fe85730a349be36d704788e1728d886b9f4f5b5741deca5eb1fa9bea943a6a22
-
SSDEEP
3072:4YI7082vl+Z0I/I0Q5OPIN+/cuTQ2TgRX7Jg3A9z:4Xovl+ZVgp54tRo7KA9z
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbefdijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpkadnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpdhboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngjff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooqqdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahdob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcapicdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbiamhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqmmmmph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkfkmmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcaipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlljnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ockdmmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgklmacf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknnoofg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hninbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iickkbje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Podmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqmlknnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahpfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affikdfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjamia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiknlagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohkokgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogkmgba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iickkbje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdafnpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objpoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhphmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkidm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgldfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcadhgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofecami.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpdfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihpcinld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affikdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pblajhje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnbqnjn.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3556 Gaogak32.exe 3328 Gochjpho.exe 4076 Ghbbcd32.exe 3780 Hghoeqmp.exe 4920 Hbmcbime.exe 904 Hbpphi32.exe 3640 Hkhdqoac.exe 436 Hbbmmi32.exe 4068 Hgoeep32.exe 2264 Hninbj32.exe 1532 Hfpecg32.exe 1908 Hgabkoee.exe 4440 Iohjlmeg.exe 3624 Ifbbig32.exe 4968 Igcoqocb.exe 4192 Iokgal32.exe 544 Ifdonfka.exe 4820 Iickkbje.exe 4760 Iomcgl32.exe 3348 Ifgldfio.exe 2588 Ighhln32.exe 3608 Inbqhhfj.exe 2584 Ieliebnf.exe 4136 Indmnh32.exe 2504 Ifleoe32.exe 2736 Igmagnkg.exe 1860 Jngjch32.exe 1584 Jfnbdecg.exe 620 Jgonlm32.exe 100 Jnifigpa.exe 1624 Jecofa32.exe 3036 Jgakbm32.exe 1924 Jnkcogno.exe 4328 Jeekkafl.exe 4652 Jgdhgmep.exe 4456 Jnnpdg32.exe 1928 Jehhaaci.exe 912 Jgfdmlcm.exe 2776 Jnpmjf32.exe 1560 Jejefqaf.exe 1632 Kldmckic.exe 992 Kbnepe32.exe 648 Kelalp32.exe 3472 Kpbfii32.exe 856 Kflnfcgg.exe 1228 Khmknk32.exe 1840 Kngcje32.exe 2904 Keakgpko.exe 800 Klkcdj32.exe 2012 Kbekqdjh.exe 1724 Kiodmn32.exe 4776 Kpiljh32.exe 1768 Kfcdfbqo.exe 2328 Lhdqnj32.exe 3676 Lnnikdnj.exe 2032 Lehaho32.exe 3080 Llbidimc.exe 372 Lblaabdp.exe 2076 Lifjnm32.exe 208 Lppbkgcj.exe 3972 Lemkcnaa.exe 4684 Llgcph32.exe 528 Lbqklb32.exe 396 Likcilhh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jgakbm32.exe Jecofa32.exe File opened for modification C:\Windows\SysWOW64\Kldmckic.exe Jejefqaf.exe File opened for modification C:\Windows\SysWOW64\Kenggi32.exe Kbpkkn32.exe File opened for modification C:\Windows\SysWOW64\Acokhc32.exe Akhcfe32.exe File created C:\Windows\SysWOW64\Djqblj32.exe Ciafbg32.exe File opened for modification C:\Windows\SysWOW64\Qacameaj.exe Qfmmplad.exe File opened for modification C:\Windows\SysWOW64\Cgklmacf.exe Cpacqg32.exe File created C:\Windows\SysWOW64\Nnfgcd32.exe Nlhkgi32.exe File created C:\Windows\SysWOW64\Ojgjndno.exe Odmbaj32.exe File created C:\Windows\SysWOW64\Pmoiqneg.exe Pmlmkn32.exe File opened for modification C:\Windows\SysWOW64\Dngjff32.exe Dflfac32.exe File created C:\Windows\SysWOW64\Oidofh32.exe Ncjginjn.exe File created C:\Windows\SysWOW64\Maeachag.exe Ljkifn32.exe File created C:\Windows\SysWOW64\Pjajmpkj.dll Iggjga32.exe File created C:\Windows\SysWOW64\Lmpkadnm.exe Lddgmbpb.exe File created C:\Windows\SysWOW64\Abklmb32.dll Cofnik32.exe File created C:\Windows\SysWOW64\Ojcpdg32.exe Ocihgnam.exe File created C:\Windows\SysWOW64\Fegbnohh.dll Llcghg32.exe File opened for modification C:\Windows\SysWOW64\Hdkidohn.exe Hhdhon32.exe File created C:\Windows\SysWOW64\Jdedak32.exe Jnkldqkc.exe File opened for modification C:\Windows\SysWOW64\Lndham32.exe Lnbklm32.exe File created C:\Windows\SysWOW64\Dngjff32.exe Dflfac32.exe File created C:\Windows\SysWOW64\Fknajfhe.dll Fimhjl32.exe File created C:\Windows\SysWOW64\Jiglnf32.exe Jcmdaljn.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Keimof32.exe File opened for modification C:\Windows\SysWOW64\Aadghn32.exe Apeknk32.exe File created C:\Windows\SysWOW64\Ampaho32.exe Affikdfn.exe File created C:\Windows\SysWOW64\Dkfadkgf.exe Digehphc.exe File opened for modification C:\Windows\SysWOW64\Mplafeil.exe Mibijk32.exe File created C:\Windows\SysWOW64\Niipjj32.exe Mbognp32.exe File created C:\Windows\SysWOW64\Kkbllbmg.dll Pcicklnn.exe File created C:\Windows\SysWOW64\Olojcl32.dll Lnpofnhk.exe File created C:\Windows\SysWOW64\Lbbfpo32.dll Akhcfe32.exe File opened for modification C:\Windows\SysWOW64\Jlhljhbg.exe Jkgpbp32.exe File opened for modification C:\Windows\SysWOW64\Paoollik.exe Plbfdekd.exe File opened for modification C:\Windows\SysWOW64\Ocihgnam.exe Oiccje32.exe File opened for modification C:\Windows\SysWOW64\Kkpbin32.exe Jcikgacl.exe File created C:\Windows\SysWOW64\Cajdjn32.dll Knqepc32.exe File opened for modification C:\Windows\SysWOW64\Nclbpf32.exe Mjcngpjh.exe File opened for modification C:\Windows\SysWOW64\Dgjoif32.exe Dnajppda.exe File created C:\Windows\SysWOW64\Ebkbbmqj.exe Ekajec32.exe File opened for modification C:\Windows\SysWOW64\Ihphkl32.exe Injcmc32.exe File created C:\Windows\SysWOW64\Nbefdijg.exe Nafjjf32.exe File created C:\Windows\SysWOW64\Npgmpf32.exe Nnfpinmi.exe File opened for modification C:\Windows\SysWOW64\Feqeog32.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Hmafal32.dll Bkkhbb32.exe File created C:\Windows\SysWOW64\Lehaho32.exe Lnnikdnj.exe File opened for modification C:\Windows\SysWOW64\Kqnbkl32.exe Jkaicd32.exe File created C:\Windows\SysWOW64\Kkmioc32.exe Kjmmepfj.exe File opened for modification C:\Windows\SysWOW64\Ojgjndno.exe Odmbaj32.exe File created C:\Windows\SysWOW64\Ipgijcij.dll Loighj32.exe File created C:\Windows\SysWOW64\Lgbloglj.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Eiacog32.dll Jifecp32.exe File created C:\Windows\SysWOW64\Egkddo32.exe Ddmhhd32.exe File created C:\Windows\SysWOW64\Dhlbgmif.dll Pmmlla32.exe File opened for modification C:\Windows\SysWOW64\Jkjcbe32.exe Jdpkflfe.exe File opened for modification C:\Windows\SysWOW64\Kclgmq32.exe Kqmkae32.exe File created C:\Windows\SysWOW64\Fechok32.dll Oacoqnci.exe File created C:\Windows\SysWOW64\Jdobpkmb.dll Qhkdof32.exe File created C:\Windows\SysWOW64\Klfaapbl.exe Kjgeedch.exe File created C:\Windows\SysWOW64\Mmkdcm32.exe Mogcihaj.exe File created C:\Windows\SysWOW64\Anjcohke.dll Jbepme32.exe File created C:\Windows\SysWOW64\Bdbbme32.dll Bpjmph32.exe File created C:\Windows\SysWOW64\Aplaoj32.exe Ajohfcpj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8088 6260 WerFault.exe 855 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jejefqaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooagno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leenhhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngomin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lacdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckkca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmndpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqnbjfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmdkcnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaceghcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmenca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijqcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlcahgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfcia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpecbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohkokgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moaogand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqodfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pibdmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahjgjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnqgqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcibca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqlefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoabad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flinkojm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbbig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diicml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edemkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekpkigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokbgpeg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbcncibp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcblj32.dll" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Banjnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpljehpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll" Lfgipd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbqklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pchlpfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akejpg32.dll" Jgakbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngjff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abhemohm.dll" Kckqbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnekbm32.dll" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjmkoeqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Gpnmbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mleoafmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphphj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqoloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klkcdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccfqqkf.dll" Boflmdkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgllff32.dll" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmeddp32.dll" Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdhdlin.dll" Egohdegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpiljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmmkl32.dll" Mlnipg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpefo32.dll" Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hghoeqmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdfdmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohkokgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgffoo32.dll" Ieidhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndfnlpc.dll" Ojcpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhofmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmbheilp.dll" Legjmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbfdekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgjoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll" Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll" Nijqcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbkqfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mljmhflh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lifjnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmiag32.dll" Oekiqccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahkdgl32.dll" Dkedonpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhagaamj.dll" Kngcje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll" Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaedkn32.dll" Lndham32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmepam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaodc32.dll" Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llcghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbiamhi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4712 wrote to memory of 3556 4712 8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811.exe 83 PID 4712 wrote to memory of 3556 4712 8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811.exe 83 PID 4712 wrote to memory of 3556 4712 8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811.exe 83 PID 3556 wrote to memory of 3328 3556 Gaogak32.exe 84 PID 3556 wrote to memory of 3328 3556 Gaogak32.exe 84 PID 3556 wrote to memory of 3328 3556 Gaogak32.exe 84 PID 3328 wrote to memory of 4076 3328 Gochjpho.exe 85 PID 3328 wrote to memory of 4076 3328 Gochjpho.exe 85 PID 3328 wrote to memory of 4076 3328 Gochjpho.exe 85 PID 4076 wrote to memory of 3780 4076 Ghbbcd32.exe 86 PID 4076 wrote to memory of 3780 4076 Ghbbcd32.exe 86 PID 4076 wrote to memory of 3780 4076 Ghbbcd32.exe 86 PID 3780 wrote to memory of 4920 3780 Hghoeqmp.exe 87 PID 3780 wrote to memory of 4920 3780 Hghoeqmp.exe 87 PID 3780 wrote to memory of 4920 3780 Hghoeqmp.exe 87 PID 4920 wrote to memory of 904 4920 Hbmcbime.exe 88 PID 4920 wrote to memory of 904 4920 Hbmcbime.exe 88 PID 4920 wrote to memory of 904 4920 Hbmcbime.exe 88 PID 904 wrote to memory of 3640 904 Hbpphi32.exe 89 PID 904 wrote to memory of 3640 904 Hbpphi32.exe 89 PID 904 wrote to memory of 3640 904 Hbpphi32.exe 89 PID 3640 wrote to memory of 436 3640 Hkhdqoac.exe 90 PID 3640 wrote to memory of 436 3640 Hkhdqoac.exe 90 PID 3640 wrote to memory of 436 3640 Hkhdqoac.exe 90 PID 436 wrote to memory of 4068 436 Hbbmmi32.exe 91 PID 436 wrote to memory of 4068 436 Hbbmmi32.exe 91 PID 436 wrote to memory of 4068 436 Hbbmmi32.exe 91 PID 4068 wrote to memory of 2264 4068 Hgoeep32.exe 92 PID 4068 wrote to memory of 2264 4068 Hgoeep32.exe 92 PID 4068 wrote to memory of 2264 4068 Hgoeep32.exe 92 PID 2264 wrote to memory of 1532 2264 Hninbj32.exe 93 PID 2264 wrote to memory of 1532 2264 Hninbj32.exe 93 PID 2264 wrote to memory of 1532 2264 Hninbj32.exe 93 PID 1532 wrote to memory of 1908 1532 Hfpecg32.exe 94 PID 1532 wrote to memory of 1908 1532 Hfpecg32.exe 94 PID 1532 wrote to memory of 1908 1532 Hfpecg32.exe 94 PID 1908 wrote to memory of 4440 1908 Hgabkoee.exe 95 PID 1908 wrote to memory of 4440 1908 Hgabkoee.exe 95 PID 1908 wrote to memory of 4440 1908 Hgabkoee.exe 95 PID 4440 wrote to memory of 3624 4440 Iohjlmeg.exe 96 PID 4440 wrote to memory of 3624 4440 Iohjlmeg.exe 96 PID 4440 wrote to memory of 3624 4440 Iohjlmeg.exe 96 PID 3624 wrote to memory of 4968 3624 Ifbbig32.exe 97 PID 3624 wrote to memory of 4968 3624 Ifbbig32.exe 97 PID 3624 wrote to memory of 4968 3624 Ifbbig32.exe 97 PID 4968 wrote to memory of 4192 4968 Igcoqocb.exe 98 PID 4968 wrote to memory of 4192 4968 Igcoqocb.exe 98 PID 4968 wrote to memory of 4192 4968 Igcoqocb.exe 98 PID 4192 wrote to memory of 544 4192 Iokgal32.exe 99 PID 4192 wrote to memory of 544 4192 Iokgal32.exe 99 PID 4192 wrote to memory of 544 4192 Iokgal32.exe 99 PID 544 wrote to memory of 4820 544 Ifdonfka.exe 100 PID 544 wrote to memory of 4820 544 Ifdonfka.exe 100 PID 544 wrote to memory of 4820 544 Ifdonfka.exe 100 PID 4820 wrote to memory of 4760 4820 Iickkbje.exe 101 PID 4820 wrote to memory of 4760 4820 Iickkbje.exe 101 PID 4820 wrote to memory of 4760 4820 Iickkbje.exe 101 PID 4760 wrote to memory of 3348 4760 Iomcgl32.exe 102 PID 4760 wrote to memory of 3348 4760 Iomcgl32.exe 102 PID 4760 wrote to memory of 3348 4760 Iomcgl32.exe 102 PID 3348 wrote to memory of 2588 3348 Ifgldfio.exe 103 PID 3348 wrote to memory of 2588 3348 Ifgldfio.exe 103 PID 3348 wrote to memory of 2588 3348 Ifgldfio.exe 103 PID 2588 wrote to memory of 3608 2588 Ighhln32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811.exe"C:\Users\Admin\AppData\Local\Temp\8dc5acb6fb6de70a47bc1957ecf6501cd68d7bd818e3e5df2ed1a1c019e7c811.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe23⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe24⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe25⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe26⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe27⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe28⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe29⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe30⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe31⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe34⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe35⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe36⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe37⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe38⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe39⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe40⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe42⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe43⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe44⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe45⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe46⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe47⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe49⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe51⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe52⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe54⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe55⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3676 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe57⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe58⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe59⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe61⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe62⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe63⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe65⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe66⤵PID:408
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe67⤵PID:2968
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe68⤵PID:4816
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe69⤵PID:368
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe70⤵PID:1416
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe71⤵
- Modifies registry class
PID:3160 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe72⤵PID:1344
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe73⤵
- Drops file in System32 directory
PID:3908 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe74⤵PID:3636
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe75⤵PID:3240
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe76⤵PID:3208
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe77⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe78⤵PID:4492
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe79⤵
- Modifies registry class
PID:60 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe80⤵
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe81⤵PID:5196
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe82⤵PID:5240
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe83⤵PID:5280
-
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe84⤵PID:5324
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe85⤵
- System Location Discovery: System Language Discovery
PID:5368 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe86⤵PID:5412
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe87⤵PID:5456
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe88⤵PID:5500
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe89⤵PID:5540
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe90⤵
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe91⤵PID:5624
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe92⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe93⤵PID:5704
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe94⤵
- System Location Discovery: System Language Discovery
PID:5744 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe95⤵
- System Location Discovery: System Language Discovery
PID:5784 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe96⤵PID:5824
-
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe97⤵PID:5864
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe98⤵PID:5904
-
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe99⤵PID:5944
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe100⤵PID:5984
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe101⤵PID:6024
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe102⤵PID:6064
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe103⤵PID:6104
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe104⤵PID:4312
-
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe105⤵PID:3104
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe106⤵PID:1440
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe107⤵PID:3420
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe108⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5232 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe110⤵PID:5288
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe111⤵PID:5396
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe112⤵PID:5452
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe113⤵PID:2720
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1280 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe115⤵PID:4928
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe116⤵PID:1108
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe117⤵PID:5768
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe118⤵PID:5812
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe119⤵PID:5860
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe121⤵PID:3984
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-