Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-01-2025 22:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3N.exe
-
Size
96KB
-
MD5
536a665014f93175dd212c7c7dcd0860
-
SHA1
3beaf124fd44d25de53137602e3c9f59089dc61d
-
SHA256
86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3
-
SHA512
9b88978ae5dd5062b37d14b3714817749d71ebe7766cc83ab93dccb86e2fc60ae790c7cfb18ceffbef5b5e1d0b25b4abdf14d70a271960f3cebcd666af1701c2
-
SSDEEP
1536:us4onKr08Q6TD4rLdF/O6Pzzr2Lq07RZObZUUWaegPYAG:us/KQUDqLddzzIvClUUWaed
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coadnlnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mablfnne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjkpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haodle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnpofnhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laiipofp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpijpdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnphoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objkmkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljpij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedbahod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfgipd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenbjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdbdcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okedcjcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnodaecc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpejlmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekonpckp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqdblmhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjkjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmidndd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epokedmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqdblmhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjicdmmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boklbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajpbckl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhclmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akblfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdldn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imgicgca.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023f32-2660.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 744 Oiihahme.exe 1208 Olgemcli.exe 4264 Opcqnb32.exe 1820 Oileggkb.exe 5100 Opemca32.exe 2976 Ogpepl32.exe 4288 Ohqbhdpj.exe 3200 Ookjdn32.exe 5092 Pedbahod.exe 2748 Ploknb32.exe 1748 Pcicklnn.exe 2472 Pjbkgfej.exe 4384 Plagcbdn.exe 5096 Pgflqkdd.exe 1124 Pjehmfch.exe 1196 Plcdiabk.exe 528 Poaqemao.exe 1140 Pjgebf32.exe 4240 Podmkm32.exe 3204 Pqcjepfo.exe 1532 Qhonib32.exe 3296 Qqffjo32.exe 3024 Qgpogili.exe 3580 Qhakoa32.exe 2384 Qqhcpo32.exe 1148 Agbkmijg.exe 1404 Ajqgidij.exe 3100 Ahchda32.exe 3960 Aompak32.exe 4804 Ahfdjanb.exe 1280 Aopmfk32.exe 4536 Aggegh32.exe 3832 Ajeadd32.exe 4216 Amcmpodi.exe 796 Acnemi32.exe 548 Ajhniccb.exe 4456 Amfjeobf.exe 5004 Acpbbi32.exe 512 Bqdblmhl.exe 2040 Bgnkhg32.exe 4016 Biogppeg.exe 4472 Bgpgng32.exe 3016 Bjodjb32.exe 3628 Boklbi32.exe 1032 Bfedoc32.exe 544 Bqkill32.exe 1660 Bmbiamhi.exe 1192 Bggnof32.exe 2652 Bihjfnmm.exe 2772 Cpbbch32.exe 1520 Cflkpblf.exe 2236 Cpeohh32.exe 2960 Cjjcfabm.exe 2632 Cadlbk32.exe 2692 Cgndoeag.exe 2648 Cjmpkqqj.exe 4952 Cmklglpn.exe 3884 Cpihcgoa.exe 4736 Cfcqpa32.exe 1052 Cgcmjd32.exe 2444 Dakacjdb.exe 2552 Dfhjkabi.exe 3840 Dpqodfij.exe 3012 Dfjgaq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ljhnlb32.exe Lgibpf32.exe File created C:\Windows\SysWOW64\Jlkidpke.dll Ckebcg32.exe File created C:\Windows\SysWOW64\Ccmbmpbk.dll Oloahhki.exe File created C:\Windows\SysWOW64\Pjdhhc32.dll Pdhbmh32.exe File opened for modification C:\Windows\SysWOW64\Bddjpd32.exe Bebjdgmj.exe File created C:\Windows\SysWOW64\Ipeeobbe.exe Imgicgca.exe File created C:\Windows\SysWOW64\Akqfkp32.exe Adfnofpd.exe File created C:\Windows\SysWOW64\Cfcqpa32.exe Cpihcgoa.exe File created C:\Windows\SysWOW64\Dphefd32.dll Jkjcbe32.exe File opened for modification C:\Windows\SysWOW64\Kqpoakco.exe Kbmoen32.exe File opened for modification C:\Windows\SysWOW64\Bdapehop.exe Process not Found File created C:\Windows\SysWOW64\Qhonib32.exe Pqcjepfo.exe File created C:\Windows\SysWOW64\Ibgpcd32.dll Leenhhdn.exe File opened for modification C:\Windows\SysWOW64\Olanmgig.exe Oeheqm32.exe File created C:\Windows\SysWOW64\Ibepke32.dll Kamjda32.exe File opened for modification C:\Windows\SysWOW64\Pcpnhl32.exe Oikjkc32.exe File created C:\Windows\SysWOW64\Bkkhbb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cmjemflb.exe Cjliajmo.exe File created C:\Windows\SysWOW64\Dcpmen32.exe Dmfeidbe.exe File opened for modification C:\Windows\SysWOW64\Pcjiff32.exe Poomegpf.exe File opened for modification C:\Windows\SysWOW64\Hbenoi32.exe Hpfbcn32.exe File created C:\Windows\SysWOW64\Eeclnmik.dll Lcclncbh.exe File opened for modification C:\Windows\SysWOW64\Ajhniccb.exe Acnemi32.exe File opened for modification C:\Windows\SysWOW64\Ebommi32.exe Eppqqn32.exe File created C:\Windows\SysWOW64\Mgnddp32.dll Cpbjkn32.exe File created C:\Windows\SysWOW64\Dakikoom.exe Dgeenfog.exe File opened for modification C:\Windows\SysWOW64\Bfedoc32.exe Boklbi32.exe File created C:\Windows\SysWOW64\Mapmipen.dll Jjamia32.exe File created C:\Windows\SysWOW64\Bfpfngma.dll Glengm32.exe File created C:\Windows\SysWOW64\Mckdpoji.dll Jklinohd.exe File opened for modification C:\Windows\SysWOW64\Piphgq32.exe Pllgnl32.exe File opened for modification C:\Windows\SysWOW64\Fnipbc32.exe Flkdfh32.exe File created C:\Windows\SysWOW64\Olieecnn.dll Jcdjbk32.exe File created C:\Windows\SysWOW64\Hgeqca32.dll Fbmohmoh.exe File created C:\Windows\SysWOW64\Pencqe32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kjlopc32.exe Kcbfcigf.exe File created C:\Windows\SysWOW64\Ogjembbd.dll Llodgnja.exe File created C:\Windows\SysWOW64\Gbofcghl.exe Gdlfhj32.exe File created C:\Windows\SysWOW64\Nhmofj32.exe Nenbjo32.exe File created C:\Windows\SysWOW64\Ojigdcll.exe Odoogi32.exe File created C:\Windows\SysWOW64\Pdbeojmh.dll Mjodla32.exe File created C:\Windows\SysWOW64\Belqaa32.dll Fjmkoeqi.exe File created C:\Windows\SysWOW64\Aojlaeei.exe Ajndioga.exe File created C:\Windows\SysWOW64\Cjliajmo.exe Ccbadp32.exe File opened for modification C:\Windows\SysWOW64\Ipoheakj.exe Impliekg.exe File created C:\Windows\SysWOW64\Oajgdm32.dll Process not Found File created C:\Windows\SysWOW64\Iqpfjnba.exe Ibmeoq32.exe File created C:\Windows\SysWOW64\Igegpo32.dll Ajdjin32.exe File created C:\Windows\SysWOW64\Lcclncbh.exe Lpepbgbd.exe File opened for modification C:\Windows\SysWOW64\Djegekil.exe Process not Found File opened for modification C:\Windows\SysWOW64\Okedcjcm.exe Oidhlb32.exe File created C:\Windows\SysWOW64\Jimldogg.exe Jbccge32.exe File created C:\Windows\SysWOW64\Fjbhpb32.dll Kgmcce32.exe File created C:\Windows\SysWOW64\Dfnbgc32.exe Dodjjimm.exe File created C:\Windows\SysWOW64\Fldeljei.dll Mhoahh32.exe File opened for modification C:\Windows\SysWOW64\Bpjmph32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fjmfmh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kniieo32.exe Kkjlic32.exe File opened for modification C:\Windows\SysWOW64\Mjlhgaqp.exe Mgnlkfal.exe File created C:\Windows\SysWOW64\Mgphpe32.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Klekfinp.exe Kifojnol.exe File created C:\Windows\SysWOW64\Okgaijaj.exe Oifeab32.exe File created C:\Windows\SysWOW64\Lhlgjo32.dll Process not Found File created C:\Windows\SysWOW64\Onahgf32.dll Adkqoohc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7856 8920 Process not Found 1227 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookjdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glengm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kakmna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqpfjnba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaalblgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakikoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gndick32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjehmfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgopidgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okchnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnjbedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgflqkdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgpogili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiigadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljobpiql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnfbcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higjaoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcali32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbkbpoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjffdalb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbfcigf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcceg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjmdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqdblmhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqegecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napjdpcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinboekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedccfqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgndoeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cclaff32.dll" Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmhabha.dll" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfpfngma.dll" Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjijid32.dll" Nmfcok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioodgbj.dll" Bgnkhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhgiim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glfmgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll" Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gihfoi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijcahd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckilmcgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ommceclc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadeee32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbcjnilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceifibod.dll" Qikgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkgpbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqdpgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajhniccb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnadagbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeqca32.dll" Fbmohmoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empmffib.dll" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbojlfdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqhcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnklbmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmmnd32.dll" Llcghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabjq32.dll" Gfjkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogcnmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plcdiabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll" Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nckkfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logooemi.dll" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkqgckn.dll" Ljnlecmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqindg32.dll" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hienlpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggnjnq32.dll" Efkphnbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll" Joekag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cihclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Embddb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1296 wrote to memory of 744 1296 86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3N.exe 83 PID 1296 wrote to memory of 744 1296 86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3N.exe 83 PID 1296 wrote to memory of 744 1296 86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3N.exe 83 PID 744 wrote to memory of 1208 744 Oiihahme.exe 84 PID 744 wrote to memory of 1208 744 Oiihahme.exe 84 PID 744 wrote to memory of 1208 744 Oiihahme.exe 84 PID 1208 wrote to memory of 4264 1208 Olgemcli.exe 85 PID 1208 wrote to memory of 4264 1208 Olgemcli.exe 85 PID 1208 wrote to memory of 4264 1208 Olgemcli.exe 85 PID 4264 wrote to memory of 1820 4264 Opcqnb32.exe 86 PID 4264 wrote to memory of 1820 4264 Opcqnb32.exe 86 PID 4264 wrote to memory of 1820 4264 Opcqnb32.exe 86 PID 1820 wrote to memory of 5100 1820 Oileggkb.exe 87 PID 1820 wrote to memory of 5100 1820 Oileggkb.exe 87 PID 1820 wrote to memory of 5100 1820 Oileggkb.exe 87 PID 5100 wrote to memory of 2976 5100 Opemca32.exe 88 PID 5100 wrote to memory of 2976 5100 Opemca32.exe 88 PID 5100 wrote to memory of 2976 5100 Opemca32.exe 88 PID 2976 wrote to memory of 4288 2976 Ogpepl32.exe 89 PID 2976 wrote to memory of 4288 2976 Ogpepl32.exe 89 PID 2976 wrote to memory of 4288 2976 Ogpepl32.exe 89 PID 4288 wrote to memory of 3200 4288 Ohqbhdpj.exe 90 PID 4288 wrote to memory of 3200 4288 Ohqbhdpj.exe 90 PID 4288 wrote to memory of 3200 4288 Ohqbhdpj.exe 90 PID 3200 wrote to memory of 5092 3200 Ookjdn32.exe 91 PID 3200 wrote to memory of 5092 3200 Ookjdn32.exe 91 PID 3200 wrote to memory of 5092 3200 Ookjdn32.exe 91 PID 5092 wrote to memory of 2748 5092 Pedbahod.exe 92 PID 5092 wrote to memory of 2748 5092 Pedbahod.exe 92 PID 5092 wrote to memory of 2748 5092 Pedbahod.exe 92 PID 2748 wrote to memory of 1748 2748 Ploknb32.exe 93 PID 2748 wrote to memory of 1748 2748 Ploknb32.exe 93 PID 2748 wrote to memory of 1748 2748 Ploknb32.exe 93 PID 1748 wrote to memory of 2472 1748 Pcicklnn.exe 94 PID 1748 wrote to memory of 2472 1748 Pcicklnn.exe 94 PID 1748 wrote to memory of 2472 1748 Pcicklnn.exe 94 PID 2472 wrote to memory of 4384 2472 Pjbkgfej.exe 95 PID 2472 wrote to memory of 4384 2472 Pjbkgfej.exe 95 PID 2472 wrote to memory of 4384 2472 Pjbkgfej.exe 95 PID 4384 wrote to memory of 5096 4384 Plagcbdn.exe 96 PID 4384 wrote to memory of 5096 4384 Plagcbdn.exe 96 PID 4384 wrote to memory of 5096 4384 Plagcbdn.exe 96 PID 5096 wrote to memory of 1124 5096 Pgflqkdd.exe 97 PID 5096 wrote to memory of 1124 5096 Pgflqkdd.exe 97 PID 5096 wrote to memory of 1124 5096 Pgflqkdd.exe 97 PID 1124 wrote to memory of 1196 1124 Pjehmfch.exe 98 PID 1124 wrote to memory of 1196 1124 Pjehmfch.exe 98 PID 1124 wrote to memory of 1196 1124 Pjehmfch.exe 98 PID 1196 wrote to memory of 528 1196 Plcdiabk.exe 99 PID 1196 wrote to memory of 528 1196 Plcdiabk.exe 99 PID 1196 wrote to memory of 528 1196 Plcdiabk.exe 99 PID 528 wrote to memory of 1140 528 Poaqemao.exe 100 PID 528 wrote to memory of 1140 528 Poaqemao.exe 100 PID 528 wrote to memory of 1140 528 Poaqemao.exe 100 PID 1140 wrote to memory of 4240 1140 Pjgebf32.exe 101 PID 1140 wrote to memory of 4240 1140 Pjgebf32.exe 101 PID 1140 wrote to memory of 4240 1140 Pjgebf32.exe 101 PID 4240 wrote to memory of 3204 4240 Podmkm32.exe 102 PID 4240 wrote to memory of 3204 4240 Podmkm32.exe 102 PID 4240 wrote to memory of 3204 4240 Podmkm32.exe 102 PID 3204 wrote to memory of 1532 3204 Pqcjepfo.exe 103 PID 3204 wrote to memory of 1532 3204 Pqcjepfo.exe 103 PID 3204 wrote to memory of 1532 3204 Pqcjepfo.exe 103 PID 1532 wrote to memory of 3296 1532 Qhonib32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3N.exe"C:\Users\Admin\AppData\Local\Temp\86f777ec1d377f53328b4cc4800a9007c2c1cb8e3a4006ef9b512908825dd8d3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe23⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe25⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe27⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe28⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe29⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe30⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe31⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe32⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe33⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe34⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe35⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe38⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe39⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:512 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe42⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe43⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe44⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3628 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe46⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe47⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe48⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe49⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe50⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe51⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe52⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe53⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe54⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe55⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe57⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe58⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3884 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe60⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe61⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe62⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe63⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe64⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe65⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe66⤵PID:4036
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe67⤵PID:3048
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe68⤵PID:3160
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe69⤵PID:3264
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe70⤵PID:1524
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe71⤵PID:2164
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe72⤵PID:4004
-
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe73⤵PID:1580
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe74⤵PID:1056
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe75⤵PID:3904
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe76⤵PID:4560
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe77⤵PID:3760
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe79⤵PID:4064
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe80⤵PID:4464
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe81⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe82⤵PID:3000
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe83⤵PID:2760
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe84⤵PID:2944
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe85⤵PID:852
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe86⤵PID:4488
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:912 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe88⤵PID:2036
-
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe89⤵PID:2104
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe90⤵PID:4688
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe91⤵PID:440
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe92⤵PID:4660
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe93⤵PID:4740
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe94⤵PID:3176
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe95⤵PID:1672
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe96⤵PID:3572
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe97⤵PID:396
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe98⤵PID:1332
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe99⤵PID:3544
-
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe100⤵PID:2776
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe101⤵PID:216
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe102⤵PID:5112
-
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe103⤵PID:940
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe104⤵PID:4916
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe105⤵PID:5000
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe106⤵
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe107⤵PID:996
-
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe108⤵PID:4652
-
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe109⤵PID:1716
-
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe110⤵PID:2908
-
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe111⤵PID:3168
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe112⤵PID:1428
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3740 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe115⤵PID:1400
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe116⤵PID:5140
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe117⤵PID:5184
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe118⤵PID:5232
-
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe119⤵PID:5276
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe120⤵PID:5320
-
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe121⤵PID:5364
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-