Analysis
-
max time kernel
93s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 01:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0fN.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0fN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0fN.exe
-
Size
400KB
-
MD5
b4e9dc511d100a949a7c349eb44f92d0
-
SHA1
1e601a3ce20ae76fad4ba07bab0a53f86d32fdb0
-
SHA256
c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0f
-
SHA512
6d5590689b039c24f76e170618a6db8893ac5003ff842eab9e86829494b8dadf359e94ba7a824d55e8c6d17ea1a3ed8d13d95e7b6f7f133490b7c90a9811d650
-
SSDEEP
6144:KwD3vZJ4AMFieVodLAY/Xr4Br3CbArLAZ26RQ8sY6CbArLAY/9bPk6CbN:OceKRrgryg426RQagrkp
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cceddf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkknogn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllbaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdjgha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhahaiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qadoba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmobchj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnfjbdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmoen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiloco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnomg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdciiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogkmgba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcjep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpjjac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhglj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpdfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpdoqgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjibj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opnbae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diffglam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnpofnhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbngllob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdohp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhldpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhahaiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdnid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkchelci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akffafgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffaong32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmdme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccqkigkp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 5104 Mlpeff32.exe 4296 Moobbb32.exe 2736 Mlbbkfoq.exe 456 Moaogand.exe 1676 Mockmala.exe 5060 Mfjcnold.exe 4808 Neppokal.exe 4024 Nohehq32.exe 1976 Nbcqiope.exe 2184 Nojanpej.exe 1916 Nlnbgddc.exe 5096 Nlqomd32.exe 244 Oeicejia.exe 2444 Ooagno32.exe 2768 Oigllh32.exe 2236 Ocopdn32.exe 4496 Ocamjm32.exe 4840 Oljaccjf.exe 2180 Ojnblg32.exe 3084 Pjpobg32.exe 3264 Plagcbdn.exe 4580 Pfillg32.exe 4464 Pcmlfl32.exe 664 Pleaoa32.exe 4428 Pfnegggi.exe 4732 Qcbfakec.exe 3928 Qoifflkg.exe 4148 Qhakoa32.exe 988 Ajqgidij.exe 3864 Acilajpk.exe 4912 Aqmlknnd.exe 3168 Ackigjmh.exe 3380 Aqoiqn32.exe 3672 Aijnep32.exe 2904 Acpbbi32.exe 4708 Ajjjocap.exe 3572 Bogcgj32.exe 2748 Bgnkhg32.exe 4136 Bjlgdc32.exe 4332 Bcelmhen.exe 4356 Bjodjb32.exe 2896 Bcghch32.exe 1608 Bjaqpbkh.exe 4836 Bpnihiio.exe 4144 Bjcmebie.exe 3020 Bmbiamhi.exe 4980 Bppfmigl.exe 2960 Bfjnjcni.exe 4508 Ccnncgmc.exe 1328 Cikglnkj.exe 4068 Ccqkigkp.exe 1812 Cfogeb32.exe 3916 Cmipblaq.exe 1264 Cfadkb32.exe 2708 Caghhk32.exe 4172 Cceddf32.exe 1524 Cfcqpa32.exe 3088 Caienjfd.exe 4596 Cjaifp32.exe 5088 Dcjnoece.exe 4712 Dgejpd32.exe 3716 Diffglam.exe 4484 Dclkee32.exe 3112 Djfcaohp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kdkdgchl.exe Knalji32.exe File opened for modification C:\Windows\SysWOW64\Mnmdme32.exe Mgclpkac.exe File created C:\Windows\SysWOW64\Njmhhefi.exe Nhokljge.exe File created C:\Windows\SysWOW64\Bakgoh32.exe Bomkcm32.exe File created C:\Windows\SysWOW64\Jhgcicoj.dll Pleaoa32.exe File opened for modification C:\Windows\SysWOW64\Oohgdhfn.exe Oeoblb32.exe File opened for modification C:\Windows\SysWOW64\Pkadoiip.exe Phbhcmjl.exe File opened for modification C:\Windows\SysWOW64\Gdaociml.exe Gljgbllj.exe File created C:\Windows\SysWOW64\Ekoglqie.dll Klfaapbl.exe File opened for modification C:\Windows\SysWOW64\Boenhgdd.exe Bkibgh32.exe File opened for modification C:\Windows\SysWOW64\Cfogeb32.exe Ccqkigkp.exe File created C:\Windows\SysWOW64\Qlimed32.exe Qdbdcg32.exe File opened for modification C:\Windows\SysWOW64\Bafndi32.exe Bohbhmfm.exe File opened for modification C:\Windows\SysWOW64\Fmhdkknd.exe Fbbpmb32.exe File created C:\Windows\SysWOW64\Hginecde.exe Hpofii32.exe File opened for modification C:\Windows\SysWOW64\Iloidijb.exe Ijqmhnko.exe File created C:\Windows\SysWOW64\Dfjehbcf.dll Iikmbh32.exe File created C:\Windows\SysWOW64\Mfjcnold.exe Mockmala.exe File created C:\Windows\SysWOW64\Bbiaci32.dll Aijnep32.exe File opened for modification C:\Windows\SysWOW64\Djfcaohp.exe Dclkee32.exe File created C:\Windows\SysWOW64\Oidhlb32.exe Objpoh32.exe File opened for modification C:\Windows\SysWOW64\Facqkg32.exe Fkihnmhj.exe File created C:\Windows\SysWOW64\Hplicjok.exe Hibafp32.exe File created C:\Windows\SysWOW64\Gbnoiqdq.exe Gldglf32.exe File created C:\Windows\SysWOW64\Hnlonj32.dll Jkjcbe32.exe File created C:\Windows\SysWOW64\Qfglbe32.dll Lqndhcdc.exe File created C:\Windows\SysWOW64\Jgjhee32.dll Nlcalieg.exe File created C:\Windows\SysWOW64\Cajdjn32.dll Knqepc32.exe File created C:\Windows\SysWOW64\Ackigjmh.exe Aqmlknnd.exe File created C:\Windows\SysWOW64\Bfbaonae.exe Bohibc32.exe File created C:\Windows\SysWOW64\Djjebh32.exe Dfoiaj32.exe File created C:\Windows\SysWOW64\Nbnimm32.dll Kdmqmc32.exe File created C:\Windows\SysWOW64\Njjdho32.exe Nglhld32.exe File created C:\Windows\SysWOW64\Lbmoin32.dll Hdilnojp.exe File opened for modification C:\Windows\SysWOW64\Pidabppl.exe Pcjiff32.exe File opened for modification C:\Windows\SysWOW64\Njfagf32.exe Nlcalieg.exe File opened for modification C:\Windows\SysWOW64\Paoollik.exe Pkegpb32.exe File opened for modification C:\Windows\SysWOW64\Jklphekp.exe Jqglkmlj.exe File opened for modification C:\Windows\SysWOW64\Lnpofnhk.exe Lgffic32.exe File opened for modification C:\Windows\SysWOW64\Pcjiff32.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Iefgbh32.exe Ibhkfm32.exe File opened for modification C:\Windows\SysWOW64\Oblmdhdo.exe Ohghgodi.exe File created C:\Windows\SysWOW64\Gmnala32.dll Pahilmoc.exe File created C:\Windows\SysWOW64\Bgemej32.dll Nglhld32.exe File created C:\Windows\SysWOW64\Pghien32.dll Cglbhhga.exe File opened for modification C:\Windows\SysWOW64\Bmbiamhi.exe Bjcmebie.exe File opened for modification C:\Windows\SysWOW64\Jlhljhbg.exe Jkgpbp32.exe File created C:\Windows\SysWOW64\Jjofoqdn.dll Hoclopne.exe File opened for modification C:\Windows\SysWOW64\Nmbjcljl.exe Mfhbga32.exe File created C:\Windows\SysWOW64\Bgagea32.dll Njjdho32.exe File created C:\Windows\SysWOW64\Hildmn32.exe Hdokdg32.exe File created C:\Windows\SysWOW64\Comjoclk.dll Jlmfeg32.exe File created C:\Windows\SysWOW64\Diinlj32.dll Blqllqqa.exe File created C:\Windows\SysWOW64\Enkdaepb.exe Ekmhejao.exe File created C:\Windows\SysWOW64\Nijeec32.exe Noeahkfc.exe File created C:\Windows\SysWOW64\Bafehe32.dll Mkadfj32.exe File opened for modification C:\Windows\SysWOW64\Ofhknodl.exe Opnbae32.exe File opened for modification C:\Windows\SysWOW64\Hlnjbedi.exe Hedafk32.exe File created C:\Windows\SysWOW64\Hkpheidp.exe Gdfoio32.exe File created C:\Windows\SysWOW64\Kqbkfkal.exe Kjhcjq32.exe File created C:\Windows\SysWOW64\Pcleml32.dll Jqknkedi.exe File created C:\Windows\SysWOW64\Nbalhp32.dll Bojomm32.exe File created C:\Windows\SysWOW64\Hmpcbhji.exe Hffken32.exe File opened for modification C:\Windows\SysWOW64\Iinjhh32.exe Ifomll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2260 4332 WerFault.exe 857 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoobdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhoqeibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeihb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnomg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phodcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjodla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiepjga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbkfkal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higjaoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhefhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoddcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcihgaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neppokal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcjfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekaapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngkqbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfelogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanokhdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bppfmigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncchae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maggnali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhnfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcqiope.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jglklggl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlegnjbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhclmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjcajjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmdecbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgifbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioolkncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeeobbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjlkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgcakon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbndfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpcbhji.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlbbkfoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonhqi32.dll" Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlijb32.dll" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbijb32.dll" Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoaob32.dll" Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjkmomfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfdjinjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpodlbng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbjmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaoaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcfgpga.dll" Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeheme32.dll" Pabblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmmgg32.dll" Bpnihiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnfjbdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbdbmfg.dll" Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locfbi32.dll" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpank32.dll" Bkjiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkmjjaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoimppcd.dll" Pjpobg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caghhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkaicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonnoglh.dll" Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehhlb32.dll" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofimgb32.dll" Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnpcnol.dll" Kmieae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkekn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackhdo32.dll" Gdaociml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjehbcf.dll" Iikmbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odmbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcccepbd.dll" Ahofoogd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmookkn.dll" Nohehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idajkk32.dll" Hgiepjga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmqfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agimkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eleepoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjhacf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golneb32.dll" Glldgljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blnoga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgffic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjadje32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4868 wrote to memory of 5104 4868 c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0fN.exe 82 PID 4868 wrote to memory of 5104 4868 c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0fN.exe 82 PID 4868 wrote to memory of 5104 4868 c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0fN.exe 82 PID 5104 wrote to memory of 4296 5104 Mlpeff32.exe 83 PID 5104 wrote to memory of 4296 5104 Mlpeff32.exe 83 PID 5104 wrote to memory of 4296 5104 Mlpeff32.exe 83 PID 4296 wrote to memory of 2736 4296 Moobbb32.exe 84 PID 4296 wrote to memory of 2736 4296 Moobbb32.exe 84 PID 4296 wrote to memory of 2736 4296 Moobbb32.exe 84 PID 2736 wrote to memory of 456 2736 Mlbbkfoq.exe 85 PID 2736 wrote to memory of 456 2736 Mlbbkfoq.exe 85 PID 2736 wrote to memory of 456 2736 Mlbbkfoq.exe 85 PID 456 wrote to memory of 1676 456 Moaogand.exe 86 PID 456 wrote to memory of 1676 456 Moaogand.exe 86 PID 456 wrote to memory of 1676 456 Moaogand.exe 86 PID 1676 wrote to memory of 5060 1676 Mockmala.exe 87 PID 1676 wrote to memory of 5060 1676 Mockmala.exe 87 PID 1676 wrote to memory of 5060 1676 Mockmala.exe 87 PID 5060 wrote to memory of 4808 5060 Mfjcnold.exe 88 PID 5060 wrote to memory of 4808 5060 Mfjcnold.exe 88 PID 5060 wrote to memory of 4808 5060 Mfjcnold.exe 88 PID 4808 wrote to memory of 4024 4808 Neppokal.exe 89 PID 4808 wrote to memory of 4024 4808 Neppokal.exe 89 PID 4808 wrote to memory of 4024 4808 Neppokal.exe 89 PID 4024 wrote to memory of 1976 4024 Nohehq32.exe 90 PID 4024 wrote to memory of 1976 4024 Nohehq32.exe 90 PID 4024 wrote to memory of 1976 4024 Nohehq32.exe 90 PID 1976 wrote to memory of 2184 1976 Nbcqiope.exe 91 PID 1976 wrote to memory of 2184 1976 Nbcqiope.exe 91 PID 1976 wrote to memory of 2184 1976 Nbcqiope.exe 91 PID 2184 wrote to memory of 1916 2184 Nojanpej.exe 92 PID 2184 wrote to memory of 1916 2184 Nojanpej.exe 92 PID 2184 wrote to memory of 1916 2184 Nojanpej.exe 92 PID 1916 wrote to memory of 5096 1916 Nlnbgddc.exe 93 PID 1916 wrote to memory of 5096 1916 Nlnbgddc.exe 93 PID 1916 wrote to memory of 5096 1916 Nlnbgddc.exe 93 PID 5096 wrote to memory of 244 5096 Nlqomd32.exe 94 PID 5096 wrote to memory of 244 5096 Nlqomd32.exe 94 PID 5096 wrote to memory of 244 5096 Nlqomd32.exe 94 PID 244 wrote to memory of 2444 244 Oeicejia.exe 95 PID 244 wrote to memory of 2444 244 Oeicejia.exe 95 PID 244 wrote to memory of 2444 244 Oeicejia.exe 95 PID 2444 wrote to memory of 2768 2444 Ooagno32.exe 96 PID 2444 wrote to memory of 2768 2444 Ooagno32.exe 96 PID 2444 wrote to memory of 2768 2444 Ooagno32.exe 96 PID 2768 wrote to memory of 2236 2768 Oigllh32.exe 97 PID 2768 wrote to memory of 2236 2768 Oigllh32.exe 97 PID 2768 wrote to memory of 2236 2768 Oigllh32.exe 97 PID 2236 wrote to memory of 4496 2236 Ocopdn32.exe 98 PID 2236 wrote to memory of 4496 2236 Ocopdn32.exe 98 PID 2236 wrote to memory of 4496 2236 Ocopdn32.exe 98 PID 4496 wrote to memory of 4840 4496 Ocamjm32.exe 99 PID 4496 wrote to memory of 4840 4496 Ocamjm32.exe 99 PID 4496 wrote to memory of 4840 4496 Ocamjm32.exe 99 PID 4840 wrote to memory of 2180 4840 Oljaccjf.exe 100 PID 4840 wrote to memory of 2180 4840 Oljaccjf.exe 100 PID 4840 wrote to memory of 2180 4840 Oljaccjf.exe 100 PID 2180 wrote to memory of 3084 2180 Ojnblg32.exe 101 PID 2180 wrote to memory of 3084 2180 Ojnblg32.exe 101 PID 2180 wrote to memory of 3084 2180 Ojnblg32.exe 101 PID 3084 wrote to memory of 3264 3084 Pjpobg32.exe 102 PID 3084 wrote to memory of 3264 3084 Pjpobg32.exe 102 PID 3084 wrote to memory of 3264 3084 Pjpobg32.exe 102 PID 3264 wrote to memory of 4580 3264 Plagcbdn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0fN.exe"C:\Users\Admin\AppData\Local\Temp\c42f894d2c0a698384c6ddd2da10ccd2787dffc202c871e4c6baaf46e77a6e0fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe23⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe24⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:664 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe26⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe27⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe28⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe29⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe30⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe31⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe34⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3672 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe37⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe38⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe39⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe40⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe41⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe42⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe43⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe44⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4836 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4144 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe47⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe49⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe50⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe51⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe53⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe54⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe55⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe58⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe59⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe60⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe61⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe62⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4484 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe65⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe66⤵PID:4028
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe67⤵PID:1164
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe68⤵PID:1604
-
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe69⤵PID:2032
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3520 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe71⤵PID:4012
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe72⤵PID:1552
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe73⤵PID:5012
-
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe74⤵PID:4324
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe75⤵PID:756
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe76⤵PID:388
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe77⤵PID:4984
-
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe78⤵PID:4884
-
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe79⤵PID:2760
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe80⤵PID:3688
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe81⤵PID:3456
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe82⤵PID:3464
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe83⤵
- Drops file in System32 directory
PID:232 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe84⤵PID:1876
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe85⤵PID:4060
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe86⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe87⤵PID:2228
-
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4244 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe89⤵PID:2728
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4240 -
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe91⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe92⤵PID:2132
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe93⤵PID:3748
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe94⤵PID:4828
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe95⤵PID:4624
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe96⤵PID:4748
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe97⤵PID:4352
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe98⤵PID:1932
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe99⤵PID:2836
-
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe100⤵PID:852
-
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe101⤵PID:4036
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe102⤵PID:3440
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe104⤵PID:3840
-
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe105⤵PID:4800
-
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe106⤵PID:1084
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe107⤵
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe108⤵PID:2740
-
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe109⤵PID:792
-
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe110⤵
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe112⤵PID:2020
-
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe114⤵PID:3656
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe115⤵PID:2520
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe116⤵PID:2300
-
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe118⤵PID:400
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe120⤵PID:1556
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe121⤵PID:4792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-