Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04/10/2024, 01:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe
Resource
win7-20240704-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe
-
Size
62KB
-
MD5
0a5d382a9794654e2616247ce7e1c470
-
SHA1
9b4bc4a6b741664143ac20b3430ca7a5427e56ef
-
SHA256
7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0
-
SHA512
4da94776b03ab81db7dd9b158bc8b33a2f6852f5b86c5a024234ae8c694a8d4351ef292f6a078cf2ac37a3127d73b9a87ef05c654ee954749a8e980fe76fa339
-
SSDEEP
768:sQtrz1mRPh+kEZLtNxKa1EqdiauzfSShCpX9jBVCi1lqgu+JMeSgf6/1H5daHXdW:s8lmRJ+vn+NzaR91VCSU+thwydve8Cy
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Donecfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koiejemn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggbmafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbmqjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjnndime.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqjcgbbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpkakak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgpplf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjcne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaiffii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmjdpac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdicjfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icnphd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokpcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bboplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafcofcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajgfiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fempbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjlcmdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjglg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opmcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beobcdoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjcfcakn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbkfjko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgaglpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbhlikpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bejobk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbalaoda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibmlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhlepkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjbhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odcfdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agcdnjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfddci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiinoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijgjpaao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmkbeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elolco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mackfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deagoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfgahikm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdqbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpobmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkqdnkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbknhqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijgjpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgijkgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lapopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbcffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbinlp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkadoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcealh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndejcemn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgjjoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpknplq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnlpcel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpklql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbqalle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfehpg32.exe -
Executes dropped EXE 64 IoCs
pid Process 4952 Ocmjhfjl.exe 3968 Pijcpmhc.exe 4796 Pkholi32.exe 2692 Pcpgmf32.exe 664 Pilpfm32.exe 4300 Pofhbgmn.exe 992 Pecpknke.exe 1424 Poidhg32.exe 2444 Pfbmdabh.exe 4776 Pkoemhao.exe 928 Pehjfm32.exe 4228 Pomncfge.exe 4212 Qejfkmem.exe 2896 Qppkhfec.exe 3676 Qfjcep32.exe 2584 Qpbgnecp.exe 2252 Acppddig.exe 4052 Alkeifga.exe 1228 Abemep32.exe 1300 Almanf32.exe 3024 Afceko32.exe 748 Ammnhilb.exe 4020 Apkjddke.exe 3124 Acgfec32.exe 1404 Aidomjaf.exe 5032 Albkieqj.exe 4452 Bejobk32.exe 1104 Bifkcioc.exe 4904 Bboplo32.exe 4816 Bemlhj32.exe 944 Bmddihfj.exe 2160 Bcnleb32.exe 720 Bbalaoda.exe 380 Beoimjce.exe 3252 Bcbeqaia.exe 2316 Bmkjig32.exe 784 Cibkohef.exe 4752 Cehlcikj.exe 3304 Cfhhml32.exe 760 Cleqfb32.exe 1008 Cemeoh32.exe 1076 Cbaehl32.exe 3888 Dpefaq32.exe 4576 Dinjjf32.exe 4464 Ddcogo32.exe 4812 Dbhlikpf.exe 3556 Dlqpaafg.exe 3444 Ddjehneg.exe 1612 Dekapfke.exe 3468 Edlann32.exe 3052 Edoncm32.exe 3388 Emgblc32.exe 2432 Ecdkdj32.exe 2352 Ephlnn32.exe 4264 Elolco32.exe 1416 Eibmlc32.exe 1984 Fpmeimpn.exe 4532 Fgfmeg32.exe 3428 Flcfnn32.exe 4508 Fgijkgeh.exe 4332 Fncbha32.exe 3872 Fdmjdkda.exe 4696 Fgkfqgce.exe 3576 Flhoinbl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mpaflkim.dll Pilpfm32.exe File created C:\Windows\SysWOW64\Ecdkdj32.exe Emgblc32.exe File created C:\Windows\SysWOW64\Ejhikgob.dll Dehnpp32.exe File created C:\Windows\SysWOW64\Ojonli32.dll Eldbbjof.exe File created C:\Windows\SysWOW64\Pjnbdofa.dll Dbphcpog.exe File opened for modification C:\Windows\SysWOW64\Fhkecb32.exe Faamghko.exe File created C:\Windows\SysWOW64\Bjbboi32.dll Fempbm32.exe File opened for modification C:\Windows\SysWOW64\Hfgloiqf.exe Hgdlcm32.exe File opened for modification C:\Windows\SysWOW64\Focakm32.exe Flddoa32.exe File created C:\Windows\SysWOW64\Fehplggn.exe Fbjcplhj.exe File created C:\Windows\SysWOW64\Fjmaii32.dll Gcmpgpkp.exe File created C:\Windows\SysWOW64\Knemellp.dll Ppffec32.exe File created C:\Windows\SysWOW64\Jjlmcilb.dll Dijppjfd.exe File created C:\Windows\SysWOW64\Bnaffdfc.exe Bdiamnpc.exe File created C:\Windows\SysWOW64\Jamenc32.dll Jqbbno32.exe File created C:\Windows\SysWOW64\Gajfpi32.dll Bglgdi32.exe File created C:\Windows\SysWOW64\Dgomaf32.exe Dbbdip32.exe File created C:\Windows\SysWOW64\Kihnhc32.dll Hjbhph32.exe File created C:\Windows\SysWOW64\Emfbmcph.dll Jggapj32.exe File opened for modification C:\Windows\SysWOW64\Iqbpahpc.exe Ijhhenhf.exe File created C:\Windows\SysWOW64\Oogdfc32.exe Oklifdmi.exe File created C:\Windows\SysWOW64\Ghcbohpp.exe Gojnfb32.exe File created C:\Windows\SysWOW64\Kgiamm32.dll Oinbgk32.exe File opened for modification C:\Windows\SysWOW64\Lbnggpfj.exe Kkdoje32.exe File created C:\Windows\SysWOW64\Dbebgj32.dll Bcbeqaia.exe File opened for modification C:\Windows\SysWOW64\Lfbgmj32.exe Ldckan32.exe File created C:\Windows\SysWOW64\Oafacn32.exe Oogdfc32.exe File created C:\Windows\SysWOW64\Ohaokbfd.exe Odfcjc32.exe File opened for modification C:\Windows\SysWOW64\Ndfanlpi.exe Nahdapae.exe File created C:\Windows\SysWOW64\Belemd32.exe Bnbmqjjo.exe File created C:\Windows\SysWOW64\Hfgloiqf.exe Hgdlcm32.exe File opened for modification C:\Windows\SysWOW64\Kgemahmg.exe Kakednfj.exe File opened for modification C:\Windows\SysWOW64\Mmghklif.exe Mjiloqjb.exe File created C:\Windows\SysWOW64\Loifpp32.dll Ohmepbki.exe File created C:\Windows\SysWOW64\Dcplke32.dll Kffhakjp.exe File opened for modification C:\Windows\SysWOW64\Ijjnpg32.exe Ifleji32.exe File opened for modification C:\Windows\SysWOW64\Ababkdij.exe Akgjnj32.exe File created C:\Windows\SysWOW64\Cnppaiii.dll Ikhghi32.exe File created C:\Windows\SysWOW64\Iljpgl32.exe Ifphkbep.exe File opened for modification C:\Windows\SysWOW64\Pfbmdabh.exe Poidhg32.exe File created C:\Windows\SysWOW64\Bbjogi32.dll Namnmp32.exe File opened for modification C:\Windows\SysWOW64\Cinpdl32.exe Cbdhgaid.exe File created C:\Windows\SysWOW64\Beobcdoi.exe Bndjfjhl.exe File created C:\Windows\SysWOW64\Qeeloaik.dll Deagoa32.exe File opened for modification C:\Windows\SysWOW64\Jihngboe.exe Jggapj32.exe File created C:\Windows\SysWOW64\Jmdjha32.exe Jihngboe.exe File opened for modification C:\Windows\SysWOW64\Bndblcdq.exe Bgjjoi32.exe File opened for modification C:\Windows\SysWOW64\Fajgfiag.exe Fbggkl32.exe File opened for modification C:\Windows\SysWOW64\Ijgjpaao.exe Icmbcg32.exe File created C:\Windows\SysWOW64\Obkcmi32.dll Apkjddke.exe File created C:\Windows\SysWOW64\Npjpkn32.dll Fgfmeg32.exe File created C:\Windows\SysWOW64\Imknli32.exe Ifaepolg.exe File created C:\Windows\SysWOW64\Lhjnfn32.exe Kaqejcep.exe File created C:\Windows\SysWOW64\Mfomiaim.dll Bdgehobe.exe File created C:\Windows\SysWOW64\Fhbfdm32.dll Kfbmgo32.exe File opened for modification C:\Windows\SysWOW64\Bkhjpn32.exe Beobcdoi.exe File created C:\Windows\SysWOW64\Bmddihfj.exe Bemlhj32.exe File created C:\Windows\SysWOW64\Jmdqbg32.exe Jeilne32.exe File created C:\Windows\SysWOW64\Elfhmc32.exe Eelpqi32.exe File created C:\Windows\SysWOW64\Cnaoemei.dll Ljffccjh.exe File created C:\Windows\SysWOW64\Mackfa32.exe Mkicjgnn.exe File opened for modification C:\Windows\SysWOW64\Lmnlpcel.exe Lokldg32.exe File created C:\Windows\SysWOW64\Nbogaaom.dll Mjiloqjb.exe File opened for modification C:\Windows\SysWOW64\Hfpenj32.exe Hofmaq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13320 13144 WerFault.exe 668 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfehpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkiiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmncif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahkkhnpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhcmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmccnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbldhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifaepolg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomkkagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfeoijbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciefek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljglnmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icciccmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcddkggf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfaenfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbqalle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdlncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmddihfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbkpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaobdmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhpge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilpfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpkcbqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnknpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhjnfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Namnmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcjea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdhdfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibkohef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbaehl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmeimpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjcfcakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjoop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjcdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpilekqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaokbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkhfec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiinoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giddddad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almanf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noqofdlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfdcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biljib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clmckmcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfljnejl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fempbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijcpmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedohfmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koiejemn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bndblcdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmpob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fehplggn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkjlqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcihjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmghklif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfhmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhflhcfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lechkaga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceoppmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdokmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbgfhii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaqejcep.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ginenk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmcldhfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qodhmn32.dll" Hddilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmfodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohobebig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnehb32.dll" Oiehhjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Econlc32.dll" Fpcdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggapj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ababkdij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daliqjnc.dll" Pkoemhao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kceoppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edcfpa32.dll" Ghcbohpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohkijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdmmg32.dll" Omlkmign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnkbcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbnggpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddogn32.dll" Pecpknke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbkfjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpodkdll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjcqffkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfkoaf32.dll" Kjlmbnof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhklj32.dll" Kfdklllb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmqiec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noqofdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohoibbd.dll" Hpaqqdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmkbeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdmcki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Engaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnlpgibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmkad32.dll" Odcfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemlhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfaph32.dll" Njmejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbdhgaid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Celgjlpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oogdfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eikpan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjcne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfikaqme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kifjip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkloka32.dll" Hgebnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgaelcgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phbolflm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfcelml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohaokbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll" Dinjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpnbmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfomda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enpknplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbfdm32.dll" Kfbmgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjlcmdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkgaglpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdmjdkda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Infqklol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmopone.dll" Bkhjpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hphfac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmpkakak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebeapc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gojgkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmccnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbijq32.dll" Ljglnmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgebnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiffij32.dll" Lhjnfn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4536 wrote to memory of 4952 4536 7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe 89 PID 4536 wrote to memory of 4952 4536 7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe 89 PID 4536 wrote to memory of 4952 4536 7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe 89 PID 4952 wrote to memory of 3968 4952 Ocmjhfjl.exe 90 PID 4952 wrote to memory of 3968 4952 Ocmjhfjl.exe 90 PID 4952 wrote to memory of 3968 4952 Ocmjhfjl.exe 90 PID 3968 wrote to memory of 4796 3968 Pijcpmhc.exe 91 PID 3968 wrote to memory of 4796 3968 Pijcpmhc.exe 91 PID 3968 wrote to memory of 4796 3968 Pijcpmhc.exe 91 PID 4796 wrote to memory of 2692 4796 Pkholi32.exe 92 PID 4796 wrote to memory of 2692 4796 Pkholi32.exe 92 PID 4796 wrote to memory of 2692 4796 Pkholi32.exe 92 PID 2692 wrote to memory of 664 2692 Pcpgmf32.exe 93 PID 2692 wrote to memory of 664 2692 Pcpgmf32.exe 93 PID 2692 wrote to memory of 664 2692 Pcpgmf32.exe 93 PID 664 wrote to memory of 4300 664 Pilpfm32.exe 94 PID 664 wrote to memory of 4300 664 Pilpfm32.exe 94 PID 664 wrote to memory of 4300 664 Pilpfm32.exe 94 PID 4300 wrote to memory of 992 4300 Pofhbgmn.exe 95 PID 4300 wrote to memory of 992 4300 Pofhbgmn.exe 95 PID 4300 wrote to memory of 992 4300 Pofhbgmn.exe 95 PID 992 wrote to memory of 1424 992 Pecpknke.exe 96 PID 992 wrote to memory of 1424 992 Pecpknke.exe 96 PID 992 wrote to memory of 1424 992 Pecpknke.exe 96 PID 1424 wrote to memory of 2444 1424 Poidhg32.exe 97 PID 1424 wrote to memory of 2444 1424 Poidhg32.exe 97 PID 1424 wrote to memory of 2444 1424 Poidhg32.exe 97 PID 2444 wrote to memory of 4776 2444 Pfbmdabh.exe 98 PID 2444 wrote to memory of 4776 2444 Pfbmdabh.exe 98 PID 2444 wrote to memory of 4776 2444 Pfbmdabh.exe 98 PID 4776 wrote to memory of 928 4776 Pkoemhao.exe 99 PID 4776 wrote to memory of 928 4776 Pkoemhao.exe 99 PID 4776 wrote to memory of 928 4776 Pkoemhao.exe 99 PID 928 wrote to memory of 4228 928 Pehjfm32.exe 100 PID 928 wrote to memory of 4228 928 Pehjfm32.exe 100 PID 928 wrote to memory of 4228 928 Pehjfm32.exe 100 PID 4228 wrote to memory of 4212 4228 Pomncfge.exe 101 PID 4228 wrote to memory of 4212 4228 Pomncfge.exe 101 PID 4228 wrote to memory of 4212 4228 Pomncfge.exe 101 PID 4212 wrote to memory of 2896 4212 Qejfkmem.exe 102 PID 4212 wrote to memory of 2896 4212 Qejfkmem.exe 102 PID 4212 wrote to memory of 2896 4212 Qejfkmem.exe 102 PID 2896 wrote to memory of 3676 2896 Qppkhfec.exe 103 PID 2896 wrote to memory of 3676 2896 Qppkhfec.exe 103 PID 2896 wrote to memory of 3676 2896 Qppkhfec.exe 103 PID 3676 wrote to memory of 2584 3676 Qfjcep32.exe 104 PID 3676 wrote to memory of 2584 3676 Qfjcep32.exe 104 PID 3676 wrote to memory of 2584 3676 Qfjcep32.exe 104 PID 2584 wrote to memory of 2252 2584 Qpbgnecp.exe 105 PID 2584 wrote to memory of 2252 2584 Qpbgnecp.exe 105 PID 2584 wrote to memory of 2252 2584 Qpbgnecp.exe 105 PID 2252 wrote to memory of 4052 2252 Acppddig.exe 106 PID 2252 wrote to memory of 4052 2252 Acppddig.exe 106 PID 2252 wrote to memory of 4052 2252 Acppddig.exe 106 PID 4052 wrote to memory of 1228 4052 Alkeifga.exe 107 PID 4052 wrote to memory of 1228 4052 Alkeifga.exe 107 PID 4052 wrote to memory of 1228 4052 Alkeifga.exe 107 PID 1228 wrote to memory of 1300 1228 Abemep32.exe 108 PID 1228 wrote to memory of 1300 1228 Abemep32.exe 108 PID 1228 wrote to memory of 1300 1228 Abemep32.exe 108 PID 1300 wrote to memory of 3024 1300 Almanf32.exe 109 PID 1300 wrote to memory of 3024 1300 Almanf32.exe 109 PID 1300 wrote to memory of 3024 1300 Almanf32.exe 109 PID 3024 wrote to memory of 748 3024 Afceko32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe"C:\Users\Admin\AppData\Local\Temp\7f34701d83c1c98c38fb8f7ea67fe02f94849521f8ae4f15bc123b641c3daca0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Ocmjhfjl.exeC:\Windows\system32\Ocmjhfjl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Pehjfm32.exeC:\Windows\system32\Pehjfm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Pomncfge.exeC:\Windows\system32\Pomncfge.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Qppkhfec.exeC:\Windows\system32\Qppkhfec.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Almanf32.exeC:\Windows\system32\Almanf32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe23⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe25⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe26⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe27⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Bejobk32.exeC:\Windows\system32\Bejobk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe29⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Bemlhj32.exeC:\Windows\system32\Bemlhj32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe33⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe35⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe37⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Cibkohef.exeC:\Windows\system32\Cibkohef.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:784 -
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe39⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Cfhhml32.exeC:\Windows\system32\Cfhhml32.exe40⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe41⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe42⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Cbaehl32.exeC:\Windows\system32\Cbaehl32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe44⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Dinjjf32.exeC:\Windows\system32\Dinjjf32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4576 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe46⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe48⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe49⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Dekapfke.exeC:\Windows\system32\Dekapfke.exe50⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Edlann32.exeC:\Windows\system32\Edlann32.exe51⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe52⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe54⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe55⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Fpmeimpn.exeC:\Windows\system32\Fpmeimpn.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4532 -
C:\Windows\SysWOW64\Flcfnn32.exeC:\Windows\system32\Flcfnn32.exe60⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Fgijkgeh.exeC:\Windows\system32\Fgijkgeh.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Fncbha32.exeC:\Windows\system32\Fncbha32.exe62⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Fdmjdkda.exeC:\Windows\system32\Fdmjdkda.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3872 -
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe64⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe65⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe66⤵
- System Location Discovery: System Language Discovery
PID:3296 -
C:\Windows\SysWOW64\Fjlpbb32.exeC:\Windows\system32\Fjlpbb32.exe67⤵PID:3056
-
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe68⤵PID:4112
-
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe69⤵
- System Location Discovery: System Language Discovery
PID:4860 -
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe71⤵PID:848
-
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe73⤵PID:2764
-
C:\Windows\SysWOW64\Gcimfg32.exeC:\Windows\system32\Gcimfg32.exe74⤵PID:3500
-
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe76⤵PID:2368
-
C:\Windows\SysWOW64\Gckjlf32.exeC:\Windows\system32\Gckjlf32.exe77⤵PID:2928
-
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe78⤵PID:4340
-
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe79⤵PID:4372
-
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe80⤵PID:3868
-
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe81⤵PID:5084
-
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe82⤵
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Hfnpca32.exeC:\Windows\system32\Hfnpca32.exe83⤵PID:724
-
C:\Windows\SysWOW64\Hmhhpkcj.exeC:\Windows\system32\Hmhhpkcj.exe84⤵PID:5124
-
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe85⤵PID:5172
-
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe86⤵PID:5244
-
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe87⤵PID:5296
-
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe88⤵PID:5340
-
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe89⤵PID:5384
-
C:\Windows\SysWOW64\Hddilh32.exeC:\Windows\system32\Hddilh32.exe90⤵
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe91⤵PID:5472
-
C:\Windows\SysWOW64\Hqkjaifk.exeC:\Windows\system32\Hqkjaifk.exe92⤵PID:5516
-
C:\Windows\SysWOW64\Hgebnc32.exeC:\Windows\system32\Hgebnc32.exe93⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe94⤵PID:5608
-
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5652 -
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe96⤵
- System Location Discovery: System Language Discovery
PID:5696 -
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe97⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe99⤵
- Drops file in System32 directory
PID:5828 -
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe100⤵PID:5872
-
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe101⤵PID:5916
-
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe102⤵
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe103⤵
- System Location Discovery: System Language Discovery
PID:6004 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6048 -
C:\Windows\SysWOW64\Imknli32.exeC:\Windows\system32\Imknli32.exe105⤵PID:6092
-
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe106⤵PID:6136
-
C:\Windows\SysWOW64\Ifcben32.exeC:\Windows\system32\Ifcben32.exe107⤵PID:5216
-
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe108⤵PID:5292
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe109⤵PID:5356
-
C:\Windows\SysWOW64\Jffokn32.exeC:\Windows\system32\Jffokn32.exe110⤵PID:5420
-
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe111⤵PID:5500
-
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe112⤵PID:5568
-
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe113⤵
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe114⤵PID:5708
-
C:\Windows\SysWOW64\Jeilne32.exeC:\Windows\system32\Jeilne32.exe115⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Jmdqbg32.exeC:\Windows\system32\Jmdqbg32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5840 -
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe117⤵PID:5904
-
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe118⤵PID:5988
-
C:\Windows\SysWOW64\Jabiie32.exeC:\Windows\system32\Jabiie32.exe119⤵PID:6056
-
C:\Windows\SysWOW64\Jglaepim.exeC:\Windows\system32\Jglaepim.exe120⤵PID:6128
-
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe121⤵PID:5256
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-