Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2024 06:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe
-
Size
45KB
-
MD5
24787b13e22e242cad5c747730403660
-
SHA1
a4548af4c678ffef5fbdd358c6d546a7606f29aa
-
SHA256
b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bf
-
SHA512
68b729043cdab61e44ec2b301482b1962a4d3977ca277004fa523cdc2288891cf7264077d558efdaa3b4e6eedf1697ed394f29c30a9195799e7195669a07d621
-
SSDEEP
768:NSajMMACCGYhwfWjWEoirlQCDIKh6x4+z0Cy4B/1H5c:721wuZhvc26x4+z0CymK
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbpphi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efdjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfghg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feocelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aglnbhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpkflfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gknkpjfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oafcqcea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iebngial.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geaepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnoncim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjlic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljobphg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobilkcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhpch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efeihb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpehof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklkdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkggg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbbmnnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfagf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mehcdfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eokqkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egnchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcmbee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbdbqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffmfadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cimmggfl.exe -
Executes dropped EXE 64 IoCs
pid Process 1240 Eonehbjg.exe 3128 Ealadnik.exe 2736 Egijmegb.exe 728 Emcbio32.exe 5048 Edmjfifl.exe 1976 Ekgbccni.exe 2584 Emeoooml.exe 1416 Eemgplno.exe 4612 Egnchd32.exe 1716 Eoekia32.exe 772 Feocelll.exe 4772 Fhmpagkp.exe 2028 Fkllnbjc.exe 2136 Fnjhjn32.exe 3668 Fhpmgg32.exe 3972 Fnmepn32.exe 3284 Fedmqk32.exe 3616 Fhbimf32.exe 2900 Folaiqng.exe 4928 Fdijbg32.exe 2084 Fhdfbfdh.exe 2796 Fnaokmco.exe 3888 Fdkggg32.exe 1052 Fkeodaai.exe 4604 Gaogak32.exe 3988 Gdncmghi.exe 3112 Gochjpho.exe 4464 Gdppbfff.exe 2264 Ggnlobej.exe 2240 Gnhdkl32.exe 3788 Ggqida32.exe 1944 Gkleeplq.exe 2484 Gfbibikg.exe 2816 Gahjgj32.exe 2248 Gdgfce32.exe 868 Gkaopp32.exe 4824 Hakgmjoh.exe 440 Hkckeo32.exe 2948 Hdlpneli.exe 4468 Hkehkocf.exe 4320 Hbpphi32.exe 3444 Hglipp32.exe 3480 Hnfamjqg.exe 3336 Hfningai.exe 1028 Hgoeep32.exe 4276 Hofmfmhj.exe 5076 Hfpecg32.exe 5004 Hhnbpb32.exe 2120 Iohjlmeg.exe 3120 Ibffhhek.exe 4972 Ihqoeb32.exe 2204 Inmgmijo.exe 4252 Iickkbje.exe 2904 Iomcgl32.exe 2352 Ibkpcg32.exe 3452 Iiehpahb.exe 5068 Ikcdlmgf.exe 4432 Inbqhhfj.exe 1752 Ieliebnf.exe 2836 Ikfabm32.exe 1564 Indmnh32.exe 3548 Ifleoe32.exe 3968 Igmagnkg.exe 3536 Jngjch32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bbbmaq32.dll Eonehbjg.exe File created C:\Windows\SysWOW64\Kgdpni32.exe Kpjgaoqm.exe File opened for modification C:\Windows\SysWOW64\Jgogbgei.exe Jdpkflfe.exe File created C:\Windows\SysWOW64\Dcigeooj.exe Dkbocbog.exe File opened for modification C:\Windows\SysWOW64\Ibaeen32.exe Hlglidlo.exe File created C:\Windows\SysWOW64\Fngbbg32.dll Llflea32.exe File created C:\Windows\SysWOW64\Bfpfngma.dll Glengm32.exe File created C:\Windows\SysWOW64\Jdodkebj.exe Jlhljhbg.exe File created C:\Windows\SysWOW64\Paoollik.exe Popbpqjh.exe File created C:\Windows\SysWOW64\Bomkcm32.exe Blnoga32.exe File opened for modification C:\Windows\SysWOW64\Aokkahlo.exe Process not Found File created C:\Windows\SysWOW64\Idfplbal.dll Jngjch32.exe File created C:\Windows\SysWOW64\Idieem32.exe Inomhbeq.exe File opened for modification C:\Windows\SysWOW64\Hkbmqb32.exe Hckeoeno.exe File created C:\Windows\SysWOW64\Gddbcp32.exe Gnjjfegi.exe File opened for modification C:\Windows\SysWOW64\Nkqkhk32.exe Nhbolp32.exe File created C:\Windows\SysWOW64\Lhhmmcaa.dll Cihclh32.exe File created C:\Windows\SysWOW64\Gikgni32.dll Process not Found File created C:\Windows\SysWOW64\Kabcopmg.exe Process not Found File created C:\Windows\SysWOW64\Ooibkpmi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ijadbdoj.exe Ihphkl32.exe File created C:\Windows\SysWOW64\Ikcmbfcj.exe Iggaah32.exe File opened for modification C:\Windows\SysWOW64\Emmkiclm.exe Efccmidp.exe File opened for modification C:\Windows\SysWOW64\Kgnbdh32.exe Kofkbk32.exe File created C:\Windows\SysWOW64\Nbebbk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ojcpdg32.exe Process not Found File created C:\Windows\SysWOW64\Odnknc32.dll Cpleig32.exe File created C:\Windows\SysWOW64\Feoodn32.exe Fbpchb32.exe File opened for modification C:\Windows\SysWOW64\Mjodla32.exe Mcelpggq.exe File opened for modification C:\Windows\SysWOW64\Pccahbmn.exe Process not Found File created C:\Windows\SysWOW64\Fqeioiam.exe Process not Found File created C:\Windows\SysWOW64\Ceknlgnl.dll Process not Found File created C:\Windows\SysWOW64\Emeoooml.exe Ekgbccni.exe File created C:\Windows\SysWOW64\Jdfjld32.exe Jlobkg32.exe File created C:\Windows\SysWOW64\Hehkga32.dll Nabfjpak.exe File created C:\Windows\SysWOW64\Jgamhc32.dll Process not Found File created C:\Windows\SysWOW64\Aobmce32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kldmckic.exe Jieagojp.exe File opened for modification C:\Windows\SysWOW64\Phganm32.exe Pamiaboj.exe File created C:\Windows\SysWOW64\Knooej32.exe Kkpbin32.exe File created C:\Windows\SysWOW64\Legjmh32.exe Lbinam32.exe File created C:\Windows\SysWOW64\Ekfjcc32.dll Iliinc32.exe File created C:\Windows\SysWOW64\Bmgagk32.dll Mmfkhmdi.exe File created C:\Windows\SysWOW64\Nhoped32.dll Process not Found File created C:\Windows\SysWOW64\Pcicklnn.exe Ppjgoaoj.exe File created C:\Windows\SysWOW64\Cpleig32.exe Cmniml32.exe File opened for modification C:\Windows\SysWOW64\Eblpgjha.exe Epndknin.exe File opened for modification C:\Windows\SysWOW64\Gkkgpc32.exe Gdaociml.exe File created C:\Windows\SysWOW64\Jcphdpff.dll Icfekc32.exe File opened for modification C:\Windows\SysWOW64\Qoelkp32.exe Qlgpod32.exe File created C:\Windows\SysWOW64\Npdpachh.dll Deqcbpld.exe File created C:\Windows\SysWOW64\Pnifekmd.exe Process not Found File created C:\Windows\SysWOW64\Odaodc32.dll Process not Found File created C:\Windows\SysWOW64\Mjpnkbfj.dll Process not Found File created C:\Windows\SysWOW64\Mecclb32.dll Hakgmjoh.exe File opened for modification C:\Windows\SysWOW64\Ohghgodi.exe Oidhlb32.exe File created C:\Windows\SysWOW64\Cboeco32.dll Glbjggof.exe File created C:\Windows\SysWOW64\Llodgnja.exe Ljqhkckn.exe File created C:\Windows\SysWOW64\Iokifhcf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pibdmp32.exe Pchlpfjb.exe File created C:\Windows\SysWOW64\Ilmifh32.dll Eiokinbk.exe File opened for modification C:\Windows\SysWOW64\Ajhniccb.exe Acnemi32.exe File created C:\Windows\SysWOW64\Aalebkhm.dll Lnbklm32.exe File opened for modification C:\Windows\SysWOW64\Leopnglc.exe Lbpdblmo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10948 10404 Process not Found 1416 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbfhmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeafb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfedoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faenpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaehljpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lieccf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeicejia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlghoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeeabda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhpmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkeio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdjomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjokgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljqhkckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emcbio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpkchqdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojhgbdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogklelna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fealin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Likcilhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mleoafmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opadhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffceip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjhjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boflmdkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompfej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbdikp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbbep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mehjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbkpm32.dll" Dcigeooj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doaneiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cioilg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkefnho.dll" Nagpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhkccfn.dll" Jkaqnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgbbek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdpecjm.dll" Ijqmhnko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bheplb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plcdiabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eipinkib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnknop32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oghppm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpkchqdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpnaf.dll" Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll" Ffceip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmjmjnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjebhadm.dll" Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioolkncg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagnlg32.dll" Nbcjnilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjhacf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhijepa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmfclm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaoan32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobilkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhpla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhegobpi.dll" Ilqoobdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hncmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll" Nfaemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckajh32.dll" Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nohehq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilnbicff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghppm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkogiikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bohibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 1240 2340 b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe 82 PID 2340 wrote to memory of 1240 2340 b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe 82 PID 2340 wrote to memory of 1240 2340 b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe 82 PID 1240 wrote to memory of 3128 1240 Eonehbjg.exe 83 PID 1240 wrote to memory of 3128 1240 Eonehbjg.exe 83 PID 1240 wrote to memory of 3128 1240 Eonehbjg.exe 83 PID 3128 wrote to memory of 2736 3128 Ealadnik.exe 84 PID 3128 wrote to memory of 2736 3128 Ealadnik.exe 84 PID 3128 wrote to memory of 2736 3128 Ealadnik.exe 84 PID 2736 wrote to memory of 728 2736 Egijmegb.exe 85 PID 2736 wrote to memory of 728 2736 Egijmegb.exe 85 PID 2736 wrote to memory of 728 2736 Egijmegb.exe 85 PID 728 wrote to memory of 5048 728 Emcbio32.exe 86 PID 728 wrote to memory of 5048 728 Emcbio32.exe 86 PID 728 wrote to memory of 5048 728 Emcbio32.exe 86 PID 5048 wrote to memory of 1976 5048 Edmjfifl.exe 87 PID 5048 wrote to memory of 1976 5048 Edmjfifl.exe 87 PID 5048 wrote to memory of 1976 5048 Edmjfifl.exe 87 PID 1976 wrote to memory of 2584 1976 Ekgbccni.exe 88 PID 1976 wrote to memory of 2584 1976 Ekgbccni.exe 88 PID 1976 wrote to memory of 2584 1976 Ekgbccni.exe 88 PID 2584 wrote to memory of 1416 2584 Emeoooml.exe 89 PID 2584 wrote to memory of 1416 2584 Emeoooml.exe 89 PID 2584 wrote to memory of 1416 2584 Emeoooml.exe 89 PID 1416 wrote to memory of 4612 1416 Eemgplno.exe 90 PID 1416 wrote to memory of 4612 1416 Eemgplno.exe 90 PID 1416 wrote to memory of 4612 1416 Eemgplno.exe 90 PID 4612 wrote to memory of 1716 4612 Egnchd32.exe 91 PID 4612 wrote to memory of 1716 4612 Egnchd32.exe 91 PID 4612 wrote to memory of 1716 4612 Egnchd32.exe 91 PID 1716 wrote to memory of 772 1716 Eoekia32.exe 92 PID 1716 wrote to memory of 772 1716 Eoekia32.exe 92 PID 1716 wrote to memory of 772 1716 Eoekia32.exe 92 PID 772 wrote to memory of 4772 772 Feocelll.exe 93 PID 772 wrote to memory of 4772 772 Feocelll.exe 93 PID 772 wrote to memory of 4772 772 Feocelll.exe 93 PID 4772 wrote to memory of 2028 4772 Fhmpagkp.exe 94 PID 4772 wrote to memory of 2028 4772 Fhmpagkp.exe 94 PID 4772 wrote to memory of 2028 4772 Fhmpagkp.exe 94 PID 2028 wrote to memory of 2136 2028 Fkllnbjc.exe 95 PID 2028 wrote to memory of 2136 2028 Fkllnbjc.exe 95 PID 2028 wrote to memory of 2136 2028 Fkllnbjc.exe 95 PID 2136 wrote to memory of 3668 2136 Fnjhjn32.exe 96 PID 2136 wrote to memory of 3668 2136 Fnjhjn32.exe 96 PID 2136 wrote to memory of 3668 2136 Fnjhjn32.exe 96 PID 3668 wrote to memory of 3972 3668 Fhpmgg32.exe 97 PID 3668 wrote to memory of 3972 3668 Fhpmgg32.exe 97 PID 3668 wrote to memory of 3972 3668 Fhpmgg32.exe 97 PID 3972 wrote to memory of 3284 3972 Fnmepn32.exe 98 PID 3972 wrote to memory of 3284 3972 Fnmepn32.exe 98 PID 3972 wrote to memory of 3284 3972 Fnmepn32.exe 98 PID 3284 wrote to memory of 3616 3284 Fedmqk32.exe 99 PID 3284 wrote to memory of 3616 3284 Fedmqk32.exe 99 PID 3284 wrote to memory of 3616 3284 Fedmqk32.exe 99 PID 3616 wrote to memory of 2900 3616 Fhbimf32.exe 100 PID 3616 wrote to memory of 2900 3616 Fhbimf32.exe 100 PID 3616 wrote to memory of 2900 3616 Fhbimf32.exe 100 PID 2900 wrote to memory of 4928 2900 Folaiqng.exe 101 PID 2900 wrote to memory of 4928 2900 Folaiqng.exe 101 PID 2900 wrote to memory of 4928 2900 Folaiqng.exe 101 PID 4928 wrote to memory of 2084 4928 Fdijbg32.exe 102 PID 4928 wrote to memory of 2084 4928 Fdijbg32.exe 102 PID 4928 wrote to memory of 2084 4928 Fdijbg32.exe 102 PID 2084 wrote to memory of 2796 2084 Fhdfbfdh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe"C:\Users\Admin\AppData\Local\Temp\b5904751a331d6b682a6d8b97b420e93567130f8ac5668ec6b62568c06cb26bfN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:728 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe23⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe25⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe26⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe27⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe28⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe29⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe30⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe31⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe32⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe33⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe34⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe35⤵PID:2308
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe36⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe37⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4824 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe40⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe41⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe42⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe44⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe45⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe46⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe47⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe48⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe49⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe50⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe51⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe52⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe53⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe54⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe55⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe56⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe58⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe59⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe60⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe61⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe62⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe63⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe64⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe65⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe67⤵PID:2128
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe68⤵PID:3628
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe69⤵PID:1488
-
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe70⤵PID:1656
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe71⤵PID:2320
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe72⤵PID:1452
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe73⤵PID:4564
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe74⤵PID:4260
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe75⤵PID:1112
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe76⤵PID:4008
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe77⤵PID:1404
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe78⤵
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe79⤵PID:4976
-
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe80⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe81⤵PID:8
-
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe82⤵PID:244
-
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe83⤵PID:3036
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe84⤵PID:3368
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe85⤵PID:1176
-
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe86⤵PID:3376
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe87⤵PID:2200
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe89⤵PID:2756
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe90⤵PID:3976
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe91⤵PID:376
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe92⤵PID:2768
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe93⤵PID:1872
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe94⤵PID:1852
-
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe95⤵PID:4296
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe96⤵PID:3748
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe97⤵PID:1040
-
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe98⤵PID:2632
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe99⤵PID:3468
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe100⤵PID:4376
-
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe101⤵PID:1136
-
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe102⤵PID:4624
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe103⤵PID:2376
-
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe104⤵PID:4476
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe105⤵PID:1448
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe106⤵PID:4832
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe107⤵PID:1880
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe108⤵PID:4248
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe109⤵PID:3996
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe110⤵
- System Location Discovery: System Language Discovery
PID:208 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe111⤵PID:4956
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe112⤵PID:4768
-
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe113⤵PID:1516
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe114⤵PID:3100
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe115⤵
- System Location Discovery: System Language Discovery
PID:3432 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe116⤵PID:1792
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe117⤵PID:4136
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe118⤵PID:4472
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe119⤵PID:3916
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe120⤵PID:4412
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe121⤵PID:4532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-