Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2024 03:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe
-
Size
80KB
-
MD5
2b65ac76b0ff9d8ed82a70e8b39b4450
-
SHA1
68bac7691968af7a76a52a38f11638f73f80a439
-
SHA256
0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25
-
SHA512
bdb9dc079de6ea809e427f43538c78d5219edd58ef4019fe6a1b9c7490419ceda7c9b6dd89bab1e8f2f24a83436fa35f8e8879921e27a0e9069cb265c7e245f5
-
SSDEEP
1536:8Sqk6yXl1z7XRz5UekG3Wuycc2LMBJ9VqDlzVxyh+CbxMa:JqqzTROekG3nVGJ9IDlRxyhTb7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iakiia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkabjbih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjmel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnkhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idbodn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjlaaig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cflkpblf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oakbehfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbacd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhafeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djelgied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqfdnah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaompd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmpnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkabjbih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clchbqoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmcolgbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkfcndce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efpomccg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolgijpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifcejnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnphmkji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fineoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplbickp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojajin32.exe -
Executes dropped EXE 64 IoCs
pid Process 3216 Kpgodhkd.exe 784 Kfqgab32.exe 4848 Khbdikip.exe 4304 Knlleepl.exe 1272 Kfcdfbqo.exe 2912 Kiaqcnpb.exe 1100 Lnnikdnj.exe 2416 Lehaho32.exe 5036 Lhfmdj32.exe 4544 Lnqeqd32.exe 2676 Lfhnaa32.exe 3356 Lldfjh32.exe 2124 Lbnngbbn.exe 4908 Lihfcm32.exe 4500 Loeolc32.exe 1332 Leoghn32.exe 4584 Loglacfo.exe 2212 Lfodbqfa.exe 3048 Mlklkgei.exe 1368 Mojhgbdl.exe 4828 Medqcmki.exe 2020 Mhbmphjm.exe 3728 Molelb32.exe 5056 Mfcmmp32.exe 3260 Mibijk32.exe 1816 Mlpeff32.exe 2712 Mbjnbqhp.exe 864 Mehjol32.exe 1080 Mpnnle32.exe 740 Mfhfhong.exe 1600 Mifcejnj.exe 540 Mbognp32.exe 4884 Nlglfe32.exe 2568 Npchgdcd.exe 3456 Neppokal.exe 868 Npedmdab.exe 4508 Nbcqiope.exe 436 Niniei32.exe 2228 Nlleaeff.exe 4424 Ncfmno32.exe 5024 Ngaionfl.exe 4088 Nhbfff32.exe 1660 Npjnhc32.exe 4964 Nchjdo32.exe 4492 Neffpj32.exe 1736 Nibbqicm.exe 920 Nookip32.exe 1000 Oeicejia.exe 2748 Ohgoaehe.exe 3584 Olckbd32.exe 4504 Ocmconhk.exe 3000 Oigllh32.exe 4248 Ohjlgefb.exe 1624 Oocddono.exe 1804 Oenlqi32.exe 2500 Opcqnb32.exe 5100 Ocamjm32.exe 4224 Oepifi32.exe 4576 Opemca32.exe 2312 Ocdjpmac.exe 1180 Oebflhaf.exe 1496 Ollnhb32.exe 3532 Pedbahod.exe 4656 Phcomcng.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oljoen32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qmckbjdl.exe Process not Found File created C:\Windows\SysWOW64\Nboahd32.dll Lbnngbbn.exe File created C:\Windows\SysWOW64\Hlmjfa32.dll Cidjbmcp.exe File opened for modification C:\Windows\SysWOW64\Ilcldb32.exe Iidphgcn.exe File created C:\Windows\SysWOW64\Kmpaoopf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nkcmjlio.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kgninn32.exe Kcbnnpka.exe File created C:\Windows\SysWOW64\Njmhhefi.exe Nhokljge.exe File opened for modification C:\Windows\SysWOW64\Koajmepf.exe Process not Found File created C:\Windows\SysWOW64\Pjgebf32.exe Pflibgil.exe File opened for modification C:\Windows\SysWOW64\Jnhidk32.exe Jkimho32.exe File opened for modification C:\Windows\SysWOW64\Knhakh32.exe Kjmfjj32.exe File opened for modification C:\Windows\SysWOW64\Bomkcm32.exe Blnoga32.exe File created C:\Windows\SysWOW64\Odljjo32.exe Process not Found File created C:\Windows\SysWOW64\Nqomdf32.dll Mfcmmp32.exe File created C:\Windows\SysWOW64\Bbiado32.exe Bokehc32.exe File created C:\Windows\SysWOW64\Cbgnemjj.exe Coiaiakf.exe File opened for modification C:\Windows\SysWOW64\Pjpfjl32.exe Process not Found File created C:\Windows\SysWOW64\Lllagh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oiagde32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dhjckcgi.exe Dcogje32.exe File created C:\Windows\SysWOW64\Lnmkfh32.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Pghaae32.dll Cdlqqcnl.exe File opened for modification C:\Windows\SysWOW64\Iikmbh32.exe Iepaaico.exe File created C:\Windows\SysWOW64\Ogmeemdg.dll Process not Found File created C:\Windows\SysWOW64\Amhdmi32.exe Process not Found File created C:\Windows\SysWOW64\Gmemic32.dll Igqkqiai.exe File created C:\Windows\SysWOW64\Gceegdko.dll Cfipef32.exe File opened for modification C:\Windows\SysWOW64\Gnepna32.exe Glgcbf32.exe File opened for modification C:\Windows\SysWOW64\Ojigdcll.exe Ohkkhhmh.exe File opened for modification C:\Windows\SysWOW64\Chlflabp.exe Cfnjpfcl.exe File created C:\Windows\SysWOW64\Lakfeodm.exe Process not Found File created C:\Windows\SysWOW64\Cmniml32.exe Cjomap32.exe File created C:\Windows\SysWOW64\Gbbgpbmj.dll Fgbfhmll.exe File created C:\Windows\SysWOW64\Hpopgneq.dll Nhbolp32.exe File opened for modification C:\Windows\SysWOW64\Khbdikip.exe Kfqgab32.exe File opened for modification C:\Windows\SysWOW64\Fflohaij.exe Fneggdhg.exe File created C:\Windows\SysWOW64\Koaagkcb.exe Knqepc32.exe File opened for modification C:\Windows\SysWOW64\Mibijk32.exe Mfcmmp32.exe File created C:\Windows\SysWOW64\Phahglpk.dll Bbgeno32.exe File created C:\Windows\SysWOW64\Ahiiai32.dll Ljaoeini.exe File created C:\Windows\SysWOW64\Neoogc32.dll Igjngh32.exe File opened for modification C:\Windows\SysWOW64\Bgkiaj32.exe Process not Found File created C:\Windows\SysWOW64\Miofjepg.exe Mahnhhod.exe File created C:\Windows\SysWOW64\Oimkbaed.exe Oeaoab32.exe File opened for modification C:\Windows\SysWOW64\Gigaka32.exe Gbmingjo.exe File created C:\Windows\SysWOW64\Igigla32.exe Icnklbmj.exe File created C:\Windows\SysWOW64\Nphihiif.dll Ofkgcobj.exe File opened for modification C:\Windows\SysWOW64\Cmipblaq.exe Cimcan32.exe File created C:\Windows\SysWOW64\Dpehof32.exe Dmglcj32.exe File created C:\Windows\SysWOW64\Ednhgjia.dll Djklmo32.exe File created C:\Windows\SysWOW64\Pjcblekh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ejjaqk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Glkmmefl.exe File created C:\Windows\SysWOW64\Oefgjq32.dll Process not Found File created C:\Windows\SysWOW64\Aonhqi32.dll Aglnbhal.exe File opened for modification C:\Windows\SysWOW64\Jhpqaiji.exe Jdedak32.exe File created C:\Windows\SysWOW64\Cmcgolla.dll Gifkpknp.exe File opened for modification C:\Windows\SysWOW64\Bfedoc32.exe Boklbi32.exe File created C:\Windows\SysWOW64\Fbjmhh32.exe Fdglmkeg.exe File created C:\Windows\SysWOW64\Jgmjmjnb.exe Jofalmmp.exe File created C:\Windows\SysWOW64\Fgllff32.dll Bohibc32.exe File created C:\Windows\SysWOW64\Mnfnlf32.exe Mkhapk32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqoiqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqqlgem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmfchle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgepanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmndpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npchgdcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijogmdqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paoollik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjopcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igedlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgadgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlklkgei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlghoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiglnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfigpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgicgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimcan32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkjji32.dll" Mhafeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pogppn32.dll" Mpnnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laahglpp.dll" Ghkeio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajpbckl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piijno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjbbo32.dll" Dgejpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjffdalb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkilook.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohjlgefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmpbnihe.dll" Akffafgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einbcgha.dll" Knlleepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papdfone.dll" Mejpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihgmo32.dll" Fbcfhibj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emjgim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loeolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khblgpag.dll" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamhc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlnecf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjfjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpfgmnfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaial32.dll" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aannbg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impjjbmh.dll" Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkkgm32.dll" Ijfnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafpga32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhafeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnmmboed.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3020 wrote to memory of 3216 3020 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 84 PID 3020 wrote to memory of 3216 3020 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 84 PID 3020 wrote to memory of 3216 3020 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 84 PID 3216 wrote to memory of 784 3216 Kpgodhkd.exe 85 PID 3216 wrote to memory of 784 3216 Kpgodhkd.exe 85 PID 3216 wrote to memory of 784 3216 Kpgodhkd.exe 85 PID 784 wrote to memory of 4848 784 Kfqgab32.exe 86 PID 784 wrote to memory of 4848 784 Kfqgab32.exe 86 PID 784 wrote to memory of 4848 784 Kfqgab32.exe 86 PID 4848 wrote to memory of 4304 4848 Khbdikip.exe 87 PID 4848 wrote to memory of 4304 4848 Khbdikip.exe 87 PID 4848 wrote to memory of 4304 4848 Khbdikip.exe 87 PID 4304 wrote to memory of 1272 4304 Knlleepl.exe 88 PID 4304 wrote to memory of 1272 4304 Knlleepl.exe 88 PID 4304 wrote to memory of 1272 4304 Knlleepl.exe 88 PID 1272 wrote to memory of 2912 1272 Kfcdfbqo.exe 89 PID 1272 wrote to memory of 2912 1272 Kfcdfbqo.exe 89 PID 1272 wrote to memory of 2912 1272 Kfcdfbqo.exe 89 PID 2912 wrote to memory of 1100 2912 Kiaqcnpb.exe 90 PID 2912 wrote to memory of 1100 2912 Kiaqcnpb.exe 90 PID 2912 wrote to memory of 1100 2912 Kiaqcnpb.exe 90 PID 1100 wrote to memory of 2416 1100 Lnnikdnj.exe 91 PID 1100 wrote to memory of 2416 1100 Lnnikdnj.exe 91 PID 1100 wrote to memory of 2416 1100 Lnnikdnj.exe 91 PID 2416 wrote to memory of 5036 2416 Lehaho32.exe 92 PID 2416 wrote to memory of 5036 2416 Lehaho32.exe 92 PID 2416 wrote to memory of 5036 2416 Lehaho32.exe 92 PID 5036 wrote to memory of 4544 5036 Lhfmdj32.exe 93 PID 5036 wrote to memory of 4544 5036 Lhfmdj32.exe 93 PID 5036 wrote to memory of 4544 5036 Lhfmdj32.exe 93 PID 4544 wrote to memory of 2676 4544 Lnqeqd32.exe 94 PID 4544 wrote to memory of 2676 4544 Lnqeqd32.exe 94 PID 4544 wrote to memory of 2676 4544 Lnqeqd32.exe 94 PID 2676 wrote to memory of 3356 2676 Lfhnaa32.exe 95 PID 2676 wrote to memory of 3356 2676 Lfhnaa32.exe 95 PID 2676 wrote to memory of 3356 2676 Lfhnaa32.exe 95 PID 3356 wrote to memory of 2124 3356 Lldfjh32.exe 96 PID 3356 wrote to memory of 2124 3356 Lldfjh32.exe 96 PID 3356 wrote to memory of 2124 3356 Lldfjh32.exe 96 PID 2124 wrote to memory of 4908 2124 Lbnngbbn.exe 97 PID 2124 wrote to memory of 4908 2124 Lbnngbbn.exe 97 PID 2124 wrote to memory of 4908 2124 Lbnngbbn.exe 97 PID 4908 wrote to memory of 4500 4908 Lihfcm32.exe 98 PID 4908 wrote to memory of 4500 4908 Lihfcm32.exe 98 PID 4908 wrote to memory of 4500 4908 Lihfcm32.exe 98 PID 4500 wrote to memory of 1332 4500 Loeolc32.exe 99 PID 4500 wrote to memory of 1332 4500 Loeolc32.exe 99 PID 4500 wrote to memory of 1332 4500 Loeolc32.exe 99 PID 1332 wrote to memory of 4584 1332 Leoghn32.exe 100 PID 1332 wrote to memory of 4584 1332 Leoghn32.exe 100 PID 1332 wrote to memory of 4584 1332 Leoghn32.exe 100 PID 4584 wrote to memory of 2212 4584 Loglacfo.exe 101 PID 4584 wrote to memory of 2212 4584 Loglacfo.exe 101 PID 4584 wrote to memory of 2212 4584 Loglacfo.exe 101 PID 2212 wrote to memory of 3048 2212 Lfodbqfa.exe 102 PID 2212 wrote to memory of 3048 2212 Lfodbqfa.exe 102 PID 2212 wrote to memory of 3048 2212 Lfodbqfa.exe 102 PID 3048 wrote to memory of 1368 3048 Mlklkgei.exe 103 PID 3048 wrote to memory of 1368 3048 Mlklkgei.exe 103 PID 3048 wrote to memory of 1368 3048 Mlklkgei.exe 103 PID 1368 wrote to memory of 4828 1368 Mojhgbdl.exe 104 PID 1368 wrote to memory of 4828 1368 Mojhgbdl.exe 104 PID 1368 wrote to memory of 4828 1368 Mojhgbdl.exe 104 PID 4828 wrote to memory of 2020 4828 Medqcmki.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe"C:\Users\Admin\AppData\Local\Temp\0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe23⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe24⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5056 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe26⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe28⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe29⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe31⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe33⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe34⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe36⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe37⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe38⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe39⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe40⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe41⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe42⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4088 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe44⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe45⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe46⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe47⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe48⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe49⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe50⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe51⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe52⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe53⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4248 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe55⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe56⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe57⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe58⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe59⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe60⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe61⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe62⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe63⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe64⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe65⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe66⤵PID:3388
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe67⤵PID:3968
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe68⤵PID:3576
-
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe69⤵PID:816
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe70⤵PID:1680
-
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe71⤵PID:364
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe72⤵PID:636
-
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe73⤵PID:4420
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe74⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe75⤵PID:1244
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe76⤵PID:2068
-
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe77⤵PID:1380
-
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe78⤵PID:552
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe79⤵PID:2112
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe80⤵PID:1396
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe81⤵PID:3640
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe82⤵PID:4592
-
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe83⤵PID:4452
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe84⤵PID:4256
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe85⤵PID:4948
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe86⤵PID:2384
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe87⤵PID:3692
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe88⤵PID:1800
-
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe89⤵PID:2464
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe90⤵PID:4932
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe91⤵PID:544
-
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe92⤵PID:3480
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe93⤵PID:2200
-
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe94⤵
- System Location Discovery: System Language Discovery
PID:4956 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe95⤵PID:512
-
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe96⤵PID:1364
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe97⤵PID:3300
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe98⤵PID:3056
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe99⤵
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe100⤵
- Drops file in System32 directory
PID:4772 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe101⤵PID:2324
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe102⤵
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe103⤵PID:1792
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4952 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe105⤵PID:680
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe106⤵PID:3308
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe107⤵PID:1732
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe108⤵PID:3608
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe109⤵PID:3836
-
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe110⤵PID:4172
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe111⤵
- Drops file in System32 directory
PID:3228 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe112⤵PID:5060
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe113⤵PID:460
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe114⤵PID:1928
-
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe115⤵PID:1728
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe116⤵PID:1936
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe117⤵PID:4036
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe118⤵PID:4408
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe119⤵PID:4152
-
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe120⤵
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3704
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-