Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-10-2024 05:04
Static task
static1
Behavioral task
behavioral1
Sample
d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe
Resource
win10v2004-20240802-en
General
-
Target
d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe
-
Size
91KB
-
MD5
7fe56c98c4a61eb8dab7113aa76e8a40
-
SHA1
9d1e846abbf7e594e70edc76092ad1067cf63c22
-
SHA256
d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376
-
SHA512
33c28c045b32cff5f02e6e780f0a0a9f15fc9ebc0701a5b25475eba17671b8cec07a4d2408327d43b924321239ab60ec52d0ea73f9471a439496d9fc784305ff
-
SSDEEP
1536:C7MFKQtwzvcgz4weZZs1wQtkfnLyDXdi8pE4g5a3iZ8saqYko:SMhWEyeI1w9GDN3E4xSzWP
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmehb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekqmhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dakacjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimenegi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmdom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeiodek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joffnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmomlnjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehngkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmojkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjapcii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqdblmhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlambk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhomfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifnhpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgipcogp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akccap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noehba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpleig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocamjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbbhkjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embddb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnbgddc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeicejia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkkjmlan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oondnini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjellmbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akffafgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfekc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqhafffk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikokan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkchelci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfglfdkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadlbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqqdeod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgjlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbicpfdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1712 Hgoeep32.exe 1256 Hbdjchgn.exe 884 Hdbfodfa.exe 5080 Hkmnln32.exe 4756 Inkjhi32.exe 2312 Idebdcdo.exe 5024 Ihqoeb32.exe 3180 Ikokan32.exe 716 Inmgmijo.exe 1996 Ifdonfka.exe 216 Iickkbje.exe 3200 Igfkfo32.exe 5028 Iomcgl32.exe 60 Ibkpcg32.exe 3940 Ighhln32.exe 2648 Ibnligoc.exe 1268 Igjeanmj.exe 4876 Ioambknl.exe 3528 Ibpiogmp.exe 1980 Ienekbld.exe 3276 Igmagnkg.exe 1104 Jkhngl32.exe 4160 Jngjch32.exe 3660 Jbbfdfkn.exe 3136 Jilnqqbj.exe 3476 Jkkjmlan.exe 1036 Joffnk32.exe 3744 Jbdbjf32.exe 3484 Jkmgblok.exe 2300 Joiccj32.exe 2288 Jfbkpd32.exe 4484 Jkodhk32.exe 4804 Jgfdmlcm.exe 4900 Jnpmjf32.exe 4164 Jieagojp.exe 3948 Knbiofhg.exe 1840 Kfjapcii.exe 3620 Kihnmohm.exe 8 Kpbfii32.exe 1192 Kflnfcgg.exe 3372 Kijjbofj.exe 1660 Kpdboimg.exe 4808 Kfnkkb32.exe 2068 Keakgpko.exe 1468 Khpgckkb.exe 4284 Knippe32.exe 2032 Kbekqdjh.exe 3144 Khbdikip.exe 5072 Knlleepl.exe 2468 Kfcdfbqo.exe 5020 Lhdqnj32.exe 1492 Lpkiph32.exe 4048 Lfealaol.exe 4936 Lidmhmnp.exe 512 Lpneegel.exe 1852 Lblaabdp.exe 2480 Lifjnm32.exe 3356 Lhijijbg.exe 1264 Lppbkgcj.exe 1056 Lfjjga32.exe 4056 Lhkgoiqe.exe 2744 Leoghn32.exe 848 Lpekef32.exe 1560 Loglacfo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebommi32.exe Eclmamod.exe File opened for modification C:\Windows\SysWOW64\Dfglfdkb.exe Dnpdegjp.exe File created C:\Windows\SysWOW64\Hmmfmhll.exe Hfcnpn32.exe File created C:\Windows\SysWOW64\Cocjiehd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kplmliko.exe Process not Found File opened for modification C:\Windows\SysWOW64\Edemkd32.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Kqpoakco.exe Kjffdalb.exe File created C:\Windows\SysWOW64\Pefabkej.exe Poliea32.exe File created C:\Windows\SysWOW64\Bghakj32.dll Pfillg32.exe File created C:\Windows\SysWOW64\Hckeoeno.exe Hdhedh32.exe File opened for modification C:\Windows\SysWOW64\Gdobnj32.exe Glgjlm32.exe File created C:\Windows\SysWOW64\Jblpmmae.dll Nlnbgddc.exe File opened for modification C:\Windows\SysWOW64\Iqpfjnba.exe Inainbcn.exe File opened for modification C:\Windows\SysWOW64\Maodigil.exe Mjellmbp.exe File opened for modification C:\Windows\SysWOW64\Dmdhcddh.exe Djelgied.exe File opened for modification C:\Windows\SysWOW64\Eehicoel.exe Ebimgcfi.exe File created C:\Windows\SysWOW64\Biepfnpi.dll Process not Found File created C:\Windows\SysWOW64\Nimmifgo.exe Process not Found File created C:\Windows\SysWOW64\Igmagnkg.exe Ienekbld.exe File opened for modification C:\Windows\SysWOW64\Onpjichj.exe Olanmgig.exe File opened for modification C:\Windows\SysWOW64\Galoohke.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ikkpgafg.exe Icdheded.exe File created C:\Windows\SysWOW64\Gmigpf32.dll Qlgpod32.exe File opened for modification C:\Windows\SysWOW64\Iiopca32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jpbjfjci.exe Process not Found File created C:\Windows\SysWOW64\Bfmpaf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oelolmnd.exe Omegjomb.exe File created C:\Windows\SysWOW64\Coaadq32.dll Bihjfnmm.exe File opened for modification C:\Windows\SysWOW64\Icdheded.exe Ipflihfq.exe File opened for modification C:\Windows\SysWOW64\Meiioonj.exe Mmbanbmg.exe File created C:\Windows\SysWOW64\Fkldkg32.dll Nmgjia32.exe File opened for modification C:\Windows\SysWOW64\Hlepcdoa.exe Hifcgion.exe File opened for modification C:\Windows\SysWOW64\Bgbpaipl.exe Process not Found File created C:\Windows\SysWOW64\Pcegclgp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cqpbglno.exe Bihjfnmm.exe File created C:\Windows\SysWOW64\Nfaemp32.exe Process not Found File created C:\Windows\SysWOW64\Akffafgg.exe Ajdjin32.exe File opened for modification C:\Windows\SysWOW64\Fmfnpa32.exe Fjhacf32.exe File created C:\Windows\SysWOW64\Dkahilkl.exe Dhclmp32.exe File created C:\Windows\SysWOW64\Pmcckk32.dll Jocefm32.exe File created C:\Windows\SysWOW64\Milidebi.exe Meamcg32.exe File created C:\Windows\SysWOW64\Amlkko32.dll Kdbjhbbd.exe File opened for modification C:\Windows\SysWOW64\Iplkpa32.exe Imnocf32.exe File created C:\Windows\SysWOW64\Akoqpg32.exe Allpejfe.exe File created C:\Windows\SysWOW64\Pifnhpmi.exe Papfgbmg.exe File opened for modification C:\Windows\SysWOW64\Akoqpg32.exe Allpejfe.exe File opened for modification C:\Windows\SysWOW64\Efepbi32.exe Eplgeokq.exe File created C:\Windows\SysWOW64\Dpaagldf.dll Fngcmcfe.exe File created C:\Windows\SysWOW64\Ogigdpmb.dll Hfcnpn32.exe File created C:\Windows\SysWOW64\Fopjdidn.dll Monjjgkb.exe File created C:\Windows\SysWOW64\Maenpfhk.dll Process not Found File created C:\Windows\SysWOW64\Dgooajdl.dll Nlqomd32.exe File opened for modification C:\Windows\SysWOW64\Cpihcgoa.exe Cippgm32.exe File opened for modification C:\Windows\SysWOW64\Dhhfedil.exe Dclkee32.exe File created C:\Windows\SysWOW64\Hpdfnolo.exe Hjjnae32.exe File opened for modification C:\Windows\SysWOW64\Gbchdp32.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Naqbda32.dll Bfchidda.exe File opened for modification C:\Windows\SysWOW64\Pmpolgoi.exe Process not Found File created C:\Windows\SysWOW64\Bdfpkm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ooibkpmi.exe Process not Found File created C:\Windows\SysWOW64\Lfipab32.dll Eiokinbk.exe File created C:\Windows\SysWOW64\Odcfhh32.dll Gjfnedho.exe File opened for modification C:\Windows\SysWOW64\Nfcabp32.exe Process not Found File created C:\Windows\SysWOW64\Ajlgckkf.dll Oimkbaed.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8752 9260 Process not Found 1497 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moaogand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmijllo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmniml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgalmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimkbaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijnep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edemkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fknbil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgoeep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbdikip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjedffig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpkadnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmlfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcclld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeaanjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkobmnka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhflnpoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjchgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpdfnolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nolgijpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmieae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndham32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljaoeini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahglpk.dll" Bfbaonae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjnqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahdik32.dll" Ifdonfka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idbodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hplbickp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfqkddfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblnindg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnclimck.dll" Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phelcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckclhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggnjnq32.dll" Ehhpla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kclgmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdonfka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogcggo32.dll" Mhppji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggocmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obonfmck.dll" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofbdcmb.dll" Pchlpfjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbjdgmg.dll" Deqcbpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibpiogmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bogcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bihjfnmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdomhkp.dll" Afnnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knooej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbblob32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnjancb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobkpkdh.dll" Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjoja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgocj32.dll" Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenbjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjikc32.dll" Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimkic32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpnh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhgfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klobfk32.dll" Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqlnnkp.dll" Emhkdmlg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4612 wrote to memory of 1712 4612 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 82 PID 4612 wrote to memory of 1712 4612 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 82 PID 4612 wrote to memory of 1712 4612 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 82 PID 1712 wrote to memory of 1256 1712 Hgoeep32.exe 83 PID 1712 wrote to memory of 1256 1712 Hgoeep32.exe 83 PID 1712 wrote to memory of 1256 1712 Hgoeep32.exe 83 PID 1256 wrote to memory of 884 1256 Hbdjchgn.exe 84 PID 1256 wrote to memory of 884 1256 Hbdjchgn.exe 84 PID 1256 wrote to memory of 884 1256 Hbdjchgn.exe 84 PID 884 wrote to memory of 5080 884 Hdbfodfa.exe 85 PID 884 wrote to memory of 5080 884 Hdbfodfa.exe 85 PID 884 wrote to memory of 5080 884 Hdbfodfa.exe 85 PID 5080 wrote to memory of 4756 5080 Hkmnln32.exe 86 PID 5080 wrote to memory of 4756 5080 Hkmnln32.exe 86 PID 5080 wrote to memory of 4756 5080 Hkmnln32.exe 86 PID 4756 wrote to memory of 2312 4756 Inkjhi32.exe 87 PID 4756 wrote to memory of 2312 4756 Inkjhi32.exe 87 PID 4756 wrote to memory of 2312 4756 Inkjhi32.exe 87 PID 2312 wrote to memory of 5024 2312 Idebdcdo.exe 88 PID 2312 wrote to memory of 5024 2312 Idebdcdo.exe 88 PID 2312 wrote to memory of 5024 2312 Idebdcdo.exe 88 PID 5024 wrote to memory of 3180 5024 Ihqoeb32.exe 89 PID 5024 wrote to memory of 3180 5024 Ihqoeb32.exe 89 PID 5024 wrote to memory of 3180 5024 Ihqoeb32.exe 89 PID 3180 wrote to memory of 716 3180 Ikokan32.exe 90 PID 3180 wrote to memory of 716 3180 Ikokan32.exe 90 PID 3180 wrote to memory of 716 3180 Ikokan32.exe 90 PID 716 wrote to memory of 1996 716 Inmgmijo.exe 91 PID 716 wrote to memory of 1996 716 Inmgmijo.exe 91 PID 716 wrote to memory of 1996 716 Inmgmijo.exe 91 PID 1996 wrote to memory of 216 1996 Ifdonfka.exe 92 PID 1996 wrote to memory of 216 1996 Ifdonfka.exe 92 PID 1996 wrote to memory of 216 1996 Ifdonfka.exe 92 PID 216 wrote to memory of 3200 216 Iickkbje.exe 93 PID 216 wrote to memory of 3200 216 Iickkbje.exe 93 PID 216 wrote to memory of 3200 216 Iickkbje.exe 93 PID 3200 wrote to memory of 5028 3200 Igfkfo32.exe 94 PID 3200 wrote to memory of 5028 3200 Igfkfo32.exe 94 PID 3200 wrote to memory of 5028 3200 Igfkfo32.exe 94 PID 5028 wrote to memory of 60 5028 Iomcgl32.exe 95 PID 5028 wrote to memory of 60 5028 Iomcgl32.exe 95 PID 5028 wrote to memory of 60 5028 Iomcgl32.exe 95 PID 60 wrote to memory of 3940 60 Ibkpcg32.exe 96 PID 60 wrote to memory of 3940 60 Ibkpcg32.exe 96 PID 60 wrote to memory of 3940 60 Ibkpcg32.exe 96 PID 3940 wrote to memory of 2648 3940 Ighhln32.exe 97 PID 3940 wrote to memory of 2648 3940 Ighhln32.exe 97 PID 3940 wrote to memory of 2648 3940 Ighhln32.exe 97 PID 2648 wrote to memory of 1268 2648 Ibnligoc.exe 98 PID 2648 wrote to memory of 1268 2648 Ibnligoc.exe 98 PID 2648 wrote to memory of 1268 2648 Ibnligoc.exe 98 PID 1268 wrote to memory of 4876 1268 Igjeanmj.exe 99 PID 1268 wrote to memory of 4876 1268 Igjeanmj.exe 99 PID 1268 wrote to memory of 4876 1268 Igjeanmj.exe 99 PID 4876 wrote to memory of 3528 4876 Ioambknl.exe 100 PID 4876 wrote to memory of 3528 4876 Ioambknl.exe 100 PID 4876 wrote to memory of 3528 4876 Ioambknl.exe 100 PID 3528 wrote to memory of 1980 3528 Ibpiogmp.exe 101 PID 3528 wrote to memory of 1980 3528 Ibpiogmp.exe 101 PID 3528 wrote to memory of 1980 3528 Ibpiogmp.exe 101 PID 1980 wrote to memory of 3276 1980 Ienekbld.exe 102 PID 1980 wrote to memory of 3276 1980 Ienekbld.exe 102 PID 1980 wrote to memory of 3276 1980 Ienekbld.exe 102 PID 3276 wrote to memory of 1104 3276 Igmagnkg.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe"C:\Users\Admin\AppData\Local\Temp\d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe23⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe24⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe25⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe26⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe29⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe30⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe31⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe32⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe33⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe34⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe35⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe36⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe37⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe39⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe40⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe41⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe42⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe43⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe44⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe45⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe46⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe47⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe48⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3144 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe50⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe51⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe52⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe53⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe54⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe55⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe56⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe57⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe58⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe59⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe60⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe61⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe62⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe63⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe64⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe65⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe66⤵PID:4868
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe67⤵
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe68⤵PID:4860
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe69⤵PID:3360
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe70⤵PID:2604
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe71⤵PID:4416
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe72⤵PID:3332
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe73⤵PID:4892
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe74⤵PID:2524
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe75⤵PID:2672
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe76⤵PID:4888
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe77⤵PID:1936
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe78⤵
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe79⤵
- System Location Discovery: System Language Discovery
PID:4252 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe80⤵PID:2164
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe81⤵PID:3240
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe82⤵PID:4660
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe83⤵PID:1316
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe84⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe86⤵PID:4644
-
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe87⤵PID:724
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe88⤵PID:4576
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe89⤵PID:3248
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe90⤵PID:2980
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe91⤵PID:3816
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe92⤵PID:5036
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe95⤵PID:5048
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe96⤵PID:116
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe97⤵PID:996
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe98⤵
- Drops file in System32 directory
PID:4856 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe99⤵PID:1604
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3776 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe102⤵PID:3524
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe103⤵PID:456
-
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe104⤵PID:1800
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe105⤵PID:3376
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe106⤵
- Modifies registry class
PID:3120 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe107⤵PID:2060
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe108⤵PID:4912
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe109⤵PID:3900
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe111⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe112⤵PID:4932
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe113⤵PID:5088
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe114⤵PID:4004
-
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe115⤵PID:5052
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe116⤵PID:4396
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe117⤵PID:1576
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe118⤵PID:3068
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe119⤵PID:1224
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe120⤵PID:740
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe121⤵PID:4740
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe122⤵PID:4712
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-