Analysis
max time kernel: 62s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 07:46
Static task: static1
Behavioral task: behavioral1
  Sample: ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe
  Resource: win10v2004-20241007-en
General
Target: ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe
Size: 483KB
MD5: 8e817b2bd1b098659a633bbb584c7150
SHA1: 678ee145e0b7e78643cc17bcf56b0511127b5f52
SHA256: ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50
SHA512: 65fb19e7c230526e767c22bab09baea775571fc3ede2c517f15f132a93f3362d95a1083669396f93cb07bf03e53a1605046d5093aac4d87ac11884627cf04f7f
SSDEEP: 12288:fmHutY5vARMSG0dhvARM/3ARMSG0dhvARMoHG:OOtY5wdhcdhMHG
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 54 IoCs)
Berbew family
Executes dropped EXE (27 IoCs)
Loads dropped DLL (58 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid   pid_target   Process
2972  2800         WerFault.exe
System Location Discovery: System Language Discovery (1 TTP, 28 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe"
Tree level: 1
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jgjkfi32.exe
Command line: C:\Windows\system32\Jgjkfi32.exe
Tree level: 2
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Jikhnaao.exe
Command line: C:\Windows\system32\Jikhnaao.exe
Tree level: 3
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Jpepkk32.exe
Command line: C:\Windows\system32\Jpepkk32.exe
Tree level: 4
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jbclgf32.exe
Command line: C:\Windows\system32\Jbclgf32.exe
Tree level: 5
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Jjjdhc32.exe
Command line: C:\Windows\system32\Jjjdhc32.exe
Tree level: 6
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Jllqplnp.exe
Command line: C:\Windows\system32\Jllqplnp.exe
Tree level: 7
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Jbfilffm.exe
Command line: C:\Windows\system32\Jbfilffm.exe
Tree level: 8
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Jipaip32.exe
Command line: C:\Windows\system32\Jipaip32.exe
Tree level: 9
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Jpjifjdg.exe
Command line: C:\Windows\system32\Jpjifjdg.exe
Tree level: 10
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Jfcabd32.exe
Command line: C:\Windows\system32\Jfcabd32.exe
Tree level: 11
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Jhenjmbb.exe
Command line: C:\Windows\system32\Jhenjmbb.exe
Tree level: 12
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Jnofgg32.exe
Command line: C:\Windows\system32\Jnofgg32.exe
Tree level: 13
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Keioca32.exe
Command line: C:\Windows\system32\Keioca32.exe
Tree level: 14
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Khgkpl32.exe
Command line: C:\Windows\system32\Khgkpl32.exe
Tree level: 15
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Koaclfgl.exe
Command line: C:\Windows\system32\Koaclfgl.exe
Tree level: 16
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Kekkiq32.exe
Command line: C:\Windows\system32\Kekkiq32.exe
Tree level: 17
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Klecfkff.exe
Command line: C:\Windows\system32\Klecfkff.exe
Tree level: 18
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Kocpbfei.exe
Command line: C:\Windows\system32\Kocpbfei.exe
Tree level: 19
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Kdphjm32.exe
Command line: C:\Windows\system32\Kdphjm32.exe
Tree level: 20
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Kfodfh32.exe
Command line: C:\Windows\system32\Kfodfh32.exe
Tree level: 21
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Kmimcbja.exe
Command line: C:\Windows\system32\Kmimcbja.exe
Tree level: 22
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Kdbepm32.exe
Command line: C:\Windows\system32\Kdbepm32.exe
Tree level: 23
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Kageia32.exe
Command line: C:\Windows\system32\Kageia32.exe
Tree level: 24
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Kbhbai32.exe
Command line: C:\Windows\system32\Kbhbai32.exe
Tree level: 25
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Libjncnc.exe
Command line: C:\Windows\system32\Libjncnc.exe
Tree level: 26
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Lplbjm32.exe
Command line: C:\Windows\system32\Lplbjm32.exe
Tree level: 27
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Lbjofi32.exe
Command line: C:\Windows\system32\Lbjofi32.exe
Tree level: 28
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 140
Tree level: 29
- Loads dropped DLL
- Program crash
PID:2972
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
483KB
MD5
51b95a834fa64cd7d0a158c7239dd4ea
SHA1
799e9c78bdb50021fe17ce893ec319ffe855f9ef
SHA256
61075458009c401d4acd830edb64da5f5a149229234cc5fce52251ba00912690
SHA512
7b2f21e1f110607efa6c98621dfc8e1f97fed760fb7b70100764b451cc55d0a9bc0fad6867d211df7d4ef12e7c34639f8fd9b8f062fb0d4b39c1e47b329b4124
-
Filesize
483KB
MD5
8716ee7716309a0c0e0427c83826a480
SHA1
449160263efb63dd184949694063d6a2f583d717
SHA256
ef52f4163b9b176b6ee28de85986f923e29cab8266c26742d71225226f989ed6
SHA512
280877230abadec40d21148a62386c0b01e845e9e1f962020c556fee9995344ffb19459674c7fa1a5b0d148ba8f6743263019c3ed9315c5d4547273209d8498f
-
Filesize
483KB
MD5
8285dbb155d844f9ecf7bac1427de000
SHA1
40938b7409244b3be920086151dea73486d4715f
SHA256
d9ca62b9b96648eba89f13bd37aae8abd92f4333d270ffe25ec0d5f0c4f82c1a
SHA512
2d5e848e933d75a30e18cc720ab7cd48f0417cf46890eeabe1cbe3d93c0d91e652b0a5a088af777f0591dc0d3a714739f070ea6b363c6171f14a6f551bb216e0
-
Filesize
483KB
MD5
51e565ef54320e4bc66bb1289f53ce18
SHA1
b3d238378962d9b2344bcc64831348d839af3819
SHA256
f63d4d06a5affc1a8104af71b6064cbc62fe88a0b5adc8b11e596477e1d07857
SHA512
a9638c4bb71a34a2039ae8af0d9f192269befac9bf0bb2dc74c0bc1190bf20629ca3008ab6021462cf64efa68fe363d4cede05b284a413a7b03c11e4575e9599
-
Filesize
483KB
MD5
e495583774bd14c6e4e74ad384dfabd8
SHA1
af766670f5247eca215aacac558017b5f64275d4
SHA256
377ec12481f13faa6b3b437e872ddc58055705d8354beb093c7efb3acaf97842
SHA512
4751a09e91ca86537213b64c1796e2f352c08a5173f8dc2c8e9cf46468c93cdb5b131130126925ffa75ca8dd52f7cc1349bf781d2dbf191ab744b82b786a8921
-
Filesize
483KB
MD5
4a018d725a330c396449eb18e23277c5
SHA1
7ad4222cfaeff40da4a9b979c9c69547103011ea
SHA256
fb16e6b23db1c49ba1bc0889770a778fa3171d52e9e05c4fbad00fca999c7f90
SHA512
097c6174c7fc9b796722a00a1476aef4e5a82ac19e859a54f8ee782715d148f30e6e35d8c5ec33686db11e9cc9981ec206dbb30ffc7bb71e1f2fa4e1a81da0f1
-
Filesize
483KB
MD5
493c2ed7cc133e9a58585d2b21bcd972
SHA1
f3f0b2f70e15723695421a2ac08a2796a6682967
SHA256
12c18817f0be0c4e2937d973cddc6cd9e1ff27bce8e2607185fabbe86aa6b41c
SHA512
17e943fe5061a7f58b4cd7388d6faec113673cb2ddcfa3cbe45076b6b12275275d7b27da04f4f79feea2800fbeb0dda59da5116b745f2a7e6dc4c9bc0eec67c1
-
Filesize
483KB
MD5
1a5803752d62b77c30618f9e2174affe
SHA1
52299255e3ef72f7707b6afd38d814e841dcbbeb
SHA256
6c1a65cb4fa01d2debfefcee5dd796468f447a90eeead70fbc0a4ff6873fb9ee
SHA512
5416b8723f4a588881328809c5017fd12a39513d32ab51f613d1f8b238f94d0c3f9fc301f816675c4e502ef4dc76bce58c7c53e80bf81d0f929bb1faf0c147c0
-
Filesize
483KB
MD5
d0fcf82fd1945fc48fc00209074a7b20
SHA1
dd3329490f7a94d0a392b78706ab886e7d1b94e6
SHA256
1211e9cd701605deb587a7c4041df87744becb3d3255c43c2df6141ebb2335c5
SHA512
e6b86bb3fbed9d8ffe9612317cba46b289165b0786c34cb87b7fc600fccd9e2ec4a739b532e3df979bc71f3f7557910bd2a8b64ab42d5ed0cbdc5cd5365c10df
-
Filesize
483KB
MD5
5cd198d00558ca06e0c7eb941a616b7f
SHA1
43cd8b1fc1425b80ab3ea227a1c7f247b97a5044
SHA256
489213aecc60de3b2162aaa28767a7c93965c0def799662bdafde14bbfaf8411
SHA512
1e67664621e7f3f2fb2915f47ce5c6d8e78f013034abfb8378202d1c8a8a59e774365b1030b04f0e8355cf4b95d851e0a681c0a022290605c055c6bbf574920d
-
Filesize
483KB
MD5
465691b6c4b680d8c72d51c381a09989
SHA1
fd9f3da357707a17fcda1dc132c79d340a7680f9
SHA256
16bc869b6e653942e0772135d0d5c938f1560aea64f96abff3af2995cb1cca32
SHA512
423db92c5b4c14df2e73d7dabe186cc6b36985d37d4664ddcdad96b4cc78aec25727c354c4379ea8d60d30da4757e29b1f52390192d49cd0d320e8df5a0b323e
-
Filesize
483KB
MD5
e4b6a530b1112a07eefcf3226e6f36ac
SHA1
18bf710eddb1b87c7f9b478cf1cf1676bcf31498
SHA256
dcaeb30a72fe276b36d881283025759751dc562df0273630bdc83f26243a6e85
SHA512
4e95ab434b8ff88fd82adf9f52da7d7a450261de24b50a88cca6aa675cc4bf5cb32539163b41c52290881e615894cd25856280695d6deff0e98d242394a02c74
-
Filesize
483KB
MD5
9f53b13a7612ca308dbad27326662bfe
SHA1
844f40c6b764e6926285f4bc78f18357a197eb8c
SHA256
074c2971a6d86e9c1233315212b40ad5e2d21e3552ebf5a68fc8bd008bb896ec
SHA512
1267e37f5144aaf38c55e8a9002a2f67202fa0beabe590f57f9434e403a35c5ed1f85eb5bfc5146213083bc2a7d356c1fff8a9f45afa35a6a404f4e67743a7b8
-
Filesize
483KB
MD5
694b3ad2cdc100e39ef568175de75834
SHA1
569886a656767b662f774135a69e4af848588fd9
SHA256
500454c1e160873338834ae8ceee2d6d8e5d58b4b4de02216a54b6af70717b44
SHA512
57c26b3f08284a087b6307a6dc0725d9d857185d8677153b4c89e85bc155f6b4b1d871ac0efe9cdce1505f3650c5692295fc1b1a650540201495e36efbe17a0f
-
Filesize
483KB
MD5
7701a5f47eb26881870132810743dee5
SHA1
3cb6d824d76038f11dc69986bac66be6dc76bd9b
SHA256
09982e9c23f6d1e244857c83ad6947a83a276a98e41184888465a337118d80ce
SHA512
b630eebfd20f5c55ffe84e4c1dd15905bc2b511668a9280a5456d6faf51aaac9deb19a4c1ceccad5043ac2fd16f45bae88e59120bf2ba97de62be59bc1f69720
-
Filesize
483KB
MD5
adb710cfbaeb124ed2071abdc83c060d
SHA1
34032627f26b73218effd890d5262c1365939a20
SHA256
52533e7b2c20e12de4a4914c45b982c9262a79737b0c69cf6e011d452ecac770
SHA512
52bf812b0b8a57320d179d077e0fe1ffb63342b3ea0e1506484aad0b4c1b3379b775c39827e5fee2d1b11b96d6692cec58a080de6d01ab69431bcfdec8558c92
-
Filesize
483KB
MD5
cc735360f30b810a477416b7136163a8
SHA1
b11f664e9672aca0baf17d503369006e27139c22
SHA256
bd5a0012ef3fd6ce18d3ff31d25f8fa38ef5e586923eee228a47f5c3d7203b29
SHA512
65d02655f9cc13da99e776cded736c8865caf8fb433813819e049b72c0fd38fe233bc442067c04b71a00f85cdf4e38e9c1f9deec53ab2ce2cfdfbb907005c929
-
Filesize
483KB
MD5
df5367e5a4a81797aaa4329cf1ccffc9
SHA1
b0076f0b45a780a35b7450d8157693bae168a70b
SHA256
ddfb6b38d8c4931f3343074aa25aab7d57ab684cf1e9e3ea61425c9e741fa60c
SHA512
aa7dafdfd16c614c34d51a0f2882488112cc8dec485e012e96210e5c7571fc983395f19a821a7dbbdf3acb29d7fcd5b30d22c6a304571d8ea69bf8bbea980770
-
Filesize
483KB
MD5
5781c4654ef7e7045d027c2d7f7186e4
SHA1
a04a0408a533d2fc295b420beeac37ee0c91e876
SHA256
80c88635a1036a0c8cba2306285292f8d65ca7a6aae75a7da01f68146c3027af
SHA512
bb7ecc90c721248bff9b8acc80fb46cecd24c223566966a30f8002cd829b562ae4dbba20b9e4a3483e15cdbf8cc821c84b2b8246e633e59332e17b2554f8ca3d
-
Filesize
483KB
MD5
b6b34af828c70506bb95a0b88017ce8f
SHA1
9004b0441d002731487d740b2e4fd920d461e750
SHA256
df61acce046f1f80c477c824a7b96afc9b5a6ed2628cf00bce5ac018094f9803
SHA512
4e800161bccc48cce788826f38838c000f75b934eb0c8c7ebd86a68c0bb4e78fe268641317550aac95b11a170213e0562d02f39013fa6a80c2585834654bfe2f
-
Filesize
483KB
MD5
87f29e43c9ba7148e59e0587449ee78c
SHA1
7e9fd895e292a3d2261e2f1797d4d0610fda1ef3
SHA256
7096d8ae03f131a3f4b0afdffa63f0e5357c784fb882880d248a1a3fc59eee5e
SHA512
32380bd6d3c5fdd677d8b3ed77fe7f9eb4510f5ac0e19bb3fab343193423db42c598b40f4d56e802c43f96dee8d440de1c1e38f626ae46139aac04f493c2adb2
-
Filesize
483KB
MD5
9e72902778473be743411574027647bc
SHA1
66331d1e174036261647822785186f345c03e106
SHA256
710b8afb8fde400d605bd0f0a0f245fcfe9da97590ef8931c58554e4f6087c9c
SHA512
9b29dd9191daeac1f97ec05b1c55b11d681dafe201801af24eab56c3c3144f96e824a7d0ea88dd5327b63d08685f973dfbb78dd664d10ba8463a76c50404b8fe
-
Filesize
483KB
MD5
df33a2ec047fea81ec05cad95daeb86c
SHA1
eb564740f4dfb3e86652663906ec2badcaa6a0d0
SHA256
dc84ad496a70f866aa36b4a665b6fc6712c94cde1ef6f4fcebf2ce9d6807f7d3
SHA512
09f7423c3b1e04dfbcb768bfde1768ac128b699368dffb1f433da9a3c72b7492402d6c18db4cfe061f63f7955f3245ed111041e9966f950f2e03c7f13109aac6
-
Filesize
483KB
MD5
acfdabdfaefa381167f9f19c4ff426cd
SHA1
03e0f31d6c98b063fb1cde6207fe8c366e0e26e8
SHA256
091fd505ccb7a36d0557c7a58d7d07d379a4603331ed2397e30ea1ce8c1f7ffe
SHA512
45d8edd72f2e23e574f004ab3d0c129497800f1b2acc235cc3f579ee7509b989a5487133b93681ed63ed412c363ee62808de2eea8be45eabfb8a37fa66de4535
-
Filesize
483KB
MD5
92cc718f390ca2b2b4acdccc15593ee4
SHA1
ee5178793e6673fbae57484e96ab0efc16392cfe
SHA256
10c0300e90797121aecb3d683d1fbfe1392c53943b39116076d57b75f0a1e282
SHA512
584bf3cd6b2e1d8803422f99a65293f1b92a2d808d6fc8d55c1b4142b8a822e67452a24950448dfedb1b5b1b802ee7a2998c4d4add88d414124e7d4af2b1111f
-
Filesize
483KB
MD5
aa1060c69c9536f08f31c3e935f42681
SHA1
66ff608fea548a029b8769c4f0a625b08f47a877
SHA256
5543cd9e2e3fb64397d3be719d8546baef296dfc8c30e6b5e5300443bbd2104a
SHA512
da5e1a0c1038fb6bc6f1a95ea2c0d0678f21993ec2e8cb60042e05a58defad13582c825fa792997ab65d8791d7a00d3c1b479f9e17dbb33f7b29fd80b6aa0d7e
-
Filesize
483KB
MD5
ed2f8e62c46228749a45086266100062
SHA1
4d39896697547a482f71aa4aa5d6348ce2cba307
SHA256
ddbe2a8c86ae6e3a30b90bac934a3dd9aaec97903aba08e9e101022795088e1c
SHA512
ab70198f46ef1df7c5d5d1edded3d152ad48372bff31a4ce55348d4e929582268c39e3d700203c4338bd79ff9c06e7e508fc8623b5beeb4628341622838d128f