Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 14:13
Static task
static1
Behavioral task
behavioral1
Sample
79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9aN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9aN.exe
Resource
win10v2004-20241007-en
General
-
Target
79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9aN.exe
-
Size
64KB
-
MD5
34ef8965b125e8950c4fa40dedbcfad0
-
SHA1
f3984a41b58e579c1d18a0f07cd977990e5f5c1b
-
SHA256
79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9a
-
SHA512
f9eaf8cb5e6d0e904125877a644c63b75ad614467e83af29acbb2e1a418251611511aaebda36ad086a0357ee65435706b75b6717fc05e9ffd27612e369c849ce
-
SSDEEP
1536:2OO7Ljcgs5ypjRxDA1XGg/XsnTO3kWy6NrPFW2iwTbW:nO7LsyhDcX/Xs+kXQFW2VTbW
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdinljnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfdmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahqddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dblgpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjcajjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejalcgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhihdcbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fielph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgnkkbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklphekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhmeapmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipmbjgpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knalji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doaneiop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipbdikp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglmio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggahedjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgabcge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdkpma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgjejhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjnkcekm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehailbaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inqbclob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlihle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chglab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmagnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfjka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgenbfoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjellmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiieicml.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3808 Cjinkg32.exe 5028 Cabfga32.exe 4076 Cdabcm32.exe 3256 Cjkjpgfi.exe 3532 Caebma32.exe 4276 Cdcoim32.exe 1952 Cfbkeh32.exe 2792 Cnicfe32.exe 1984 Cagobalc.exe 2332 Cdfkolkf.exe 4860 Cfdhkhjj.exe 2384 Cajlhqjp.exe 1480 Chcddk32.exe 2416 Cjbpaf32.exe 2304 Calhnpgn.exe 2348 Dhfajjoj.exe 1860 Danecp32.exe 3488 Dhhnpjmh.exe 880 Dfknkg32.exe 4080 Daqbip32.exe 3752 Ddonekbl.exe 1528 Dodbbdbb.exe 4508 Ddakjkqi.exe 3928 Dkkcge32.exe 836 Deagdn32.exe 3224 Dhocqigp.exe 4316 Dahhio32.exe 4844 Edfdej32.exe 2200 Ekpmbddq.exe 4552 Emoinpcd.exe 2500 Ehdmlhcj.exe 4420 Eonehbjg.exe 5036 Eehnem32.exe 3992 Ehfjah32.exe 4636 Ekefmc32.exe 4324 Eaonjngh.exe 1560 Ehiffh32.exe 3768 Eobocb32.exe 1072 Eaakpm32.exe 1844 Ehkclgmb.exe 4580 Ekiohclf.exe 2944 Eachem32.exe 3492 Fdbdah32.exe 60 Fhmpagkp.exe 4060 Fddqghpd.exe 3296 Fknicb32.exe 1668 Fahaplon.exe 5116 Fhbimf32.exe 1868 Fgeihcme.exe 3712 Fdijbg32.exe 4132 Fnaokmco.exe 5100 Fehfljca.exe 4588 Fgjccb32.exe 3852 Fnckpmql.exe 1360 Gdncmghi.exe 3328 Ghipne32.exe 4416 Gkglja32.exe 1640 Gnfhfl32.exe 3176 Gempgj32.exe 4036 Ghklce32.exe 3184 Ggnlobej.exe 4708 Goedpofl.exe 2164 Gadqlkep.exe 400 Gepmlimi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Efjimhnh.exe Eleepoob.exe File created C:\Windows\SysWOW64\Ibcaknbi.exe Iohejo32.exe File created C:\Windows\SysWOW64\Iomoenej.exe Imkbnf32.exe File created C:\Windows\SysWOW64\Hlnchmib.dll Fhbimf32.exe File opened for modification C:\Windows\SysWOW64\Ihpcinld.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oophlo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Alpbecod.exe Ahdged32.exe File created C:\Windows\SysWOW64\Edqnimdf.dll Kjgeedch.exe File created C:\Windows\SysWOW64\Phdnngdn.exe Pajeam32.exe File created C:\Windows\SysWOW64\Dannpknl.dll Nmipdk32.exe File created C:\Windows\SysWOW64\Ojnfihmo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jhlgfj32.exe Jbaojpgb.exe File created C:\Windows\SysWOW64\Onnmdcjm.exe Oloahhki.exe File opened for modification C:\Windows\SysWOW64\Iiopca32.exe Process not Found File created C:\Windows\SysWOW64\Bcodim32.dll Nknobkje.exe File created C:\Windows\SysWOW64\Jjgchm32.exe Igigla32.exe File created C:\Windows\SysWOW64\Amdomd32.dll Cfbcke32.exe File created C:\Windows\SysWOW64\Ccegac32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gphgbafl.exe Gnjjfegi.exe File created C:\Windows\SysWOW64\Hkpnbd32.dll Aahbbkaq.exe File opened for modification C:\Windows\SysWOW64\Efjbcakl.exe Enbjad32.exe File opened for modification C:\Windows\SysWOW64\Oaifpi32.exe Onkidm32.exe File created C:\Windows\SysWOW64\Qjfmkk32.exe Qhhpop32.exe File opened for modification C:\Windows\SysWOW64\Ifihif32.exe Ioopml32.exe File opened for modification C:\Windows\SysWOW64\Kppici32.exe Jghabl32.exe File created C:\Windows\SysWOW64\Pnpban32.dll Kenggi32.exe File created C:\Windows\SysWOW64\Lacdmh32.exe Llflea32.exe File created C:\Windows\SysWOW64\Khbiello.exe Process not Found File created C:\Windows\SysWOW64\Joiccj32.exe Jgakbm32.exe File opened for modification C:\Windows\SysWOW64\Djdflp32.exe Dfhjkabi.exe File created C:\Windows\SysWOW64\Emphocjj.exe Ejalcgkg.exe File created C:\Windows\SysWOW64\Igbalblk.exe Idcepgmg.exe File opened for modification C:\Windows\SysWOW64\Liqihglg.exe Lajagj32.exe File created C:\Windows\SysWOW64\Ddooacnk.dll Ikkpgafg.exe File created C:\Windows\SysWOW64\Ppahmb32.exe Pnplfj32.exe File opened for modification C:\Windows\SysWOW64\Jafdcbge.exe Process not Found File created C:\Windows\SysWOW64\Cqpnpgeo.dll Mfaqhp32.exe File opened for modification C:\Windows\SysWOW64\Lekmnajj.exe Lmdemd32.exe File created C:\Windows\SysWOW64\Anhaoj32.dll Process not Found File created C:\Windows\SysWOW64\Mlklkgei.exe Mimpolee.exe File opened for modification C:\Windows\SysWOW64\Hkeaqi32.exe Hhfedm32.exe File created C:\Windows\SysWOW64\Blhdmebn.dll Kecabifp.exe File created C:\Windows\SysWOW64\Mmgdfa32.dll Qfpbmfdf.exe File created C:\Windows\SysWOW64\Mehcdfch.exe Mnnkgl32.exe File created C:\Windows\SysWOW64\Mlofcf32.exe Process not Found File created C:\Windows\SysWOW64\Cdpagn32.dll Goljqnpd.exe File created C:\Windows\SysWOW64\Ipbehfom.dll Ljnlecmp.exe File opened for modification C:\Windows\SysWOW64\Mpclce32.exe Process not Found File created C:\Windows\SysWOW64\Dodbbdbb.exe Ddonekbl.exe File created C:\Windows\SysWOW64\Moefhk32.dll Pedbahod.exe File created C:\Windows\SysWOW64\Bkaobnio.exe Bdgged32.exe File created C:\Windows\SysWOW64\Dmjhenbq.dll Klkcdj32.exe File created C:\Windows\SysWOW64\Hhfedm32.exe Hjedffig.exe File created C:\Windows\SysWOW64\Eiohdo32.dll Hlambk32.exe File created C:\Windows\SysWOW64\Lgjijmin.exe Lekmnajj.exe File opened for modification C:\Windows\SysWOW64\Akglloai.exe Ahippdbe.exe File created C:\Windows\SysWOW64\Nelfeo32.exe Nmenca32.exe File created C:\Windows\SysWOW64\Egcaod32.exe Process not Found File created C:\Windows\SysWOW64\Gbnblldi.dll Process not Found File created C:\Windows\SysWOW64\Dhomfc32.exe Dpgeee32.exe File opened for modification C:\Windows\SysWOW64\Jnlkedai.exe Jgbchj32.exe File created C:\Windows\SysWOW64\Loacdc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ohkbbn32.exe Oemefcap.exe File opened for modification C:\Windows\SysWOW64\Pcepkfld.exe Pkogiikb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10628 9496 Process not Found 1394 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplkmckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfadkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmmjbkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgplado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadfkdgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohaeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dikihe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdffbake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafcqcea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmniml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgjejhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkcge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdncmghi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjamia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhoqeibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndjndbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knalji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcgiefen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodbbdbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nomncpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpqnneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnlobej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjopcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhgbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmohno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoadkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjmnjqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jglklggl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeeabda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahnhhod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najceeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oboijgbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfqmpl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhepbll.dll" Dcigeooj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcmbee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbpccql.dll" Fgjccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikcdlmgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ploknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknamej.dll" Jglklggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohhnbhok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll" Ohhnbhok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjola32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghabl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppopjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnlinml.dll" Innfnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jieagojp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpodlbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiodpebj.dll" Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocoick32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibkpcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbbkfoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Codhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdhhc32.dll" Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjppk32.dll" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nemmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgbdbqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opqofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpqodfij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodabb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbfdekd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbhpb32.dll" Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feaabknn.dll" Peieba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgnbaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papambbb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkglja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbmpk32.dll" Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdoacabq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahdiml.dll" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eobocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Flngfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkaobnio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4352 wrote to memory of 3808 4352 79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9aN.exe 83 PID 4352 wrote to memory of 3808 4352 79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9aN.exe 83 PID 4352 wrote to memory of 3808 4352 79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9aN.exe 83 PID 3808 wrote to memory of 5028 3808 Cjinkg32.exe 84 PID 3808 wrote to memory of 5028 3808 Cjinkg32.exe 84 PID 3808 wrote to memory of 5028 3808 Cjinkg32.exe 84 PID 5028 wrote to memory of 4076 5028 Cabfga32.exe 85 PID 5028 wrote to memory of 4076 5028 Cabfga32.exe 85 PID 5028 wrote to memory of 4076 5028 Cabfga32.exe 85 PID 4076 wrote to memory of 3256 4076 Cdabcm32.exe 86 PID 4076 wrote to memory of 3256 4076 Cdabcm32.exe 86 PID 4076 wrote to memory of 3256 4076 Cdabcm32.exe 86 PID 3256 wrote to memory of 3532 3256 Cjkjpgfi.exe 87 PID 3256 wrote to memory of 3532 3256 Cjkjpgfi.exe 87 PID 3256 wrote to memory of 3532 3256 Cjkjpgfi.exe 87 PID 3532 wrote to memory of 4276 3532 Caebma32.exe 88 PID 3532 wrote to memory of 4276 3532 Caebma32.exe 88 PID 3532 wrote to memory of 4276 3532 Caebma32.exe 88 PID 4276 wrote to memory of 1952 4276 Cdcoim32.exe 89 PID 4276 wrote to memory of 1952 4276 Cdcoim32.exe 89 PID 4276 wrote to memory of 1952 4276 Cdcoim32.exe 89 PID 1952 wrote to memory of 2792 1952 Cfbkeh32.exe 90 PID 1952 wrote to memory of 2792 1952 Cfbkeh32.exe 90 PID 1952 wrote to memory of 2792 1952 Cfbkeh32.exe 90 PID 2792 wrote to memory of 1984 2792 Cnicfe32.exe 91 PID 2792 wrote to memory of 1984 2792 Cnicfe32.exe 91 PID 2792 wrote to memory of 1984 2792 Cnicfe32.exe 91 PID 1984 wrote to memory of 2332 1984 Cagobalc.exe 92 PID 1984 wrote to memory of 2332 1984 Cagobalc.exe 92 PID 1984 wrote to memory of 2332 1984 Cagobalc.exe 92 PID 2332 wrote to memory of 4860 2332 Cdfkolkf.exe 93 PID 2332 wrote to memory of 4860 2332 Cdfkolkf.exe 93 PID 2332 wrote to memory of 4860 2332 Cdfkolkf.exe 93 PID 4860 wrote to memory of 2384 4860 Cfdhkhjj.exe 95 PID 4860 wrote to memory of 2384 4860 Cfdhkhjj.exe 95 PID 4860 wrote to memory of 2384 4860 Cfdhkhjj.exe 95 PID 2384 wrote to memory of 1480 2384 Cajlhqjp.exe 96 PID 2384 wrote to memory of 1480 2384 Cajlhqjp.exe 96 PID 2384 wrote to memory of 1480 2384 Cajlhqjp.exe 96 PID 1480 wrote to memory of 2416 1480 Chcddk32.exe 97 PID 1480 wrote to memory of 2416 1480 Chcddk32.exe 97 PID 1480 wrote to memory of 2416 1480 Chcddk32.exe 97 PID 2416 wrote to memory of 2304 2416 Cjbpaf32.exe 98 PID 2416 wrote to memory of 2304 2416 Cjbpaf32.exe 98 PID 2416 wrote to memory of 2304 2416 Cjbpaf32.exe 98 PID 2304 wrote to memory of 2348 2304 Calhnpgn.exe 100 PID 2304 wrote to memory of 2348 2304 Calhnpgn.exe 100 PID 2304 wrote to memory of 2348 2304 Calhnpgn.exe 100 PID 2348 wrote to memory of 1860 2348 Dhfajjoj.exe 101 PID 2348 wrote to memory of 1860 2348 Dhfajjoj.exe 101 PID 2348 wrote to memory of 1860 2348 Dhfajjoj.exe 101 PID 1860 wrote to memory of 3488 1860 Danecp32.exe 102 PID 1860 wrote to memory of 3488 1860 Danecp32.exe 102 PID 1860 wrote to memory of 3488 1860 Danecp32.exe 102 PID 3488 wrote to memory of 880 3488 Dhhnpjmh.exe 103 PID 3488 wrote to memory of 880 3488 Dhhnpjmh.exe 103 PID 3488 wrote to memory of 880 3488 Dhhnpjmh.exe 103 PID 880 wrote to memory of 4080 880 Dfknkg32.exe 104 PID 880 wrote to memory of 4080 880 Dfknkg32.exe 104 PID 880 wrote to memory of 4080 880 Dfknkg32.exe 104 PID 4080 wrote to memory of 3752 4080 Daqbip32.exe 105 PID 4080 wrote to memory of 3752 4080 Daqbip32.exe 105 PID 4080 wrote to memory of 3752 4080 Daqbip32.exe 105 PID 3752 wrote to memory of 1528 3752 Ddonekbl.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9aN.exe"C:\Users\Admin\AppData\Local\Temp\79f8acf09bf2b296a28d98d0de81f47e1a9570fdb6db3d451d0bdf924a63dc9aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe24⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe26⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe27⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe28⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe29⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe30⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe31⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe32⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe33⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe34⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe35⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe36⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe37⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe38⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3768 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe40⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe41⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe42⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe43⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe44⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe45⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe46⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe47⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe48⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe50⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe51⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe52⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe53⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4588 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe55⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe57⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe59⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe60⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe61⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3184 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe63⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe64⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe65⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe66⤵PID:1372
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe67⤵PID:4312
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe69⤵PID:704
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe70⤵PID:2004
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe71⤵PID:2272
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe72⤵PID:2320
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe73⤵
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe74⤵PID:5084
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe75⤵PID:3912
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe76⤵PID:968
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe77⤵PID:4568
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe78⤵PID:2388
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe79⤵PID:1740
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe80⤵PID:4156
-
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe81⤵PID:948
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1036 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe83⤵PID:3252
-
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe84⤵PID:3652
-
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1120 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe86⤵PID:4344
-
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe87⤵PID:5128
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe88⤵PID:5172
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe89⤵PID:5220
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe90⤵PID:5280
-
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe91⤵PID:5324
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe92⤵PID:5368
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe93⤵PID:5412
-
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe94⤵PID:5456
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe95⤵PID:5500
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe96⤵PID:5544
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe97⤵PID:5588
-
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe98⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe99⤵
- Modifies registry class
PID:5676 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe100⤵
- Drops file in System32 directory
PID:5720 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe101⤵PID:5764
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe102⤵PID:5808
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe103⤵PID:5852
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe105⤵PID:5940
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe106⤵PID:5988
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe107⤵PID:6032
-
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe108⤵PID:6076
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe109⤵
- Drops file in System32 directory
PID:6120 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe110⤵PID:5140
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe111⤵
- System Location Discovery: System Language Discovery
PID:5216 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe112⤵PID:5292
-
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe113⤵PID:5364
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5428 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe115⤵PID:3740
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe116⤵PID:5492
-
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe117⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe119⤵PID:5728
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe120⤵PID:5800
-
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe121⤵PID:5892
-
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe122⤵PID:5952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-