Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 21:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74.exe
Resource
win7-20241023-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74.exe
-
Size
84KB
-
MD5
8f08e68e81d5791ec7e854287dc91930
-
SHA1
5f562d52d8879c12dc58ca74faa1e67456f864de
-
SHA256
4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74
-
SHA512
56b3949dfdbc5efba72a43c7e90e97854b030e819354d29a96db0ddf2ce5d8675a62d9edfa7979b3574e9d08885ed2fbd5a22f73028876c32d03238fd4f0949a
-
SSDEEP
1536:/aG8/Q68S/W9EW7JO4o1nelLY4XSREXHfVPfMVwNKT1iqWUPGc4T7VLd:/mI/SEEbNdee4CREXdXNKT1ntPG9pB
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflibgil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljqhkckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenggi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Immapg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olckbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhidk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njinmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipmfjee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflcbngh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcdfbqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnlgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbcmakpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbadcpbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfokoelp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpqkcpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knflpoqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcbio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofmfmhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faenpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmndpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klgqcqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeokal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlnipg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbhoqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibpiogmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgonlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hienlpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanokhdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iejcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcclld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagflcje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qacameaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifjodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggeboaob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keonap32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4912 Hkfoeega.exe 1780 Hflcbngh.exe 4556 Hmfkoh32.exe 4304 Hodgkc32.exe 1632 Hbbdholl.exe 4560 Hmhhehlb.exe 1792 Hcbpab32.exe 3480 Hioiji32.exe 548 Hcdmga32.exe 4540 Hfcicmqp.exe 3672 Immapg32.exe 5012 Icgjmapi.exe 3184 Imoneg32.exe 4844 Iblfnn32.exe 2832 Iejcji32.exe 3716 Ildkgc32.exe 4492 Ifjodl32.exe 1696 Ipbdmaah.exe 1676 Ifllil32.exe 5048 Imfdff32.exe 4924 Ibcmom32.exe 1012 Jmhale32.exe 556 Jbeidl32.exe 1516 Jlnnmb32.exe 760 Jfcbjk32.exe 3724 Jcgbco32.exe 4300 Jmpgldhg.exe 3468 Jfhlejnh.exe 4468 Jmbdbd32.exe 3244 Jcllonma.exe 3996 Kemhff32.exe 2580 Klgqcqkl.exe 3264 Kdnidn32.exe 4848 Kfmepi32.exe 4460 Kikame32.exe 4840 Klimip32.exe 2212 Kbceejpf.exe 4464 Kfoafi32.exe 4044 Kmijbcpl.exe 3708 Kpgfooop.exe 924 Kbfbkj32.exe 1284 Kipkhdeq.exe 5084 Kmkfhc32.exe 2392 Kbhoqj32.exe 2320 Kefkme32.exe 1020 Lbjlfi32.exe 2356 Lmppcbjd.exe 4364 Lbmhlihl.exe 1156 Lekehdgp.exe 312 Ldleel32.exe 4400 Lenamdem.exe 1732 Lbabgh32.exe 5116 Lepncd32.exe 768 Lmgfda32.exe 4020 Lbdolh32.exe 2484 Lingibiq.exe 4000 Medgncoe.exe 4476 Mpjlklok.exe 4764 Mibpda32.exe 2880 Mdhdajea.exe 5080 Mmpijp32.exe 3252 Mpoefk32.exe 3892 Mmbfpp32.exe 380 Mdmnlj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebdijfii.dll Bjagjhnc.exe File opened for modification C:\Windows\SysWOW64\Gkjhoq32.exe Gdppbfff.exe File created C:\Windows\SysWOW64\Kaedkn32.dll Ljilqnlm.exe File created C:\Windows\SysWOW64\Apedgj32.dll Bbdhiojo.exe File opened for modification C:\Windows\SysWOW64\Oaqbkn32.exe Omegjomb.exe File created C:\Windows\SysWOW64\Ombnni32.dll Ljnlecmp.exe File created C:\Windows\SysWOW64\Bgolif32.dll Ajhniccb.exe File created C:\Windows\SysWOW64\Mfbhmo32.dll Boeebnhp.exe File created C:\Windows\SysWOW64\Ondhkbee.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nckndeni.exe Nlaegk32.exe File opened for modification C:\Windows\SysWOW64\Knkekn32.exe Kkmioc32.exe File created C:\Windows\SysWOW64\Hiikaj32.dll Nbcjnilj.exe File created C:\Windows\SysWOW64\Cgnomg32.exe Cpdgqmnb.exe File opened for modification C:\Windows\SysWOW64\Mpoefk32.exe Mmpijp32.exe File created C:\Windows\SysWOW64\Cimmggfl.exe Cfnqklgh.exe File created C:\Windows\SysWOW64\Geldkfpi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe Daqbip32.exe File opened for modification C:\Windows\SysWOW64\Emdajb32.exe Efjimhnh.exe File created C:\Windows\SysWOW64\Joqafgni.exe Process not Found File created C:\Windows\SysWOW64\Bgbdcgld.exe Boklbi32.exe File created C:\Windows\SysWOW64\Ohfaap32.dll Ohghgodi.exe File created C:\Windows\SysWOW64\Dfglfdkb.exe Domdjj32.exe File opened for modification C:\Windows\SysWOW64\Ekonpckp.exe Process not Found File created C:\Windows\SysWOW64\Aoalgn32.exe Akepfpcl.exe File created C:\Windows\SysWOW64\Kpjbdk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bmkcqn32.exe Biogppeg.exe File created C:\Windows\SysWOW64\Bbgeno32.exe Bkmmaeap.exe File created C:\Windows\SysWOW64\Njoddaaj.dll Ccdnjp32.exe File created C:\Windows\SysWOW64\Gaocia32.dll Ilccoh32.exe File created C:\Windows\SysWOW64\Ocoick32.dll Process not Found File created C:\Windows\SysWOW64\Momkkhch.dll Fdglmkeg.exe File opened for modification C:\Windows\SysWOW64\Hnbeeiji.exe Process not Found File created C:\Windows\SysWOW64\Adndoe32.exe Aekddhcb.exe File created C:\Windows\SysWOW64\Chqogq32.exe Cfbcke32.exe File created C:\Windows\SysWOW64\Hmhloljn.dll Hhnbpb32.exe File created C:\Windows\SysWOW64\Ajqgidij.exe Qlmgopjq.exe File opened for modification C:\Windows\SysWOW64\Biadeoce.exe Bjodjb32.exe File created C:\Windows\SysWOW64\Aafemk32.exe Qlimed32.exe File created C:\Windows\SysWOW64\Njmqnobn.exe Ngndaccj.exe File created C:\Windows\SysWOW64\Booogccm.dll Odmgcgbi.exe File created C:\Windows\SysWOW64\Ifolfj32.dll Npgabc32.exe File opened for modification C:\Windows\SysWOW64\Nihipdhl.exe Nbnpcj32.exe File opened for modification C:\Windows\SysWOW64\Akcjkfij.exe Afgacokc.exe File opened for modification C:\Windows\SysWOW64\Qmeigg32.exe Pdmdnadc.exe File created C:\Windows\SysWOW64\Dddllkbf.exe Process not Found File created C:\Windows\SysWOW64\Hioiji32.exe Hcbpab32.exe File created C:\Windows\SysWOW64\Aeddnp32.exe Acfhad32.exe File created C:\Windows\SysWOW64\Likage32.dll Process not Found File created C:\Windows\SysWOW64\Hmlgah32.dll Nbadcpbh.exe File opened for modification C:\Windows\SysWOW64\Ljnlecmp.exe Lcdciiec.exe File created C:\Windows\SysWOW64\Hfibla32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kndojobi.exe Kgjgne32.exe File opened for modification C:\Windows\SysWOW64\Cmjemflb.exe Cjliajmo.exe File opened for modification C:\Windows\SysWOW64\Eqdpgk32.exe Process not Found File created C:\Windows\SysWOW64\Hncfnebg.dll Gpcmga32.exe File created C:\Windows\SysWOW64\Nijeec32.exe Nbqmiinl.exe File created C:\Windows\SysWOW64\Melmcj32.dll Oehlkc32.exe File opened for modification C:\Windows\SysWOW64\Cfipef32.exe Coohhlpe.exe File opened for modification C:\Windows\SysWOW64\Ifleoe32.exe Ibpiogmp.exe File opened for modification C:\Windows\SysWOW64\Nimbkc32.exe Nbcjnilj.exe File created C:\Windows\SysWOW64\Lfgnho32.dll Process not Found File created C:\Windows\SysWOW64\Iejcji32.exe Iblfnn32.exe File created C:\Windows\SysWOW64\Keonap32.exe Knefeffd.exe File created C:\Windows\SysWOW64\Ddhmmpnk.dll Mlbkap32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11948 10600 Process not Found 1309 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepncd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbakghm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddhpjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcqpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acilajpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldamm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ennqfenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhpimhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefdbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqkqiai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnfjehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcoqocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpkflfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mniallpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qikgco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcclld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ildkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhhhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnbog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdkch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcjnilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpqkcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjnfkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkomneim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenggi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Madjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglipp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkgje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjdqmng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alpbecod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoadkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nheble32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaopfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbighjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplgeokq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbolp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aleckinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdmga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icgjmapi.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olcbmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoogfnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haedpe32.dll" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibclo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkjhoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhqihllh.dll" Jbgoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kikame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnocia32.dll" Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egijmegb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occgpjdk.dll" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfpecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhloljn.dll" Hhnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aopmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpkphjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idbodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinqbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgnomg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jodjhkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diicml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laqhhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holpib32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lingibiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdonfka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Likcilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhniccb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddligq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfooa32.dll" Hbpphi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnlnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hienlpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjakdno.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjcbkij.dll" Eajeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfdlg32.dll" Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilcldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll" Phajna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfiddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoadkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmenjlfh.dll" Hkfoeega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffmfadl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoplpla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eplgeokq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdmein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nagiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkibhn32.dll" Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djdflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdamgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfcdnjc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1264 wrote to memory of 4912 1264 4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74.exe 83 PID 1264 wrote to memory of 4912 1264 4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74.exe 83 PID 1264 wrote to memory of 4912 1264 4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74.exe 83 PID 4912 wrote to memory of 1780 4912 Hkfoeega.exe 84 PID 4912 wrote to memory of 1780 4912 Hkfoeega.exe 84 PID 4912 wrote to memory of 1780 4912 Hkfoeega.exe 84 PID 1780 wrote to memory of 4556 1780 Hflcbngh.exe 85 PID 1780 wrote to memory of 4556 1780 Hflcbngh.exe 85 PID 1780 wrote to memory of 4556 1780 Hflcbngh.exe 85 PID 4556 wrote to memory of 4304 4556 Hmfkoh32.exe 86 PID 4556 wrote to memory of 4304 4556 Hmfkoh32.exe 86 PID 4556 wrote to memory of 4304 4556 Hmfkoh32.exe 86 PID 4304 wrote to memory of 1632 4304 Hodgkc32.exe 87 PID 4304 wrote to memory of 1632 4304 Hodgkc32.exe 87 PID 4304 wrote to memory of 1632 4304 Hodgkc32.exe 87 PID 1632 wrote to memory of 4560 1632 Hbbdholl.exe 88 PID 1632 wrote to memory of 4560 1632 Hbbdholl.exe 88 PID 1632 wrote to memory of 4560 1632 Hbbdholl.exe 88 PID 4560 wrote to memory of 1792 4560 Hmhhehlb.exe 89 PID 4560 wrote to memory of 1792 4560 Hmhhehlb.exe 89 PID 4560 wrote to memory of 1792 4560 Hmhhehlb.exe 89 PID 1792 wrote to memory of 3480 1792 Hcbpab32.exe 90 PID 1792 wrote to memory of 3480 1792 Hcbpab32.exe 90 PID 1792 wrote to memory of 3480 1792 Hcbpab32.exe 90 PID 3480 wrote to memory of 548 3480 Hioiji32.exe 91 PID 3480 wrote to memory of 548 3480 Hioiji32.exe 91 PID 3480 wrote to memory of 548 3480 Hioiji32.exe 91 PID 548 wrote to memory of 4540 548 Hcdmga32.exe 92 PID 548 wrote to memory of 4540 548 Hcdmga32.exe 92 PID 548 wrote to memory of 4540 548 Hcdmga32.exe 92 PID 4540 wrote to memory of 3672 4540 Hfcicmqp.exe 93 PID 4540 wrote to memory of 3672 4540 Hfcicmqp.exe 93 PID 4540 wrote to memory of 3672 4540 Hfcicmqp.exe 93 PID 3672 wrote to memory of 5012 3672 Immapg32.exe 94 PID 3672 wrote to memory of 5012 3672 Immapg32.exe 94 PID 3672 wrote to memory of 5012 3672 Immapg32.exe 94 PID 5012 wrote to memory of 3184 5012 Icgjmapi.exe 95 PID 5012 wrote to memory of 3184 5012 Icgjmapi.exe 95 PID 5012 wrote to memory of 3184 5012 Icgjmapi.exe 95 PID 3184 wrote to memory of 4844 3184 Imoneg32.exe 96 PID 3184 wrote to memory of 4844 3184 Imoneg32.exe 96 PID 3184 wrote to memory of 4844 3184 Imoneg32.exe 96 PID 4844 wrote to memory of 2832 4844 Iblfnn32.exe 97 PID 4844 wrote to memory of 2832 4844 Iblfnn32.exe 97 PID 4844 wrote to memory of 2832 4844 Iblfnn32.exe 97 PID 2832 wrote to memory of 3716 2832 Iejcji32.exe 98 PID 2832 wrote to memory of 3716 2832 Iejcji32.exe 98 PID 2832 wrote to memory of 3716 2832 Iejcji32.exe 98 PID 3716 wrote to memory of 4492 3716 Ildkgc32.exe 99 PID 3716 wrote to memory of 4492 3716 Ildkgc32.exe 99 PID 3716 wrote to memory of 4492 3716 Ildkgc32.exe 99 PID 4492 wrote to memory of 1696 4492 Ifjodl32.exe 100 PID 4492 wrote to memory of 1696 4492 Ifjodl32.exe 100 PID 4492 wrote to memory of 1696 4492 Ifjodl32.exe 100 PID 1696 wrote to memory of 1676 1696 Ipbdmaah.exe 101 PID 1696 wrote to memory of 1676 1696 Ipbdmaah.exe 101 PID 1696 wrote to memory of 1676 1696 Ipbdmaah.exe 101 PID 1676 wrote to memory of 5048 1676 Ifllil32.exe 102 PID 1676 wrote to memory of 5048 1676 Ifllil32.exe 102 PID 1676 wrote to memory of 5048 1676 Ifllil32.exe 102 PID 5048 wrote to memory of 4924 5048 Imfdff32.exe 103 PID 5048 wrote to memory of 4924 5048 Imfdff32.exe 103 PID 5048 wrote to memory of 4924 5048 Imfdff32.exe 103 PID 4924 wrote to memory of 1012 4924 Ibcmom32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74.exe"C:\Users\Admin\AppData\Local\Temp\4014e52ccf965b4add4a61cfdb38164f5eb492cd3f46f70e3444d238ef554a74.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Ifjodl32.exeC:\Windows\system32\Ifjodl32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Imfdff32.exeC:\Windows\system32\Imfdff32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe23⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe24⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe25⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe26⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe27⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe28⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe29⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe30⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe31⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe32⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe34⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe35⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe37⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe38⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe39⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe40⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe41⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe42⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe43⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe44⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe46⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe47⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe48⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe49⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe50⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe51⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe52⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe53⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5116 -
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe55⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe56⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe58⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe59⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe60⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe61⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5080 -
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe63⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe64⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe65⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe66⤵PID:5036
-
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe67⤵PID:5052
-
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe68⤵PID:1896
-
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe69⤵PID:1028
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe70⤵PID:2512
-
C:\Windows\SysWOW64\Nphhmj32.exeC:\Windows\system32\Nphhmj32.exe71⤵PID:3904
-
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe72⤵PID:1956
-
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe73⤵PID:116
-
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe74⤵PID:1468
-
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe75⤵PID:4992
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe76⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe77⤵PID:1672
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe78⤵PID:884
-
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe79⤵PID:4940
-
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe80⤵
- Modifies registry class
PID:5064 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe81⤵PID:1172
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe82⤵PID:4452
-
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe83⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe84⤵PID:972
-
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe85⤵PID:4592
-
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe86⤵PID:4976
-
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe87⤵PID:5016
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe88⤵PID:4012
-
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe89⤵PID:4528
-
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe90⤵PID:1608
-
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe91⤵PID:756
-
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe92⤵PID:2112
-
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe93⤵PID:1184
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe94⤵PID:4228
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe95⤵PID:2084
-
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe96⤵
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe97⤵PID:1960
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe98⤵PID:2128
-
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe99⤵PID:4904
-
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe100⤵PID:4632
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe101⤵PID:2940
-
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe102⤵PID:4260
-
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe103⤵PID:3104
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe104⤵PID:224
-
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe105⤵PID:4916
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe106⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe107⤵PID:1392
-
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe108⤵PID:5152
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe109⤵PID:5208
-
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe110⤵PID:5256
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe111⤵PID:5300
-
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe112⤵PID:5344
-
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe113⤵PID:5388
-
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe114⤵PID:5432
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe115⤵PID:5476
-
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe117⤵PID:5560
-
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe118⤵PID:5600
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe119⤵PID:5644
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5688 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-