Analysis
max time kernel: 95s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2025 13:36
Behavioral task: behavioral1
Sample: d48c888780fa38d14a3b9ff7fd4c0cd19b20f25b28e33d51497286cc6faa605c.exe
Resource: win7-20240903-en
General
Target: d48c888780fa38d14a3b9ff7fd4c0cd19b20f25b28e33d51497286cc6faa605c.exe
Size: 93KB
MD5: 18a4a2bf97b26f05621244aa0d663195
SHA1: b88e5d9b9958632a42def22fbb99a1f22ddd4652
SHA256: d48c888780fa38d14a3b9ff7fd4c0cd19b20f25b28e33d51497286cc6faa605c
SHA512: ae8a0d3428162c1442ebf849eb80bec1066c7faff90d01fa0e317a451a42f84367b77773b2ede6120314448fe38b0f173b04921272a42b8f034af5f790958bac
SSDEEP: 1536:YVZau9OyxO2sbrJbAAASAcrFWfIjq0pZBk1DaYfMZRWuLsV+1b:gZaW1sbrJbAVcrlO0pZ6gYfc0DV+1b
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Njrat family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 7232, pid_target: 7052, Process: Process not Found, procid_target: 1411
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree as recorded by the sandbox. Each entry is a child of the one above it (the number is its depth in the chain), followed by the image path, the PID and the signatures that process triggered. The command line recorded for every dropped executable is C:\Windows\system32\<name>; the resolved image path is the SysWOW64 copy shown below.
1. C:\Users\Admin\AppData\Local\Temp\d48c888780fa38d14a3b9ff7fd4c0cd19b20f25b28e33d51497286cc6faa605c.exe, command line "C:\Users\Admin\AppData\Local\Temp\d48c888780fa38d14a3b9ff7fd4c0cd19b20f25b28e33d51497286cc6faa605c.exe" (PID 2368): Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Fhaplo32.exe (PID 5100): Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fokhiibo.exe (PID 3024): Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Feeqec32.exe (PID 3964): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Fgfmmlpj.exe (PID 764): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Foneni32.exe (PID 3236): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fehmkchi.exe (PID 4912): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Fhfjgogm.exe (PID 4248): Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Fopbdi32.exe (PID 3556): Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Fannpd32.exe (PID 4408): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Fhhfmnej.exe (PID 3532): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Foboih32.exe (PID 4100): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ghkcbn32.exe (PID 3616): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Goekohjd.exe (PID 4600): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Gdadgohl.exe (PID 5000): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Goghdhhb.exe (PID 640): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Geapabpo.exe (PID 2412): Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ggbmij32.exe (PID 4920): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Gnleedmj.exe (PID 1852): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Gecmganl.exe (PID 2560): Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ggdinj32.exe (PID 2284): Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Golapg32.exe (PID 688): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Gffjla32.exe (PID 1196): Executes dropped EXE
24. C:\Windows\SysWOW64\Gggfdiag.exe (PID 5076): Executes dropped EXE
25. C:\Windows\SysWOW64\Gkbbdh32.exe (PID 2628): Executes dropped EXE
26. C:\Windows\SysWOW64\Gonnegbj.exe (PID 2012): Executes dropped EXE
27. C:\Windows\SysWOW64\Hfhfba32.exe (PID 4432): Executes dropped EXE
28. C:\Windows\SysWOW64\Hhfbnl32.exe (PID 2116): Executes dropped EXE
29. C:\Windows\SysWOW64\Hgiciipe.exe (PID 1768): Executes dropped EXE
30. C:\Windows\SysWOW64\Hoqkkfpg.exe (PID 4092): Executes dropped EXE
31. C:\Windows\SysWOW64\Hfjcgq32.exe (PID 3180): Executes dropped EXE
32. C:\Windows\SysWOW64\Hglpoi32.exe (PID 4556): Executes dropped EXE
33. C:\Windows\SysWOW64\Hkglpgfk.exe (PID 1832): Executes dropped EXE
34. C:\Windows\SysWOW64\Hnehlceo.exe (PID 3044): Executes dropped EXE
35. C:\Windows\SysWOW64\Hdpphm32.exe (PID 4960): Executes dropped EXE
36. C:\Windows\SysWOW64\Hgnldh32.exe (PID 3708): Executes dropped EXE; Modifies registry class
37. C:\Windows\SysWOW64\Hdbmnm32.exe (PID 3712): Executes dropped EXE
38. C:\Windows\SysWOW64\Hnjagb32.exe (PID 3352): Executes dropped EXE
39. C:\Windows\SysWOW64\Hhpedk32.exe (PID 2476): Executes dropped EXE
40. C:\Windows\SysWOW64\Hknapf32.exe (PID 2736): Executes dropped EXE
41. C:\Windows\SysWOW64\Hbhjmqgp.exe (PID 4368): Executes dropped EXE
42. C:\Windows\SysWOW64\Ihbbjk32.exe (PID 2072): Executes dropped EXE
43. C:\Windows\SysWOW64\Ioljfe32.exe (PID 876): Executes dropped EXE
44. C:\Windows\SysWOW64\Ibjgbp32.exe (PID 4240): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
45. C:\Windows\SysWOW64\Idicol32.exe (PID 3304): Executes dropped EXE
46. C:\Windows\SysWOW64\Ikckkfln.exe (PID 4484): Executes dropped EXE
47. C:\Windows\SysWOW64\Ibmchp32.exe (PID 3668): Executes dropped EXE
48. C:\Windows\SysWOW64\Idkpdk32.exe (PID 3412): Executes dropped EXE
49. C:\Windows\SysWOW64\Iiglejjg.exe (PID 3452): Executes dropped EXE
50. C:\Windows\SysWOW64\Ioadadbd.exe (PID 3104): Executes dropped EXE
51. C:\Windows\SysWOW64\Ibopnpah.exe (PID 4752): Executes dropped EXE
52. C:\Windows\SysWOW64\Iiihjj32.exe (PID 4488): Executes dropped EXE
53. C:\Windows\SysWOW64\Iocqgdpb.exe (PID 2584): Executes dropped EXE; Drops file in System32 directory
54. C:\Windows\SysWOW64\Infabq32.exe (PID 4552): Executes dropped EXE
55. C:\Windows\SysWOW64\Iepiokni.exe (PID 2420): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
56. C:\Windows\SysWOW64\Iilepi32.exe (PID 2632): Executes dropped EXE
57. C:\Windows\SysWOW64\Ioemmcno.exe (PID 2980): Executes dropped EXE
58. C:\Windows\SysWOW64\Jbdiio32.exe (PID 1264): Executes dropped EXE; Modifies registry class
59. C:\Windows\SysWOW64\Jgqbaf32.exe (PID 992): Executes dropped EXE
60. C:\Windows\SysWOW64\Jbffno32.exe (PID 216): Executes dropped EXE
61. C:\Windows\SysWOW64\Jfbbomci.exe (PID 2196): Executes dropped EXE
62. C:\Windows\SysWOW64\Jkokgdaq.exe (PID 4984): Executes dropped EXE
63. C:\Windows\SysWOW64\Jnmgcpqd.exe (PID 4504): Executes dropped EXE
64. C:\Windows\SysWOW64\Jegopjha.exe (PID 3504): Executes dropped EXE
65. C:\Windows\SysWOW64\Jgeklege.exe (PID 5072): Executes dropped EXE
66. C:\Windows\SysWOW64\Jpmcmbhg.exe (PID 3952)
67. C:\Windows\SysWOW64\Jffljm32.exe (PID 3052)
68. C:\Windows\SysWOW64\Jghhaeeb.exe (PID 4856)
69. C:\Windows\SysWOW64\Jpopcbfd.exe (PID 4608)
70. C:\Windows\SysWOW64\Jbmloneh.exe (PID 1464)
71. C:\Windows\SysWOW64\Jfihplma.exe (PID 4744)
72. C:\Windows\SysWOW64\Jleahcki.exe (PID 4732): Modifies registry class
73. C:\Windows\SysWOW64\Kndmdojl.exe (PID 4824)
74. C:\Windows\SysWOW64\Keneqi32.exe (PID 4588)
75. C:\Windows\SysWOW64\Klhnmcif.exe (PID 1676)
76. C:\Windows\SysWOW64\Kbbfjm32.exe (PID 1304): Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Kilngg32.exe (PID 3988)
78. C:\Windows\SysWOW64\Kljjcb32.exe (PID 4180)
79. C:\Windows\SysWOW64\Kfpnpk32.exe (PID 2828)
80. C:\Windows\SysWOW64\Kebolhnd.exe (PID 2000)
81. C:\Windows\SysWOW64\Khakhcmg.exe (PID 3092)
82. C:\Windows\SysWOW64\Kfbkfk32.exe (PID 4812)
83. C:\Windows\SysWOW64\Kiqgbf32.exe (PID 3164)
84. C:\Windows\SysWOW64\Kpkpoq32.exe (PID 1176)
85. C:\Windows\SysWOW64\Kfdhkkcd.exe (PID 1160)
86. C:\Windows\SysWOW64\Khfdcc32.exe (PID 4956)
87. C:\Windows\SysWOW64\Lnpmpmpo.exe (PID 3580)
88. C:\Windows\SysWOW64\Lejelg32.exe (PID 1632)
89. C:\Windows\SysWOW64\Lhhahb32.exe (PID 1700)
90. C:\Windows\SysWOW64\Lelabgfi.exe (PID 924)
91. C:\Windows\SysWOW64\Lhjnnbem.exe (PID 4360)
92. C:\Windows\SysWOW64\Lndfkl32.exe (PID 2680): Modifies registry class
93. C:\Windows\SysWOW64\Lflnlj32.exe (PID 64): Adds autorun key to be loaded by Explorer.exe on startup
94. C:\Windows\SysWOW64\Lhmjcbcj.exe (PID 2212)
95. C:\Windows\SysWOW64\Llhfdq32.exe (PID 556): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
96. C:\Windows\SysWOW64\Logbpljg.exe (PID 2780)
97. C:\Windows\SysWOW64\Lfnkaiki.exe (PID 3848)
98. C:\Windows\SysWOW64\Leqkmf32.exe (PID 5012)
99. C:\Windows\SysWOW64\Llkcjpiq.exe (PID 792)
100. C:\Windows\SysWOW64\Loioflhd.exe (PID 4644)
101. C:\Windows\SysWOW64\Lbekfj32.exe (PID 2192)
102. C:\Windows\SysWOW64\Lfpggiif.exe (PID 408)
103. C:\Windows\SysWOW64\Lioccdhj.exe (PID 5112): Adds autorun key to be loaded by Explorer.exe on startup
104. C:\Windows\SysWOW64\Mlmpopgn.exe (PID 2364)
105. C:\Windows\SysWOW64\Moklkkfa.exe (PID 1244)
106. C:\Windows\SysWOW64\Mfbdmi32.exe (PID 208)
107. C:\Windows\SysWOW64\Meedheno.exe (PID 4684)
108. C:\Windows\SysWOW64\Mhdqdamb.exe (PID 3460)
109. C:\Windows\SysWOW64\Mlomep32.exe (PID 4808)
110. C:\Windows\SysWOW64\Moniak32.exe (PID 4080)
111. C:\Windows\SysWOW64\Mfeabh32.exe (PID 4028)
112. C:\Windows\SysWOW64\Mehanell.exe (PID 5044)
113. C:\Windows\SysWOW64\Micmnd32.exe (PID 2608)
114. C:\Windows\SysWOW64\Mpmeknkb.exe (PID 4500)
115. C:\Windows\SysWOW64\Mblagi32.exe (PID 748)
116. C:\Windows\SysWOW64\Mejnce32.exe (PID 1756)
117. C:\Windows\SysWOW64\Mhhjop32.exe (PID 2092): Adds autorun key to be loaded by Explorer.exe on startup
118. C:\Windows\SysWOW64\Mldfpoaf.exe (PID 1860)
119. C:\Windows\SysWOW64\Mobbljpj.exe (PID 552): Drops file in System32 directory
120. C:\Windows\SysWOW64\Meljid32.exe (PID 2884)
121. C:\Windows\SysWOW64\Mhkgep32.exe (PID 5136): Drops file in System32 directory
122. C:\Windows\SysWOW64\Mlfbeooc.exe (PID 5180)