Analysis
-
max time kernel
114s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30/09/2024, 06:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe
-
Size
123KB
-
MD5
fbf88e096a09eee49a8dc2295049c840
-
SHA1
f8011b94a1e1f46e7ce2456128d39a0a4398ed91
-
SHA256
e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206
-
SHA512
32b81a7b3b14028cd729b64db9acb51186c9069f9825f46d526b4e9abd3cc7207b9b3752267c899311f8a83a553054bf61b75df7c55f89a255fbc96bd0d00463
-
SSDEEP
3072:jyjofaFXLivLDIJpGYJ5RYSa9rR85DEn5k7r8:esfaF7igJpn54rQD85k/8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppafpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icciccmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnhjig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecjpfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfhklabb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglcag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnljine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kicfijal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldnbdnlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkcmild.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplaaiqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbmqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neclpamg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogqmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acdeneij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odifjipd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopkkdgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aohbbqme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphdma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Capkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odgjdibf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlomemlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bplhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keekjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pklamb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bleebc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Didqkeeq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioicnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmifcjif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlicflic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbpij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdfpmoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedceddg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlqig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafacn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjaiac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Folkjnbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lihpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbhbbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpejlc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2144 Afqifo32.exe 2900 Apimodmh.exe 4740 Aeffgkkp.exe 1140 Aiabhj32.exe 500 Afeban32.exe 3036 Amoknh32.exe 2700 Bblcfo32.exe 412 Bmagch32.exe 1884 Bfjllnnm.exe 3596 Bmddihfj.exe 912 Blgddd32.exe 1688 Bpemkcck.exe 3584 Bmimdg32.exe 1740 Bpgjpb32.exe 3120 Blnjecfl.exe 3508 Cbhbbn32.exe 4320 Cbjogmlf.exe 3220 Clbdpc32.exe 4024 Cdjlap32.exe 2280 Cekhihig.exe 3108 Cemeoh32.exe 3028 Clgmkbna.exe 5080 Clijablo.exe 1368 Dbfoclai.exe 4184 Defheg32.exe 244 Didqkeeq.exe 1644 Ddjehneg.exe 2876 Epaemojk.exe 3428 Eennefib.exe 3960 Eljchpnl.exe 3416 Ephlnn32.exe 708 Elolco32.exe 4640 Fckaeioa.exe 4856 Fpoaom32.exe 1616 Fjgfgbek.exe 1288 Fcpkph32.exe 548 Fjjcmbci.exe 4444 Fcbgfhii.exe 4384 Fljlom32.exe 4940 Ffcpgcfj.exe 4680 Gcgqag32.exe 2028 Gnlenp32.exe 1916 Gfgjbb32.exe 552 Gdhjpjjd.exe 4304 Gnanioad.exe 1976 Gcngafol.exe 4708 Gmfkjl32.exe 4808 Hfnpca32.exe 3868 Hdppaidl.exe 3412 Hnhdjn32.exe 1604 Hdbmfhbi.exe 4180 Hmmakk32.exe 4208 Hjabdo32.exe 1816 Hdffah32.exe 3248 Hgebnc32.exe 2208 Hqmggi32.exe 3064 Hclccd32.exe 2256 Inagpm32.exe 3420 Iqpclh32.exe 2316 Icnphd32.exe 3348 Iqbpahpc.exe 3696 Ienlbf32.exe 840 Iglhob32.exe 1624 Ijjekn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lceajc32.dll Cdbmifdl.exe File opened for modification C:\Windows\SysWOW64\Gjmmfq32.exe Gcceifof.exe File created C:\Windows\SysWOW64\Gaklld32.dll Kanidd32.exe File created C:\Windows\SysWOW64\Bjpakhmh.dll Mffjnc32.exe File opened for modification C:\Windows\SysWOW64\Mikepg32.exe Mbamcm32.exe File created C:\Windows\SysWOW64\Gjpmlp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ofooqinh.exe Oljkcpnb.exe File created C:\Windows\SysWOW64\Mnjqhcno.exe Lhnhplpg.exe File opened for modification C:\Windows\SysWOW64\Njogdldg.exe Process not Found File created C:\Windows\SysWOW64\Qipjokik.exe Qbeaba32.exe File opened for modification C:\Windows\SysWOW64\Jmjojh32.exe Jkkbnl32.exe File created C:\Windows\SysWOW64\Ldbeqlcg.dll Dbfoclai.exe File created C:\Windows\SysWOW64\Hhehkepj.exe Hfgloiqf.exe File created C:\Windows\SysWOW64\Plgkpj32.dll Jqofippg.exe File created C:\Windows\SysWOW64\Cfoqghgc.dll Icdhdfcj.exe File opened for modification C:\Windows\SysWOW64\Qhofjbnl.exe Process not Found File created C:\Windows\SysWOW64\Cebllbcc.exe Process not Found File created C:\Windows\SysWOW64\Jjenfc32.dll Process not Found File created C:\Windows\SysWOW64\Fdegkdim.exe Process not Found File created C:\Windows\SysWOW64\Gdjgppkk.dll Hdbmfhbi.exe File created C:\Windows\SysWOW64\Bbpeghpe.exe Bndjfjhl.exe File created C:\Windows\SysWOW64\Bplmeg32.dll Ceehcc32.exe File opened for modification C:\Windows\SysWOW64\Hcpcehko.exe Process not Found File created C:\Windows\SysWOW64\Kdqecc32.exe Process not Found File created C:\Windows\SysWOW64\Qkakhakq.exe Pdgckg32.exe File opened for modification C:\Windows\SysWOW64\Kilphk32.exe Kfndlphp.exe File created C:\Windows\SysWOW64\Kkgepcpk.dll Kblkap32.exe File created C:\Windows\SysWOW64\Jlqmgaad.dll Cicjokll.exe File created C:\Windows\SysWOW64\Jfgnka32.exe Jchaoe32.exe File created C:\Windows\SysWOW64\Kopacfjh.dll Lglcag32.exe File opened for modification C:\Windows\SysWOW64\Ikcmmjkb.exe Iibaeb32.exe File created C:\Windows\SysWOW64\Ppphkq32.exe Process not Found File created C:\Windows\SysWOW64\Fddnkoig.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nehjmnei.exe Nnabladg.exe File opened for modification C:\Windows\SysWOW64\Jcgldl32.exe Iiaggc32.exe File created C:\Windows\SysWOW64\Jjqdafmp.exe Jcgldl32.exe File opened for modification C:\Windows\SysWOW64\Ooalibaf.exe Process not Found File created C:\Windows\SysWOW64\Gjikhb32.dll Fongpm32.exe File created C:\Windows\SysWOW64\Ldccid32.exe Lnikmjdm.exe File opened for modification C:\Windows\SysWOW64\Bmlofhca.exe Bcfkiock.exe File created C:\Windows\SysWOW64\Lmeapbpa.exe Lndaaj32.exe File created C:\Windows\SysWOW64\Hcflch32.exe Hllcfnhm.exe File created C:\Windows\SysWOW64\Hddejjdo.exe Hmjmnpmb.exe File created C:\Windows\SysWOW64\Clmicmbn.dll Jkcpia32.exe File created C:\Windows\SysWOW64\Edijfd32.dll Process not Found File created C:\Windows\SysWOW64\Mkbcbp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hcflch32.exe Hllcfnhm.exe File opened for modification C:\Windows\SysWOW64\Pehnboko.exe Pbjbfclk.exe File opened for modification C:\Windows\SysWOW64\Plbfohbl.exe Pehnboko.exe File created C:\Windows\SysWOW64\Qpibke32.exe Qipjokik.exe File opened for modification C:\Windows\SysWOW64\Emhmkh32.exe Process not Found File created C:\Windows\SysWOW64\Jcfejfag.exe Jllmml32.exe File opened for modification C:\Windows\SysWOW64\Npldnp32.exe Njokei32.exe File created C:\Windows\SysWOW64\Glagpmgi.dll Mmaakpfd.exe File opened for modification C:\Windows\SysWOW64\Jliimf32.exe Idbalhho.exe File opened for modification C:\Windows\SysWOW64\Mndjhhjp.exe Mmcnap32.exe File opened for modification C:\Windows\SysWOW64\Bibpkiie.exe Begcjjql.exe File created C:\Windows\SysWOW64\Fghhpq32.dll Process not Found File created C:\Windows\SysWOW64\Hmolbene.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iapbodql.exe Ioafchai.exe File opened for modification C:\Windows\SysWOW64\Liabjh32.exe Lcdjba32.exe File created C:\Windows\SysWOW64\Ilpfgg32.exe Iefnjm32.exe File opened for modification C:\Windows\SysWOW64\Pmdkmnkd.exe Process not Found File created C:\Windows\SysWOW64\Gkedmpik.dll Lbenho32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6632 7080 Process not Found 1619 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbdpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmima32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnfngj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmaakpfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmimdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlhaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgodjiio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhanj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikdlmmbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldoafodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfjjkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpjgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdfoala.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imeeohoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnljine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddokabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folkjnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjbddh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bplhhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmginjki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjnhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpknplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldhacpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpenmadn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggbbhkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnoni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khakqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhojqcil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjllnnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inflio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eonmkkmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbhbbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdipag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcmmjkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcinie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acaanp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmjlkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phneqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djpfbahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaljpmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkdgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlgegcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pknghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaaakfgk.dll" Fqiiamjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdchhk32.dll" Jllmml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fckaeioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hokgmpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkolme32.dll" Jhocgqjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqkhidmg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkonbamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjlaoioh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnikmjdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogoibgad.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgihkehk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkloef32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appgbghf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfola32.dll" Hecadm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obgeqcnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Homcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mimbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhbh32.dll" Acpkbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enlqdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiclkk32.dll" Eoekde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kclnfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ealbbj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnhacn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkfmjnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhackbjl.dll" Gbjlgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgjlq32.dll" Bfjllnnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikbphn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmopmalc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhdlael.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epbkhhel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Giboijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neknbkci.dll" Dagajlal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghollnfk.dll" Ebbmpmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaaaak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdbppoj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdcnpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbkao32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acbhhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogllb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqdgbl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajaqjfbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihgnfnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdqpp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikbgh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icgbob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnefdf32.dll" Mbamcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkioojpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4352 wrote to memory of 2144 4352 e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe 89 PID 4352 wrote to memory of 2144 4352 e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe 89 PID 4352 wrote to memory of 2144 4352 e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe 89 PID 2144 wrote to memory of 2900 2144 Afqifo32.exe 90 PID 2144 wrote to memory of 2900 2144 Afqifo32.exe 90 PID 2144 wrote to memory of 2900 2144 Afqifo32.exe 90 PID 2900 wrote to memory of 4740 2900 Apimodmh.exe 91 PID 2900 wrote to memory of 4740 2900 Apimodmh.exe 91 PID 2900 wrote to memory of 4740 2900 Apimodmh.exe 91 PID 4740 wrote to memory of 1140 4740 Aeffgkkp.exe 92 PID 4740 wrote to memory of 1140 4740 Aeffgkkp.exe 92 PID 4740 wrote to memory of 1140 4740 Aeffgkkp.exe 92 PID 1140 wrote to memory of 500 1140 Aiabhj32.exe 93 PID 1140 wrote to memory of 500 1140 Aiabhj32.exe 93 PID 1140 wrote to memory of 500 1140 Aiabhj32.exe 93 PID 500 wrote to memory of 3036 500 Afeban32.exe 94 PID 500 wrote to memory of 3036 500 Afeban32.exe 94 PID 500 wrote to memory of 3036 500 Afeban32.exe 94 PID 3036 wrote to memory of 2700 3036 Amoknh32.exe 95 PID 3036 wrote to memory of 2700 3036 Amoknh32.exe 95 PID 3036 wrote to memory of 2700 3036 Amoknh32.exe 95 PID 2700 wrote to memory of 412 2700 Bblcfo32.exe 96 PID 2700 wrote to memory of 412 2700 Bblcfo32.exe 96 PID 2700 wrote to memory of 412 2700 Bblcfo32.exe 96 PID 412 wrote to memory of 1884 412 Bmagch32.exe 97 PID 412 wrote to memory of 1884 412 Bmagch32.exe 97 PID 412 wrote to memory of 1884 412 Bmagch32.exe 97 PID 1884 wrote to memory of 3596 1884 Bfjllnnm.exe 98 PID 1884 wrote to memory of 3596 1884 Bfjllnnm.exe 98 PID 1884 wrote to memory of 3596 1884 Bfjllnnm.exe 98 PID 3596 wrote to memory of 912 3596 Bmddihfj.exe 99 PID 3596 wrote to memory of 912 3596 Bmddihfj.exe 99 PID 3596 wrote to memory of 912 3596 Bmddihfj.exe 99 PID 912 wrote to memory of 1688 912 Blgddd32.exe 100 PID 912 wrote to memory of 1688 912 Blgddd32.exe 100 PID 912 wrote to memory of 1688 912 Blgddd32.exe 100 PID 1688 wrote to memory of 3584 1688 Bpemkcck.exe 101 PID 1688 wrote to memory of 3584 1688 Bpemkcck.exe 101 PID 1688 wrote to memory of 3584 1688 Bpemkcck.exe 101 PID 3584 wrote to memory of 1740 3584 Bmimdg32.exe 102 PID 3584 wrote to memory of 1740 3584 Bmimdg32.exe 102 PID 3584 wrote to memory of 1740 3584 Bmimdg32.exe 102 PID 1740 wrote to memory of 3120 1740 Bpgjpb32.exe 103 PID 1740 wrote to memory of 3120 1740 Bpgjpb32.exe 103 PID 1740 wrote to memory of 3120 1740 Bpgjpb32.exe 103 PID 3120 wrote to memory of 3508 3120 Blnjecfl.exe 104 PID 3120 wrote to memory of 3508 3120 Blnjecfl.exe 104 PID 3120 wrote to memory of 3508 3120 Blnjecfl.exe 104 PID 3508 wrote to memory of 4320 3508 Cbhbbn32.exe 105 PID 3508 wrote to memory of 4320 3508 Cbhbbn32.exe 105 PID 3508 wrote to memory of 4320 3508 Cbhbbn32.exe 105 PID 4320 wrote to memory of 3220 4320 Cbjogmlf.exe 106 PID 4320 wrote to memory of 3220 4320 Cbjogmlf.exe 106 PID 4320 wrote to memory of 3220 4320 Cbjogmlf.exe 106 PID 3220 wrote to memory of 4024 3220 Clbdpc32.exe 107 PID 3220 wrote to memory of 4024 3220 Clbdpc32.exe 107 PID 3220 wrote to memory of 4024 3220 Clbdpc32.exe 107 PID 4024 wrote to memory of 2280 4024 Cdjlap32.exe 108 PID 4024 wrote to memory of 2280 4024 Cdjlap32.exe 108 PID 4024 wrote to memory of 2280 4024 Cdjlap32.exe 108 PID 2280 wrote to memory of 3108 2280 Cekhihig.exe 109 PID 2280 wrote to memory of 3108 2280 Cekhihig.exe 109 PID 2280 wrote to memory of 3108 2280 Cekhihig.exe 109 PID 3108 wrote to memory of 3028 3108 Cemeoh32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe"C:\Users\Admin\AppData\Local\Temp\e141d626e26a5ceb3bf3b0db8f6af469e74a57c606b091a4ba1d7452a4394206N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Blnjecfl.exeC:\Windows\system32\Blnjecfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Cbhbbn32.exeC:\Windows\system32\Cbhbbn32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe23⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe24⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe26⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe28⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe29⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe30⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Eljchpnl.exeC:\Windows\system32\Eljchpnl.exe31⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe32⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe33⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Fckaeioa.exeC:\Windows\system32\Fckaeioa.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4640 -
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe35⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe36⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe37⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe38⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe39⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe40⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe41⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Gcgqag32.exeC:\Windows\system32\Gcgqag32.exe42⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe43⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe44⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe45⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Gnanioad.exeC:\Windows\system32\Gnanioad.exe46⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe47⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe48⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Hfnpca32.exeC:\Windows\system32\Hfnpca32.exe49⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe50⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Hnhdjn32.exeC:\Windows\system32\Hnhdjn32.exe51⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Hdbmfhbi.exeC:\Windows\system32\Hdbmfhbi.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe53⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe54⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe55⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Hgebnc32.exeC:\Windows\system32\Hgebnc32.exe56⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Hqmggi32.exeC:\Windows\system32\Hqmggi32.exe57⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe58⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Inagpm32.exeC:\Windows\system32\Inagpm32.exe59⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe60⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Icnphd32.exeC:\Windows\system32\Icnphd32.exe61⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe62⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Ienlbf32.exeC:\Windows\system32\Ienlbf32.exe63⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe64⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Ijjekn32.exeC:\Windows\system32\Ijjekn32.exe65⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Imiagi32.exeC:\Windows\system32\Imiagi32.exe66⤵PID:2500
-
C:\Windows\SysWOW64\Iepihf32.exeC:\Windows\system32\Iepihf32.exe67⤵PID:5104
-
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:392 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe69⤵PID:5084
-
C:\Windows\SysWOW64\Imknli32.exeC:\Windows\system32\Imknli32.exe70⤵PID:644
-
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe71⤵PID:924
-
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe72⤵PID:2508
-
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe73⤵PID:2216
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe74⤵
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe75⤵PID:4552
-
C:\Windows\SysWOW64\Jnmglk32.exeC:\Windows\system32\Jnmglk32.exe76⤵PID:2980
-
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe77⤵PID:3476
-
C:\Windows\SysWOW64\Jghhjq32.exeC:\Windows\system32\Jghhjq32.exe78⤵PID:956
-
C:\Windows\SysWOW64\Japmcfcc.exeC:\Windows\system32\Japmcfcc.exe79⤵PID:532
-
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe80⤵PID:5152
-
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe81⤵PID:5196
-
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe82⤵PID:5244
-
C:\Windows\SysWOW64\Jglaepim.exeC:\Windows\system32\Jglaepim.exe83⤵PID:5288
-
C:\Windows\SysWOW64\Jjknakhq.exeC:\Windows\system32\Jjknakhq.exe84⤵PID:5332
-
C:\Windows\SysWOW64\Jaefne32.exeC:\Windows\system32\Jaefne32.exe85⤵PID:5372
-
C:\Windows\SysWOW64\Kccbjq32.exeC:\Windows\system32\Kccbjq32.exe86⤵PID:5416
-
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe87⤵PID:5460
-
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe88⤵PID:5504
-
C:\Windows\SysWOW64\Khakqo32.exeC:\Windows\system32\Khakqo32.exe89⤵
- System Location Discovery: System Language Discovery
PID:5548 -
C:\Windows\SysWOW64\Knkcmild.exeC:\Windows\system32\Knkcmild.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5596 -
C:\Windows\SysWOW64\Keekjc32.exeC:\Windows\system32\Keekjc32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe92⤵PID:5684
-
C:\Windows\SysWOW64\Knmpbi32.exeC:\Windows\system32\Knmpbi32.exe93⤵PID:5728
-
C:\Windows\SysWOW64\Keghocao.exeC:\Windows\system32\Keghocao.exe94⤵PID:5788
-
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe95⤵PID:5832
-
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe96⤵PID:5888
-
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe97⤵PID:5944
-
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe98⤵
- Drops file in System32 directory
PID:6008 -
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe99⤵PID:6060
-
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe100⤵PID:6108
-
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe101⤵PID:5188
-
C:\Windows\SysWOW64\Knbinhfl.exeC:\Windows\system32\Knbinhfl.exe102⤵PID:5304
-
C:\Windows\SysWOW64\Kaqejcep.exeC:\Windows\system32\Kaqejcep.exe103⤵PID:5404
-
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe104⤵PID:5472
-
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe105⤵
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe106⤵PID:5624
-
C:\Windows\SysWOW64\Ljijci32.exeC:\Windows\system32\Ljijci32.exe107⤵PID:5700
-
C:\Windows\SysWOW64\Lmgfod32.exeC:\Windows\system32\Lmgfod32.exe108⤵PID:5784
-
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe109⤵PID:5876
-
C:\Windows\SysWOW64\Logbigbg.exeC:\Windows\system32\Logbigbg.exe110⤵PID:6000
-
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe111⤵PID:6072
-
C:\Windows\SysWOW64\Ljncnhhk.exeC:\Windows\system32\Ljncnhhk.exe112⤵PID:5208
-
C:\Windows\SysWOW64\Lkppchfi.exeC:\Windows\system32\Lkppchfi.exe113⤵PID:5356
-
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe114⤵PID:5500
-
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe115⤵PID:5616
-
C:\Windows\SysWOW64\Mdkabmjf.exeC:\Windows\system32\Mdkabmjf.exe116⤵PID:5712
-
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe117⤵PID:5864
-
C:\Windows\SysWOW64\Mejnlpai.exeC:\Windows\system32\Mejnlpai.exe118⤵PID:5992
-
C:\Windows\SysWOW64\Meljappg.exeC:\Windows\system32\Meljappg.exe119⤵PID:6136
-
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe120⤵PID:5384
-
C:\Windows\SysWOW64\Mdagbl32.exeC:\Windows\system32\Mdagbl32.exe121⤵PID:5560
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-