Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2024 10:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881N.exe
-
Size
117KB
-
MD5
d77ecf9a8bbd5b559b86bf2abc0b9f40
-
SHA1
1857d0a66b0243412bbf88479f616725c3f029e9
-
SHA256
6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881
-
SHA512
5a06ac8ea9580c7924d6dcddbda8c7717b3fda5f71f30ce934af79430f7ce3720e99bb6829403b08291e23ea80cec16a47aa80383bffb50c3b3ab8ac9d1502d0
-
SSDEEP
1536:zp6g5H8TW1NXaCVNqGbd+7zbsoYwd9UHcc0aIbcMiJcjGEdzrHYRFFfUN1Avhw6L:KW1NXX9+nbh9Ul0iJcpzrHiFFfUrQlM
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqofdlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okiefn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdajabdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfeccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfdlif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cafpkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjeaog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oooodcci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcfnqccd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehekq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggfobofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odcojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onkbenbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbnmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njmopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opiidhoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaekkfcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfjjbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqaheai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcbded32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccajdmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnaffdfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmejlcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoenbkll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbniai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpmifkgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hocjaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 3924 Khfdlnab.exe 5636 Kmbmdeoj.exe 948 Khhaanop.exe 2364 Knbinhfl.exe 2852 Kaqejcep.exe 8 Ljijci32.exe 2592 Lennpb32.exe 4140 Lfpkhjae.exe 1040 Laeoec32.exe 3264 Lhogamih.exe 4724 Lmlpjdgo.exe 3076 Lhadgmge.exe 1368 Lmnlpcel.exe 1488 Lajhpbme.exe 1944 Ldhdlnli.exe 3600 Lhdqml32.exe 2688 Loniiflo.exe 1984 Mehafq32.exe 4540 Mhfmbl32.exe 3944 Mmcfkc32.exe 5540 Maoakaip.exe 432 Mdmngm32.exe 2924 Mkgfdgpq.exe 5956 Maaoaa32.exe 1340 Mhkgnkoj.exe 4480 Mgngih32.exe 5520 Mmhofbma.exe 4280 Mackfa32.exe 5764 Mhmcck32.exe 1804 Mklpof32.exe 244 Mdddhlbl.exe 4876 Ndfanlpi.exe 2824 Najagp32.exe 436 Nonbqd32.exe 5264 Ndkjik32.exe 5840 Noqofdlj.exe 1004 Nockkcjg.exe 3220 Nkjlqd32.exe 880 Oklifdmi.exe 1524 Ogcike32.exe 5256 Ohbfeh32.exe 4360 Oggbfdog.exe 5076 Okeklcen.exe 2360 Pndhhnda.exe 4072 Pkhhbbck.exe 5188 Pdpmkhjl.exe 2904 Pbdmdlie.exe 1792 Pnknim32.exe 4536 Phpbffnp.exe 852 Phbolflm.exe 3668 Qbkcek32.exe 1800 Qbmpjkqk.exe 6084 Agjhbbob.exe 1904 Abpmpkoh.exe 2088 Aijeme32.exe 3612 Afnefieo.exe 2724 Ailabddb.exe 5260 Akjnnpcf.exe 3100 Ainnhdbp.exe 5424 Aohfdnil.exe 1540 Aeeomegd.exe 5940 Afdkfh32.exe 4552 Bichcc32.exe 5436 Bfghlhmd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mjiloqjb.exe Mfmpob32.exe File opened for modification C:\Windows\SysWOW64\Jhcmbm32.exe Jbieebha.exe File created C:\Windows\SysWOW64\Fabqdl32.exe Process not Found File created C:\Windows\SysWOW64\Pdkolm32.exe Process not Found File created C:\Windows\SysWOW64\Hlkmlhea.exe Headon32.exe File created C:\Windows\SysWOW64\Hkkhjj32.exe Process not Found File created C:\Windows\SysWOW64\Pmnbpm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Foakpc32.exe Flboch32.exe File created C:\Windows\SysWOW64\Ccbqeg32.dll Anccjp32.exe File created C:\Windows\SysWOW64\Bdelid32.dll Nbfeoohe.exe File created C:\Windows\SysWOW64\Kgenlldo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ijmobhdd.exe Process not Found File created C:\Windows\SysWOW64\Jgfdemck.dll Process not Found File created C:\Windows\SysWOW64\Pkinmlnm.exe Phkaqqoi.exe File created C:\Windows\SysWOW64\Cmidpjmc.dll Gajibq32.exe File created C:\Windows\SysWOW64\Ipndco32.dll Ffjkdc32.exe File created C:\Windows\SysWOW64\Cbdijhno.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jnelha32.exe Process not Found File created C:\Windows\SysWOW64\Eqbcqnph.exe Eflocepa.exe File opened for modification C:\Windows\SysWOW64\Kgeiokao.exe Kahpgcch.exe File opened for modification C:\Windows\SysWOW64\Dampal32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fkflbb32.exe Process not Found File created C:\Windows\SysWOW64\Nbmmoklg.exe Ndjldo32.exe File opened for modification C:\Windows\SysWOW64\Kbpboj32.exe Process not Found File created C:\Windows\SysWOW64\Lbkdla32.dll Jhocgqjj.exe File created C:\Windows\SysWOW64\Qhlejo32.dll Process not Found File created C:\Windows\SysWOW64\Kfieepcf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iblfgc32.exe Process not Found File created C:\Windows\SysWOW64\Cikmbf32.dll Process not Found File created C:\Windows\SysWOW64\Cfnqdale.exe Process not Found File created C:\Windows\SysWOW64\Cblmllnj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Npedfjfo.exe Process not Found File created C:\Windows\SysWOW64\Hoebhpfd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cjcmognb.exe Process not Found File created C:\Windows\SysWOW64\Geipnl32.exe Ggfobofl.exe File created C:\Windows\SysWOW64\Ndomiddc.exe Nmedmj32.exe File opened for modification C:\Windows\SysWOW64\Phiekaql.exe Pncanhaf.exe File created C:\Windows\SysWOW64\Gbfdbdgk.dll Qlmopqdc.exe File created C:\Windows\SysWOW64\Dqhicdkm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mepfbflb.exe Process not Found File created C:\Windows\SysWOW64\Ffnkggld.exe Process not Found File opened for modification C:\Windows\SysWOW64\Phbolflm.exe Phpbffnp.exe File created C:\Windows\SysWOW64\Igghilhi.exe Hladlc32.exe File created C:\Windows\SysWOW64\Nkojheoe.exe Niqnli32.exe File created C:\Windows\SysWOW64\Bagmpoco.exe Process not Found File opened for modification C:\Windows\SysWOW64\Apfhajjf.exe Ajlpepbi.exe File created C:\Windows\SysWOW64\Inkabp32.dll Process not Found File created C:\Windows\SysWOW64\Ddfmipco.dll Process not Found File created C:\Windows\SysWOW64\Dnbadlnj.exe Process not Found File created C:\Windows\SysWOW64\Ndhqmknd.dll Clffalkf.exe File created C:\Windows\SysWOW64\Ompfnoci.exe Process not Found File created C:\Windows\SysWOW64\Mlhnob32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Klahof32.exe Process not Found File created C:\Windows\SysWOW64\Npjlfcgj.dll Mndjhhjp.exe File created C:\Windows\SysWOW64\Bhhhma32.dll Process not Found File created C:\Windows\SysWOW64\Gpaqkgba.exe Process not Found File created C:\Windows\SysWOW64\Mmodfqhf.exe Mfdlif32.exe File created C:\Windows\SysWOW64\Oeahap32.exe Obcled32.exe File opened for modification C:\Windows\SysWOW64\Hfljfjpq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lgdbedmc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ohaokbfd.exe Omlkmign.exe File created C:\Windows\SysWOW64\Pdbbfadn.exe Pacfjfej.exe File opened for modification C:\Windows\SysWOW64\Gjpaffhl.exe Ghadjkhh.exe File created C:\Windows\SysWOW64\Eelbhc32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 4584 6944 Process not Found 2509 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcdaehf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phpklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidefbcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginenk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplbcgbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmepbki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfdlif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbcpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diamko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jalakeme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jicdlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpdefc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgnje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofjam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkmngfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbihj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koceep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecmlmcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaqejcep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmifkgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmfaafej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 13672 Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogokeh32.dll" Ppepkmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqafh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapgpnkg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhcdlco.dll" Djhiglji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flfjjkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofienka.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfkioeh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hakidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbhina32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdceo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kinnei32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkifhp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlomemlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efbqkjgq.dll" Ehpmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmcnap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqjakqen.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bacjpg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgjboe32.dll" Bgkaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoocfegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbnpknn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fghcqq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giahndcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqccq32.dll" Ajlpepbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjlocgj.dll" Haaocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhqhpj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlnfkgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcglfjgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgokdomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbemgh32.dll" Bgicdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakhaadf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifabik32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akamab32.dll" Npipnjmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkhceh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfdhlhfj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcepbooa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iacepmik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpdiidf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afnefieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeeomegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmejlcoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khmoionj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkaenf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igggjgoe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedaobdo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dehnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhnkppbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodjnclg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2940 wrote to memory of 3924 2940 6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881N.exe 89 PID 2940 wrote to memory of 3924 2940 6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881N.exe 89 PID 2940 wrote to memory of 3924 2940 6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881N.exe 89 PID 3924 wrote to memory of 5636 3924 Khfdlnab.exe 90 PID 3924 wrote to memory of 5636 3924 Khfdlnab.exe 90 PID 3924 wrote to memory of 5636 3924 Khfdlnab.exe 90 PID 5636 wrote to memory of 948 5636 Kmbmdeoj.exe 91 PID 5636 wrote to memory of 948 5636 Kmbmdeoj.exe 91 PID 5636 wrote to memory of 948 5636 Kmbmdeoj.exe 91 PID 948 wrote to memory of 2364 948 Khhaanop.exe 92 PID 948 wrote to memory of 2364 948 Khhaanop.exe 92 PID 948 wrote to memory of 2364 948 Khhaanop.exe 92 PID 2364 wrote to memory of 2852 2364 Knbinhfl.exe 93 PID 2364 wrote to memory of 2852 2364 Knbinhfl.exe 93 PID 2364 wrote to memory of 2852 2364 Knbinhfl.exe 93 PID 2852 wrote to memory of 8 2852 Kaqejcep.exe 94 PID 2852 wrote to memory of 8 2852 Kaqejcep.exe 94 PID 2852 wrote to memory of 8 2852 Kaqejcep.exe 94 PID 8 wrote to memory of 2592 8 Ljijci32.exe 95 PID 8 wrote to memory of 2592 8 Ljijci32.exe 95 PID 8 wrote to memory of 2592 8 Ljijci32.exe 95 PID 2592 wrote to memory of 4140 2592 Lennpb32.exe 96 PID 2592 wrote to memory of 4140 2592 Lennpb32.exe 96 PID 2592 wrote to memory of 4140 2592 Lennpb32.exe 96 PID 4140 wrote to memory of 1040 4140 Lfpkhjae.exe 97 PID 4140 wrote to memory of 1040 4140 Lfpkhjae.exe 97 PID 4140 wrote to memory of 1040 4140 Lfpkhjae.exe 97 PID 1040 wrote to memory of 3264 1040 Laeoec32.exe 98 PID 1040 wrote to memory of 3264 1040 Laeoec32.exe 98 PID 1040 wrote to memory of 3264 1040 Laeoec32.exe 98 PID 3264 wrote to memory of 4724 3264 Lhogamih.exe 99 PID 3264 wrote to memory of 4724 3264 Lhogamih.exe 99 PID 3264 wrote to memory of 4724 3264 Lhogamih.exe 99 PID 4724 wrote to memory of 3076 4724 Lmlpjdgo.exe 100 PID 4724 wrote to memory of 3076 4724 Lmlpjdgo.exe 100 PID 4724 wrote to memory of 3076 4724 Lmlpjdgo.exe 100 PID 3076 wrote to memory of 1368 3076 Lhadgmge.exe 101 PID 3076 wrote to memory of 1368 3076 Lhadgmge.exe 101 PID 3076 wrote to memory of 1368 3076 Lhadgmge.exe 101 PID 1368 wrote to memory of 1488 1368 Lmnlpcel.exe 102 PID 1368 wrote to memory of 1488 1368 Lmnlpcel.exe 102 PID 1368 wrote to memory of 1488 1368 Lmnlpcel.exe 102 PID 1488 wrote to memory of 1944 1488 Lajhpbme.exe 103 PID 1488 wrote to memory of 1944 1488 Lajhpbme.exe 103 PID 1488 wrote to memory of 1944 1488 Lajhpbme.exe 103 PID 1944 wrote to memory of 3600 1944 Ldhdlnli.exe 104 PID 1944 wrote to memory of 3600 1944 Ldhdlnli.exe 104 PID 1944 wrote to memory of 3600 1944 Ldhdlnli.exe 104 PID 3600 wrote to memory of 2688 3600 Lhdqml32.exe 105 PID 3600 wrote to memory of 2688 3600 Lhdqml32.exe 105 PID 3600 wrote to memory of 2688 3600 Lhdqml32.exe 105 PID 2688 wrote to memory of 1984 2688 Loniiflo.exe 106 PID 2688 wrote to memory of 1984 2688 Loniiflo.exe 106 PID 2688 wrote to memory of 1984 2688 Loniiflo.exe 106 PID 1984 wrote to memory of 4540 1984 Mehafq32.exe 107 PID 1984 wrote to memory of 4540 1984 Mehafq32.exe 107 PID 1984 wrote to memory of 4540 1984 Mehafq32.exe 107 PID 4540 wrote to memory of 3944 4540 Mhfmbl32.exe 108 PID 4540 wrote to memory of 3944 4540 Mhfmbl32.exe 108 PID 4540 wrote to memory of 3944 4540 Mhfmbl32.exe 108 PID 3944 wrote to memory of 5540 3944 Mmcfkc32.exe 109 PID 3944 wrote to memory of 5540 3944 Mmcfkc32.exe 109 PID 3944 wrote to memory of 5540 3944 Mmcfkc32.exe 109 PID 5540 wrote to memory of 432 5540 Maoakaip.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881N.exe"C:\Users\Admin\AppData\Local\Temp\6154158a7a7ec29432e1623f55aba526b53b82498f64a4dfdd2f8fe66f23f881N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Khfdlnab.exeC:\Windows\system32\Khfdlnab.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5636 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Knbinhfl.exeC:\Windows\system32\Knbinhfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Kaqejcep.exeC:\Windows\system32\Kaqejcep.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ljijci32.exeC:\Windows\system32\Ljijci32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Lfpkhjae.exeC:\Windows\system32\Lfpkhjae.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Laeoec32.exeC:\Windows\system32\Laeoec32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Lhogamih.exeC:\Windows\system32\Lhogamih.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Lmlpjdgo.exeC:\Windows\system32\Lmlpjdgo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Lmnlpcel.exeC:\Windows\system32\Lmnlpcel.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Ldhdlnli.exeC:\Windows\system32\Ldhdlnli.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Lhdqml32.exeC:\Windows\system32\Lhdqml32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Loniiflo.exeC:\Windows\system32\Loniiflo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Mhfmbl32.exeC:\Windows\system32\Mhfmbl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5540 -
C:\Windows\SysWOW64\Mdmngm32.exeC:\Windows\system32\Mdmngm32.exe23⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Mkgfdgpq.exeC:\Windows\system32\Mkgfdgpq.exe24⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe25⤵
- Executes dropped EXE
PID:5956 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe26⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Mgngih32.exeC:\Windows\system32\Mgngih32.exe27⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Mmhofbma.exeC:\Windows\system32\Mmhofbma.exe28⤵
- Executes dropped EXE
PID:5520 -
C:\Windows\SysWOW64\Mackfa32.exeC:\Windows\system32\Mackfa32.exe29⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Mhmcck32.exeC:\Windows\system32\Mhmcck32.exe30⤵
- Executes dropped EXE
PID:5764 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe31⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Mdddhlbl.exeC:\Windows\system32\Mdddhlbl.exe32⤵
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\Ndfanlpi.exeC:\Windows\system32\Ndfanlpi.exe33⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Najagp32.exeC:\Windows\system32\Najagp32.exe34⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Nonbqd32.exeC:\Windows\system32\Nonbqd32.exe35⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe36⤵
- Executes dropped EXE
PID:5264 -
C:\Windows\SysWOW64\Noqofdlj.exeC:\Windows\system32\Noqofdlj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5840 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe38⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe39⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Oklifdmi.exeC:\Windows\system32\Oklifdmi.exe40⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ogcike32.exeC:\Windows\system32\Ogcike32.exe41⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ohbfeh32.exeC:\Windows\system32\Ohbfeh32.exe42⤵
- Executes dropped EXE
PID:5256 -
C:\Windows\SysWOW64\Oggbfdog.exeC:\Windows\system32\Oggbfdog.exe43⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Okeklcen.exeC:\Windows\system32\Okeklcen.exe44⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Pndhhnda.exeC:\Windows\system32\Pndhhnda.exe45⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Pkhhbbck.exeC:\Windows\system32\Pkhhbbck.exe46⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe47⤵
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe48⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe49⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Phpbffnp.exeC:\Windows\system32\Phpbffnp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4536 -
C:\Windows\SysWOW64\Phbolflm.exeC:\Windows\system32\Phbolflm.exe51⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Qbkcek32.exeC:\Windows\system32\Qbkcek32.exe52⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe53⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe54⤵
- Executes dropped EXE
PID:6084 -
C:\Windows\SysWOW64\Abpmpkoh.exeC:\Windows\system32\Abpmpkoh.exe55⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe56⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Afnefieo.exeC:\Windows\system32\Afnefieo.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3612 -
C:\Windows\SysWOW64\Ailabddb.exeC:\Windows\system32\Ailabddb.exe58⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe59⤵
- Executes dropped EXE
PID:5260 -
C:\Windows\SysWOW64\Ainnhdbp.exeC:\Windows\system32\Ainnhdbp.exe60⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Aohfdnil.exeC:\Windows\system32\Aohfdnil.exe61⤵
- Executes dropped EXE
PID:5424 -
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe63⤵
- Executes dropped EXE
PID:5940 -
C:\Windows\SysWOW64\Bichcc32.exeC:\Windows\system32\Bichcc32.exe64⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Bfghlhmd.exeC:\Windows\system32\Bfghlhmd.exe65⤵
- Executes dropped EXE
PID:5436 -
C:\Windows\SysWOW64\Bkdqdokk.exeC:\Windows\system32\Bkdqdokk.exe66⤵PID:5192
-
C:\Windows\SysWOW64\Bbniai32.exeC:\Windows\system32\Bbniai32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe68⤵
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe69⤵PID:5980
-
C:\Windows\SysWOW64\Bkhjpn32.exeC:\Windows\system32\Bkhjpn32.exe70⤵PID:4632
-
C:\Windows\SysWOW64\Bbbblhnc.exeC:\Windows\system32\Bbbblhnc.exe71⤵PID:5292
-
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe72⤵
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe73⤵PID:4544
-
C:\Windows\SysWOW64\Becknc32.exeC:\Windows\system32\Becknc32.exe74⤵PID:1008
-
C:\Windows\SysWOW64\Clmckmcq.exeC:\Windows\system32\Clmckmcq.exe75⤵PID:2776
-
C:\Windows\SysWOW64\Ciaddaaj.exeC:\Windows\system32\Ciaddaaj.exe76⤵PID:6124
-
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe77⤵PID:4036
-
C:\Windows\SysWOW64\Cicqja32.exeC:\Windows\system32\Cicqja32.exe78⤵PID:4384
-
C:\Windows\SysWOW64\Cpmifkgd.exeC:\Windows\system32\Cpmifkgd.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5852 -
C:\Windows\SysWOW64\Cblebgfh.exeC:\Windows\system32\Cblebgfh.exe80⤵PID:4736
-
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe81⤵PID:4156
-
C:\Windows\SysWOW64\Clffalkf.exeC:\Windows\system32\Clffalkf.exe82⤵
- Drops file in System32 directory
PID:6064 -
C:\Windows\SysWOW64\Cnebmgjj.exeC:\Windows\system32\Cnebmgjj.exe83⤵PID:3884
-
C:\Windows\SysWOW64\Dpdogj32.exeC:\Windows\system32\Dpdogj32.exe84⤵PID:4476
-
C:\Windows\SysWOW64\Dimcppgm.exeC:\Windows\system32\Dimcppgm.exe85⤵PID:4084
-
C:\Windows\SysWOW64\Dbehienn.exeC:\Windows\system32\Dbehienn.exe86⤵PID:5616
-
C:\Windows\SysWOW64\Diopep32.exeC:\Windows\system32\Diopep32.exe87⤵PID:5392
-
C:\Windows\SysWOW64\Dfcqod32.exeC:\Windows\system32\Dfcqod32.exe88⤵PID:5204
-
C:\Windows\SysWOW64\Diamko32.exeC:\Windows\system32\Diamko32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Dfemdcba.exeC:\Windows\system32\Dfemdcba.exe90⤵PID:1756
-
C:\Windows\SysWOW64\Dehnpp32.exeC:\Windows\system32\Dehnpp32.exe91⤵
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Dlbfmjqi.exeC:\Windows\system32\Dlbfmjqi.exe92⤵PID:1264
-
C:\Windows\SysWOW64\Dblnid32.exeC:\Windows\system32\Dblnid32.exe93⤵PID:1500
-
C:\Windows\SysWOW64\Eekjep32.exeC:\Windows\system32\Eekjep32.exe94⤵PID:4028
-
C:\Windows\SysWOW64\Eifffoob.exeC:\Windows\system32\Eifffoob.exe95⤵PID:5676
-
C:\Windows\SysWOW64\Eldbbjof.exeC:\Windows\system32\Eldbbjof.exe96⤵PID:5416
-
C:\Windows\SysWOW64\Eemgkpef.exeC:\Windows\system32\Eemgkpef.exe97⤵PID:2988
-
C:\Windows\SysWOW64\Ehkcgkdj.exeC:\Windows\system32\Ehkcgkdj.exe98⤵PID:5708
-
C:\Windows\SysWOW64\Eflceb32.exeC:\Windows\system32\Eflceb32.exe99⤵PID:4528
-
C:\Windows\SysWOW64\Eikpan32.exeC:\Windows\system32\Eikpan32.exe100⤵PID:4424
-
C:\Windows\SysWOW64\Eeaqfo32.exeC:\Windows\system32\Eeaqfo32.exe101⤵PID:3652
-
C:\Windows\SysWOW64\Ehpmbj32.exeC:\Windows\system32\Ehpmbj32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4836 -
C:\Windows\SysWOW64\Epgdch32.exeC:\Windows\system32\Epgdch32.exe103⤵PID:924
-
C:\Windows\SysWOW64\Ebeapc32.exeC:\Windows\system32\Ebeapc32.exe104⤵PID:5768
-
C:\Windows\SysWOW64\Ehbihj32.exeC:\Windows\system32\Ehbihj32.exe105⤵
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Windows\SysWOW64\Epiaig32.exeC:\Windows\system32\Epiaig32.exe106⤵PID:4200
-
C:\Windows\SysWOW64\Fbhnec32.exeC:\Windows\system32\Fbhnec32.exe107⤵PID:1436
-
C:\Windows\SysWOW64\Fibfbm32.exeC:\Windows\system32\Fibfbm32.exe108⤵PID:5808
-
C:\Windows\SysWOW64\Fbjjkble.exeC:\Windows\system32\Fbjjkble.exe109⤵PID:5460
-
C:\Windows\SysWOW64\Feifgnki.exeC:\Windows\system32\Feifgnki.exe110⤵PID:1660
-
C:\Windows\SysWOW64\Flboch32.exeC:\Windows\system32\Flboch32.exe111⤵
- Drops file in System32 directory
PID:3328 -
C:\Windows\SysWOW64\Foakpc32.exeC:\Windows\system32\Foakpc32.exe112⤵PID:4364
-
C:\Windows\SysWOW64\Fghcqq32.exeC:\Windows\system32\Fghcqq32.exe113⤵
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Flekihpc.exeC:\Windows\system32\Flekihpc.exe114⤵PID:5488
-
C:\Windows\SysWOW64\Fochecog.exeC:\Windows\system32\Fochecog.exe115⤵PID:3932
-
C:\Windows\SysWOW64\Fiilblom.exeC:\Windows\system32\Fiilblom.exe116⤵PID:4504
-
C:\Windows\SysWOW64\Fpcdof32.exeC:\Windows\system32\Fpcdof32.exe117⤵PID:5012
-
C:\Windows\SysWOW64\Fcaqka32.exeC:\Windows\system32\Fcaqka32.exe118⤵PID:1044
-
C:\Windows\SysWOW64\Fhnichde.exeC:\Windows\system32\Fhnichde.exe119⤵PID:4664
-
C:\Windows\SysWOW64\Fljedg32.exeC:\Windows\system32\Fljedg32.exe120⤵PID:2792
-
C:\Windows\SysWOW64\Ggoiap32.exeC:\Windows\system32\Ggoiap32.exe121⤵PID:5096
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-