Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2024, 07:20
Static task
static1
Behavioral task
behavioral1
Sample
44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8bN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8bN.exe
Resource
win10v2004-20241007-en
General
-
Target
44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8bN.exe
-
Size
92KB
-
MD5
f383a1343be61229d6ec9ac56767c330
-
SHA1
92536f31009f4e323bc6ccd8bb7d11ea277a8ad5
-
SHA256
44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8b
-
SHA512
f99efe68cd81e6b260d58f0b77b127c045e813ca34bb44eae96b8c5129e85a73404ae891e47e9033f6540871a14d5366c12d65d20e27efa9df9a286e261674d7
-
SSDEEP
1536:K05AnpQ/RMHX9At2Vx4IJgTVg79uznS0jnnKtO25nKQrUoR24HsUs:K05uWMHX9N/nT9uznSQnKt+6THsR
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpjcgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aehgnied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbhjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeehkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbped32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmhaold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpnnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkoigdom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpdaepai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igdnabjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmenca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bllbaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmennnni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegpifod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmlpaoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkdcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbinam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplicjok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aonoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqfngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocgbld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfqkddfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pekbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afinioip.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3100 Jpkphjeb.exe 1396 Jbileede.exe 4696 Jehhaaci.exe 4840 Jkaqnk32.exe 1460 Jblijebc.exe 2068 Jfgdkd32.exe 2320 Jieagojp.exe 3840 Kldmckic.exe 1928 Knbiofhg.exe 316 Kfjapcii.exe 4544 Kgknhl32.exe 1924 Kpbfii32.exe 1528 Kbpbed32.exe 3272 Kijjbofj.exe 2720 Kpdboimg.exe 3168 Kfnkkb32.exe 2660 Kimghn32.exe 1556 Klkcdj32.exe 3648 Knippe32.exe 4780 Kbekqdjh.exe 3420 Kiodmn32.exe 960 Klmpiiai.exe 908 Knlleepl.exe 3176 Kfcdfbqo.exe 4816 Lhdqnj32.exe 1432 Lpkiph32.exe 3924 Lnnikdnj.exe 540 Lfealaol.exe 1036 Lhfmdj32.exe 3120 Lpneegel.exe 2212 Lblaabdp.exe 2196 Lejnmncd.exe 3592 Lppbkgcj.exe 772 Lbnngbbn.exe 2488 Lemkcnaa.exe 660 Lhkgoiqe.exe 912 Lpbopfag.exe 1692 Lflgmqhd.exe 220 Leoghn32.exe 1600 Lpekef32.exe 2296 Lfodbqfa.exe 5024 Mimpolee.exe 5048 Mlklkgei.exe 3936 Mojhgbdl.exe 400 Medqcmki.exe 3260 Mhbmphjm.exe 5032 Mlnipg32.exe 4632 Molelb32.exe 4704 Mfcmmp32.exe 1268 Mibijk32.exe 4896 Mplafeil.exe 3868 Mbjnbqhp.exe 1544 Mehjol32.exe 2632 Midfokpm.exe 444 Mpnnle32.exe 3428 Mblkhq32.exe 2036 Mekgdl32.exe 2556 Mhicpg32.exe 4512 Mleoafmn.exe 1652 Mbognp32.exe 2872 Niipjj32.exe 2708 Nlglfe32.exe 2064 Npchgdcd.exe 2700 Nbadcpbh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bihjfnmm.exe Bfjnjcni.exe File created C:\Windows\SysWOW64\Kaedkn32.dll Lndham32.exe File created C:\Windows\SysWOW64\Dhikci32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hqghqpnl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ahgcjddh.exe Aehgnied.exe File opened for modification C:\Windows\SysWOW64\Ahippdbe.exe Aekddhcb.exe File created C:\Windows\SysWOW64\Enhpao32.exe Process not Found File created C:\Windows\SysWOW64\Dmehgibj.dll Process not Found File created C:\Windows\SysWOW64\Jgnboabc.dll Fgbfhmll.exe File created C:\Windows\SysWOW64\Gnlgleef.exe Gknkpjfb.exe File created C:\Windows\SysWOW64\Keimof32.exe Koodbl32.exe File created C:\Windows\SysWOW64\Eegcnaoo.dll Process not Found File created C:\Windows\SysWOW64\Ghnllm32.dll Process not Found File created C:\Windows\SysWOW64\Kdmlkfjb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fkkeclfh.exe Ffpicn32.exe File created C:\Windows\SysWOW64\Gljgbllj.exe Gkhkjd32.exe File created C:\Windows\SysWOW64\Lgnqimah.dll Omqmop32.exe File opened for modification C:\Windows\SysWOW64\Qdphngfl.exe Qaalblgi.exe File created C:\Windows\SysWOW64\Fhgebmil.dll Cbphdn32.exe File created C:\Windows\SysWOW64\Jkdgfllg.dll Bhnikc32.exe File opened for modification C:\Windows\SysWOW64\Fbbicl32.exe Process not Found File created C:\Windows\SysWOW64\Picoja32.dll Process not Found File created C:\Windows\SysWOW64\Cohddjgl.dll Process not Found File created C:\Windows\SysWOW64\Ncjginjn.exe Nlqomd32.exe File created C:\Windows\SysWOW64\Mhibfmcl.dll Bggnof32.exe File created C:\Windows\SysWOW64\Bombmcec.exe Bmofagfp.exe File opened for modification C:\Windows\SysWOW64\Icfekc32.exe Iphioh32.exe File created C:\Windows\SysWOW64\Eclhcj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lddble32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qqhcpo32.exe Qfbobf32.exe File opened for modification C:\Windows\SysWOW64\Hjchaf32.exe Hhbkinel.exe File opened for modification C:\Windows\SysWOW64\Iggaah32.exe Ihdafkdg.exe File created C:\Windows\SysWOW64\Ghpkld32.dll Process not Found File created C:\Windows\SysWOW64\Oedlic32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ppopjp32.exe Plcdiabk.exe File created C:\Windows\SysWOW64\Fpjcgm32.exe Fmkgkapm.exe File opened for modification C:\Windows\SysWOW64\Gfodeohd.exe Goglcahb.exe File opened for modification C:\Windows\SysWOW64\Pciqnk32.exe Process not Found File created C:\Windows\SysWOW64\Ikncgkdf.dll Oepifi32.exe File created C:\Windows\SysWOW64\Ahjgjj32.exe Afkknogn.exe File opened for modification C:\Windows\SysWOW64\Kcndbp32.exe Kmdlffhj.exe File created C:\Windows\SysWOW64\Kknikplo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bjpjel32.exe Bcfahbpo.exe File created C:\Windows\SysWOW64\Gpkchqdj.exe Gnlgleef.exe File opened for modification C:\Windows\SysWOW64\Fjhmbihg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aggegh32.exe Aqmlknnd.exe File created C:\Windows\SysWOW64\Jcgmgn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ilfennic.exe Process not Found File created C:\Windows\SysWOW64\Ebadmmge.dll Fkkeclfh.exe File created C:\Windows\SysWOW64\Jlbdab32.dll Lqndhcdc.exe File created C:\Windows\SysWOW64\Kfcdfbqo.exe Knlleepl.exe File created C:\Windows\SysWOW64\Pbehoafp.dll Qhonib32.exe File created C:\Windows\SysWOW64\Elbhjp32.exe Ejalcgkg.exe File created C:\Windows\SysWOW64\Fdccbl32.exe Fllkqn32.exe File created C:\Windows\SysWOW64\Bqcmhb32.dll Gaamlecg.exe File created C:\Windows\SysWOW64\Dlieda32.exe Dikihe32.exe File opened for modification C:\Windows\SysWOW64\Nmjfodne.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dggbcf32.exe Process not Found File created C:\Windows\SysWOW64\Jaljbmkd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cfadkb32.exe Cmipblaq.exe File opened for modification C:\Windows\SysWOW64\Kiggbhda.exe Kbmoen32.exe File created C:\Windows\SysWOW64\Fimodc32.exe Fbcfhibj.exe File created C:\Windows\SysWOW64\Hmkqgckn.dll Ljnlecmp.exe File created C:\Windows\SysWOW64\Pfepdg32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 14204 13712 Process not Found 1692 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noeahkfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoofle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmhmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedjmioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpbfii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppopjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kinmcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocaebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiodmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amodep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggocmhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meepdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iibccgep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcbfakec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefhlaie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmmaeap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqkddfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnlkfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niooqcad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhamkipi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmgiaig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhafffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhijijbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neppokal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empoiimf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgphpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjodla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncccnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plcdiabk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnhm32.dll" Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll" Onmfimga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqhafffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badjai32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmklglpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jdmgfedl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfipab32.dll" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll" Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnakbdid.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhgkfkg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafipibl.dll" Jklinohd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhibfek.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbblbdb.dll" Dmalne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckjbhmad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpaoopf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddadpdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpmggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" Impliekg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcagc32.dll" Ghmbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfoiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neclenfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pleaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccnncgmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facdchai.dll" Hkgnfhnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlpfhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcldc32.dll" Faenpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miaboe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfqknfm.dll" Ljeafb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kijjbofj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moqeaphi.dll" Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4200 wrote to memory of 3100 4200 44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8bN.exe 85 PID 4200 wrote to memory of 3100 4200 44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8bN.exe 85 PID 4200 wrote to memory of 3100 4200 44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8bN.exe 85 PID 3100 wrote to memory of 1396 3100 Jpkphjeb.exe 86 PID 3100 wrote to memory of 1396 3100 Jpkphjeb.exe 86 PID 3100 wrote to memory of 1396 3100 Jpkphjeb.exe 86 PID 1396 wrote to memory of 4696 1396 Jbileede.exe 87 PID 1396 wrote to memory of 4696 1396 Jbileede.exe 87 PID 1396 wrote to memory of 4696 1396 Jbileede.exe 87 PID 4696 wrote to memory of 4840 4696 Jehhaaci.exe 88 PID 4696 wrote to memory of 4840 4696 Jehhaaci.exe 88 PID 4696 wrote to memory of 4840 4696 Jehhaaci.exe 88 PID 4840 wrote to memory of 1460 4840 Jkaqnk32.exe 89 PID 4840 wrote to memory of 1460 4840 Jkaqnk32.exe 89 PID 4840 wrote to memory of 1460 4840 Jkaqnk32.exe 89 PID 1460 wrote to memory of 2068 1460 Jblijebc.exe 90 PID 1460 wrote to memory of 2068 1460 Jblijebc.exe 90 PID 1460 wrote to memory of 2068 1460 Jblijebc.exe 90 PID 2068 wrote to memory of 2320 2068 Jfgdkd32.exe 91 PID 2068 wrote to memory of 2320 2068 Jfgdkd32.exe 91 PID 2068 wrote to memory of 2320 2068 Jfgdkd32.exe 91 PID 2320 wrote to memory of 3840 2320 Jieagojp.exe 93 PID 2320 wrote to memory of 3840 2320 Jieagojp.exe 93 PID 2320 wrote to memory of 3840 2320 Jieagojp.exe 93 PID 3840 wrote to memory of 1928 3840 Kldmckic.exe 94 PID 3840 wrote to memory of 1928 3840 Kldmckic.exe 94 PID 3840 wrote to memory of 1928 3840 Kldmckic.exe 94 PID 1928 wrote to memory of 316 1928 Knbiofhg.exe 95 PID 1928 wrote to memory of 316 1928 Knbiofhg.exe 95 PID 1928 wrote to memory of 316 1928 Knbiofhg.exe 95 PID 316 wrote to memory of 4544 316 Kfjapcii.exe 96 PID 316 wrote to memory of 4544 316 Kfjapcii.exe 96 PID 316 wrote to memory of 4544 316 Kfjapcii.exe 96 PID 4544 wrote to memory of 1924 4544 Kgknhl32.exe 97 PID 4544 wrote to memory of 1924 4544 Kgknhl32.exe 97 PID 4544 wrote to memory of 1924 4544 Kgknhl32.exe 97 PID 1924 wrote to memory of 1528 1924 Kpbfii32.exe 98 PID 1924 wrote to memory of 1528 1924 Kpbfii32.exe 98 PID 1924 wrote to memory of 1528 1924 Kpbfii32.exe 98 PID 1528 wrote to memory of 3272 1528 Kbpbed32.exe 99 PID 1528 wrote to memory of 3272 1528 Kbpbed32.exe 99 PID 1528 wrote to memory of 3272 1528 Kbpbed32.exe 99 PID 3272 wrote to memory of 2720 3272 Kijjbofj.exe 100 PID 3272 wrote to memory of 2720 3272 Kijjbofj.exe 100 PID 3272 wrote to memory of 2720 3272 Kijjbofj.exe 100 PID 2720 wrote to memory of 3168 2720 Kpdboimg.exe 101 PID 2720 wrote to memory of 3168 2720 Kpdboimg.exe 101 PID 2720 wrote to memory of 3168 2720 Kpdboimg.exe 101 PID 3168 wrote to memory of 2660 3168 Kfnkkb32.exe 102 PID 3168 wrote to memory of 2660 3168 Kfnkkb32.exe 102 PID 3168 wrote to memory of 2660 3168 Kfnkkb32.exe 102 PID 2660 wrote to memory of 1556 2660 Kimghn32.exe 103 PID 2660 wrote to memory of 1556 2660 Kimghn32.exe 103 PID 2660 wrote to memory of 1556 2660 Kimghn32.exe 103 PID 1556 wrote to memory of 3648 1556 Klkcdj32.exe 104 PID 1556 wrote to memory of 3648 1556 Klkcdj32.exe 104 PID 1556 wrote to memory of 3648 1556 Klkcdj32.exe 104 PID 3648 wrote to memory of 4780 3648 Knippe32.exe 105 PID 3648 wrote to memory of 4780 3648 Knippe32.exe 105 PID 3648 wrote to memory of 4780 3648 Knippe32.exe 105 PID 4780 wrote to memory of 3420 4780 Kbekqdjh.exe 106 PID 4780 wrote to memory of 3420 4780 Kbekqdjh.exe 106 PID 4780 wrote to memory of 3420 4780 Kbekqdjh.exe 106 PID 3420 wrote to memory of 960 3420 Kiodmn32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8bN.exe"C:\Users\Admin\AppData\Local\Temp\44da282e78c309a5fccc137db8169e642e71ce2760ca8fa1868f240067c86c8bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe23⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe25⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe26⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe27⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe28⤵
- Executes dropped EXE
PID:3924 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe29⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe30⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe31⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe32⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe33⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe34⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe35⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe36⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe37⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe38⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe39⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe40⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe41⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe42⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe43⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe44⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe45⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe46⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe47⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe48⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe49⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe50⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe51⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe52⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe53⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe54⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe55⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe58⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe59⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe60⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe61⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe62⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe63⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe64⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe65⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe66⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe67⤵
- System Location Discovery: System Language Discovery
PID:3608 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe68⤵PID:3712
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe69⤵
- System Location Discovery: System Language Discovery
PID:3192 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe70⤵PID:1772
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe71⤵PID:3900
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe72⤵PID:1748
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe73⤵PID:2528
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe74⤵PID:1788
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe75⤵PID:4404
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe76⤵PID:768
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe77⤵PID:3520
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe78⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe79⤵PID:1240
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe80⤵PID:1996
-
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe81⤵PID:3328
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe82⤵PID:732
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe83⤵PID:2088
-
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe84⤵PID:4524
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe85⤵PID:4076
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe86⤵PID:2312
-
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe87⤵PID:1900
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe88⤵PID:3380
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe89⤵PID:2592
-
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe90⤵
- Drops file in System32 directory
PID:4424 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe91⤵PID:3632
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe92⤵PID:2808
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe93⤵PID:620
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe94⤵
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe95⤵PID:5072
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe96⤵PID:1480
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe97⤵PID:3732
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe98⤵PID:1020
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe99⤵PID:1628
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe100⤵PID:5172
-
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe101⤵PID:5216
-
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe102⤵PID:5260
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5320 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5356 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe105⤵PID:5408
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe106⤵PID:5468
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe107⤵PID:5504
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe108⤵
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe109⤵PID:5644
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe110⤵PID:5692
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe111⤵PID:5756
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe112⤵PID:5804
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe113⤵PID:5880
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe114⤵PID:5928
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe115⤵
- System Location Discovery: System Language Discovery
PID:5984 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe116⤵PID:6024
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe117⤵
- Drops file in System32 directory
PID:6072 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe118⤵PID:6116
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe119⤵PID:5028
-
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe120⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe121⤵PID:5304
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe122⤵PID:5376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-