Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2024, 07:48
Static task
static1
Behavioral task
behavioral1
Sample
d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393N.exe
Resource
win10v2004-20241007-en
General
-
Target
d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393N.exe
-
Size
74KB
-
MD5
671f028d57dd941c81a19c8b3e0abc00
-
SHA1
f9e584895990642fb668c023f8a1f1a8fded95e3
-
SHA256
d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393
-
SHA512
1c5e9f1f8bbfcfdc211ca1cbd2343a7e6cca22df422c8b2a75a4ce2cf9b590bd83dd2284709f823c1f9000aa4329e3e4734557405052482dd623790a7cea1151
-
SSDEEP
1536:/uDlQNYecvayW3gqnJ8BDyPsWvi7A3hp0Q4NJFf5EFldhA:/KQ66yU3J4Davikbr4n9C/dh
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnobem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bblnindg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpmoiof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpqodfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjnffjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Embddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehapfiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nliaao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inbqhhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnkcogno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nheble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijegcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnihiio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmfhig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmpfbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qklmpalf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgeihcme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdcjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eopbnbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knhakh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eipinkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdkdgchl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpmbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oloahhki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggbook32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpomcp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 5108 Ndhmhh32.exe 3708 Nfjjppmm.exe 4808 Nnqbanmo.exe 4756 Odkjng32.exe 1144 Ogifjcdp.exe 1600 Ojgbfocc.exe 4456 Olfobjbg.exe 1180 Odmgcgbi.exe 1436 Ofnckp32.exe 3836 Olhlhjpd.exe 3640 Odocigqg.exe 3356 Ognpebpj.exe 3364 Ofqpqo32.exe 3432 Olkhmi32.exe 4140 Ocdqjceo.exe 2768 Ofcmfodb.exe 5072 Onjegled.exe 1612 Oddmdf32.exe 1956 Ofeilobp.exe 4292 Pnlaml32.exe 4592 Pdfjifjo.exe 544 Pcijeb32.exe 2092 Pfhfan32.exe 1480 Pnonbk32.exe 2248 Pqmjog32.exe 2860 Pqmjog32.exe 2152 Pclgkb32.exe 4632 Pfjcgn32.exe 4012 Pnakhkol.exe 3188 Pqpgdfnp.exe 4348 Pcncpbmd.exe 3180 Pgioqq32.exe 4984 Pmfhig32.exe 2264 Pqbdjfln.exe 1548 Pcppfaka.exe 3256 Pgllfp32.exe 3716 Pjjhbl32.exe 4768 Pnfdcjkg.exe 2288 Pqdqof32.exe 620 Pcbmka32.exe 5064 Qmkadgpo.exe 4748 Qqfmde32.exe 2728 Qgqeappe.exe 2776 Qmmnjfnl.exe 4372 Qddfkd32.exe 3916 Qgcbgo32.exe 1988 Ajanck32.exe 3348 Anmjcieo.exe 1936 Aqkgpedc.exe 212 Ageolo32.exe 3152 Ajckij32.exe 4264 Ambgef32.exe 1372 Aqncedbp.exe 4284 Aclpap32.exe 2712 Afjlnk32.exe 864 Anadoi32.exe 2036 Amddjegd.exe 5000 Aeklkchg.exe 440 Agjhgngj.exe 228 Ajhddjfn.exe 3280 Amgapeea.exe 4820 Aeniabfd.exe 2660 Aglemn32.exe 5036 Afoeiklb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dikhjofo.dll Dmbbhkjf.exe File created C:\Windows\SysWOW64\Dabhdinj.exe Dmglcj32.exe File opened for modification C:\Windows\SysWOW64\Jgbjbp32.exe Jddnfd32.exe File opened for modification C:\Windows\SysWOW64\Gmdcfidg.exe Process not Found File created C:\Windows\SysWOW64\Imgicgca.exe Process not Found File created C:\Windows\SysWOW64\Lbmolo32.dll Process not Found File created C:\Windows\SysWOW64\Lcmodajm.exe Process not Found File created C:\Windows\SysWOW64\Lpggmhkg.dll Cajlhqjp.exe File opened for modification C:\Windows\SysWOW64\Oiagde32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hmmfmhll.exe Process not Found File created C:\Windows\SysWOW64\Nfaemp32.exe Process not Found File created C:\Windows\SysWOW64\Oeaoab32.exe Oafcqcea.exe File created C:\Windows\SysWOW64\Ljceqb32.exe Process not Found File created C:\Windows\SysWOW64\Pefabkej.exe Pmoiqneg.exe File created C:\Windows\SysWOW64\Gahcmd32.exe Giqkkf32.exe File created C:\Windows\SysWOW64\Hipmfjee.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfqnbjfi.exe Process not Found File created C:\Windows\SysWOW64\Mehjol32.exe Mbjnbqhp.exe File opened for modification C:\Windows\SysWOW64\Mmbanbmg.exe Mjdebfnd.exe File opened for modification C:\Windows\SysWOW64\Ocjoadei.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jbepme32.exe Process not Found File created C:\Windows\SysWOW64\Nfldgk32.exe Process not Found File created C:\Windows\SysWOW64\Ggccllai.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jbdbjf32.exe Joffnk32.exe File created C:\Windows\SysWOW64\Qbkbgfif.dll Egnchd32.exe File opened for modification C:\Windows\SysWOW64\Aknifq32.exe Alkijdci.exe File created C:\Windows\SysWOW64\Gdlfcb32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ehpadhll.exe Process not Found File created C:\Windows\SysWOW64\Apjfbb32.dll Process not Found File created C:\Windows\SysWOW64\Cmgjgcgo.exe Chjaol32.exe File opened for modification C:\Windows\SysWOW64\Ehdmlhcj.exe Edhakj32.exe File created C:\Windows\SysWOW64\Hlnchmib.dll Fnmepn32.exe File created C:\Windows\SysWOW64\Dmbbhkjf.exe Dfhjkabi.exe File created C:\Windows\SysWOW64\Galdglpd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bcjlcn32.exe Balpgb32.exe File opened for modification C:\Windows\SysWOW64\Kijchhbo.exe Kqbkfkal.exe File opened for modification C:\Windows\SysWOW64\Nnafno32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cmedjl32.exe Process not Found File created C:\Windows\SysWOW64\Jklphekp.exe Jhndljll.exe File created C:\Windows\SysWOW64\Eiobodkp.dll Acnemi32.exe File created C:\Windows\SysWOW64\Hgkkkcbc.exe Hdmoohbo.exe File opened for modification C:\Windows\SysWOW64\Knnhjcog.exe Process not Found File created C:\Windows\SysWOW64\Hbobifpp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mcfbkpab.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aqkpeopg.exe Amodep32.exe File created C:\Windows\SysWOW64\Ajdjin32.exe Aanbhp32.exe File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Process not Found File created C:\Windows\SysWOW64\Jedohked.dll Hammhcij.exe File opened for modification C:\Windows\SysWOW64\Nhdlao32.exe Nefped32.exe File created C:\Windows\SysWOW64\Gdaociml.exe Gljgbllj.exe File created C:\Windows\SysWOW64\Llmhaold.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jihbip32.exe Process not Found File created C:\Windows\SysWOW64\Cnokmj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hgiepjga.exe Hpomcp32.exe File opened for modification C:\Windows\SysWOW64\Jecofa32.exe Jfpojead.exe File opened for modification C:\Windows\SysWOW64\Lihfcm32.exe Lemkcnaa.exe File created C:\Windows\SysWOW64\Bgnagk32.dll Kdbjhbbd.exe File created C:\Windows\SysWOW64\Olieecnn.dll Process not Found File created C:\Windows\SysWOW64\Dkodcb32.dll Process not Found File created C:\Windows\SysWOW64\Dpiplm32.exe Process not Found File created C:\Windows\SysWOW64\Oddmdf32.exe Onjegled.exe File created C:\Windows\SysWOW64\Bfbghcbm.dll Meefofek.exe File created C:\Windows\SysWOW64\Gljgbllj.exe Gikkfqmf.exe File opened for modification C:\Windows\SysWOW64\Hhdcmp32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 15760 16332 Process not Found 1884 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blielbfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgenbfoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbdah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihfcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfjka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfekc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmkadgpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mekgdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmpkqqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoofle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqkqiai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojjcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpendjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaqnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoifflkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjegled.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqpgdfnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lemkcnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhafeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcecjmkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmihij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajhddjfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edhjqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baadiiif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbebofc.dll" Kelalp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfkbde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peahgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Albpkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocdqjceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdicienl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcjff32.dll" Djhpgofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbfoaba.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfgikbb.dll" Dpgeee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbbdjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglblmfn.dll" Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhlgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epllglpf.dll" Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleoiomo.dll" Kggcnoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcklp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkjkef32.dll" Inmgmijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoaad32.dll" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnfcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhmmjbkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlfnaicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malhfo32.dll" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnkfj32.dll" Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbeojn32.dll" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iggaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkhpdcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehqkihfg.dll" Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gepmlimi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbiejoaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofoidko.dll" Kbpbed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjpda32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2908 wrote to memory of 5108 2908 d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393N.exe 83 PID 2908 wrote to memory of 5108 2908 d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393N.exe 83 PID 2908 wrote to memory of 5108 2908 d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393N.exe 83 PID 5108 wrote to memory of 3708 5108 Ndhmhh32.exe 84 PID 5108 wrote to memory of 3708 5108 Ndhmhh32.exe 84 PID 5108 wrote to memory of 3708 5108 Ndhmhh32.exe 84 PID 3708 wrote to memory of 4808 3708 Nfjjppmm.exe 85 PID 3708 wrote to memory of 4808 3708 Nfjjppmm.exe 85 PID 3708 wrote to memory of 4808 3708 Nfjjppmm.exe 85 PID 4808 wrote to memory of 4756 4808 Nnqbanmo.exe 86 PID 4808 wrote to memory of 4756 4808 Nnqbanmo.exe 86 PID 4808 wrote to memory of 4756 4808 Nnqbanmo.exe 86 PID 4756 wrote to memory of 1144 4756 Odkjng32.exe 87 PID 4756 wrote to memory of 1144 4756 Odkjng32.exe 87 PID 4756 wrote to memory of 1144 4756 Odkjng32.exe 87 PID 1144 wrote to memory of 1600 1144 Ogifjcdp.exe 88 PID 1144 wrote to memory of 1600 1144 Ogifjcdp.exe 88 PID 1144 wrote to memory of 1600 1144 Ogifjcdp.exe 88 PID 1600 wrote to memory of 4456 1600 Ojgbfocc.exe 89 PID 1600 wrote to memory of 4456 1600 Ojgbfocc.exe 89 PID 1600 wrote to memory of 4456 1600 Ojgbfocc.exe 89 PID 4456 wrote to memory of 1180 4456 Olfobjbg.exe 91 PID 4456 wrote to memory of 1180 4456 Olfobjbg.exe 91 PID 4456 wrote to memory of 1180 4456 Olfobjbg.exe 91 PID 1180 wrote to memory of 1436 1180 Odmgcgbi.exe 92 PID 1180 wrote to memory of 1436 1180 Odmgcgbi.exe 92 PID 1180 wrote to memory of 1436 1180 Odmgcgbi.exe 92 PID 1436 wrote to memory of 3836 1436 Ofnckp32.exe 93 PID 1436 wrote to memory of 3836 1436 Ofnckp32.exe 93 PID 1436 wrote to memory of 3836 1436 Ofnckp32.exe 93 PID 3836 wrote to memory of 3640 3836 Olhlhjpd.exe 94 PID 3836 wrote to memory of 3640 3836 Olhlhjpd.exe 94 PID 3836 wrote to memory of 3640 3836 Olhlhjpd.exe 94 PID 3640 wrote to memory of 3356 3640 Odocigqg.exe 95 PID 3640 wrote to memory of 3356 3640 Odocigqg.exe 95 PID 3640 wrote to memory of 3356 3640 Odocigqg.exe 95 PID 3356 wrote to memory of 3364 3356 Ognpebpj.exe 96 PID 3356 wrote to memory of 3364 3356 Ognpebpj.exe 96 PID 3356 wrote to memory of 3364 3356 Ognpebpj.exe 96 PID 3364 wrote to memory of 3432 3364 Ofqpqo32.exe 97 PID 3364 wrote to memory of 3432 3364 Ofqpqo32.exe 97 PID 3364 wrote to memory of 3432 3364 Ofqpqo32.exe 97 PID 3432 wrote to memory of 4140 3432 Olkhmi32.exe 99 PID 3432 wrote to memory of 4140 3432 Olkhmi32.exe 99 PID 3432 wrote to memory of 4140 3432 Olkhmi32.exe 99 PID 4140 wrote to memory of 2768 4140 Ocdqjceo.exe 100 PID 4140 wrote to memory of 2768 4140 Ocdqjceo.exe 100 PID 4140 wrote to memory of 2768 4140 Ocdqjceo.exe 100 PID 2768 wrote to memory of 5072 2768 Ofcmfodb.exe 101 PID 2768 wrote to memory of 5072 2768 Ofcmfodb.exe 101 PID 2768 wrote to memory of 5072 2768 Ofcmfodb.exe 101 PID 5072 wrote to memory of 1612 5072 Onjegled.exe 102 PID 5072 wrote to memory of 1612 5072 Onjegled.exe 102 PID 5072 wrote to memory of 1612 5072 Onjegled.exe 102 PID 1612 wrote to memory of 1956 1612 Oddmdf32.exe 103 PID 1612 wrote to memory of 1956 1612 Oddmdf32.exe 103 PID 1612 wrote to memory of 1956 1612 Oddmdf32.exe 103 PID 1956 wrote to memory of 4292 1956 Ofeilobp.exe 105 PID 1956 wrote to memory of 4292 1956 Ofeilobp.exe 105 PID 1956 wrote to memory of 4292 1956 Ofeilobp.exe 105 PID 4292 wrote to memory of 4592 4292 Pnlaml32.exe 106 PID 4292 wrote to memory of 4592 4292 Pnlaml32.exe 106 PID 4292 wrote to memory of 4592 4292 Pnlaml32.exe 106 PID 4592 wrote to memory of 544 4592 Pdfjifjo.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393N.exe"C:\Users\Admin\AppData\Local\Temp\d8cca602585d74865ce6896959f08134431142804cfe608cd1281a2277b21393N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe23⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe24⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe25⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe26⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe27⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe28⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe29⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe30⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3188 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe32⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe33⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe35⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe36⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe37⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe38⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe39⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe40⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe41⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5064 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe43⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe44⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe45⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe46⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe47⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe48⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe49⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe50⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe51⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe52⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe53⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe54⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe55⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe56⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe57⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe58⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe59⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe60⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:228 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe62⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe63⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe64⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe65⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe66⤵PID:408
-
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe67⤵PID:2144
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe68⤵PID:1616
-
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe69⤵PID:4936
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe70⤵PID:1700
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe71⤵PID:5068
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe72⤵PID:1104
-
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe73⤵PID:2960
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe74⤵PID:628
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe75⤵PID:2188
-
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe76⤵PID:2556
-
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe77⤵
- Drops file in System32 directory
PID:3696 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe78⤵PID:4044
-
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe79⤵PID:4676
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe80⤵PID:3008
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe81⤵PID:428
-
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe82⤵PID:2028
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe83⤵PID:968
-
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe84⤵PID:2440
-
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe85⤵PID:2320
-
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe87⤵PID:3672
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe88⤵PID:5128
-
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe89⤵PID:5172
-
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe90⤵PID:5220
-
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe91⤵PID:5264
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe92⤵PID:5308
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe93⤵PID:5352
-
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe94⤵PID:5404
-
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe95⤵PID:5464
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe96⤵PID:5532
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe97⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe98⤵PID:5624
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe99⤵PID:5668
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe100⤵PID:5712
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe101⤵PID:5756
-
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe102⤵PID:5800
-
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe103⤵PID:5844
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe104⤵PID:5892
-
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe105⤵PID:5936
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe106⤵PID:5980
-
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe107⤵PID:6020
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe108⤵PID:6064
-
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe109⤵PID:6108
-
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe110⤵PID:1396
-
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe111⤵PID:5188
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe112⤵PID:5248
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe113⤵PID:5332
-
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe114⤵PID:5420
-
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe115⤵PID:5484
-
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe116⤵PID:5576
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe118⤵PID:5696
-
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe119⤵PID:5792
-
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe120⤵
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe121⤵PID:5956
-
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe122⤵PID:6052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-