Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe
-
Size
302KB
-
MD5
0e0717fc3a7a95c887ae06f9fe6a4ab4
-
SHA1
ea4398d9cd620071193a7e27dca0f8a9883d0e85
-
SHA256
439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d
-
SHA512
f3f0d4462881c43ab435d9e02672d78dfd5e68a584f108c5a1e5e23fcbf90bfc73ed9b3836ab47532db002350bdcbbb8beab641d5df44d954fd412024a07cfe0
-
SSDEEP
6144:9GGnkEDZdeRXmbzYALVqq3FF7fPtcsw6UJZqktbOUqCTGepXgbWHr:9GGnkEldeRXmbzYALVP3FF7fFcsw6UJn
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdohp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnfpcag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfedm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dooaoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nopfpgip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljcoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpdin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpecbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmcdffmq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmingjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gppcmeem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjoif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkelj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajgkfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdnhih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iipfmggc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllokajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pleaoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Podmkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfadkgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiodpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iohejo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oofaiokl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmeapmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koodbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkbmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdphngfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iojbpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklajcmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enigke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdjbiheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjbiheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afgacokc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdidgjg.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3160 Ocopdn32.exe 384 Oenlqi32.exe 2836 Ohlimd32.exe 4404 Oofaiokl.exe 876 Ogmijllo.exe 3172 Oileggkb.exe 1232 Oljaccjf.exe 3952 Ollnhb32.exe 116 Ophjiaql.exe 4956 Pgbbek32.exe 1372 Phcomcng.exe 1812 Pgdokkfg.exe 2012 Poodpmca.exe 1368 Pckppl32.exe 2280 Plcdiabk.exe 2756 Pcmlfl32.exe 2500 Pflibgil.exe 4416 Pleaoa32.exe 4664 Podmkm32.exe 2004 Pgkelj32.exe 1040 Plhnda32.exe 3756 Pqcjepfo.exe 2044 Qcbfakec.exe 3492 Qfpbmfdf.exe 3196 Qhonib32.exe 4976 Qqffjo32.exe 468 Qfbobf32.exe 4024 Qhakoa32.exe 2288 Qlmgopjq.exe 2604 Acgolj32.exe 1688 Ahchda32.exe 520 Amodep32.exe 3444 Acilajpk.exe 4328 Amaqjp32.exe 4916 Aqmlknnd.exe 3648 Ackigjmh.exe 5044 Aggegh32.exe 1060 Afjeceml.exe 1012 Ajeadd32.exe 1140 Aihaoqlp.exe 1076 Aqoiqn32.exe 1068 Aobilkcl.exe 2116 Agiamhdo.exe 1600 Aflaie32.exe 2668 Ajhniccb.exe 1868 Amfjeobf.exe 3692 Aqaffn32.exe 3464 Aodfajaj.exe 4360 Aglnbhal.exe 4852 Afnnnd32.exe 3640 Aimkjp32.exe 2692 Bqdblmhl.exe 3568 Bogcgj32.exe 688 Bfqkddfd.exe 1308 Bmkcqn32.exe 3240 Bqilgmdg.exe 1460 Bgeaifia.exe 4792 Bggnof32.exe 2516 Cgndoeag.exe 4780 Cgqqdeod.exe 552 Cjomap32.exe 4684 Dmpfbk32.exe 2020 Diffglam.exe 5048 Dannij32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fhmigagd.exe Fpeafcfa.exe File created C:\Windows\SysWOW64\Chlcgfff.dll Oobfob32.exe File opened for modification C:\Windows\SysWOW64\Kiphjo32.exe Jahqiaeb.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Kcidmkpq.exe File created C:\Windows\SysWOW64\Mmmqhl32.exe Mjodla32.exe File created C:\Windows\SysWOW64\Enpfan32.exe Egened32.exe File opened for modification C:\Windows\SysWOW64\Fbgbnkfm.exe Fohfbpgi.exe File created C:\Windows\SysWOW64\Ljkifn32.exe Llhikacp.exe File created C:\Windows\SysWOW64\Ldgccb32.exe Lqkgbcff.exe File opened for modification C:\Windows\SysWOW64\Cdaile32.exe Process not Found File created C:\Windows\SysWOW64\Ppajlp32.dll Mlmbfqoj.exe File created C:\Windows\SysWOW64\Njfagf32.exe Nlcalieg.exe File created C:\Windows\SysWOW64\Pbbmemif.dll Bdickcpo.exe File created C:\Windows\SysWOW64\Hpioin32.exe Hhaggp32.exe File created C:\Windows\SysWOW64\Ehndnh32.exe Ebdlangb.exe File created C:\Windows\SysWOW64\Aadghn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qlggjk32.exe Pabblb32.exe File created C:\Windows\SysWOW64\Gpnmbl32.exe Glcaambb.exe File opened for modification C:\Windows\SysWOW64\Jklinohd.exe Jgpmmp32.exe File created C:\Windows\SysWOW64\Kcndbp32.exe Kdkdgchl.exe File created C:\Windows\SysWOW64\Mjidgkog.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ggilil32.exe Fdkpma32.exe File created C:\Windows\SysWOW64\Blhpqhlh.exe Bjicdmmd.exe File created C:\Windows\SysWOW64\Inmalg32.dll Process not Found File created C:\Windows\SysWOW64\Ofjljj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bogkmgba.exe Bdagpnbk.exe File created C:\Windows\SysWOW64\Eiobodkp.dll Agiamhdo.exe File created C:\Windows\SysWOW64\Jnfcia32.exe Jglklggl.exe File created C:\Windows\SysWOW64\Ddooacnk.dll Ikkpgafg.exe File created C:\Windows\SysWOW64\Appnje32.dll Jnlbojee.exe File created C:\Windows\SysWOW64\Ofonqd32.dll Oogpjbbb.exe File created C:\Windows\SysWOW64\Anobgl32.exe Alnfpcag.exe File created C:\Windows\SysWOW64\Iamamcop.exe Ilphdlqh.exe File opened for modification C:\Windows\SysWOW64\Kibeoo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pjlcjf32.exe Process not Found File created C:\Windows\SysWOW64\Pjhfcm32.dll Process not Found File created C:\Windows\SysWOW64\Gdbpil32.dll Cgndoeag.exe File created C:\Windows\SysWOW64\Fdglmkeg.exe Fmndpq32.exe File opened for modification C:\Windows\SysWOW64\Cglbhhga.exe Cdmfllhn.exe File created C:\Windows\SysWOW64\Coadnlnb.exe Clchbqoo.exe File created C:\Windows\SysWOW64\Ckjbhmad.exe Cfnjpfcl.exe File created C:\Windows\SysWOW64\Pcegclgp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jddnfd32.exe Jnjejjgh.exe File opened for modification C:\Windows\SysWOW64\Jgbjbp32.exe Jddnfd32.exe File opened for modification C:\Windows\SysWOW64\Dqbcbkab.exe Doagjc32.exe File created C:\Windows\SysWOW64\Djkpla32.dll Process not Found File created C:\Windows\SysWOW64\Bjbalpnl.dll Dpehof32.exe File opened for modification C:\Windows\SysWOW64\Elbhjp32.exe Eidlnd32.exe File created C:\Windows\SysWOW64\Ghkeio32.exe Gpcmga32.exe File created C:\Windows\SysWOW64\Laiimcij.dll Process not Found File created C:\Windows\SysWOW64\Pagpdj32.dll Ejdocm32.exe File created C:\Windows\SysWOW64\Cijpahho.exe Cfldelik.exe File created C:\Windows\SysWOW64\Ndflak32.exe Nagpeo32.exe File created C:\Windows\SysWOW64\Hkhomj32.dll Pckppl32.exe File created C:\Windows\SysWOW64\Igbalblk.exe Iphioh32.exe File opened for modification C:\Windows\SysWOW64\Eicedn32.exe Efeihb32.exe File opened for modification C:\Windows\SysWOW64\Fbmohmoh.exe Fooclapd.exe File opened for modification C:\Windows\SysWOW64\Pagbaglh.exe Pmlfqh32.exe File created C:\Windows\SysWOW64\Ogpmdqpl.dll Ddkbmj32.exe File created C:\Windows\SysWOW64\Ppkjigdd.dll Process not Found File created C:\Windows\SysWOW64\Bggnof32.exe Bgeaifia.exe File opened for modification C:\Windows\SysWOW64\Lghcocol.exe Lejgch32.exe File opened for modification C:\Windows\SysWOW64\Olicnfco.exe Odalmibl.exe File opened for modification C:\Windows\SysWOW64\Fealin32.exe Fngcmcfe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7420 8044 Process not Found 1315 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcepkfld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fngcmcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edgbii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edemkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neccpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghpbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manmoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anclbkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fineoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginecde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjccdkki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcmga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pffgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmdme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqodfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmggb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibmgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiieicml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqdegaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdpbpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codhnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmojkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdciiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdbhifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oileggkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaleglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfgdpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafonaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjlkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckkca32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll" Ihbponja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlljcfl.dll" Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpbflg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecefqnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncepolj.dll" Gijmad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmpmnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopnfa32.dll" Pehngkcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhafeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgflfoob.dll" Gdfoio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccbakce.dll" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll" Ddgibkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icknfcol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlegnjbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbbnpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflbhhom.dll" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaedkn32.dll" Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfioo32.dll" Pgdokkfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnpofnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhepbll.dll" Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpnmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpfepf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dphefd32.dll" Jgogbgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdkdgchl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbiado32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coppbe32.dll" Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnoeha32.dll" Hgghjjid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomnmjjb.dll" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbalhp32.dll" Bojomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qodeajbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mepfiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmdcfidg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opnbae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fajgkfio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmieae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fajgkfio.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1692 wrote to memory of 3160 1692 439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe 82 PID 1692 wrote to memory of 3160 1692 439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe 82 PID 1692 wrote to memory of 3160 1692 439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe 82 PID 3160 wrote to memory of 384 3160 Ocopdn32.exe 83 PID 3160 wrote to memory of 384 3160 Ocopdn32.exe 83 PID 3160 wrote to memory of 384 3160 Ocopdn32.exe 83 PID 384 wrote to memory of 2836 384 Oenlqi32.exe 84 PID 384 wrote to memory of 2836 384 Oenlqi32.exe 84 PID 384 wrote to memory of 2836 384 Oenlqi32.exe 84 PID 2836 wrote to memory of 4404 2836 Ohlimd32.exe 85 PID 2836 wrote to memory of 4404 2836 Ohlimd32.exe 85 PID 2836 wrote to memory of 4404 2836 Ohlimd32.exe 85 PID 4404 wrote to memory of 876 4404 Oofaiokl.exe 86 PID 4404 wrote to memory of 876 4404 Oofaiokl.exe 86 PID 4404 wrote to memory of 876 4404 Oofaiokl.exe 86 PID 876 wrote to memory of 3172 876 Ogmijllo.exe 87 PID 876 wrote to memory of 3172 876 Ogmijllo.exe 87 PID 876 wrote to memory of 3172 876 Ogmijllo.exe 87 PID 3172 wrote to memory of 1232 3172 Oileggkb.exe 88 PID 3172 wrote to memory of 1232 3172 Oileggkb.exe 88 PID 3172 wrote to memory of 1232 3172 Oileggkb.exe 88 PID 1232 wrote to memory of 3952 1232 Oljaccjf.exe 89 PID 1232 wrote to memory of 3952 1232 Oljaccjf.exe 89 PID 1232 wrote to memory of 3952 1232 Oljaccjf.exe 89 PID 3952 wrote to memory of 116 3952 Ollnhb32.exe 90 PID 3952 wrote to memory of 116 3952 Ollnhb32.exe 90 PID 3952 wrote to memory of 116 3952 Ollnhb32.exe 90 PID 116 wrote to memory of 4956 116 Ophjiaql.exe 91 PID 116 wrote to memory of 4956 116 Ophjiaql.exe 91 PID 116 wrote to memory of 4956 116 Ophjiaql.exe 91 PID 4956 wrote to memory of 1372 4956 Pgbbek32.exe 92 PID 4956 wrote to memory of 1372 4956 Pgbbek32.exe 92 PID 4956 wrote to memory of 1372 4956 Pgbbek32.exe 92 PID 1372 wrote to memory of 1812 1372 Phcomcng.exe 93 PID 1372 wrote to memory of 1812 1372 Phcomcng.exe 93 PID 1372 wrote to memory of 1812 1372 Phcomcng.exe 93 PID 1812 wrote to memory of 2012 1812 Pgdokkfg.exe 94 PID 1812 wrote to memory of 2012 1812 Pgdokkfg.exe 94 PID 1812 wrote to memory of 2012 1812 Pgdokkfg.exe 94 PID 2012 wrote to memory of 1368 2012 Poodpmca.exe 95 PID 2012 wrote to memory of 1368 2012 Poodpmca.exe 95 PID 2012 wrote to memory of 1368 2012 Poodpmca.exe 95 PID 1368 wrote to memory of 2280 1368 Pckppl32.exe 96 PID 1368 wrote to memory of 2280 1368 Pckppl32.exe 96 PID 1368 wrote to memory of 2280 1368 Pckppl32.exe 96 PID 2280 wrote to memory of 2756 2280 Plcdiabk.exe 97 PID 2280 wrote to memory of 2756 2280 Plcdiabk.exe 97 PID 2280 wrote to memory of 2756 2280 Plcdiabk.exe 97 PID 2756 wrote to memory of 2500 2756 Pcmlfl32.exe 98 PID 2756 wrote to memory of 2500 2756 Pcmlfl32.exe 98 PID 2756 wrote to memory of 2500 2756 Pcmlfl32.exe 98 PID 2500 wrote to memory of 4416 2500 Pflibgil.exe 99 PID 2500 wrote to memory of 4416 2500 Pflibgil.exe 99 PID 2500 wrote to memory of 4416 2500 Pflibgil.exe 99 PID 4416 wrote to memory of 4664 4416 Pleaoa32.exe 100 PID 4416 wrote to memory of 4664 4416 Pleaoa32.exe 100 PID 4416 wrote to memory of 4664 4416 Pleaoa32.exe 100 PID 4664 wrote to memory of 2004 4664 Podmkm32.exe 101 PID 4664 wrote to memory of 2004 4664 Podmkm32.exe 101 PID 4664 wrote to memory of 2004 4664 Podmkm32.exe 101 PID 2004 wrote to memory of 1040 2004 Pgkelj32.exe 102 PID 2004 wrote to memory of 1040 2004 Pgkelj32.exe 102 PID 2004 wrote to memory of 1040 2004 Pgkelj32.exe 102 PID 1040 wrote to memory of 3756 1040 Plhnda32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe"C:\Users\Admin\AppData\Local\Temp\439425d5412caa1d6d0f545f7d49ffad728c4df7cecb4256cbd5d5bd69e4890d.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe23⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe24⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe25⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe26⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe27⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe28⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe29⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe30⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe31⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe32⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe33⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe34⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe35⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe36⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe37⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe38⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe39⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe40⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe41⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe42⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe43⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe45⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe46⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe47⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe48⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe49⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe50⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe51⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe52⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe53⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe54⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe55⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe56⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe57⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe59⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe61⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe62⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe63⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe64⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe65⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe66⤵
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe67⤵PID:4540
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe68⤵PID:2172
-
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe69⤵PID:4552
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe70⤵PID:3940
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe71⤵PID:2100
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe72⤵PID:2052
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe73⤵PID:180
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe74⤵
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe75⤵PID:3544
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe76⤵PID:3032
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe77⤵PID:1280
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe78⤵PID:1500
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe79⤵PID:1388
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe81⤵PID:4032
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3684 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe83⤵PID:3564
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe84⤵PID:2568
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe85⤵PID:3700
-
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe86⤵PID:4320
-
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe87⤵
- Drops file in System32 directory
PID:4572 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe88⤵PID:1844
-
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe89⤵PID:2420
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe90⤵PID:1208
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe91⤵PID:3852
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe92⤵
- System Location Discovery: System Language Discovery
PID:4384 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe93⤵PID:5012
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe94⤵PID:4424
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe95⤵PID:4772
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe96⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe97⤵PID:5008
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe99⤵PID:3532
-
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe100⤵PID:3476
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe101⤵PID:1608
-
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe102⤵PID:4380
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe103⤵PID:2588
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe104⤵PID:3704
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3512 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe106⤵
- System Location Discovery: System Language Discovery
PID:3256 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3384 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe108⤵PID:4080
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe109⤵PID:2528
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe110⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe111⤵PID:5148
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe113⤵PID:5252
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe114⤵PID:5316
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe115⤵PID:5388
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe116⤵PID:5444
-
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe117⤵PID:5480
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5536 -
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe119⤵PID:5568
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe120⤵PID:5620
-
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe121⤵PID:5668
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-