Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 12:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d.exe
-
Size
205KB
-
MD5
4a67d2586dfdc86bf9b5cf51e295bde7
-
SHA1
1b35bd5d6da1fff08663fa9ab6244f2f137b7586
-
SHA256
df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d
-
SHA512
73f7463f640099fc46836b111fd7d07c777fdc80e9e304c29670782140a06a8e26a58b0437987c779003f11d39414958f7723c8ad88645b959a2218e88e6ce9e
-
SSDEEP
6144:A7XygxqCgxuKGyZ6YugQdjGG1wsKm6eBgdQbT:AfxqCmGyXu1jGG1wsGeBg8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hffken32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbjelc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indfca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecellgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkmjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpqodfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmoohe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalipoiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahfdjanb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkalplel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klhnfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfcmmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pagbaglh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfhgkmpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnbicff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocamjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okedcjcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glengm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liqihglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bahdob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkmgblok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhadc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onapdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcclld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilafiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lifjnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcahd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kelalp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidlnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hplbickp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcelmhen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knefeffd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnepna32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2476 Gadqlkep.exe 872 Gdbmhf32.exe 4504 Ggqida32.exe 3616 Gohaeo32.exe 3060 Ghpendjj.exe 3360 Gnmnfkia.exe 3220 Gdgfce32.exe 4496 Hnoklk32.exe 984 Hheoid32.exe 1084 Hnagak32.exe 4860 Hdlpneli.exe 2936 Hkehkocf.exe 384 Hfklhhcl.exe 2472 Hhihdcbp.exe 2244 Hnfamjqg.exe 2772 Hhlejcpm.exe 2836 Hkjafn32.exe 1992 Hofmfmhj.exe 1896 Iohjlmeg.exe 3528 Ifbbig32.exe 4548 Inmgmijo.exe 3496 Iickkbje.exe 4600 Inpccihl.exe 2172 Inbqhhfj.exe 2036 Ioambknl.exe 1524 Jkhngl32.exe 2412 Jbbfdfkn.exe 3160 Jnifigpa.exe 2488 Jfpojead.exe 4544 Jkmgblok.exe 2692 Jbgoof32.exe 1704 Jnnpdg32.exe 2508 Jgfdmlcm.exe 544 Jblijebc.exe 3892 Jieagojp.exe 4444 Kppici32.exe 1548 Kelalp32.exe 3644 Kihnmohm.exe 1788 Knefeffd.exe 1820 Keonap32.exe 1032 Kijjbofj.exe 3608 Kngcje32.exe 2312 Keakgpko.exe 4576 Klkcdj32.exe 3688 Kfqgab32.exe 2028 Kiodmn32.exe 2696 Klmpiiai.exe 4424 Kbghfc32.exe 4996 Kiaqcnpb.exe 1344 Llpmoiof.exe 952 Lpkiph32.exe 2888 Lbjelc32.exe 1352 Lehaho32.exe 4952 Lidmhmnp.exe 4980 Llbidimc.exe 3964 Lnqeqd32.exe 4192 Lfhnaa32.exe 4084 Lifjnm32.exe 3832 Lhijijbg.exe 2184 Locbfd32.exe 2744 Lfjjga32.exe 1308 Lemkcnaa.exe 2144 Lhkgoiqe.exe 3204 Lpbopfag.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kohmng32.dll Oljaccjf.exe File created C:\Windows\SysWOW64\Jhgiim32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kjccdkki.exe Jgeghp32.exe File opened for modification C:\Windows\SysWOW64\Kgmcce32.exe Kqbkfkal.exe File created C:\Windows\SysWOW64\Hpjmnjqn.exe Gipdap32.exe File created C:\Windows\SysWOW64\Nmpgal32.dll Hplicjok.exe File created C:\Windows\SysWOW64\Lknojl32.exe Lddgmbpb.exe File created C:\Windows\SysWOW64\Fcpjljph.dll Lgpoihnl.exe File created C:\Windows\SysWOW64\Iocbnhog.dll Mgbefe32.exe File created C:\Windows\SysWOW64\Ieoigp32.dll Ahdpjn32.exe File created C:\Windows\SysWOW64\Ofblbapl.dll Fkhpfbce.exe File opened for modification C:\Windows\SysWOW64\Gklnjj32.exe Ggpbjkpl.exe File created C:\Windows\SysWOW64\Klkkgm32.dll Ikcmbfcj.exe File created C:\Windows\SysWOW64\Jdokpl32.dll Mejpje32.exe File created C:\Windows\SysWOW64\Mfenglqf.exe Process not Found File created C:\Windows\SysWOW64\Dhgonidg.exe Damfao32.exe File opened for modification C:\Windows\SysWOW64\Ehndnh32.exe Eqgmmk32.exe File opened for modification C:\Windows\SysWOW64\Bapgdm32.exe Process not Found File created C:\Windows\SysWOW64\Gkdhjknm.exe Fdkpma32.exe File opened for modification C:\Windows\SysWOW64\Jnlbojee.exe Jgbjbp32.exe File created C:\Windows\SysWOW64\Gpgind32.exe Gimqajgh.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hiiggoaf.exe File opened for modification C:\Windows\SysWOW64\Ljeafb32.exe Lggejg32.exe File created C:\Windows\SysWOW64\Bgbdcgld.exe Bmmpfn32.exe File created C:\Windows\SysWOW64\Mhafeb32.exe Mahnhhod.exe File created C:\Windows\SysWOW64\Efafgifc.exe Dpgnjo32.exe File opened for modification C:\Windows\SysWOW64\Inbqhhfj.exe Inpccihl.exe File created C:\Windows\SysWOW64\Igleoo32.dll Caienjfd.exe File created C:\Windows\SysWOW64\Ppihoe32.dll Gpgind32.exe File created C:\Windows\SysWOW64\Oejbfmpg.exe Oanfen32.exe File created C:\Windows\SysWOW64\Cbbdjm32.exe Ckilmcgb.exe File created C:\Windows\SysWOW64\Kfnfjehl.exe Kcpjnjii.exe File created C:\Windows\SysWOW64\Aqlelp32.dll Lpkiph32.exe File opened for modification C:\Windows\SysWOW64\Ddgibkpc.exe Dahmfpap.exe File created C:\Windows\SysWOW64\Hnfjbdmk.exe Hjjnae32.exe File created C:\Windows\SysWOW64\Kmkdjo32.dll Nfjola32.exe File created C:\Windows\SysWOW64\Iohmnmmb.dll Adkqoohc.exe File created C:\Windows\SysWOW64\Mejpje32.exe Mnphmkji.exe File created C:\Windows\SysWOW64\Fealin32.exe Fbbpmb32.exe File opened for modification C:\Windows\SysWOW64\Lnqeqd32.exe Llbidimc.exe File created C:\Windows\SysWOW64\Ocaikjof.dll Hhbkinel.exe File created C:\Windows\SysWOW64\Gedapeof.dll Kmaopfjm.exe File created C:\Windows\SysWOW64\Debcil32.dll Process not Found File created C:\Windows\SysWOW64\Kiodmn32.exe Kfqgab32.exe File created C:\Windows\SysWOW64\Hpmpjoao.dll Mpqkad32.exe File created C:\Windows\SysWOW64\Fdglmkeg.exe Flqdlnde.exe File created C:\Windows\SysWOW64\Iciaqc32.exe Iloidijb.exe File opened for modification C:\Windows\SysWOW64\Kbghfc32.exe Klmpiiai.exe File created C:\Windows\SysWOW64\Migidc32.dll Gklnjj32.exe File created C:\Windows\SysWOW64\Eiaoid32.exe Ebhglj32.exe File opened for modification C:\Windows\SysWOW64\Alnfpcag.exe Aednci32.exe File opened for modification C:\Windows\SysWOW64\Abcgjg32.exe Process not Found File created C:\Windows\SysWOW64\Pkcadhgm.exe Pibdmp32.exe File opened for modification C:\Windows\SysWOW64\Ipgkjlmg.exe Iimcma32.exe File created C:\Windows\SysWOW64\Mmdaih32.dll Process not Found File created C:\Windows\SysWOW64\Adjjeieh.exe Process not Found File created C:\Windows\SysWOW64\Hqomopfd.dll Nojjcj32.exe File created C:\Windows\SysWOW64\Lkchelci.exe Lclpdncg.exe File created C:\Windows\SysWOW64\Kibohd32.dll Ofkgcobj.exe File created C:\Windows\SysWOW64\Domdocba.dll Bnlhncgi.exe File created C:\Windows\SysWOW64\Lkhimi32.dll Emnbdioi.exe File created C:\Windows\SysWOW64\Jomnmjjb.dll Boeebnhp.exe File created C:\Windows\SysWOW64\Lblldc32.dll Ibfnqmpf.exe File created C:\Windows\SysWOW64\Ebjkfjbc.dll Onpjichj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10128 9884 Process not Found 1283 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmfllhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biogppeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahlcaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbmphjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbhqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmoohbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbqhhfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aolblopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhimhobl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppopjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfelogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidmhmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmoohe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpqaiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleepoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmikeaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhijijbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjmkoeqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqnbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqfdnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poliea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhnaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcepkfld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnhoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekodjiol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddifgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcjkfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhpqhlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmoijje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffcpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbkinel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neoieenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbmohmoh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pibdmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcndbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihnap32.dll" Nomncpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmacdg32.dll" Klahfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlmchoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lemkcnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhngolpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll" Gpmomo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcmmhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll" Efblbbqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljekoej.dll" Eclmamod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcqjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eaqdegaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inagcf32.dll" Leopnglc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpamfo32.dll" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmflc32.dll" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peehmbji.dll" Nliaao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll" Felbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cceddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcogje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohlimd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogfcjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eaqdegaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igedlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmmfmhll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkhpdcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilafiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbfgkffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdabh32.dll" Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglobbdg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epagkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll" Johnamkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgqfdnah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejchhgid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbeejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moaogand.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjiepeok.dll" Eibfck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnlj32.dll" Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkbjjbda.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3132 wrote to memory of 2476 3132 df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d.exe 82 PID 3132 wrote to memory of 2476 3132 df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d.exe 82 PID 3132 wrote to memory of 2476 3132 df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d.exe 82 PID 2476 wrote to memory of 872 2476 Gadqlkep.exe 83 PID 2476 wrote to memory of 872 2476 Gadqlkep.exe 83 PID 2476 wrote to memory of 872 2476 Gadqlkep.exe 83 PID 872 wrote to memory of 4504 872 Gdbmhf32.exe 84 PID 872 wrote to memory of 4504 872 Gdbmhf32.exe 84 PID 872 wrote to memory of 4504 872 Gdbmhf32.exe 84 PID 4504 wrote to memory of 3616 4504 Ggqida32.exe 85 PID 4504 wrote to memory of 3616 4504 Ggqida32.exe 85 PID 4504 wrote to memory of 3616 4504 Ggqida32.exe 85 PID 3616 wrote to memory of 3060 3616 Gohaeo32.exe 86 PID 3616 wrote to memory of 3060 3616 Gohaeo32.exe 86 PID 3616 wrote to memory of 3060 3616 Gohaeo32.exe 86 PID 3060 wrote to memory of 3360 3060 Ghpendjj.exe 87 PID 3060 wrote to memory of 3360 3060 Ghpendjj.exe 87 PID 3060 wrote to memory of 3360 3060 Ghpendjj.exe 87 PID 3360 wrote to memory of 3220 3360 Gnmnfkia.exe 88 PID 3360 wrote to memory of 3220 3360 Gnmnfkia.exe 88 PID 3360 wrote to memory of 3220 3360 Gnmnfkia.exe 88 PID 3220 wrote to memory of 4496 3220 Gdgfce32.exe 89 PID 3220 wrote to memory of 4496 3220 Gdgfce32.exe 89 PID 3220 wrote to memory of 4496 3220 Gdgfce32.exe 89 PID 4496 wrote to memory of 984 4496 Hnoklk32.exe 90 PID 4496 wrote to memory of 984 4496 Hnoklk32.exe 90 PID 4496 wrote to memory of 984 4496 Hnoklk32.exe 90 PID 984 wrote to memory of 1084 984 Hheoid32.exe 91 PID 984 wrote to memory of 1084 984 Hheoid32.exe 91 PID 984 wrote to memory of 1084 984 Hheoid32.exe 91 PID 1084 wrote to memory of 4860 1084 Hnagak32.exe 92 PID 1084 wrote to memory of 4860 1084 Hnagak32.exe 92 PID 1084 wrote to memory of 4860 1084 Hnagak32.exe 92 PID 4860 wrote to memory of 2936 4860 Hdlpneli.exe 93 PID 4860 wrote to memory of 2936 4860 Hdlpneli.exe 93 PID 4860 wrote to memory of 2936 4860 Hdlpneli.exe 93 PID 2936 wrote to memory of 384 2936 Hkehkocf.exe 94 PID 2936 wrote to memory of 384 2936 Hkehkocf.exe 94 PID 2936 wrote to memory of 384 2936 Hkehkocf.exe 94 PID 384 wrote to memory of 2472 384 Hfklhhcl.exe 95 PID 384 wrote to memory of 2472 384 Hfklhhcl.exe 95 PID 384 wrote to memory of 2472 384 Hfklhhcl.exe 95 PID 2472 wrote to memory of 2244 2472 Hhihdcbp.exe 96 PID 2472 wrote to memory of 2244 2472 Hhihdcbp.exe 96 PID 2472 wrote to memory of 2244 2472 Hhihdcbp.exe 96 PID 2244 wrote to memory of 2772 2244 Hnfamjqg.exe 97 PID 2244 wrote to memory of 2772 2244 Hnfamjqg.exe 97 PID 2244 wrote to memory of 2772 2244 Hnfamjqg.exe 97 PID 2772 wrote to memory of 2836 2772 Hhlejcpm.exe 98 PID 2772 wrote to memory of 2836 2772 Hhlejcpm.exe 98 PID 2772 wrote to memory of 2836 2772 Hhlejcpm.exe 98 PID 2836 wrote to memory of 1992 2836 Hkjafn32.exe 99 PID 2836 wrote to memory of 1992 2836 Hkjafn32.exe 99 PID 2836 wrote to memory of 1992 2836 Hkjafn32.exe 99 PID 1992 wrote to memory of 1896 1992 Hofmfmhj.exe 100 PID 1992 wrote to memory of 1896 1992 Hofmfmhj.exe 100 PID 1992 wrote to memory of 1896 1992 Hofmfmhj.exe 100 PID 1896 wrote to memory of 3528 1896 Iohjlmeg.exe 101 PID 1896 wrote to memory of 3528 1896 Iohjlmeg.exe 101 PID 1896 wrote to memory of 3528 1896 Iohjlmeg.exe 101 PID 3528 wrote to memory of 4548 3528 Ifbbig32.exe 102 PID 3528 wrote to memory of 4548 3528 Ifbbig32.exe 102 PID 3528 wrote to memory of 4548 3528 Ifbbig32.exe 102 PID 4548 wrote to memory of 3496 4548 Inmgmijo.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d.exe"C:\Users\Admin\AppData\Local\Temp\df6c8d29bbefda842579fa1cb404f0cf8e5d833d9c7e03ee1cd7ac02a48d4a9d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe23⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe26⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe27⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe28⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe29⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe30⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe32⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe33⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe34⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe35⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe36⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe37⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe39⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe41⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe42⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe43⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe44⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe45⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3688 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe47⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe49⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe50⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe51⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe54⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4952 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe57⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4192 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3832 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe61⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe62⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe64⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe65⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe66⤵PID:4728
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe67⤵PID:1016
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe68⤵PID:2576
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe69⤵PID:2908
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe70⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3244 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe72⤵PID:3148
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe73⤵PID:2020
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe74⤵
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe75⤵PID:3628
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe76⤵
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe77⤵PID:4740
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe78⤵PID:1596
-
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe79⤵PID:3792
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe80⤵PID:1912
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe81⤵PID:312
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe82⤵PID:1540
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe84⤵PID:4824
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe85⤵
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe86⤵PID:4500
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe87⤵PID:4216
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe88⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe89⤵PID:1680
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe90⤵PID:2748
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe91⤵PID:932
-
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe92⤵PID:2080
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe93⤵PID:2388
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe94⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3112 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe96⤵PID:512
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe97⤵
- Drops file in System32 directory
PID:3868 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe98⤵PID:5036
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe99⤵PID:1808
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe100⤵PID:4856
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe101⤵PID:844
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe102⤵PID:1428
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe103⤵PID:712
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe104⤵PID:3464
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe105⤵PID:4804
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe106⤵PID:1364
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe107⤵PID:3988
-
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe108⤵PID:2624
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe109⤵
- System Location Discovery: System Language Discovery
PID:5104 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe110⤵PID:5148
-
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe111⤵PID:5192
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe112⤵PID:5240
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe113⤵PID:5284
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe114⤵PID:5328
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe115⤵PID:5376
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe116⤵PID:5420
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe117⤵PID:5464
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe118⤵PID:5528
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe119⤵PID:5588
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe120⤵PID:5632
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe121⤵PID:5676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-