Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 20:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe
-
Size
608KB
-
MD5
ed7e9e0a6a9f98757195e278a887ee50
-
SHA1
cb98f621202678e6ff49397230ce6a56259272c8
-
SHA256
248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67ed
-
SHA512
746ab93baf9e7f90e8095e68fad42a4010d0f430fb5a837e1bec08e04d28026f73ea474778c13b66d2255f92643c206fb137e78ea4652c03394cf369ed98df3b
-
SSDEEP
12288:CsjkY660fIaDZkY660f8jTK/XhdAwlt01A:XjgsaDZgQjGkwlp
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbqmiinl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgonidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljceqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manmoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amodep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkogiikb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bheffh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbgkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aamknj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efgemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffobhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nopfpgip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kidben32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njinmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckbemgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkkoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aabkbono.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggegh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gicgpelg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqoefand.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhniccb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqopnhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhkjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpqggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqkhda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfbaonae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjcgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcndbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Manmoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccnncgmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpihcgoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofkgcobj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpeahb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohpkmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmojkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iajdgcab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnjpfcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfaajnfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamamcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dblgpl32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2580 Ogpepl32.exe 4888 Pgbbek32.exe 5088 Ppjgoaoj.exe 2332 Pjbkgfej.exe 3264 Plagcbdn.exe 3684 Pjehmfch.exe 396 Ppamophb.exe 2648 Plhnda32.exe 2632 Qfpbmfdf.exe 5008 Qhakoa32.exe 2868 Amodep32.exe 2348 Afghneoo.exe 4120 Aggegh32.exe 3576 Amcmpodi.exe 3768 Ajhniccb.exe 4600 Afnnnd32.exe 4992 Bqdblmhl.exe 1404 Bcbohigp.exe 2732 Biogppeg.exe 1580 Bcelmhen.exe 1308 Bfchidda.exe 1896 Bjodjb32.exe 1424 Bmmpfn32.exe 4716 Boklbi32.exe 1548 Bcghch32.exe 3192 Bfedoc32.exe 3272 Bidqko32.exe 3432 Bmomlnjk.exe 4412 Bpnihiio.exe 3320 Bgeaifia.exe 2460 Bfhadc32.exe 3964 Bqmeal32.exe 4876 Bclang32.exe 3900 Bfjnjcni.exe 876 Bihjfnmm.exe 1808 Cqpbglno.exe 4212 Ccnncgmc.exe 4712 Cgjjdf32.exe 3364 Cikglnkj.exe 2296 Cabomkll.exe 704 Ccqkigkp.exe 2140 Cfogeb32.exe 3276 Cimcan32.exe 3724 Cadlbk32.exe 4408 Ccchof32.exe 2700 Cfadkb32.exe 3640 Cmklglpn.exe 1976 Cpihcgoa.exe 4860 Cgqqdeod.exe 1936 Cfcqpa32.exe 4288 Cibmlmeb.exe 1364 Caienjfd.exe 4708 Ccgajfeh.exe 3548 Cgcmjd32.exe 1264 Cjaifp32.exe 3516 Dmpfbk32.exe 3224 Dpnbog32.exe 1840 Dgejpd32.exe 4504 Dfhjkabi.exe 448 Diffglam.exe 556 Dannij32.exe 752 Dclkee32.exe 4296 Djfcaohp.exe 1804 Dapkni32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lijlof32.exe Ljilqnlm.exe File created C:\Windows\SysWOW64\Klqcmdnk.dll Hmpcbhji.exe File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Opqofe32.exe File opened for modification C:\Windows\SysWOW64\Omgmeigd.exe Ojhpimhp.exe File created C:\Windows\SysWOW64\Cpljehpo.exe Cibain32.exe File created C:\Windows\SysWOW64\Cmklglpn.exe Cfadkb32.exe File created C:\Windows\SysWOW64\Dpaagldf.dll Fpdcag32.exe File opened for modification C:\Windows\SysWOW64\Mljmhflh.exe Mfpell32.exe File created C:\Windows\SysWOW64\Bjhkmbho.exe Bdocph32.exe File created C:\Windows\SysWOW64\Maenpfhk.dll Ommceclc.exe File opened for modification C:\Windows\SysWOW64\Lldopb32.exe Lieccf32.exe File created C:\Windows\SysWOW64\Lafnnj32.dll Kjmfjj32.exe File opened for modification C:\Windows\SysWOW64\Neqopnhb.exe Nmigoagp.exe File created C:\Windows\SysWOW64\Bgemej32.dll Ncqlkemc.exe File created C:\Windows\SysWOW64\Njljch32.exe Ncbafoge.exe File created C:\Windows\SysWOW64\Hkbado32.dll Idahjg32.exe File created C:\Windows\SysWOW64\Amkhmoap.exe Abfdpfaj.exe File opened for modification C:\Windows\SysWOW64\Bboffejp.exe Bmbnnn32.exe File created C:\Windows\SysWOW64\Foclgq32.exe Fgmdec32.exe File created C:\Windows\SysWOW64\Klndfj32.exe Kedlip32.exe File created C:\Windows\SysWOW64\Adgmoigj.exe Amnebo32.exe File created C:\Windows\SysWOW64\Mlkepaam.exe Mbbagk32.exe File created C:\Windows\SysWOW64\Fibhpbea.exe Fdepgkgj.exe File opened for modification C:\Windows\SysWOW64\Hbhijepa.exe Hmlpaoaj.exe File created C:\Windows\SysWOW64\Mmacdg32.dll Kjblje32.exe File opened for modification C:\Windows\SysWOW64\Bgnffj32.exe Bpdnjple.exe File created C:\Windows\SysWOW64\Mbgjbkfg.exe Mhafeb32.exe File created C:\Windows\SysWOW64\Ilcldb32.exe Iidphgcn.exe File created C:\Windows\SysWOW64\Oikjkc32.exe Obqanjdb.exe File created C:\Windows\SysWOW64\Gjficg32.exe Gdiakp32.exe File created C:\Windows\SysWOW64\Faeghb32.dll Domdjj32.exe File created C:\Windows\SysWOW64\Ljcpchlo.dll Iidphgcn.exe File created C:\Windows\SysWOW64\Akkeajoj.dll Mqimikfj.exe File created C:\Windows\SysWOW64\Hhblffgn.dll Ppahmb32.exe File created C:\Windows\SysWOW64\Laiipofp.exe Lojmcdgl.exe File opened for modification C:\Windows\SysWOW64\Kheekkjl.exe Kefiopki.exe File created C:\Windows\SysWOW64\Bheffh32.exe Bkafmd32.exe File opened for modification C:\Windows\SysWOW64\Gpnmbl32.exe Fmpqfq32.exe File opened for modification C:\Windows\SysWOW64\Omegjomb.exe Ojgjndno.exe File opened for modification C:\Windows\SysWOW64\Dfnbgc32.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Chiblk32.exe Cncnob32.exe File created C:\Windows\SysWOW64\Djaiilmd.dll Lkofdbkj.exe File created C:\Windows\SysWOW64\Dmkalh32.dll Feoodn32.exe File created C:\Windows\SysWOW64\Jgkhgb32.dll Plhnda32.exe File created C:\Windows\SysWOW64\Kolkod32.dll Fjhacf32.exe File created C:\Windows\SysWOW64\Lgqfdnah.exe Kqfngd32.exe File opened for modification C:\Windows\SysWOW64\Pahilmoc.exe Pmlmkn32.exe File created C:\Windows\SysWOW64\Ifncdb32.dll Ckidcpjl.exe File created C:\Windows\SysWOW64\Ccmbmpbk.dll Ojbacd32.exe File created C:\Windows\SysWOW64\Fkofga32.exe Fiqjke32.exe File opened for modification C:\Windows\SysWOW64\Likhem32.exe Kofdhd32.exe File created C:\Windows\SysWOW64\Bdbbme32.dll Cibain32.exe File created C:\Windows\SysWOW64\Cgnomg32.exe Cpdgqmnb.exe File created C:\Windows\SysWOW64\Jjgkan32.dll Oikjkc32.exe File created C:\Windows\SysWOW64\Eqmlccdi.exe Enopghee.exe File created C:\Windows\SysWOW64\Bckkca32.exe Bkdcbd32.exe File created C:\Windows\SysWOW64\Hgfapd32.exe Hplicjok.exe File created C:\Windows\SysWOW64\Jknfcofa.exe Jddnfd32.exe File created C:\Windows\SysWOW64\Jdgccn32.dll Eokqkh32.exe File created C:\Windows\SysWOW64\Kmephjke.dll Paiogf32.exe File created C:\Windows\SysWOW64\Alapqh32.dll Momcpa32.exe File created C:\Windows\SysWOW64\Bbfmgd32.exe Baepolni.exe File created C:\Windows\SysWOW64\Bcelmhen.exe Biogppeg.exe File created C:\Windows\SysWOW64\Ekaapi32.exe Eehicoel.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7656 6936 WerFault.exe 991 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edionhpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibmlmeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hammhcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbnpnme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlkdhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljobphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcmbfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimenegi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epndknin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahfkimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enigke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laiipofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihmedma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgdhkem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdlao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhlkilba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnamjhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclang32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diffglam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkqkhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkogiikb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caienjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpnooan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmpfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahmfpap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqnjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihagaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcanll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpjoloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcdeeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcnjijoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbojlfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlblcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpkchqdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhniccb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjnnj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll" Mfhbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joqafgni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egpnooan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagpdj32.dll" Efhcbodf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaae32.dll" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpdgqmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbfdd32.dll" Lieccf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbhijepa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpejlmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emhkdmlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnobqph.dll" Iqbbpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emdajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglfjicq.dll" Fkmjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjnfn32.dll" Gdiakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll" Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faimhjhp.dll" Eclmamod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momkkhch.dll" Fplpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bemqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Enbjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pifnhpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cobkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcoccc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhlkilba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefklj32.dll" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geldkfpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egbken32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bihjfnmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgbefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqoefand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfjnjcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnboabc.dll" Fkkeclfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbdco32.dll" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkmnj32.dll" Aggegh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockbnedp.dll" Poajkgnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfngdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqkgbcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncbafoge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inagcf32.dll" Ljilqnlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll" Ogekbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiciojhd.dll" Kidben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inomhbeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplhmakj.dll" Dckdjomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efkphnbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahffo32.dll" Qofcff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohnohn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljceqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meefofek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nemmoe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4896 wrote to memory of 2580 4896 248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe 82 PID 4896 wrote to memory of 2580 4896 248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe 82 PID 4896 wrote to memory of 2580 4896 248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe 82 PID 2580 wrote to memory of 4888 2580 Ogpepl32.exe 83 PID 2580 wrote to memory of 4888 2580 Ogpepl32.exe 83 PID 2580 wrote to memory of 4888 2580 Ogpepl32.exe 83 PID 4888 wrote to memory of 5088 4888 Pgbbek32.exe 84 PID 4888 wrote to memory of 5088 4888 Pgbbek32.exe 84 PID 4888 wrote to memory of 5088 4888 Pgbbek32.exe 84 PID 5088 wrote to memory of 2332 5088 Ppjgoaoj.exe 85 PID 5088 wrote to memory of 2332 5088 Ppjgoaoj.exe 85 PID 5088 wrote to memory of 2332 5088 Ppjgoaoj.exe 85 PID 2332 wrote to memory of 3264 2332 Pjbkgfej.exe 86 PID 2332 wrote to memory of 3264 2332 Pjbkgfej.exe 86 PID 2332 wrote to memory of 3264 2332 Pjbkgfej.exe 86 PID 3264 wrote to memory of 3684 3264 Plagcbdn.exe 87 PID 3264 wrote to memory of 3684 3264 Plagcbdn.exe 87 PID 3264 wrote to memory of 3684 3264 Plagcbdn.exe 87 PID 3684 wrote to memory of 396 3684 Pjehmfch.exe 88 PID 3684 wrote to memory of 396 3684 Pjehmfch.exe 88 PID 3684 wrote to memory of 396 3684 Pjehmfch.exe 88 PID 396 wrote to memory of 2648 396 Ppamophb.exe 89 PID 396 wrote to memory of 2648 396 Ppamophb.exe 89 PID 396 wrote to memory of 2648 396 Ppamophb.exe 89 PID 2648 wrote to memory of 2632 2648 Plhnda32.exe 90 PID 2648 wrote to memory of 2632 2648 Plhnda32.exe 90 PID 2648 wrote to memory of 2632 2648 Plhnda32.exe 90 PID 2632 wrote to memory of 5008 2632 Qfpbmfdf.exe 91 PID 2632 wrote to memory of 5008 2632 Qfpbmfdf.exe 91 PID 2632 wrote to memory of 5008 2632 Qfpbmfdf.exe 91 PID 5008 wrote to memory of 2868 5008 Qhakoa32.exe 92 PID 5008 wrote to memory of 2868 5008 Qhakoa32.exe 92 PID 5008 wrote to memory of 2868 5008 Qhakoa32.exe 92 PID 2868 wrote to memory of 2348 2868 Amodep32.exe 93 PID 2868 wrote to memory of 2348 2868 Amodep32.exe 93 PID 2868 wrote to memory of 2348 2868 Amodep32.exe 93 PID 2348 wrote to memory of 4120 2348 Afghneoo.exe 94 PID 2348 wrote to memory of 4120 2348 Afghneoo.exe 94 PID 2348 wrote to memory of 4120 2348 Afghneoo.exe 94 PID 4120 wrote to memory of 3576 4120 Aggegh32.exe 95 PID 4120 wrote to memory of 3576 4120 Aggegh32.exe 95 PID 4120 wrote to memory of 3576 4120 Aggegh32.exe 95 PID 3576 wrote to memory of 3768 3576 Amcmpodi.exe 96 PID 3576 wrote to memory of 3768 3576 Amcmpodi.exe 96 PID 3576 wrote to memory of 3768 3576 Amcmpodi.exe 96 PID 3768 wrote to memory of 4600 3768 Ajhniccb.exe 97 PID 3768 wrote to memory of 4600 3768 Ajhniccb.exe 97 PID 3768 wrote to memory of 4600 3768 Ajhniccb.exe 97 PID 4600 wrote to memory of 4992 4600 Afnnnd32.exe 98 PID 4600 wrote to memory of 4992 4600 Afnnnd32.exe 98 PID 4600 wrote to memory of 4992 4600 Afnnnd32.exe 98 PID 4992 wrote to memory of 1404 4992 Bqdblmhl.exe 99 PID 4992 wrote to memory of 1404 4992 Bqdblmhl.exe 99 PID 4992 wrote to memory of 1404 4992 Bqdblmhl.exe 99 PID 1404 wrote to memory of 2732 1404 Bcbohigp.exe 100 PID 1404 wrote to memory of 2732 1404 Bcbohigp.exe 100 PID 1404 wrote to memory of 2732 1404 Bcbohigp.exe 100 PID 2732 wrote to memory of 1580 2732 Biogppeg.exe 101 PID 2732 wrote to memory of 1580 2732 Biogppeg.exe 101 PID 2732 wrote to memory of 1580 2732 Biogppeg.exe 101 PID 1580 wrote to memory of 1308 1580 Bcelmhen.exe 102 PID 1580 wrote to memory of 1308 1580 Bcelmhen.exe 102 PID 1580 wrote to memory of 1308 1580 Bcelmhen.exe 102 PID 1308 wrote to memory of 1896 1308 Bfchidda.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe"C:\Users\Admin\AppData\Local\Temp\248b5259fe72528b22e66bedcfd3ba95b1c52a37aacfe8e20c821dc1350b67edN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe23⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe25⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe26⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe27⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe28⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe29⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe30⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe31⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe32⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe33⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe37⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe39⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe40⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe41⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe42⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe43⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe44⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe45⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe46⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe48⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe50⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe51⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4288 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe54⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe55⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe56⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe57⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe58⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe59⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe60⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe62⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe63⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe65⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe66⤵PID:4352
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe67⤵PID:3188
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe68⤵
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe69⤵PID:4004
-
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe70⤵PID:3452
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe71⤵PID:4360
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe72⤵PID:652
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe73⤵PID:3816
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe74⤵PID:1140
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe75⤵PID:2688
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe76⤵PID:2456
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe77⤵PID:2872
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe78⤵PID:1632
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe79⤵PID:1780
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe80⤵PID:3312
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe81⤵PID:4100
-
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe82⤵PID:3852
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe83⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe84⤵PID:3740
-
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe85⤵PID:1616
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe86⤵PID:3808
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe87⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe88⤵PID:4856
-
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe89⤵PID:3560
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe90⤵PID:3528
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe91⤵PID:1444
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe92⤵PID:3532
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe93⤵PID:3644
-
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe94⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe95⤵PID:3608
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe96⤵PID:2232
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe97⤵PID:3236
-
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe98⤵PID:1224
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe99⤵PID:3004
-
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe100⤵PID:1716
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe101⤵PID:1100
-
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe102⤵
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe103⤵PID:3580
-
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe104⤵PID:4704
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe105⤵
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe106⤵PID:3088
-
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe107⤵PID:2144
-
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe108⤵PID:844
-
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe109⤵PID:4356
-
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe110⤵PID:768
-
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe111⤵PID:1188
-
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe112⤵PID:1728
-
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe113⤵PID:4076
-
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe114⤵PID:1416
-
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe115⤵PID:1280
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe116⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe117⤵
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe118⤵PID:2040
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe119⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe120⤵PID:452
-
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe121⤵PID:1436
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-