Analysis
-
max time kernel
94s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/12/2024, 21:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a.exe
-
Size
87KB
-
MD5
b059ace60f6aaabab1f2c437734a7882
-
SHA1
706846691a8a1d96e8d9ec9ca2912e5fe6637a4e
-
SHA256
4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a
-
SHA512
77f79a0b2a7c182da74043901d34d59399c84828950ed4af66514b09c63962b6251e8eb8481db7508324306c218347852b1a88c63eb458bf65ac42973ae489f4
-
SSDEEP
1536:gyUtfgVBlxbUZ6KHDxDA3HumRB/RuE2/znRQ4URSRBDNrR0RVe7R6R8RPD2zT:RUtfAOTJAXxRm5/7eNAnDlmbGcGFDeT
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcpmen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeqbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pekbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfodeohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poaqemao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamapjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjpfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oobfob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npjnhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Delnin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjjnifbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hffcmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccdnjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqnbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikfabm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edopabqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Menjdbgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiokfpph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igqkqiai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfkgjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eehicoel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkple32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cleegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aokcklid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfchidda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Objpoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hginecde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llflea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Neclenfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkkeclfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdafkdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgdhgmep.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1164 Klljnp32.exe 3156 Kbfbkj32.exe 3460 Kedoge32.exe 3740 Kpjcdn32.exe 1604 Kfckahdj.exe 1096 Kmncnb32.exe 1332 Kplpjn32.exe 428 Lbjlfi32.exe 3448 Lmppcbjd.exe 2928 Lpnlpnih.exe 836 Lekehdgp.exe 2352 Lmbmibhb.exe 4348 Lpqiemge.exe 1720 Ldleel32.exe 4276 Lfkaag32.exe 2984 Lenamdem.exe 3876 Lmdina32.exe 1968 Llgjjnlj.exe 2636 Lpcfkm32.exe 1872 Ldoaklml.exe 4772 Lbabgh32.exe 872 Lgmngglp.exe 2168 Lepncd32.exe 3148 Likjcbkc.exe 2368 Lljfpnjg.exe 1436 Mbfkbhpa.exe 3988 Mmlpoqpg.exe 2456 Mdehlk32.exe 1176 Megdccmb.exe 1044 Mmnldp32.exe 4776 Mlampmdo.exe 388 Mplhql32.exe 880 Meiaib32.exe 2400 Miemjaci.exe 1180 Mlcifmbl.exe 5068 Mpoefk32.exe 2188 Mcmabg32.exe 4132 Mgimcebb.exe 4616 Mmbfpp32.exe 1204 Mdmnlj32.exe 1184 Mcpnhfhf.exe 776 Menjdbgj.exe 968 Mnebeogl.exe 5060 Ngmgne32.exe 4416 Nljofl32.exe 2252 Npfkgjdn.exe 1456 Ngpccdlj.exe 2196 Nnjlpo32.exe 2720 Ndcdmikd.exe 4848 Nloiakho.exe 4604 Ndfqbhia.exe 552 Nfgmjqop.exe 1288 Nlaegk32.exe 4796 Nckndeni.exe 2272 Olcbmj32.exe 4396 Oflgep32.exe 1472 Odmgcgbi.exe 4716 Ocbddc32.exe 5108 Ofqpqo32.exe 3016 Onhhamgg.exe 1432 Ofcmfodb.exe 2856 Oqhacgdh.exe 4788 Ocgmpccl.exe 1928 Ofeilobp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hgddbm32.dll Ackbmcjl.exe File created C:\Windows\SysWOW64\Kfbdfl32.dll Eiahnnph.exe File created C:\Windows\SysWOW64\Qjlnnemp.exe Qgnbaj32.exe File opened for modification C:\Windows\SysWOW64\Lejgch32.exe Lbkkgl32.exe File created C:\Windows\SysWOW64\Mjjkaabc.exe Process not Found File created C:\Windows\SysWOW64\Kboeke32.dll Ageolo32.exe File created C:\Windows\SysWOW64\Lhjlnlii.dll Pcepkfld.exe File created C:\Windows\SysWOW64\Paeelgnj.exe Process not Found File created C:\Windows\SysWOW64\Flbolp32.dll Klmpiiai.exe File created C:\Windows\SysWOW64\Nfmifiap.dll Fligqhga.exe File opened for modification C:\Windows\SysWOW64\Ppmcdq32.exe Phelcc32.exe File created C:\Windows\SysWOW64\Cmmehdam.dll Hdilnojp.exe File created C:\Windows\SysWOW64\Dcoobn32.dll Ooejohhq.exe File opened for modification C:\Windows\SysWOW64\Kkjeomld.exe Kmieae32.exe File created C:\Windows\SysWOW64\Hfningai.exe Hnfamjqg.exe File opened for modification C:\Windows\SysWOW64\Mpghkf32.exe Mhppji32.exe File created C:\Windows\SysWOW64\Pjgebf32.exe Pgihfj32.exe File created C:\Windows\SysWOW64\Eokchkmi.dll Calhnpgn.exe File created C:\Windows\SysWOW64\Knchpiom.exe Kkeldnpi.exe File created C:\Windows\SysWOW64\Cikjab32.dll Ogfcjm32.exe File opened for modification C:\Windows\SysWOW64\Leenhhdn.exe Lbgalmej.exe File created C:\Windows\SysWOW64\Ibffhhek.exe Iohjlmeg.exe File created C:\Windows\SysWOW64\Aoabad32.exe Alcfei32.exe File created C:\Windows\SysWOW64\Ggamph32.dll Djhimica.exe File created C:\Windows\SysWOW64\Hkjefc32.dll Aeaanjkl.exe File opened for modification C:\Windows\SysWOW64\Ibaeen32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dlieda32.exe Djhimica.exe File opened for modification C:\Windows\SysWOW64\Oaplqh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gdncmghi.exe Gaogak32.exe File opened for modification C:\Windows\SysWOW64\Jgakbm32.exe Jiokfpph.exe File created C:\Windows\SysWOW64\Jkdnhmdp.dll Ocamjm32.exe File created C:\Windows\SysWOW64\Jjopcb32.exe Jgadgf32.exe File created C:\Windows\SysWOW64\Oemnpgle.dll Oldamm32.exe File opened for modification C:\Windows\SysWOW64\Cggimh32.exe Process not Found File created C:\Windows\SysWOW64\Fbpchb32.exe Flfkkhid.exe File created C:\Windows\SysWOW64\Pkjpfdin.dll Iickkbje.exe File opened for modification C:\Windows\SysWOW64\Lpekef32.exe Llipehgk.exe File created C:\Windows\SysWOW64\Cibncf32.dll Gkdhjknm.exe File created C:\Windows\SysWOW64\Mlgjal32.dll Bebjdgmj.exe File created C:\Windows\SysWOW64\Bdickcpo.exe Bnoknihb.exe File created C:\Windows\SysWOW64\Dhblne32.dll Bkkple32.exe File opened for modification C:\Windows\SysWOW64\Ffclcgfn.exe Fdepgkgj.exe File opened for modification C:\Windows\SysWOW64\Oeokal32.exe Oodcdb32.exe File opened for modification C:\Windows\SysWOW64\Fehfljca.exe Fnaokmco.exe File opened for modification C:\Windows\SysWOW64\Djhimica.exe Dbqqkkbo.exe File created C:\Windows\SysWOW64\Cfiedd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bhkfkmmg.exe Process not Found File created C:\Windows\SysWOW64\Lmppcbjd.exe Lbjlfi32.exe File created C:\Windows\SysWOW64\Dahhio32.exe Doilmc32.exe File created C:\Windows\SysWOW64\Hnfamjqg.exe Hglipp32.exe File opened for modification C:\Windows\SysWOW64\Lemkcnaa.exe Locbfd32.exe File created C:\Windows\SysWOW64\Efeichoo.dll Cmhigf32.exe File created C:\Windows\SysWOW64\Dlmmaqlm.dll Hildmn32.exe File created C:\Windows\SysWOW64\Ekoglqie.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mjjkaabc.exe Process not Found File created C:\Windows\SysWOW64\Mjodla32.exe Process not Found File created C:\Windows\SysWOW64\Ahofoogd.exe Process not Found File created C:\Windows\SysWOW64\Ahbohd32.dll Glbjggof.exe File opened for modification C:\Windows\SysWOW64\Gflhoo32.exe Gpbpbecj.exe File created C:\Windows\SysWOW64\Ogfcjm32.exe Nplkmckj.exe File created C:\Windows\SysWOW64\Fclbolkk.dll Jgogbgei.exe File created C:\Windows\SysWOW64\Bmofagfp.exe Bjpjel32.exe File created C:\Windows\SysWOW64\Dcoffg32.dll Paelfmaf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8276 9836 Process not Found 1361 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifihif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpehof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkple32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flngfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpecbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljgpkonp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knippe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdhbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnkhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjjnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqilgmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfamapjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfelogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhkgoiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbpbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gochjpho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faenpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepjkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdcfidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglipp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doaneiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fligqhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbfdfkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclkee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llflea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpccdlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggilil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmmbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaogak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqnbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhghcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdina32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfknkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgemcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npfkgjdn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" Bmpcfdmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hffcmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbfcmhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll" Qnjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agadmk32.dll" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpclpq.dll" Jqknkedi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnfamjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Embkoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbbfdfkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efmmmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkakadbk.dll" Coknoaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npodfe32.dll" Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkcaoef.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hglipp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkgnfhnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmklglpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jblpmmae.dll" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nknobkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fggfnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnpee32.dll" Jdpkflfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffheej.dll" Bkobmnka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmlpoqpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll" Miemjaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eolhbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgbdcgld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmafajfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmcjh32.dll" Ibffhhek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikdcmpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bclhhnca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhmigagd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Domdjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafkfgeh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll" Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbalagn.dll" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimapcmi.dll" Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccbadp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3492 wrote to memory of 1164 3492 4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a.exe 83 PID 3492 wrote to memory of 1164 3492 4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a.exe 83 PID 3492 wrote to memory of 1164 3492 4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a.exe 83 PID 1164 wrote to memory of 3156 1164 Klljnp32.exe 84 PID 1164 wrote to memory of 3156 1164 Klljnp32.exe 84 PID 1164 wrote to memory of 3156 1164 Klljnp32.exe 84 PID 3156 wrote to memory of 3460 3156 Kbfbkj32.exe 85 PID 3156 wrote to memory of 3460 3156 Kbfbkj32.exe 85 PID 3156 wrote to memory of 3460 3156 Kbfbkj32.exe 85 PID 3460 wrote to memory of 3740 3460 Kedoge32.exe 86 PID 3460 wrote to memory of 3740 3460 Kedoge32.exe 86 PID 3460 wrote to memory of 3740 3460 Kedoge32.exe 86 PID 3740 wrote to memory of 1604 3740 Kpjcdn32.exe 87 PID 3740 wrote to memory of 1604 3740 Kpjcdn32.exe 87 PID 3740 wrote to memory of 1604 3740 Kpjcdn32.exe 87 PID 1604 wrote to memory of 1096 1604 Kfckahdj.exe 88 PID 1604 wrote to memory of 1096 1604 Kfckahdj.exe 88 PID 1604 wrote to memory of 1096 1604 Kfckahdj.exe 88 PID 1096 wrote to memory of 1332 1096 Kmncnb32.exe 89 PID 1096 wrote to memory of 1332 1096 Kmncnb32.exe 89 PID 1096 wrote to memory of 1332 1096 Kmncnb32.exe 89 PID 1332 wrote to memory of 428 1332 Kplpjn32.exe 90 PID 1332 wrote to memory of 428 1332 Kplpjn32.exe 90 PID 1332 wrote to memory of 428 1332 Kplpjn32.exe 90 PID 428 wrote to memory of 3448 428 Lbjlfi32.exe 91 PID 428 wrote to memory of 3448 428 Lbjlfi32.exe 91 PID 428 wrote to memory of 3448 428 Lbjlfi32.exe 91 PID 3448 wrote to memory of 2928 3448 Lmppcbjd.exe 92 PID 3448 wrote to memory of 2928 3448 Lmppcbjd.exe 92 PID 3448 wrote to memory of 2928 3448 Lmppcbjd.exe 92 PID 2928 wrote to memory of 836 2928 Lpnlpnih.exe 93 PID 2928 wrote to memory of 836 2928 Lpnlpnih.exe 93 PID 2928 wrote to memory of 836 2928 Lpnlpnih.exe 93 PID 836 wrote to memory of 2352 836 Lekehdgp.exe 94 PID 836 wrote to memory of 2352 836 Lekehdgp.exe 94 PID 836 wrote to memory of 2352 836 Lekehdgp.exe 94 PID 2352 wrote to memory of 4348 2352 Lmbmibhb.exe 95 PID 2352 wrote to memory of 4348 2352 Lmbmibhb.exe 95 PID 2352 wrote to memory of 4348 2352 Lmbmibhb.exe 95 PID 4348 wrote to memory of 1720 4348 Lpqiemge.exe 96 PID 4348 wrote to memory of 1720 4348 Lpqiemge.exe 96 PID 4348 wrote to memory of 1720 4348 Lpqiemge.exe 96 PID 1720 wrote to memory of 4276 1720 Ldleel32.exe 97 PID 1720 wrote to memory of 4276 1720 Ldleel32.exe 97 PID 1720 wrote to memory of 4276 1720 Ldleel32.exe 97 PID 4276 wrote to memory of 2984 4276 Lfkaag32.exe 98 PID 4276 wrote to memory of 2984 4276 Lfkaag32.exe 98 PID 4276 wrote to memory of 2984 4276 Lfkaag32.exe 98 PID 2984 wrote to memory of 3876 2984 Lenamdem.exe 99 PID 2984 wrote to memory of 3876 2984 Lenamdem.exe 99 PID 2984 wrote to memory of 3876 2984 Lenamdem.exe 99 PID 3876 wrote to memory of 1968 3876 Lmdina32.exe 100 PID 3876 wrote to memory of 1968 3876 Lmdina32.exe 100 PID 3876 wrote to memory of 1968 3876 Lmdina32.exe 100 PID 1968 wrote to memory of 2636 1968 Llgjjnlj.exe 101 PID 1968 wrote to memory of 2636 1968 Llgjjnlj.exe 101 PID 1968 wrote to memory of 2636 1968 Llgjjnlj.exe 101 PID 2636 wrote to memory of 1872 2636 Lpcfkm32.exe 102 PID 2636 wrote to memory of 1872 2636 Lpcfkm32.exe 102 PID 2636 wrote to memory of 1872 2636 Lpcfkm32.exe 102 PID 1872 wrote to memory of 4772 1872 Ldoaklml.exe 103 PID 1872 wrote to memory of 4772 1872 Ldoaklml.exe 103 PID 1872 wrote to memory of 4772 1872 Ldoaklml.exe 103 PID 4772 wrote to memory of 872 4772 Lbabgh32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a.exe"C:\Users\Admin\AppData\Local\Temp\4e0793f430ca5c7264f727b56a454b892ead18fd201d7521e6cca879c6c9036a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe23⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe24⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe25⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe26⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe27⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe29⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe30⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe31⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe32⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe33⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe34⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe36⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe37⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe38⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe39⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe40⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe41⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe42⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe44⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe45⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe46⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe49⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe50⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe51⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe52⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe54⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe55⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe56⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe57⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe58⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe59⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe60⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe61⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe62⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe63⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe64⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe65⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe66⤵PID:404
-
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe67⤵PID:4224
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe68⤵PID:3212
-
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe69⤵PID:3668
-
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe70⤵PID:3960
-
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe71⤵PID:628
-
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe72⤵PID:1620
-
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe73⤵PID:3880
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe74⤵PID:1796
-
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe75⤵PID:1004
-
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe76⤵PID:2284
-
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe77⤵
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe78⤵PID:3588
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe79⤵
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe80⤵PID:860
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe81⤵PID:5116
-
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe82⤵PID:4472
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe83⤵PID:2924
-
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe84⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe85⤵PID:440
-
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe86⤵PID:392
-
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe87⤵PID:1668
-
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe88⤵PID:548
-
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe89⤵PID:464
-
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe90⤵PID:3004
-
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe91⤵PID:3596
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe92⤵PID:1360
-
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe93⤵PID:3172
-
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe94⤵PID:2408
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe95⤵PID:2172
-
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe96⤵PID:964
-
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe97⤵PID:4732
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe98⤵PID:1752
-
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe99⤵
- Modifies registry class
PID:4596 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe100⤵PID:4628
-
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe101⤵
- Modifies registry class
PID:3720 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe102⤵PID:1292
-
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe103⤵PID:5152
-
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe104⤵PID:5196
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe105⤵PID:5240
-
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe106⤵PID:5284
-
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe107⤵PID:5328
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe108⤵PID:5372
-
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe109⤵PID:5416
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe110⤵PID:5460
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe111⤵PID:5504
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe112⤵PID:5548
-
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe113⤵PID:5592
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe114⤵
- Drops file in System32 directory
PID:5636 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe115⤵PID:5680
-
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe116⤵PID:5724
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe117⤵PID:5768
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe118⤵PID:5812
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5856 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5900 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-