Analysis
-
max time kernel
93s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-12-2024 20:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7.exe
-
Size
89KB
-
MD5
c81183c327221f51bc25673025280058
-
SHA1
25672f7ad6bf23d18af152c180761d23e3c61921
-
SHA256
2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7
-
SHA512
39ac2957eaec95f3e1e816b934f12d5183ea57e3b3ca8e42ba30a3c9de2f69e66b38bd16ef9ffd88c54ddd14626de94d5e6265b3fa4dde553a8f8502aa5812ac
-
SSDEEP
1536:V7uSJPcbTXeKu3XxFG6mMBfqjIXL6LwXUIEXdzbYfbGMSoAyKkt4WcjlExkg8Fk:V7xPcbTXJuH/DmMBfqjIXCwXUlNzbEKI
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nognnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidabppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdehni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popbpqjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcblpdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igdgglfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejlbhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoqeibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbbdjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pagbaglh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poomegpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimkjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpbmfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akglloai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hplbickp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjkaabc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclang32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obcceg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hginecde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igigla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igajal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojjcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgcjddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enfckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhflnpoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojcjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Finnef32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4260 Acgolj32.exe 3848 Ahchda32.exe 4296 Amodep32.exe 3348 Aompak32.exe 3940 Agdhbi32.exe 4200 Ajcdnd32.exe 3172 Amaqjp32.exe 2068 Ackigjmh.exe 3276 Ajeadd32.exe 1052 Aihaoqlp.exe 5048 Aobilkcl.exe 1724 Agiamhdo.exe 4816 Aijnep32.exe 1608 Aodfajaj.exe 1956 Acpbbi32.exe 392 Aimkjp32.exe 4212 Bgnkhg32.exe 2624 Biogppeg.exe 3548 Boipmj32.exe 2968 Bjodjb32.exe 3040 Bqilgmdg.exe 4468 Bjaqpbkh.exe 5100 Bpnihiio.exe 3920 Bjcmebie.exe 848 Bmbiamhi.exe 2612 Bclang32.exe 1428 Bjfjka32.exe 1708 Cqpbglno.exe 2196 Ccnncgmc.exe 4512 Cflkpblf.exe 3896 Cikglnkj.exe 2212 Cpeohh32.exe 3384 Cglgjeci.exe 4944 Cfogeb32.exe 4500 Cmipblaq.exe 3860 Cpglnhad.exe 2040 Cgndoeag.exe 4440 Cippgm32.exe 3524 Cpihcgoa.exe 1864 Cjomap32.exe 4764 Cpleig32.exe 1672 Cidjbmcp.exe 2668 Dakacjdb.exe 5068 Dfhjkabi.exe 1940 Dmbbhkjf.exe 4800 Dpqodfij.exe 720 Dhhfedil.exe 1004 Diicml32.exe 548 Dmdonkgc.exe 5104 Dcogje32.exe 2616 Dhjckcgi.exe 3852 Dikpbl32.exe 3304 Dpehof32.exe 1544 Dfoplpla.exe 2312 Dmihij32.exe 1860 Ddcqedkk.exe 1772 Dhomfc32.exe 2724 Emlenj32.exe 4732 Eagaoh32.exe 3688 Efdjgo32.exe 1336 Eibfck32.exe 2076 Eplnpeol.exe 1296 Ehcfaboo.exe 4580 Empoiimf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qaqegecm.exe Qmeigg32.exe File created C:\Windows\SysWOW64\Cdjnam32.dll Ackigjmh.exe File created C:\Windows\SysWOW64\Dcoffg32.dll Omjpeo32.exe File opened for modification C:\Windows\SysWOW64\Djhimica.exe Dbqqkkbo.exe File created C:\Windows\SysWOW64\Cgifbhid.exe Cdkifmjq.exe File opened for modification C:\Windows\SysWOW64\Mbgeqmjp.exe Process not Found File created C:\Windows\SysWOW64\Mjpbam32.exe Mhafeb32.exe File created C:\Windows\SysWOW64\Oldamm32.exe Oifeab32.exe File created C:\Windows\SysWOW64\Dafppp32.exe Cogddd32.exe File created C:\Windows\SysWOW64\Kjhcjq32.exe Kgjgne32.exe File opened for modification C:\Windows\SysWOW64\Ipeeobbe.exe Imgicgca.exe File created C:\Windows\SysWOW64\Pnpban32.dll Kijchhbo.exe File created C:\Windows\SysWOW64\Igedlh32.exe Iqklon32.exe File created C:\Windows\SysWOW64\Dngjff32.exe Dkhnjk32.exe File opened for modification C:\Windows\SysWOW64\Llnnmhfe.exe Process not Found File created C:\Windows\SysWOW64\Oipgkfab.dll Process not Found File created C:\Windows\SysWOW64\Inmabofh.dll Kmdlffhj.exe File created C:\Windows\SysWOW64\Cpiijfll.dll Process not Found File created C:\Windows\SysWOW64\Inmdohhp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ihphkl32.exe Iafonaao.exe File created C:\Windows\SysWOW64\Gghocf32.dll Nkqkhk32.exe File created C:\Windows\SysWOW64\Ahpmjejp.exe Aeaanjkl.exe File opened for modification C:\Windows\SysWOW64\Bojomm32.exe Bkobmnka.exe File created C:\Windows\SysWOW64\Pninea32.dll Process not Found File created C:\Windows\SysWOW64\Oefmflff.dll Mhoipb32.exe File created C:\Windows\SysWOW64\Ebejfk32.exe Dlkbjqgm.exe File opened for modification C:\Windows\SysWOW64\Nflkbanj.exe Ncnofeof.exe File opened for modification C:\Windows\SysWOW64\Njbgmjgl.exe Process not Found File created C:\Windows\SysWOW64\Ncmhko32.exe Process not Found File created C:\Windows\SysWOW64\Lbmoin32.dll Hgghjjid.exe File created C:\Windows\SysWOW64\Ncndec32.dll Papfgbmg.exe File created C:\Windows\SysWOW64\Ekonpckp.exe Ehpadhll.exe File created C:\Windows\SysWOW64\Nbenoa32.dll Chlflabp.exe File created C:\Windows\SysWOW64\Okddnh32.dll Qaqegecm.exe File created C:\Windows\SysWOW64\Ljhpog32.dll Neqopnhb.exe File created C:\Windows\SysWOW64\Cpabibmg.dll Hlbcnd32.exe File created C:\Windows\SysWOW64\Adfnba32.dll Npgmpf32.exe File created C:\Windows\SysWOW64\Jilpfgkh.dll Dkndie32.exe File created C:\Windows\SysWOW64\Jblmgf32.exe Process not Found File created C:\Windows\SysWOW64\Njljch32.exe Process not Found File created C:\Windows\SysWOW64\Dcpmen32.exe Dlieda32.exe File created C:\Windows\SysWOW64\Ggahedjn.exe Gdcliikj.exe File opened for modification C:\Windows\SysWOW64\Alnfpcag.exe Adfnofpd.exe File opened for modification C:\Windows\SysWOW64\Omnjojpo.exe Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Cgifbhid.exe Cdkifmjq.exe File created C:\Windows\SysWOW64\Jlmmnd32.dll Process not Found File created C:\Windows\SysWOW64\Jqiipljg.exe Jjopcb32.exe File created C:\Windows\SysWOW64\Igpoaebh.dll Plmmif32.exe File created C:\Windows\SysWOW64\Iggjga32.exe Idhnkf32.exe File created C:\Windows\SysWOW64\Dkceokii.exe Dheibpje.exe File created C:\Windows\SysWOW64\Lejgpb32.dll Gbalopbn.exe File created C:\Windows\SysWOW64\Dpqodfij.exe Dmbbhkjf.exe File created C:\Windows\SysWOW64\Inainbcn.exe Ijfnmc32.exe File created C:\Windows\SysWOW64\Chiblk32.exe Cpbjkn32.exe File created C:\Windows\SysWOW64\Nkpcjeml.dll Dpqodfij.exe File created C:\Windows\SysWOW64\Badanigc.exe Bnhenj32.exe File opened for modification C:\Windows\SysWOW64\Keqdmihc.exe Knflpoqf.exe File created C:\Windows\SysWOW64\Mpnmig32.dll Process not Found File created C:\Windows\SysWOW64\Mqfpckhm.exe Mnhdgpii.exe File created C:\Windows\SysWOW64\Haedpe32.dll Hacbhb32.exe File created C:\Windows\SysWOW64\Dphefd32.dll Jjmcnbdm.exe File opened for modification C:\Windows\SysWOW64\Enpfan32.exe Ekajec32.exe File created C:\Windows\SysWOW64\Bfgjjm32.exe Bcinna32.exe File created C:\Windows\SysWOW64\Afnqfkij.dll Dkokcl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7228 6936 Process not Found 1330 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnofeof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkbfeab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhecmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgibpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpihcgoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijpahho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmeigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejgch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplfkeob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngkqbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijnep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fealin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empoiimf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcodihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjahlgpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeldnpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amodep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boflmdkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkggfkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmigoagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfcmhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejbfmpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffhifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geohklaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pabblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpbin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnqfcbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adhdjpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifaim32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmnjnld.dll" Oeehkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlieda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epokedmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfjipgp.dll" Cbbdjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpqjglii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edgbii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Filiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggnedlao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgmfg32.dll" Lcnmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhijqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqdoem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehndnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qadoba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikndgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggebqoki.dll" Faenpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoong32.dll" Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipamlopb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbemad32.dll" Gmeakf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gknkpjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leabba32.dll" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcebook.dll" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll" Qdoacabq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebkbbmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgogbgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalbjhdj.dll" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gljgbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll" Goglcahb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmomj32.dll" Kbddfmgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqpoakco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfgbfdm.dll" Fqppci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclkag32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cippgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbhmo32.dll" Bkjiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioodgbj.dll" Bgnkhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljdceo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1260 wrote to memory of 4260 1260 2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7.exe 83 PID 1260 wrote to memory of 4260 1260 2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7.exe 83 PID 1260 wrote to memory of 4260 1260 2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7.exe 83 PID 4260 wrote to memory of 3848 4260 Acgolj32.exe 84 PID 4260 wrote to memory of 3848 4260 Acgolj32.exe 84 PID 4260 wrote to memory of 3848 4260 Acgolj32.exe 84 PID 3848 wrote to memory of 4296 3848 Ahchda32.exe 85 PID 3848 wrote to memory of 4296 3848 Ahchda32.exe 85 PID 3848 wrote to memory of 4296 3848 Ahchda32.exe 85 PID 4296 wrote to memory of 3348 4296 Amodep32.exe 86 PID 4296 wrote to memory of 3348 4296 Amodep32.exe 86 PID 4296 wrote to memory of 3348 4296 Amodep32.exe 86 PID 3348 wrote to memory of 3940 3348 Aompak32.exe 87 PID 3348 wrote to memory of 3940 3348 Aompak32.exe 87 PID 3348 wrote to memory of 3940 3348 Aompak32.exe 87 PID 3940 wrote to memory of 4200 3940 Agdhbi32.exe 88 PID 3940 wrote to memory of 4200 3940 Agdhbi32.exe 88 PID 3940 wrote to memory of 4200 3940 Agdhbi32.exe 88 PID 4200 wrote to memory of 3172 4200 Ajcdnd32.exe 89 PID 4200 wrote to memory of 3172 4200 Ajcdnd32.exe 89 PID 4200 wrote to memory of 3172 4200 Ajcdnd32.exe 89 PID 3172 wrote to memory of 2068 3172 Amaqjp32.exe 90 PID 3172 wrote to memory of 2068 3172 Amaqjp32.exe 90 PID 3172 wrote to memory of 2068 3172 Amaqjp32.exe 90 PID 2068 wrote to memory of 3276 2068 Ackigjmh.exe 91 PID 2068 wrote to memory of 3276 2068 Ackigjmh.exe 91 PID 2068 wrote to memory of 3276 2068 Ackigjmh.exe 91 PID 3276 wrote to memory of 1052 3276 Ajeadd32.exe 92 PID 3276 wrote to memory of 1052 3276 Ajeadd32.exe 92 PID 3276 wrote to memory of 1052 3276 Ajeadd32.exe 92 PID 1052 wrote to memory of 5048 1052 Aihaoqlp.exe 93 PID 1052 wrote to memory of 5048 1052 Aihaoqlp.exe 93 PID 1052 wrote to memory of 5048 1052 Aihaoqlp.exe 93 PID 5048 wrote to memory of 1724 5048 Aobilkcl.exe 94 PID 5048 wrote to memory of 1724 5048 Aobilkcl.exe 94 PID 5048 wrote to memory of 1724 5048 Aobilkcl.exe 94 PID 1724 wrote to memory of 4816 1724 Agiamhdo.exe 95 PID 1724 wrote to memory of 4816 1724 Agiamhdo.exe 95 PID 1724 wrote to memory of 4816 1724 Agiamhdo.exe 95 PID 4816 wrote to memory of 1608 4816 Aijnep32.exe 96 PID 4816 wrote to memory of 1608 4816 Aijnep32.exe 96 PID 4816 wrote to memory of 1608 4816 Aijnep32.exe 96 PID 1608 wrote to memory of 1956 1608 Aodfajaj.exe 97 PID 1608 wrote to memory of 1956 1608 Aodfajaj.exe 97 PID 1608 wrote to memory of 1956 1608 Aodfajaj.exe 97 PID 1956 wrote to memory of 392 1956 Acpbbi32.exe 98 PID 1956 wrote to memory of 392 1956 Acpbbi32.exe 98 PID 1956 wrote to memory of 392 1956 Acpbbi32.exe 98 PID 392 wrote to memory of 4212 392 Aimkjp32.exe 99 PID 392 wrote to memory of 4212 392 Aimkjp32.exe 99 PID 392 wrote to memory of 4212 392 Aimkjp32.exe 99 PID 4212 wrote to memory of 2624 4212 Bgnkhg32.exe 100 PID 4212 wrote to memory of 2624 4212 Bgnkhg32.exe 100 PID 4212 wrote to memory of 2624 4212 Bgnkhg32.exe 100 PID 2624 wrote to memory of 3548 2624 Biogppeg.exe 101 PID 2624 wrote to memory of 3548 2624 Biogppeg.exe 101 PID 2624 wrote to memory of 3548 2624 Biogppeg.exe 101 PID 3548 wrote to memory of 2968 3548 Boipmj32.exe 102 PID 3548 wrote to memory of 2968 3548 Boipmj32.exe 102 PID 3548 wrote to memory of 2968 3548 Boipmj32.exe 102 PID 2968 wrote to memory of 3040 2968 Bjodjb32.exe 103 PID 2968 wrote to memory of 3040 2968 Bjodjb32.exe 103 PID 2968 wrote to memory of 3040 2968 Bjodjb32.exe 103 PID 3040 wrote to memory of 4468 3040 Bqilgmdg.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7.exe"C:\Users\Admin\AppData\Local\Temp\2bd31a9e1525d756b4a35739055cf6a82c6cc0af8438ee6cd86a3553d06ccff7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe23⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe24⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe25⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe26⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe28⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe29⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe30⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe31⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe32⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe33⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe34⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe35⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe36⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe37⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe38⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4440 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3524 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe41⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe42⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe43⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe44⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe45⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4800 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe48⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe49⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe50⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe51⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe52⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe53⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe54⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe55⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe56⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe57⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe58⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe59⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe60⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe61⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe62⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe63⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe64⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe66⤵
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe67⤵PID:1344
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe68⤵PID:2628
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe69⤵PID:4576
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe70⤵PID:1836
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe71⤵PID:4628
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe72⤵PID:3720
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe73⤵PID:2216
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe74⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe75⤵PID:1660
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe76⤵PID:2524
-
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe77⤵PID:4860
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe78⤵PID:4312
-
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe79⤵
- Modifies registry class
PID:5084 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe80⤵PID:1936
-
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe81⤵PID:3508
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe82⤵PID:816
-
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe83⤵PID:644
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe84⤵PID:2080
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe85⤵PID:3904
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe86⤵PID:4060
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe87⤵PID:688
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe88⤵PID:5032
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4272 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe91⤵PID:3096
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe92⤵PID:3948
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5092 -
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe94⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe95⤵PID:1908
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe96⤵PID:4828
-
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe97⤵
- Modifies registry class
PID:5112 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe98⤵PID:3068
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe99⤵PID:1320
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe100⤵PID:4140
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe101⤵PID:2164
-
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe102⤵PID:672
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe103⤵PID:2028
-
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe104⤵PID:3424
-
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe105⤵
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe106⤵PID:2992
-
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe107⤵PID:1976
-
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe108⤵PID:3032
-
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe109⤵PID:748
-
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe110⤵PID:4604
-
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe111⤵PID:2044
-
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe112⤵PID:4180
-
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe113⤵
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe114⤵PID:844
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4612 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe116⤵PID:5132
-
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe117⤵PID:5172
-
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe118⤵PID:5216
-
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe119⤵PID:5260
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe120⤵PID:5304
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe121⤵PID:5348
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-