Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2024 04:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8.exe
-
Size
90KB
-
MD5
42ff9d6deb12b36dc8a210eaed29a8d4
-
SHA1
7ee6f29ae98017654f38122d982690ecc8122d86
-
SHA256
ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8
-
SHA512
72ff76f65154b22ce643115dd5559303e9e6376c0cb8ce77bd656ea20ac2a0e4c9a36130ca4b9967bc8806063b148d3be5d25cc89ce6c0292a9ebdf2adfdd638
-
SSDEEP
1536:4B24AoP8eELcGKwJ3keb7avDxDM4aPEJzdKi8xPSRwMLOBG9u/Ub0VkVNK:4B2vneWcsVMNg4aPEJBKi2PBBG9u/Ubi
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpdhkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemqih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Diicml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdbnjdfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcelmhen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfpdin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbognp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fipbdikp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnhahj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdkpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efafgifc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqdaadln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpdhboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmpjmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ampkof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnfamjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlnkmnah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkenjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bombmcec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbdjchgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmlnjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalipoiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opogbbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bochmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbakghm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhikacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccfdmmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqdblmhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbdcgld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dinmhkke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbghfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiegl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmnmgnoh.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1284 Pdifoehl.exe 4740 Pfjcgn32.exe 1264 Pmdkch32.exe 452 Pdkcde32.exe 1416 Pflplnlg.exe 4012 Pncgmkmj.exe 2460 Pqbdjfln.exe 2288 Pcppfaka.exe 3700 Pfolbmje.exe 1632 Pmidog32.exe 1904 Pcbmka32.exe 3144 Pfaigm32.exe 1596 Qnhahj32.exe 3608 Qdbiedpa.exe 3484 Qceiaa32.exe 3272 Qnjnnj32.exe 3868 Qcgffqei.exe 4460 Qffbbldm.exe 4464 Ampkof32.exe 4972 Adgbpc32.exe 1804 Ageolo32.exe 436 Ambgef32.exe 1372 Aeiofcji.exe 3408 Afjlnk32.exe 4512 Anadoi32.exe 4620 Aeklkchg.exe 4504 Agjhgngj.exe 1388 Ajhddjfn.exe 3208 Amgapeea.exe 3504 Aeniabfd.exe 2092 Aglemn32.exe 4728 Ajkaii32.exe 3900 Aminee32.exe 3932 Agoabn32.exe 1296 Bnhjohkb.exe 3296 Bganhm32.exe 2524 Bmngqdpj.exe 2452 Beeoaapl.exe 4796 Bffkij32.exe 5000 Bnmcjg32.exe 4152 Bfhhoi32.exe 3956 Bmbplc32.exe 2004 Bhhdil32.exe 4404 Bmemac32.exe 2320 Bcoenmao.exe 4568 Cfmajipb.exe 1056 Cjinkg32.exe 2748 Cabfga32.exe 760 Cdabcm32.exe 1412 Cjkjpgfi.exe 2888 Cmiflbel.exe 4624 Ceqnmpfo.exe 5104 Cfbkeh32.exe 3828 Cjmgfgdf.exe 544 Cagobalc.exe 2680 Chagok32.exe 4524 Cnkplejl.exe 2084 Cajlhqjp.exe 60 Cffdpghg.exe 3196 Cmqmma32.exe 3184 Cegdnopg.exe 1424 Dfiafg32.exe 4328 Dopigd32.exe 2028 Dmcibama.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe Dogogcpo.exe File opened for modification C:\Windows\SysWOW64\Lbchba32.exe Lpekef32.exe File opened for modification C:\Windows\SysWOW64\Oalipoiq.exe Onnmdcjm.exe File created C:\Windows\SysWOW64\Phajna32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fielph32.exe Fhdohp32.exe File created C:\Windows\SysWOW64\Hpabni32.exe Hmbfbn32.exe File created C:\Windows\SysWOW64\Bcjfln32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe Process not Found File created C:\Windows\SysWOW64\Jmmmebhb.dll Aeiofcji.exe File opened for modification C:\Windows\SysWOW64\Bmbiamhi.exe Bjcmebie.exe File created C:\Windows\SysWOW64\Djelgied.exe Dckdjomg.exe File created C:\Windows\SysWOW64\Oakbehfe.exe Process not Found File created C:\Windows\SysWOW64\Ehojko32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Beeoaapl.exe Bmngqdpj.exe File opened for modification C:\Windows\SysWOW64\Llhikacp.exe Lhmmjbkf.exe File opened for modification C:\Windows\SysWOW64\Flqdlnde.exe Fibhpbea.exe File created C:\Windows\SysWOW64\Jpcnha32.dll Bfhhoi32.exe File opened for modification C:\Windows\SysWOW64\Lpneegel.exe Lhfmdj32.exe File created C:\Windows\SysWOW64\Oofaiokl.exe Opcqnb32.exe File created C:\Windows\SysWOW64\Blciboie.dll Pldcjeia.exe File created C:\Windows\SysWOW64\Mogcihaj.exe Process not Found File created C:\Windows\SysWOW64\Npepkf32.exe Process not Found File created C:\Windows\SysWOW64\Ecjddk32.dll Fkihnmhj.exe File opened for modification C:\Windows\SysWOW64\Pehngkcg.exe Pmaffnce.exe File created C:\Windows\SysWOW64\Ldklgegb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mgeakekd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Npchgdcd.exe Nlglfe32.exe File created C:\Windows\SysWOW64\Neoogc32.dll Igjngh32.exe File created C:\Windows\SysWOW64\Eoideh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Npiiffqe.exe Process not Found File created C:\Windows\SysWOW64\Gahjgj32.exe Gojnko32.exe File created C:\Windows\SysWOW64\Jpimcmab.dll Cgndoeag.exe File created C:\Windows\SysWOW64\Lankbigo.exe Lnpofnhk.exe File created C:\Windows\SysWOW64\Oadfkdgd.exe Ooejohhq.exe File created C:\Windows\SysWOW64\Jecampmk.dll Coknoaic.exe File opened for modification C:\Windows\SysWOW64\Ikpjbq32.exe Iciaqc32.exe File opened for modification C:\Windows\SysWOW64\Hlglidlo.exe Process not Found File created C:\Windows\SysWOW64\Gekcaj32.exe Fnckpmql.exe File created C:\Windows\SysWOW64\Pjglocmi.dll Lhmmjbkf.exe File created C:\Windows\SysWOW64\Pkenjh32.exe Phganm32.exe File opened for modification C:\Windows\SysWOW64\Coiaiakf.exe Cmjemflb.exe File created C:\Windows\SysWOW64\Ilqoobdd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pnifekmd.exe Process not Found File created C:\Windows\SysWOW64\Coegoe32.exe Process not Found File created C:\Windows\SysWOW64\Gilapgqb.exe Ggnedlao.exe File created C:\Windows\SysWOW64\Ecefqnel.exe Epikpo32.exe File opened for modification C:\Windows\SysWOW64\Kfnfjehl.exe Process not Found File created C:\Windows\SysWOW64\Ebcmfjll.dll Process not Found File created C:\Windows\SysWOW64\Kllfakij.dll Process not Found File created C:\Windows\SysWOW64\Iafphi32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Igcoqocb.exe Idebdcdo.exe File created C:\Windows\SysWOW64\Bpkmil32.dll Cmfclm32.exe File created C:\Windows\SysWOW64\Jbaojpgb.exe Jjjghcfp.exe File created C:\Windows\SysWOW64\Kenggi32.exe Kbpkkn32.exe File created C:\Windows\SysWOW64\Knkekn32.exe Kkmioc32.exe File opened for modification C:\Windows\SysWOW64\Edhjqc32.exe Emnbdioi.exe File created C:\Windows\SysWOW64\Mpeaedjn.dll Hpbiip32.exe File created C:\Windows\SysWOW64\Jnchkf32.dll Iahlcaol.exe File created C:\Windows\SysWOW64\Eadpldgf.dll Kecabifp.exe File created C:\Windows\SysWOW64\Efcagd32.dll Mnpabe32.exe File created C:\Windows\SysWOW64\Neppokal.exe Nbadcpbh.exe File opened for modification C:\Windows\SysWOW64\Aglnbhal.exe Aqaffn32.exe File opened for modification C:\Windows\SysWOW64\Afnnnd32.exe Aglnbhal.exe File created C:\Windows\SysWOW64\Pqnpfi32.dll Nlcalieg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8912 9388 Process not Found 1443 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeekkafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beeoaapl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnqklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mminhceb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkcde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooagno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdaepai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edpgli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjchgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblkhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdliame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdjoane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmlkhofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhdil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eachem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmniml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inomhbeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqeqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehjol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecabifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmkhgho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahhio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiiggoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpkiph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ophjiaql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eangpgcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaompd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamknj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egnchd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jejefqaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcamf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aednci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnbog32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pofjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjnfdhk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hakgmjoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igjeanmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmmffmb.dll" Kbghfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihbdplfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lankbigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhblne32.dll" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjkblhfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gddinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfillg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonklp32.dll" Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbogpnj.dll" Jeekkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iigkob32.dll" Lggldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkkkihe.dll" Edfdej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggnlobej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibnligoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqhafffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdfmlhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdnigno.dll" Ipoopgnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqbda32.dll" Bfchidda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cidjbmcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bebjdgmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjiepeok.dll" Eibfck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll" Pcbmka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gekcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfapnkp.dll" Bgbdcgld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdpachh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mibijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghpel32.dll" Pemomqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgpqgeo.dll" Madjhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aglnbhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmnkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Najceeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmlpaoaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgdfb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dckdjomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejiofjji.dll" Ehfjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlphbnoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lndagg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4476 wrote to memory of 1284 4476 ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8.exe 83 PID 4476 wrote to memory of 1284 4476 ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8.exe 83 PID 4476 wrote to memory of 1284 4476 ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8.exe 83 PID 1284 wrote to memory of 4740 1284 Pdifoehl.exe 84 PID 1284 wrote to memory of 4740 1284 Pdifoehl.exe 84 PID 1284 wrote to memory of 4740 1284 Pdifoehl.exe 84 PID 4740 wrote to memory of 1264 4740 Pfjcgn32.exe 85 PID 4740 wrote to memory of 1264 4740 Pfjcgn32.exe 85 PID 4740 wrote to memory of 1264 4740 Pfjcgn32.exe 85 PID 1264 wrote to memory of 452 1264 Pmdkch32.exe 86 PID 1264 wrote to memory of 452 1264 Pmdkch32.exe 86 PID 1264 wrote to memory of 452 1264 Pmdkch32.exe 86 PID 452 wrote to memory of 1416 452 Pdkcde32.exe 87 PID 452 wrote to memory of 1416 452 Pdkcde32.exe 87 PID 452 wrote to memory of 1416 452 Pdkcde32.exe 87 PID 1416 wrote to memory of 4012 1416 Pflplnlg.exe 88 PID 1416 wrote to memory of 4012 1416 Pflplnlg.exe 88 PID 1416 wrote to memory of 4012 1416 Pflplnlg.exe 88 PID 4012 wrote to memory of 2460 4012 Pncgmkmj.exe 89 PID 4012 wrote to memory of 2460 4012 Pncgmkmj.exe 89 PID 4012 wrote to memory of 2460 4012 Pncgmkmj.exe 89 PID 2460 wrote to memory of 2288 2460 Pqbdjfln.exe 90 PID 2460 wrote to memory of 2288 2460 Pqbdjfln.exe 90 PID 2460 wrote to memory of 2288 2460 Pqbdjfln.exe 90 PID 2288 wrote to memory of 3700 2288 Pcppfaka.exe 91 PID 2288 wrote to memory of 3700 2288 Pcppfaka.exe 91 PID 2288 wrote to memory of 3700 2288 Pcppfaka.exe 91 PID 3700 wrote to memory of 1632 3700 Pfolbmje.exe 92 PID 3700 wrote to memory of 1632 3700 Pfolbmje.exe 92 PID 3700 wrote to memory of 1632 3700 Pfolbmje.exe 92 PID 1632 wrote to memory of 1904 1632 Pmidog32.exe 93 PID 1632 wrote to memory of 1904 1632 Pmidog32.exe 93 PID 1632 wrote to memory of 1904 1632 Pmidog32.exe 93 PID 1904 wrote to memory of 3144 1904 Pcbmka32.exe 94 PID 1904 wrote to memory of 3144 1904 Pcbmka32.exe 94 PID 1904 wrote to memory of 3144 1904 Pcbmka32.exe 94 PID 3144 wrote to memory of 1596 3144 Pfaigm32.exe 95 PID 3144 wrote to memory of 1596 3144 Pfaigm32.exe 95 PID 3144 wrote to memory of 1596 3144 Pfaigm32.exe 95 PID 1596 wrote to memory of 3608 1596 Qnhahj32.exe 96 PID 1596 wrote to memory of 3608 1596 Qnhahj32.exe 96 PID 1596 wrote to memory of 3608 1596 Qnhahj32.exe 96 PID 3608 wrote to memory of 3484 3608 Qdbiedpa.exe 97 PID 3608 wrote to memory of 3484 3608 Qdbiedpa.exe 97 PID 3608 wrote to memory of 3484 3608 Qdbiedpa.exe 97 PID 3484 wrote to memory of 3272 3484 Qceiaa32.exe 98 PID 3484 wrote to memory of 3272 3484 Qceiaa32.exe 98 PID 3484 wrote to memory of 3272 3484 Qceiaa32.exe 98 PID 3272 wrote to memory of 3868 3272 Qnjnnj32.exe 99 PID 3272 wrote to memory of 3868 3272 Qnjnnj32.exe 99 PID 3272 wrote to memory of 3868 3272 Qnjnnj32.exe 99 PID 3868 wrote to memory of 4460 3868 Qcgffqei.exe 100 PID 3868 wrote to memory of 4460 3868 Qcgffqei.exe 100 PID 3868 wrote to memory of 4460 3868 Qcgffqei.exe 100 PID 4460 wrote to memory of 4464 4460 Qffbbldm.exe 101 PID 4460 wrote to memory of 4464 4460 Qffbbldm.exe 101 PID 4460 wrote to memory of 4464 4460 Qffbbldm.exe 101 PID 4464 wrote to memory of 4972 4464 Ampkof32.exe 102 PID 4464 wrote to memory of 4972 4464 Ampkof32.exe 102 PID 4464 wrote to memory of 4972 4464 Ampkof32.exe 102 PID 4972 wrote to memory of 1804 4972 Adgbpc32.exe 103 PID 4972 wrote to memory of 1804 4972 Adgbpc32.exe 103 PID 4972 wrote to memory of 1804 4972 Adgbpc32.exe 103 PID 1804 wrote to memory of 436 1804 Ageolo32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8.exe"C:\Users\Admin\AppData\Local\Temp\ef1895575392b3dd51c8dc4196af240ea98f6be430e2473b7ed7dd618e7b6bb8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe23⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe25⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe26⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe27⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe28⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe29⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe30⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe31⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe32⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe33⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe34⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe35⤵PID:1708
-
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe36⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe37⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe38⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe41⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe42⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4152 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe44⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe48⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe49⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe50⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe51⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe52⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe53⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe54⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe55⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe56⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe57⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe58⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe60⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe61⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe62⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe63⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe64⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe65⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe66⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe67⤵PID:2268
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe68⤵PID:4480
-
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe69⤵PID:4672
-
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe70⤵PID:2920
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe71⤵PID:1840
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe72⤵PID:5064
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe73⤵PID:4984
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4752 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe76⤵
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe77⤵PID:3220
-
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe78⤵
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe80⤵
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe81⤵PID:1096
-
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe82⤵PID:1356
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe83⤵PID:652
-
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe84⤵PID:4068
-
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe85⤵PID:3492
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe86⤵
- Modifies registry class
PID:3512 -
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe87⤵PID:2272
-
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe88⤵PID:1812
-
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe89⤵PID:4160
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe90⤵PID:4280
-
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe91⤵PID:1796
-
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe92⤵
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe93⤵
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe94⤵PID:2256
-
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe95⤵
- System Location Discovery: System Language Discovery
PID:3604 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe96⤵PID:1176
-
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe97⤵PID:2316
-
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe98⤵PID:1824
-
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe99⤵PID:4084
-
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe100⤵PID:4428
-
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe101⤵PID:896
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe102⤵PID:3748
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe103⤵PID:4192
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe104⤵
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe105⤵PID:220
-
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe106⤵PID:5020
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe107⤵PID:3336
-
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe108⤵PID:3616
-
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe109⤵PID:1184
-
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe110⤵PID:3692
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe111⤵PID:5132
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe112⤵PID:5172
-
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe113⤵PID:5216
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe114⤵PID:5260
-
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe115⤵
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe116⤵
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe117⤵PID:5380
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe118⤵PID:5432
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe119⤵PID:5476
-
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe120⤵PID:5516
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe121⤵
- Modifies registry class
PID:5564
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-