Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
24-07-2024 03:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f.exe
-
Size
790KB
-
MD5
6dde3ecf7ed2b3ee4eb13cbaf2824fe9
-
SHA1
7dd1639feba517161890ac16eb2cac49307c7627
-
SHA256
dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f
-
SHA512
24fb155c00b78f4a7b160236e29caa74f98bc4b3619fb54de061aa995b943026b3a30511b11277f74e9630cf5e18f3378b99156416a5cff1c99b03a942bb2d5b
-
SSDEEP
12288:ftmAFB24lwR4P87g7/VycgE81lgxaa79y:vPqoIlg17o
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfldgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpqaiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdnabjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfihbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdajb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblbca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmcnbdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Momcpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acilajpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqiipljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njghbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khpgckkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Milidebi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egohdegl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njljch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iipfmggc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfbibikg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phjenbhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhjph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcaipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gehbjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkabjbih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dikihe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkbde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cocacl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgmmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehfljca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidbij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppamophb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dabhdinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aojlaeei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idieem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qofcff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkpqkcpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmhmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkgeainn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkqeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpnbog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggbook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnphoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klndfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpehof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofhknodl.exe -
Executes dropped EXE 64 IoCs
pid Process 2948 Ekiohclf.exe 3632 Eachem32.exe 3556 Fdbdah32.exe 3136 Fgppmd32.exe 1636 Foghnabl.exe 2236 Fnjhjn32.exe 2644 Feapkk32.exe 64 Fhpmgg32.exe 1516 Fgbmccpg.exe 548 Fojedapj.exe 2168 Fnmepn32.exe 2252 Fedmqk32.exe 4240 Fhbimf32.exe 4248 Fkqeib32.exe 2848 Fnobem32.exe 2128 Fajnfl32.exe 4468 Fdijbg32.exe 4328 Fggfnc32.exe 4452 Fonnop32.exe 4104 Fnaokmco.exe 3656 Fehfljca.exe 4652 Fhgbhfbe.exe 1232 Foqkdp32.exe 1664 Gaogak32.exe 3976 Gdncmghi.exe 5048 Gglpibgm.exe 4024 Gochjpho.exe 4524 Gaadfkgc.exe 1752 Ggnlobej.exe 324 Gnhdkl32.exe 4508 Gepmlimi.exe 2084 Ghniielm.exe 1136 Gkleeplq.exe 4364 Gohaeo32.exe 1496 Gafmaj32.exe 4920 Gfbibikg.exe 2324 Ghpendjj.exe 3964 Gkobjpin.exe 2624 Gahjgj32.exe 1400 Gdgfce32.exe 960 Ggeboaob.exe 3596 Goljqnpd.exe 212 Hakgmjoh.exe 1808 Hdicienl.exe 5012 Hghoeqmp.exe 4656 Hoogfnnb.exe 4648 Hbmcbime.exe 1184 Hdlpneli.exe 5108 Hgjljpkm.exe 4284 Hnddgjbj.exe 3932 Hfklhhcl.exe 380 Hhihdcbp.exe 1392 Hkhdqoac.exe 3936 Hnfamjqg.exe 4500 Hfningai.exe 820 Hhlejcpm.exe 4244 Hkjafn32.exe 464 Hbdjchgn.exe 3532 Hdbfodfa.exe 1508 Ibffhhek.exe 3172 Idebdcdo.exe 3164 Igcoqocb.exe 3544 Iokgal32.exe 2120 Ibicnh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdkohe32.dll Lqbncb32.exe File created C:\Windows\SysWOW64\Emjgim32.exe Ebdcld32.exe File created C:\Windows\SysWOW64\Qfkqjmdg.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Mlkfgena.dll Kijjbofj.exe File created C:\Windows\SysWOW64\Bjodjb32.exe Bgpgng32.exe File opened for modification C:\Windows\SysWOW64\Inbqhhfj.exe Ikcdlmgf.exe File opened for modification C:\Windows\SysWOW64\Amhfkopc.exe Aimkjp32.exe File created C:\Windows\SysWOW64\Nbcpja32.dll Bkdcbd32.exe File created C:\Windows\SysWOW64\Fdepgkgj.exe Flngfn32.exe File created C:\Windows\SysWOW64\Oeedjegm.dll Maggnali.exe File created C:\Windows\SysWOW64\Pejkmk32.exe Phfjcf32.exe File created C:\Windows\SysWOW64\Agolng32.dll Oifppdpd.exe File created C:\Windows\SysWOW64\Cpchnbbb.dll Lhmmjbkf.exe File opened for modification C:\Windows\SysWOW64\Aekddhcb.exe Aoalgn32.exe File created C:\Windows\SysWOW64\Fnadil32.dll Emjgim32.exe File created C:\Windows\SysWOW64\Keimof32.exe Kckqbj32.exe File created C:\Windows\SysWOW64\Idqionfg.dll Bgpgng32.exe File created C:\Windows\SysWOW64\Dglkaf32.dll Cfogeb32.exe File opened for modification C:\Windows\SysWOW64\Qemhbj32.exe Pocpfphe.exe File created C:\Windows\SysWOW64\Kngkqbgl.exe Kcbfcigf.exe File created C:\Windows\SysWOW64\Oaplqh32.exe Opqofe32.exe File created C:\Windows\SysWOW64\Ghfedh32.dll Fgoakc32.exe File opened for modification C:\Windows\SysWOW64\Hgjljpkm.exe Hdlpneli.exe File opened for modification C:\Windows\SysWOW64\Iddljmpc.exe Iafonaao.exe File created C:\Windows\SysWOW64\Kiejmi32.exe Kqnbkl32.exe File opened for modification C:\Windows\SysWOW64\Kiejmi32.exe Kqnbkl32.exe File opened for modification C:\Windows\SysWOW64\Ajndioga.exe Qaflgago.exe File created C:\Windows\SysWOW64\Bcghdkpf.dll Ieidhh32.exe File opened for modification C:\Windows\SysWOW64\Jmbhoeid.exe Jekqmhia.exe File created C:\Windows\SysWOW64\Fdnhih32.exe Fndpmndl.exe File created C:\Windows\SysWOW64\Fjoiip32.dll Mjnnbk32.exe File created C:\Windows\SysWOW64\Mlofcf32.exe Mbibfm32.exe File created C:\Windows\SysWOW64\Hhcjcf32.dll Mhdjehhj.exe File opened for modification C:\Windows\SysWOW64\Ophjiaql.exe Oebflhaf.exe File created C:\Windows\SysWOW64\Dpinoh32.dll Phcomcng.exe File created C:\Windows\SysWOW64\Fdamgb32.exe Facqkg32.exe File opened for modification C:\Windows\SysWOW64\Oifeab32.exe Oblmdhdo.exe File created C:\Windows\SysWOW64\Klobfk32.dll Ajndioga.exe File created C:\Windows\SysWOW64\Gbmingjo.exe Glcaambb.exe File opened for modification C:\Windows\SysWOW64\Lhenai32.exe Lchfib32.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Nbphglbe.exe File created C:\Windows\SysWOW64\Jlacji32.dll Edemkd32.exe File opened for modification C:\Windows\SysWOW64\Hloqml32.exe Ggahedjn.exe File created C:\Windows\SysWOW64\Ofmdio32.exe Oaplqh32.exe File opened for modification C:\Windows\SysWOW64\Ihmfco32.exe Ieojgc32.exe File created C:\Windows\SysWOW64\Mcaipa32.exe Mpclce32.exe File created C:\Windows\SysWOW64\Fajnfl32.exe Fnobem32.exe File created C:\Windows\SysWOW64\Eoefilfc.dll Aobilkcl.exe File created C:\Windows\SysWOW64\Jgbjbp32.exe Jjoiil32.exe File created C:\Windows\SysWOW64\Lhnhajba.exe Kadpdp32.exe File created C:\Windows\SysWOW64\Hmahidnb.dll Fonnop32.exe File opened for modification C:\Windows\SysWOW64\Gpqjglii.exe Gjdaodja.exe File opened for modification C:\Windows\SysWOW64\Dmalne32.exe Dpnkdq32.exe File opened for modification C:\Windows\SysWOW64\Djjebh32.exe Dikihe32.exe File created C:\Windows\SysWOW64\Eppqqn32.exe Eblpgjha.exe File created C:\Windows\SysWOW64\Gkoafbld.dll Ljceqb32.exe File created C:\Windows\SysWOW64\Dhikci32.exe Dbocfo32.exe File created C:\Windows\SysWOW64\Lalbjhdj.dll Pllgnl32.exe File created C:\Windows\SysWOW64\Hlhccj32.exe Hcpojd32.exe File created C:\Windows\SysWOW64\Kngekilj.dll Ilkoim32.exe File opened for modification C:\Windows\SysWOW64\Nfihbk32.exe Nckkfp32.exe File created C:\Windows\SysWOW64\Nldfjqkf.dll Milidebi.exe File created C:\Windows\SysWOW64\Gadiippo.dll Ofmdio32.exe File opened for modification C:\Windows\SysWOW64\Ookoaokf.exe Oiagde32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9200 9448 WerFault.exe 977 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeehkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimmifgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgnbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdigadjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoeieolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemmac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhfedil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncqlkemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmeapmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdfgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaindh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljilqnlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbphdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefnkkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkibgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimldogg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeadd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkblhfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgepanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonlfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajnfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpleig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhkbdmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgodhkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahpfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaekqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eipinkib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbphg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiehfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edionhpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ienekbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nblolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefdbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holfoqcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpoihnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjlic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edemkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjellmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbhoeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgfkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkgnfhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmmjbkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpanan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oqoefand.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpkchqdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdndomn.dll" Meefofek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hldiinke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll" Jbccge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lckboblp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiccje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpehad32.dll" Ifihif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mifljdjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppjbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkqeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkhdqoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgqqdeod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpgpgfmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggahedjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aopemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckebcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaadfkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpimfpo.dll" Ghpendjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chalkm32.dll" Oiknlagg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnlhncgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fielph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpgiggmj.dll" Hkgnfhnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbphglbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nopfpgip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpenfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njmqnobn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paiogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Ojcpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fajnfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmmgg32.dll" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganmcc32.dll" Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnhm32.dll" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Blnoga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keojhkpc.dll" Gaogak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nahffe32.dll" Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedkdf32.dll" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjjnh32.dll" Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocdnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhjmdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llnnmhfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acilajpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccqkigkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgmickl.dll" Pdfehh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbgihaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll" Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikki32.dll" Oqoefand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllmfjk.dll" Oekpkigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbobfjdp.dll" Pakllc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 2948 2428 dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f.exe 84 PID 2428 wrote to memory of 2948 2428 dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f.exe 84 PID 2428 wrote to memory of 2948 2428 dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f.exe 84 PID 2948 wrote to memory of 3632 2948 Ekiohclf.exe 85 PID 2948 wrote to memory of 3632 2948 Ekiohclf.exe 85 PID 2948 wrote to memory of 3632 2948 Ekiohclf.exe 85 PID 3632 wrote to memory of 3556 3632 Eachem32.exe 86 PID 3632 wrote to memory of 3556 3632 Eachem32.exe 86 PID 3632 wrote to memory of 3556 3632 Eachem32.exe 86 PID 3556 wrote to memory of 3136 3556 Fdbdah32.exe 87 PID 3556 wrote to memory of 3136 3556 Fdbdah32.exe 87 PID 3556 wrote to memory of 3136 3556 Fdbdah32.exe 87 PID 3136 wrote to memory of 1636 3136 Fgppmd32.exe 88 PID 3136 wrote to memory of 1636 3136 Fgppmd32.exe 88 PID 3136 wrote to memory of 1636 3136 Fgppmd32.exe 88 PID 1636 wrote to memory of 2236 1636 Foghnabl.exe 89 PID 1636 wrote to memory of 2236 1636 Foghnabl.exe 89 PID 1636 wrote to memory of 2236 1636 Foghnabl.exe 89 PID 2236 wrote to memory of 2644 2236 Fnjhjn32.exe 90 PID 2236 wrote to memory of 2644 2236 Fnjhjn32.exe 90 PID 2236 wrote to memory of 2644 2236 Fnjhjn32.exe 90 PID 2644 wrote to memory of 64 2644 Feapkk32.exe 91 PID 2644 wrote to memory of 64 2644 Feapkk32.exe 91 PID 2644 wrote to memory of 64 2644 Feapkk32.exe 91 PID 64 wrote to memory of 1516 64 Fhpmgg32.exe 92 PID 64 wrote to memory of 1516 64 Fhpmgg32.exe 92 PID 64 wrote to memory of 1516 64 Fhpmgg32.exe 92 PID 1516 wrote to memory of 548 1516 Fgbmccpg.exe 93 PID 1516 wrote to memory of 548 1516 Fgbmccpg.exe 93 PID 1516 wrote to memory of 548 1516 Fgbmccpg.exe 93 PID 548 wrote to memory of 2168 548 Fojedapj.exe 94 PID 548 wrote to memory of 2168 548 Fojedapj.exe 94 PID 548 wrote to memory of 2168 548 Fojedapj.exe 94 PID 2168 wrote to memory of 2252 2168 Fnmepn32.exe 95 PID 2168 wrote to memory of 2252 2168 Fnmepn32.exe 95 PID 2168 wrote to memory of 2252 2168 Fnmepn32.exe 95 PID 2252 wrote to memory of 4240 2252 Fedmqk32.exe 96 PID 2252 wrote to memory of 4240 2252 Fedmqk32.exe 96 PID 2252 wrote to memory of 4240 2252 Fedmqk32.exe 96 PID 4240 wrote to memory of 4248 4240 Fhbimf32.exe 97 PID 4240 wrote to memory of 4248 4240 Fhbimf32.exe 97 PID 4240 wrote to memory of 4248 4240 Fhbimf32.exe 97 PID 4248 wrote to memory of 2848 4248 Fkqeib32.exe 98 PID 4248 wrote to memory of 2848 4248 Fkqeib32.exe 98 PID 4248 wrote to memory of 2848 4248 Fkqeib32.exe 98 PID 2848 wrote to memory of 2128 2848 Fnobem32.exe 99 PID 2848 wrote to memory of 2128 2848 Fnobem32.exe 99 PID 2848 wrote to memory of 2128 2848 Fnobem32.exe 99 PID 2128 wrote to memory of 4468 2128 Fajnfl32.exe 100 PID 2128 wrote to memory of 4468 2128 Fajnfl32.exe 100 PID 2128 wrote to memory of 4468 2128 Fajnfl32.exe 100 PID 4468 wrote to memory of 4328 4468 Fdijbg32.exe 101 PID 4468 wrote to memory of 4328 4468 Fdijbg32.exe 101 PID 4468 wrote to memory of 4328 4468 Fdijbg32.exe 101 PID 4328 wrote to memory of 4452 4328 Fggfnc32.exe 102 PID 4328 wrote to memory of 4452 4328 Fggfnc32.exe 102 PID 4328 wrote to memory of 4452 4328 Fggfnc32.exe 102 PID 4452 wrote to memory of 4104 4452 Fonnop32.exe 103 PID 4452 wrote to memory of 4104 4452 Fonnop32.exe 103 PID 4452 wrote to memory of 4104 4452 Fonnop32.exe 103 PID 4104 wrote to memory of 3656 4104 Fnaokmco.exe 104 PID 4104 wrote to memory of 3656 4104 Fnaokmco.exe 104 PID 4104 wrote to memory of 3656 4104 Fnaokmco.exe 104 PID 3656 wrote to memory of 4652 3656 Fehfljca.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f.exe"C:\Users\Admin\AppData\Local\Temp\dada25dd7f2b5b0b05a166d63619bca2e9d3aa749ef1b1a1eadad7f4b8fc1a3f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe23⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe24⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe26⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe27⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe28⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4524 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe30⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe31⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe32⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe33⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe34⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe35⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe36⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe39⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe40⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe41⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe42⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe43⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe44⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe45⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe46⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe47⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe48⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe50⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe51⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe52⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe53⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe55⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe56⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe57⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe58⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe59⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe60⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe61⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe62⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe63⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe64⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe65⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe66⤵PID:4812
-
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe67⤵PID:5156
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe68⤵PID:5196
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe69⤵PID:5232
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe70⤵PID:5268
-
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe71⤵PID:5304
-
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe72⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe73⤵PID:5376
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe74⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe75⤵PID:5448
-
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe76⤵
- System Location Discovery: System Language Discovery
PID:5484 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe77⤵PID:5516
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe78⤵
- System Location Discovery: System Language Discovery
PID:5552 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe79⤵PID:5588
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe80⤵PID:5624
-
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe81⤵PID:5660
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe82⤵PID:5696
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe83⤵PID:5732
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe84⤵PID:5768
-
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe85⤵PID:5804
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe86⤵PID:5840
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe87⤵PID:5876
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe88⤵PID:5912
-
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe89⤵PID:5948
-
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe90⤵PID:5984
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe91⤵PID:6020
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe92⤵PID:6056
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe93⤵PID:6092
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe94⤵PID:6128
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe95⤵PID:2444
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe96⤵PID:4780
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe97⤵PID:2988
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe98⤵PID:3748
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe99⤵PID:4800
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe100⤵PID:4628
-
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe101⤵PID:4324
-
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe102⤵PID:5140
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe103⤵PID:5184
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe104⤵PID:5248
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe105⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe106⤵PID:5360
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe107⤵PID:5432
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe108⤵PID:5500
-
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe109⤵PID:5560
-
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe111⤵
- System Location Discovery: System Language Discovery
PID:5684 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe112⤵PID:1212
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe113⤵PID:5792
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe114⤵PID:5848
-
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe115⤵PID:5908
-
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe116⤵PID:5972
-
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe117⤵
- System Location Discovery: System Language Discovery
PID:6028 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe118⤵PID:6088
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe119⤵PID:2560
-
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe120⤵PID:4372
-
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe121⤵PID:1868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-