Analysis
-
max time kernel
95s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/08/2024, 10:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96aa00fc0900c71db510abd64e4577b0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
96aa00fc0900c71db510abd64e4577b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
96aa00fc0900c71db510abd64e4577b0N.exe
-
Size
246KB
-
MD5
96aa00fc0900c71db510abd64e4577b0
-
SHA1
c32ed6b9188c5e7bf38c6f348bdd9a1a1fbefd11
-
SHA256
06e7b8be920557703fa933c526bce24815fc6e3e540e494d28c3acaef74271e9
-
SHA512
8366bf8bb2c6d806dc92425ad278c745e44f58a0a597b5faff18d4f123e6d9191e0defa131313d2c58bdf183a26a0eeaeb5d93314f66f9e51d32f9e87513fb56
-
SSDEEP
3072:K/y5kiADTMLpo2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3OF9HqoX:hIMNo2B1xBm102VQlterS9HrX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnedlao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejalcgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkceokii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemmac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fechomko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpfan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaebef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piocecgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lakfeodm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmkiclm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmglcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcehdod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafppp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlefl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiejmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilafiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmodajm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgcfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlolpq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnibokbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhilfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hginecde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcoaglhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhcgaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmalne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahofoogd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpkdjofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokfja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efdjgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekajec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkomneim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjpfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doaneiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfqnbjfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnoki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocohmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiofk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgloefco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeokal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjgfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhomfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbdki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgjopal.exe -
Executes dropped EXE 64 IoCs
pid Process 4636 Bmmpfn32.exe 5096 Bfedoc32.exe 3896 Bjaqpbkh.exe 1656 Bqkill32.exe 436 Bjcmebie.exe 1572 Bqmeal32.exe 672 Bggnof32.exe 3984 Bihjfnmm.exe 4168 Cqpbglno.exe 4452 Cgjjdf32.exe 4584 Cjhfpa32.exe 2068 Cmfclm32.exe 3404 Cabomkll.exe 872 Ccqkigkp.exe 3620 Cfogeb32.exe 1040 Cjjcfabm.exe 468 Cmipblaq.exe 4560 Cadlbk32.exe 4052 Cpglnhad.exe 3536 Ccchof32.exe 2800 Cgndoeag.exe 2128 Cjmpkqqj.exe 4864 Cippgm32.exe 4116 Cmklglpn.exe 1236 Caghhk32.exe 3228 Cceddf32.exe 2952 Cgqqdeod.exe 2820 Cjomap32.exe 4072 Cibmlmeb.exe 3284 Cmniml32.exe 1012 Caienjfd.exe 3204 Cpleig32.exe 2748 Cgcmjd32.exe 1824 Cgcmjd32.exe 1724 Cffmfadl.exe 5084 Cidjbmcp.exe 1156 Dmpfbk32.exe 3508 Dakacjdb.exe 4372 Dpnbog32.exe 3520 Dcjnoece.exe 3052 Dgejpd32.exe 1272 Dfhjkabi.exe 4520 Djdflp32.exe 772 Diffglam.exe 3688 Dmbbhkjf.exe 2240 Dpqodfij.exe 4464 Dclkee32.exe 5100 Dhhfedil.exe 2712 Dfjgaq32.exe 3496 Dmdonkgc.exe 4160 Dapkni32.exe 3524 Dpckjfgg.exe 4900 Djhpgofm.exe 4444 Dmglcj32.exe 1676 Ddadpdmn.exe 4988 Dhlpqc32.exe 1856 Dfoplpla.exe 4308 Dinmhkke.exe 4668 Dmihij32.exe 4580 Daediilg.exe 3844 Dpgeee32.exe 2964 Dhomfc32.exe 852 Dfamapjo.exe 4376 Djmibn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mgbefe32.exe Mcgiefen.exe File created C:\Windows\SysWOW64\Hifpcjin.dll Fmgejhgn.exe File created C:\Windows\SysWOW64\Hkbdki32.exe Hhdhon32.exe File created C:\Windows\SysWOW64\Fenghpla.dll Enbjad32.exe File created C:\Windows\SysWOW64\Hiaafn32.dll Gihgfk32.exe File created C:\Windows\SysWOW64\Jhpicj32.dll Nfcabp32.exe File created C:\Windows\SysWOW64\Ppjbmc32.exe Pmlfqh32.exe File created C:\Windows\SysWOW64\Kfcfimfi.dll Phajna32.exe File created C:\Windows\SysWOW64\Fkdjqkoj.dll Gejhef32.exe File opened for modification C:\Windows\SysWOW64\Dakacjdb.exe Dmpfbk32.exe File created C:\Windows\SysWOW64\Plbhknkl.dll Hmpjmn32.exe File created C:\Windows\SysWOW64\Kqfngd32.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Jppnpjel.exe Jhifomdj.exe File opened for modification C:\Windows\SysWOW64\Fmnkkg32.exe Fkpool32.exe File opened for modification C:\Windows\SysWOW64\Ajggomog.exe Abponp32.exe File created C:\Windows\SysWOW64\Lajagj32.exe Kkmioc32.exe File opened for modification C:\Windows\SysWOW64\Gpcfmkff.exe Giinpa32.exe File created C:\Windows\SysWOW64\Inebjihf.exe Ihkjno32.exe File created C:\Windows\SysWOW64\Jabphdjm.dll Dgeenfog.exe File created C:\Windows\SysWOW64\Iankhggi.dll Mfkkqmiq.exe File opened for modification C:\Windows\SysWOW64\Mohidbkl.exe Mljmhflh.exe File created C:\Windows\SysWOW64\Pgnnnnod.dll Jnfcia32.exe File created C:\Windows\SysWOW64\Lkpkgebb.dll Laqhhi32.exe File created C:\Windows\SysWOW64\Bmjkic32.exe Bgpcliao.exe File created C:\Windows\SysWOW64\Lgkpdcmi.exe Laqhhi32.exe File created C:\Windows\SysWOW64\Cmakeiil.dll Nklbmllg.exe File created C:\Windows\SysWOW64\Efjbcakl.exe Enbjad32.exe File created C:\Windows\SysWOW64\Edplhjhi.exe Ebaplnie.exe File created C:\Windows\SysWOW64\Cjhfpa32.exe Cgjjdf32.exe File created C:\Windows\SysWOW64\Eibfck32.exe Efdjgo32.exe File created C:\Windows\SysWOW64\Hlbpmd32.dll Jbdlop32.exe File opened for modification C:\Windows\SysWOW64\Mfkkqmiq.exe Lcmodajm.exe File created C:\Windows\SysWOW64\Fnipbc32.exe Flkdfh32.exe File created C:\Windows\SysWOW64\Fkccgodj.dll Fechomko.exe File created C:\Windows\SysWOW64\Hlnjbedi.exe Hedafk32.exe File created C:\Windows\SysWOW64\Iphioh32.exe Injmcmej.exe File created C:\Windows\SysWOW64\Fbgdmb32.dll Dglkoeio.exe File opened for modification C:\Windows\SysWOW64\Kbhmbdle.exe Klndfj32.exe File created C:\Windows\SysWOW64\Mjlalkmd.exe Mbdiknlb.exe File created C:\Windows\SysWOW64\Dfjgaq32.exe Dhhfedil.exe File created C:\Windows\SysWOW64\Dmglcj32.exe Djhpgofm.exe File opened for modification C:\Windows\SysWOW64\Plbmokop.exe Pamiaboj.exe File created C:\Windows\SysWOW64\Flngfn32.exe Ffaong32.exe File created C:\Windows\SysWOW64\Badanigc.exe Bkjiao32.exe File created C:\Windows\SysWOW64\Ipeeobbe.exe Iikmbh32.exe File created C:\Windows\SysWOW64\Hikemehi.dll Chdialdl.exe File opened for modification C:\Windows\SysWOW64\Ieagmcmq.exe Iogopi32.exe File opened for modification C:\Windows\SysWOW64\Djhpgofm.exe Dpckjfgg.exe File created C:\Windows\SysWOW64\Ghpocngo.exe Gphgbafl.exe File created C:\Windows\SysWOW64\Fmdmqp32.dll Lnpofnhk.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe Mfchlbfd.exe File created C:\Windows\SysWOW64\Ppgegd32.exe Pmiikh32.exe File opened for modification C:\Windows\SysWOW64\Hhdhon32.exe Hpmpnp32.exe File created C:\Windows\SysWOW64\Jgenbfoa.exe Jqlefl32.exe File created C:\Windows\SysWOW64\Bjdbkbbn.dll Kcmmhj32.exe File opened for modification C:\Windows\SysWOW64\Cbbdjm32.exe Ccpdoqgd.exe File created C:\Windows\SysWOW64\Cjibekmc.dll Njfagf32.exe File created C:\Windows\SysWOW64\Bgpcliao.exe Bdagpnbk.exe File created C:\Windows\SysWOW64\Aolblopj.exe Alnfpcag.exe File created C:\Windows\SysWOW64\Egdagc32.dll Jcanll32.exe File created C:\Windows\SysWOW64\Nmcpoedn.exe Njedbjej.exe File created C:\Windows\SysWOW64\Icbcjhfb.dll Ocnabm32.exe File created C:\Windows\SysWOW64\Dcnfjkma.dll Inqbclob.exe File opened for modification C:\Windows\SysWOW64\Knooej32.exe Jgeghp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1920 5352 WerFault.exe 1058 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnoplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjadje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mohidbkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomifecf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeehkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlmchoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndgfpbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbphdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplicjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoiil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlljnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamiaboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnoga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfodeohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpodlbng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjaleemj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmoohbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjbmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhlhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlddqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmpkqqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomoenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqgmmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpofnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olijhmgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpnclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edgbii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdhcddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgind32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpomcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diccgfpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkegpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onocomdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icknfcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgcea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdcmh32.dll" Glcaambb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekkkoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcmmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lagajn32.dll" Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcbfcigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll" Lakfeodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Angdnk32.dll" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhcali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqpbglno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hammhcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihgnkkbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jklphekp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqecq32.dll" Ekkkoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffceip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll" Ljbfpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmhabha.dll" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplhmakj.dll" Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpqjglii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igpdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll" Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll" Bajqda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgfdiop.dll" Ccchof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkpihfh.dll" Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepkipc.dll" Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjhhfnd.dll" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll" Mfchlbfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkjcbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" Qhkdof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odepdabi.dll" Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqncnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobmce32.dll" Feqeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Conanfli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcmlj32.dll" Ikpjbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjepjkhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldldehjm.dll" Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cibmlmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncndec32.dll" Poajkgnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjdpelnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfapoa32.dll" Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqkamhk.dll" Bkafmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgcihgaj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3808 wrote to memory of 4636 3808 96aa00fc0900c71db510abd64e4577b0N.exe 83 PID 3808 wrote to memory of 4636 3808 96aa00fc0900c71db510abd64e4577b0N.exe 83 PID 3808 wrote to memory of 4636 3808 96aa00fc0900c71db510abd64e4577b0N.exe 83 PID 4636 wrote to memory of 5096 4636 Bmmpfn32.exe 84 PID 4636 wrote to memory of 5096 4636 Bmmpfn32.exe 84 PID 4636 wrote to memory of 5096 4636 Bmmpfn32.exe 84 PID 5096 wrote to memory of 3896 5096 Bfedoc32.exe 85 PID 5096 wrote to memory of 3896 5096 Bfedoc32.exe 85 PID 5096 wrote to memory of 3896 5096 Bfedoc32.exe 85 PID 3896 wrote to memory of 1656 3896 Bjaqpbkh.exe 87 PID 3896 wrote to memory of 1656 3896 Bjaqpbkh.exe 87 PID 3896 wrote to memory of 1656 3896 Bjaqpbkh.exe 87 PID 1656 wrote to memory of 436 1656 Bqkill32.exe 88 PID 1656 wrote to memory of 436 1656 Bqkill32.exe 88 PID 1656 wrote to memory of 436 1656 Bqkill32.exe 88 PID 436 wrote to memory of 1572 436 Bjcmebie.exe 89 PID 436 wrote to memory of 1572 436 Bjcmebie.exe 89 PID 436 wrote to memory of 1572 436 Bjcmebie.exe 89 PID 1572 wrote to memory of 672 1572 Bqmeal32.exe 91 PID 1572 wrote to memory of 672 1572 Bqmeal32.exe 91 PID 1572 wrote to memory of 672 1572 Bqmeal32.exe 91 PID 672 wrote to memory of 3984 672 Bggnof32.exe 92 PID 672 wrote to memory of 3984 672 Bggnof32.exe 92 PID 672 wrote to memory of 3984 672 Bggnof32.exe 92 PID 3984 wrote to memory of 4168 3984 Bihjfnmm.exe 93 PID 3984 wrote to memory of 4168 3984 Bihjfnmm.exe 93 PID 3984 wrote to memory of 4168 3984 Bihjfnmm.exe 93 PID 4168 wrote to memory of 4452 4168 Cqpbglno.exe 94 PID 4168 wrote to memory of 4452 4168 Cqpbglno.exe 94 PID 4168 wrote to memory of 4452 4168 Cqpbglno.exe 94 PID 4452 wrote to memory of 4584 4452 Cgjjdf32.exe 95 PID 4452 wrote to memory of 4584 4452 Cgjjdf32.exe 95 PID 4452 wrote to memory of 4584 4452 Cgjjdf32.exe 95 PID 4584 wrote to memory of 2068 4584 Cjhfpa32.exe 96 PID 4584 wrote to memory of 2068 4584 Cjhfpa32.exe 96 PID 4584 wrote to memory of 2068 4584 Cjhfpa32.exe 96 PID 2068 wrote to memory of 3404 2068 Cmfclm32.exe 97 PID 2068 wrote to memory of 3404 2068 Cmfclm32.exe 97 PID 2068 wrote to memory of 3404 2068 Cmfclm32.exe 97 PID 3404 wrote to memory of 872 3404 Cabomkll.exe 98 PID 3404 wrote to memory of 872 3404 Cabomkll.exe 98 PID 3404 wrote to memory of 872 3404 Cabomkll.exe 98 PID 872 wrote to memory of 3620 872 Ccqkigkp.exe 99 PID 872 wrote to memory of 3620 872 Ccqkigkp.exe 99 PID 872 wrote to memory of 3620 872 Ccqkigkp.exe 99 PID 3620 wrote to memory of 1040 3620 Cfogeb32.exe 100 PID 3620 wrote to memory of 1040 3620 Cfogeb32.exe 100 PID 3620 wrote to memory of 1040 3620 Cfogeb32.exe 100 PID 1040 wrote to memory of 468 1040 Cjjcfabm.exe 101 PID 1040 wrote to memory of 468 1040 Cjjcfabm.exe 101 PID 1040 wrote to memory of 468 1040 Cjjcfabm.exe 101 PID 468 wrote to memory of 4560 468 Cmipblaq.exe 102 PID 468 wrote to memory of 4560 468 Cmipblaq.exe 102 PID 468 wrote to memory of 4560 468 Cmipblaq.exe 102 PID 4560 wrote to memory of 4052 4560 Cadlbk32.exe 103 PID 4560 wrote to memory of 4052 4560 Cadlbk32.exe 103 PID 4560 wrote to memory of 4052 4560 Cadlbk32.exe 103 PID 4052 wrote to memory of 3536 4052 Cpglnhad.exe 104 PID 4052 wrote to memory of 3536 4052 Cpglnhad.exe 104 PID 4052 wrote to memory of 3536 4052 Cpglnhad.exe 104 PID 3536 wrote to memory of 2800 3536 Ccchof32.exe 105 PID 3536 wrote to memory of 2800 3536 Ccchof32.exe 105 PID 3536 wrote to memory of 2800 3536 Ccchof32.exe 105 PID 2800 wrote to memory of 2128 2800 Cgndoeag.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\96aa00fc0900c71db510abd64e4577b0N.exe"C:\Users\Admin\AppData\Local\Temp\96aa00fc0900c71db510abd64e4577b0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe24⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe25⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe26⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe27⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe28⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe29⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4072 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe31⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe32⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe33⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe35⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe36⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe37⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe39⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe40⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe41⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe42⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe44⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe45⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe46⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe47⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe48⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe50⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe51⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe52⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3524 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4900 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe56⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe57⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe58⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe59⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe60⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe61⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe62⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe64⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe65⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe66⤵PID:5024
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe67⤵PID:3628
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe68⤵PID:2200
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe69⤵PID:4036
-
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe70⤵PID:4640
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe72⤵PID:2268
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe73⤵PID:3484
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe74⤵PID:3948
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe75⤵PID:3684
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe76⤵PID:1608
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe77⤵PID:1752
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe78⤵PID:2600
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe79⤵PID:724
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe80⤵PID:384
-
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe81⤵
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe82⤵PID:1640
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe83⤵PID:1704
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe84⤵PID:4400
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe85⤵PID:4108
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe86⤵PID:2284
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe87⤵PID:4200
-
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe88⤵PID:2032
-
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe89⤵PID:1564
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe90⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe91⤵PID:2164
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe92⤵PID:1472
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe94⤵PID:1128
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe95⤵PID:4152
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe96⤵PID:3956
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe97⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe98⤵PID:556
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe99⤵
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe100⤵PID:2440
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe101⤵PID:4692
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe102⤵PID:5168
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe103⤵PID:5220
-
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe104⤵PID:5264
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe105⤵PID:5312
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe106⤵PID:5360
-
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe107⤵PID:5404
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe108⤵PID:5444
-
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5488 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe110⤵PID:5532
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe111⤵PID:5572
-
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe112⤵PID:5616
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe113⤵PID:5660
-
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe114⤵PID:5700
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe115⤵
- Drops file in System32 directory
PID:5744 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe116⤵PID:5796
-
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe117⤵PID:5840
-
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe118⤵PID:5884
-
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe119⤵PID:5928
-
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe120⤵PID:5972
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe121⤵PID:6016
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-