Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/08/2024, 14:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b7e513272533b1bcfc8a03e27a057200N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b7e513272533b1bcfc8a03e27a057200N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b7e513272533b1bcfc8a03e27a057200N.exe
-
Size
360KB
-
MD5
b7e513272533b1bcfc8a03e27a057200
-
SHA1
2b101cd13c8282428506693acb20986e2ec694f3
-
SHA256
e7ad8c7483321bc79b7f0191aac444b40d43e4e800508a507c19da5cb5e935e7
-
SHA512
f3905cd0a54ba9187041606ab8e1d652ac75fd3cc543a7c42df5660b717a30b9969ac45889aad9ef1882d8da0d3efb11b52c349088879160b380b52aa67a37a6
-
SSDEEP
6144:l9rXEEEEEEEVIYCpX2/mnbzvdLaD6OkPgl6bmIjlQFxU:lFXEEEEEEEdCpXImbzQD6OkPgl6bmIjR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnkcekm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbcmakpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbqmiinl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfdmlcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnaqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemefcap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joffnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqcjepfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdheded.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjfecno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgeihcme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmcgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioopml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agiamhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpdgqmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdkoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igajal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgonidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojefobm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkigh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkbnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cponen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafdkmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mekgdl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljjjqlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfamapjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmomlnjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibojhim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljpij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfiplog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filapfbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 4780 Eehnem32.exe 1212 Ehfjah32.exe 4868 Edmjfifl.exe 4200 Emeoooml.exe 3444 Egnchd32.exe 1288 Emhldnkj.exe 208 Feocelll.exe 2208 Foghnabl.exe 808 Fafdkmap.exe 4736 Fddqghpd.exe 2820 Fgeihcme.exe 1572 Fnobem32.exe 4420 Fdijbg32.exe 1504 Fnaokmco.exe 4728 Fgjccb32.exe 4940 Gkglja32.exe 3076 Gadqlkep.exe 4476 Gkleeplq.exe 1412 Ghpendjj.exe 1892 Gahjgj32.exe 3984 Goljqnpd.exe 4608 Hakgmjoh.exe 2964 Hkckeo32.exe 1080 Hnagak32.exe 4796 Hfipbh32.exe 112 Hkehkocf.exe 436 Hnddgjbj.exe 5100 Hglipp32.exe 2108 Hocqam32.exe 1900 Hfningai.exe 1076 Hkjafn32.exe 4124 Hdbfodfa.exe 728 Hkmnln32.exe 1224 Inkjhi32.exe 2164 Ibffhhek.exe 3284 Idebdcdo.exe 2824 Igcoqocb.exe 3780 Inmgmijo.exe 3488 Ifdonfka.exe 4536 Iickkbje.exe 5052 Ikaggmii.exe 1936 Inpccihl.exe 4428 Ifgldfio.exe 4764 Idjlpc32.exe 800 Ikcdlmgf.exe 1520 Ioopml32.exe 3572 Ieliebnf.exe 2544 Ioambknl.exe 1368 Ibpiogmp.exe 4056 Igmagnkg.exe 2908 Jodjhkkj.exe 5112 Jngjch32.exe 448 Jeqbpb32.exe 4688 Jilnqqbj.exe 5024 Joffnk32.exe 4284 Jfpojead.exe 4804 Jiokfpph.exe 3416 Joiccj32.exe 4080 Jbgoof32.exe 532 Jfbkpd32.exe 4712 Jiaglp32.exe 3156 Jkodhk32.exe 4980 Jnnpdg32.exe 4484 Jbileede.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nknbglob.dll Feocelll.exe File created C:\Windows\SysWOW64\Bkhakafh.dll Pjgebf32.exe File opened for modification C:\Windows\SysWOW64\Fbjena32.exe Fnnjmbpm.exe File created C:\Windows\SysWOW64\Hioflcbj.exe Hahokfag.exe File created C:\Windows\SysWOW64\Ibqnkh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fbelcblk.exe Fimhjl32.exe File created C:\Windows\SysWOW64\Hibjli32.exe Hbhboolf.exe File created C:\Windows\SysWOW64\Fppcajgd.dll Ckilmcgb.exe File created C:\Windows\SysWOW64\Plpjoe32.exe Pdhbmh32.exe File created C:\Windows\SysWOW64\Pdmdnadc.exe Panhbfep.exe File created C:\Windows\SysWOW64\Fnobem32.exe Fgeihcme.exe File opened for modification C:\Windows\SysWOW64\Cpbbch32.exe Cmdfgm32.exe File created C:\Windows\SysWOW64\Fjbhpb32.dll Kijchhbo.exe File opened for modification C:\Windows\SysWOW64\Jieagojp.exe Jfgdkd32.exe File created C:\Windows\SysWOW64\Bmmpfn32.exe Bjodjb32.exe File created C:\Windows\SysWOW64\Pdkjmfeo.dll Alcfei32.exe File created C:\Windows\SysWOW64\Nkpcjeml.dll Dpqodfij.exe File opened for modification C:\Windows\SysWOW64\Dblgpl32.exe Dpnkdq32.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Ickglm32.exe File created C:\Windows\SysWOW64\Fgjhpcmo.exe Fdlkdhnk.exe File created C:\Windows\SysWOW64\Ckcdlpbd.dll Fqgedh32.exe File created C:\Windows\SysWOW64\Jjjghcfp.exe Jhijqj32.exe File created C:\Windows\SysWOW64\Bomfgoah.dll Mmbanbmg.exe File created C:\Windows\SysWOW64\Paelfmaf.exe Okkdic32.exe File opened for modification C:\Windows\SysWOW64\Mqdcnl32.exe Mnegbp32.exe File created C:\Windows\SysWOW64\Hkmnln32.exe Hdbfodfa.exe File opened for modification C:\Windows\SysWOW64\Fpjjac32.exe Fmlneg32.exe File created C:\Windows\SysWOW64\Mhfppabl.exe Malgcg32.exe File created C:\Windows\SysWOW64\Modpib32.exe Process not Found File created C:\Windows\SysWOW64\Lacdmh32.exe Llflea32.exe File created C:\Windows\SysWOW64\Dannpknl.dll Nnfpinmi.exe File opened for modification C:\Windows\SysWOW64\Cocjiehd.exe Cdmfllhn.exe File opened for modification C:\Windows\SysWOW64\Knfeeimj.exe Kglmio32.exe File created C:\Windows\SysWOW64\Emlmcm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cmdfgm32.exe Bjfjka32.exe File created C:\Windows\SysWOW64\Ogacbllg.dll Phaahggp.exe File created C:\Windows\SysWOW64\Jekjcaef.exe Process not Found File opened for modification C:\Windows\SysWOW64\Olfghg32.exe Odoogi32.exe File created C:\Windows\SysWOW64\Ehkaqc32.dll Iebngial.exe File created C:\Windows\SysWOW64\Aijqqd32.dll Hoobdp32.exe File created C:\Windows\SysWOW64\Hhlpmmgb.dll Kgkfnh32.exe File created C:\Windows\SysWOW64\Jpbhgp32.dll Edgbii32.exe File created C:\Windows\SysWOW64\Aggamk32.dll Bifmqo32.exe File created C:\Windows\SysWOW64\Bcddcbab.exe Bkmmaeap.exe File opened for modification C:\Windows\SysWOW64\Nabfjpak.exe Nndjndbh.exe File opened for modification C:\Windows\SysWOW64\Fgjhpcmo.exe Fdlkdhnk.exe File created C:\Windows\SysWOW64\Jpegkj32.exe Process not Found File created C:\Windows\SysWOW64\Bhagaamj.dll Kbbokdlk.exe File created C:\Windows\SysWOW64\Omlokmha.dll Fdhcgaic.exe File opened for modification C:\Windows\SysWOW64\Pjdpelnc.exe Pdjgha32.exe File opened for modification C:\Windows\SysWOW64\Inpccihl.exe Ikaggmii.exe File created C:\Windows\SysWOW64\Bmaplg32.dll Pcmlfl32.exe File opened for modification C:\Windows\SysWOW64\Hkbdki32.exe Hdilnojp.exe File created C:\Windows\SysWOW64\Cdbfab32.exe Cnindhpg.exe File opened for modification C:\Windows\SysWOW64\Jqhafffk.exe Jnjejjgh.exe File created C:\Windows\SysWOW64\Cihdpk32.dll Nchjdo32.exe File created C:\Windows\SysWOW64\Cmmdfp32.dll Dbocfo32.exe File opened for modification C:\Windows\SysWOW64\Fimodc32.exe Ffobhg32.exe File created C:\Windows\SysWOW64\Ceknlgnl.dll Glhimp32.exe File opened for modification C:\Windows\SysWOW64\Gadqlkep.exe Gkglja32.exe File created C:\Windows\SysWOW64\Ldqmlddk.dll Mpghkf32.exe File created C:\Windows\SysWOW64\Fgppmg32.dll Opogbbig.exe File created C:\Windows\SysWOW64\Jbojlfdp.exe Process not Found File created C:\Windows\SysWOW64\Jdljmf32.dll Jeqbpb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 16644 9200 Process not Found 1281 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffobhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mminhceb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpghkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgenbfoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakikoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amodep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmdnadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hioflcbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeddnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjcfabm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljbeali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnaokmco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihnmohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cponen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghojbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiieicml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhblllfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamiaboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiccajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgkelj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neoieenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dheibpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcoqocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdamgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdijbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmmaeap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieliebnf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebkbbmqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjfon32.dll" Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpdfl32.dll" Cglgjeci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhlgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poigcbng.dll" Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peehmbji.dll" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhpfjhc.dll" Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgigo32.dll" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liokmchg.dll" Edhjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgeakekd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bobabg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpmlnjco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lggldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnnjmbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emhldnkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmfdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enpfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khmnbgbp.dll" Ehfjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgbbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbqla32.dll" Eiildjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlnnc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnnhndk.dll" Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akqfkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfkhmdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibffhhek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjaqpbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgieglah.dll" Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbbcpq.dll" Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll" Lnjgfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Demnop32.dll" Gadqlkep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmljnd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll" Nnhmnn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2456 wrote to memory of 4780 2456 b7e513272533b1bcfc8a03e27a057200N.exe 83 PID 2456 wrote to memory of 4780 2456 b7e513272533b1bcfc8a03e27a057200N.exe 83 PID 2456 wrote to memory of 4780 2456 b7e513272533b1bcfc8a03e27a057200N.exe 83 PID 4780 wrote to memory of 1212 4780 Eehnem32.exe 85 PID 4780 wrote to memory of 1212 4780 Eehnem32.exe 85 PID 4780 wrote to memory of 1212 4780 Eehnem32.exe 85 PID 1212 wrote to memory of 4868 1212 Ehfjah32.exe 87 PID 1212 wrote to memory of 4868 1212 Ehfjah32.exe 87 PID 1212 wrote to memory of 4868 1212 Ehfjah32.exe 87 PID 4868 wrote to memory of 4200 4868 Edmjfifl.exe 88 PID 4868 wrote to memory of 4200 4868 Edmjfifl.exe 88 PID 4868 wrote to memory of 4200 4868 Edmjfifl.exe 88 PID 4200 wrote to memory of 3444 4200 Emeoooml.exe 89 PID 4200 wrote to memory of 3444 4200 Emeoooml.exe 89 PID 4200 wrote to memory of 3444 4200 Emeoooml.exe 89 PID 3444 wrote to memory of 1288 3444 Egnchd32.exe 91 PID 3444 wrote to memory of 1288 3444 Egnchd32.exe 91 PID 3444 wrote to memory of 1288 3444 Egnchd32.exe 91 PID 1288 wrote to memory of 208 1288 Emhldnkj.exe 92 PID 1288 wrote to memory of 208 1288 Emhldnkj.exe 92 PID 1288 wrote to memory of 208 1288 Emhldnkj.exe 92 PID 208 wrote to memory of 2208 208 Feocelll.exe 93 PID 208 wrote to memory of 2208 208 Feocelll.exe 93 PID 208 wrote to memory of 2208 208 Feocelll.exe 93 PID 2208 wrote to memory of 808 2208 Foghnabl.exe 94 PID 2208 wrote to memory of 808 2208 Foghnabl.exe 94 PID 2208 wrote to memory of 808 2208 Foghnabl.exe 94 PID 808 wrote to memory of 4736 808 Fafdkmap.exe 95 PID 808 wrote to memory of 4736 808 Fafdkmap.exe 95 PID 808 wrote to memory of 4736 808 Fafdkmap.exe 95 PID 4736 wrote to memory of 2820 4736 Fddqghpd.exe 96 PID 4736 wrote to memory of 2820 4736 Fddqghpd.exe 96 PID 4736 wrote to memory of 2820 4736 Fddqghpd.exe 96 PID 2820 wrote to memory of 1572 2820 Fgeihcme.exe 97 PID 2820 wrote to memory of 1572 2820 Fgeihcme.exe 97 PID 2820 wrote to memory of 1572 2820 Fgeihcme.exe 97 PID 1572 wrote to memory of 4420 1572 Fnobem32.exe 98 PID 1572 wrote to memory of 4420 1572 Fnobem32.exe 98 PID 1572 wrote to memory of 4420 1572 Fnobem32.exe 98 PID 4420 wrote to memory of 1504 4420 Fdijbg32.exe 99 PID 4420 wrote to memory of 1504 4420 Fdijbg32.exe 99 PID 4420 wrote to memory of 1504 4420 Fdijbg32.exe 99 PID 1504 wrote to memory of 4728 1504 Fnaokmco.exe 100 PID 1504 wrote to memory of 4728 1504 Fnaokmco.exe 100 PID 1504 wrote to memory of 4728 1504 Fnaokmco.exe 100 PID 4728 wrote to memory of 4940 4728 Fgjccb32.exe 101 PID 4728 wrote to memory of 4940 4728 Fgjccb32.exe 101 PID 4728 wrote to memory of 4940 4728 Fgjccb32.exe 101 PID 4940 wrote to memory of 3076 4940 Gkglja32.exe 102 PID 4940 wrote to memory of 3076 4940 Gkglja32.exe 102 PID 4940 wrote to memory of 3076 4940 Gkglja32.exe 102 PID 3076 wrote to memory of 4476 3076 Gadqlkep.exe 103 PID 3076 wrote to memory of 4476 3076 Gadqlkep.exe 103 PID 3076 wrote to memory of 4476 3076 Gadqlkep.exe 103 PID 4476 wrote to memory of 1412 4476 Gkleeplq.exe 104 PID 4476 wrote to memory of 1412 4476 Gkleeplq.exe 104 PID 4476 wrote to memory of 1412 4476 Gkleeplq.exe 104 PID 1412 wrote to memory of 1892 1412 Ghpendjj.exe 105 PID 1412 wrote to memory of 1892 1412 Ghpendjj.exe 105 PID 1412 wrote to memory of 1892 1412 Ghpendjj.exe 105 PID 1892 wrote to memory of 3984 1892 Gahjgj32.exe 106 PID 1892 wrote to memory of 3984 1892 Gahjgj32.exe 106 PID 1892 wrote to memory of 3984 1892 Gahjgj32.exe 106 PID 3984 wrote to memory of 4608 3984 Goljqnpd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7e513272533b1bcfc8a03e27a057200N.exe"C:\Users\Admin\AppData\Local\Temp\b7e513272533b1bcfc8a03e27a057200N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe23⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe24⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe25⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe26⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe27⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe28⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe29⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe30⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe31⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe32⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe34⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe35⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe37⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe39⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe40⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe41⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe43⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe44⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe45⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe46⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe49⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe50⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe51⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe52⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe53⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe55⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5024 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe57⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe58⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe59⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe60⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe61⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe62⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe63⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe64⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe65⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe66⤵PID:1972
-
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1120 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe68⤵
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe69⤵PID:4032
-
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe70⤵
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe71⤵PID:1948
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe72⤵PID:4192
-
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe73⤵PID:4084
-
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe74⤵PID:1648
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe75⤵
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe76⤵PID:4872
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe77⤵PID:684
-
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe78⤵PID:1756
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe79⤵PID:1404
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe80⤵PID:3248
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe81⤵
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe82⤵PID:3356
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe83⤵PID:4996
-
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe84⤵PID:3560
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe85⤵PID:3960
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe86⤵PID:1220
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe87⤵PID:1464
-
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe88⤵PID:4628
-
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe89⤵PID:4392
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe90⤵PID:816
-
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe91⤵PID:3540
-
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe92⤵PID:2564
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe93⤵PID:4816
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe94⤵PID:1980
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe95⤵PID:4600
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe96⤵PID:3056
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe97⤵PID:4088
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe98⤵PID:1248
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe99⤵PID:3912
-
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe100⤵PID:4444
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe101⤵PID:5116
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe102⤵PID:1364
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe104⤵PID:4900
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe105⤵PID:4172
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe106⤵PID:2508
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe107⤵PID:3324
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4300 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe109⤵PID:3640
-
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe110⤵PID:4704
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe111⤵PID:5132
-
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe112⤵PID:5176
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe113⤵PID:5220
-
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe114⤵PID:5264
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe115⤵
- Drops file in System32 directory
PID:5304 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe116⤵PID:5348
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe117⤵PID:5388
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe118⤵PID:5436
-
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe119⤵PID:5480
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe120⤵
- Drops file in System32 directory
PID:5524 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe121⤵PID:5568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-