Analysis
max time kernel: 131s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-08-2024 00:13
Static task: static1
Behavioral task: behavioral1
Sample: 8599c0ee2f972593d38003925f06ca217686418481182f393864a8f012908f2a.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 8599c0ee2f972593d38003925f06ca217686418481182f393864a8f012908f2a.exe
Resource: win10v2004-20240802-en
General
Target: 8599c0ee2f972593d38003925f06ca217686418481182f393864a8f012908f2a.exe
Size: 1.3MB
MD5: d409905037d0bfdcd4274f79807e1827
SHA1: 075f1d7b91e4066fbbe2123603ca36128688e4de
SHA256: 8599c0ee2f972593d38003925f06ca217686418481182f393864a8f012908f2a
SHA512: ff42683f0b09e93cfeb161c277f2a5d3379ea4b804c0fde4637e6c8ff8853b8dd2830ee5aa139894162efab030ffa5211c2df935c69fa2a0fbeefdc7e22f2f24
SSDEEP: 12288:RXaT5QtAbaz22cWfVaw0HBHY8r8ABjMn:NatWsaK2cWfVaw0HB48r8ABY
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 9100, pid_target: 10624, Process: WerFault.exe, procid_target: 1007
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbccbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjmaneh.dll" Apkjddke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhiljk32.dll" Hfeoijbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkomhhae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbgcch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihnhc32.dll" Ioppho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbeaba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aploae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aikijjon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhgpbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khpcid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhdaik32.dll" Bammeebe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbofdg32.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophoih32.dll" Phpbffnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfaglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Addhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicholpm.dll" Mpkkgbmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohecgli.dll" Haaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpbl32.dll" Alplfpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imdgljil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Decdeama.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gipbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgmkbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciaddaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogbbqo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnanadfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkqqjac.dll" Giofggia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnjjmmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdbmfhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkpbpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mojmbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Booaii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abmhbplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agmmnnpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljncnhhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpdml32.dll" Hleneo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omkdcccb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghmkol32.exe Key created 
description | ioc | Process
(continued) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mdkhkflh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljhfc32.dll" | Hfpenj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lbenho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hjfplo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iajkohmj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qiocde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Clihcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifhibhfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Odbgbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdmcki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elngne32.dll" | Nggjog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nicalpak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pblolb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jcmkjeko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Acpkbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemjonmn.dll" | Elhnhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bgimjmfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hfpenj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aqbfaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnkjb32.dll" | Dndlba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eelpqi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nbhkjicf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ihcclb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nieggill.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ppmleagi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ahnclp32.exe
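The registry rows above only make sense when read as a chain: the ShellServiceObjectDelayLoad value names a CLSID, and that CLSID's InProcServer32 default value names the DLL that explorer.exe will load at logon. The following Python is an added example, not code from the report or from the sample, that parses rows in the format this page uses and joins the two halves of the chain by CLSID. The regular expressions, function names and the sample rows (copied from the IoC tables on this page) are the example's own assumptions.

```python
"""Added example (not from the report or the sample): reconstruct the
Explorer-loaded persistence chain from sandbox registry IoC rows in the format
used on this page. ShellServiceObjectDelayLoad (SSODL) values name a CLSID;
the CLSID's InProcServer32 default value names the DLL explorer.exe will load."""
import re
from collections import defaultdict

# One "Set value" row as printed: action, type, key\valuename, value, writing process.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<val>.*)" (?P<proc>\S+)$'
)
KEY_CREATED_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+) (?P<proc>\S+)$')
# A CLSID's InProcServer32 key; its default value (empty value name) is the DLL path.
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$', re.IGNORECASE)
SSODL_SUFFIX = "\\shellserviceobjectdelayload"

# Constructed sample: rows copied from the IoC tables on this page.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcmqin32.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpfcl32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odbgbb32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljhfc32.dll" Hfpenj32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbenho32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elngne32.dll" Nggjog32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemjonmn.dll" Elhnhm32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnkjb32.dll" Dndlba32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaepgacn.exe',
]


def to_hive_path(key):
    """Map the kernel-style \\REGISTRY\\MACHINE prefix to the HKLM form reg.exe uses."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if key.upper().startswith(prefix):
            return hive + key[len(prefix):]
    return key


def parse_line(line):
    """Return a dict for a 'Set value' or 'Key created' row, or None for anything else."""
    m = SET_VALUE_RE.match(line)
    if m:
        key, name = m.group("key").rsplit("\\", 1)   # a trailing "\" means the default value
        value = m.group("val").replace("\\\\", "\\")  # the report doubles backslashes in values
        return {"action": "set", "key": key, "name": name, "value": value, "proc": m.group("proc")}
    m = KEY_CREATED_RE.match(line)
    if m:
        return {"action": "create", "key": m.group("key"), "name": None, "value": None, "proc": m.group("proc")}
    return None


def resolve_ssodl_persistence(lines):
    """Join SSODL values to InProcServer32 default values by CLSID."""
    ssodl = {}                 # value name -> (clsid, key)
    inproc = defaultdict(set)  # clsid -> {(dll path, writing process)}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "set":
            continue
        if rec["key"].lower().endswith(SSODL_SUFFIX):
            ssodl[rec["name"]] = (rec["value"].upper(), rec["key"])
        m = INPROC_RE.search(rec["key"])
        if m and rec["name"] == "":
            inproc[m.group(1).upper()].add((rec["value"], rec["proc"]))
    entries = []
    for name, (clsid, key) in sorted(ssodl.items()):
        for dll, proc in sorted(inproc.get(clsid, ())):
            entries.append({"ssodl_key": to_hive_path(key), "ssodl_value": name,
                            "clsid": clsid, "dll": dll, "written_by": proc})
    return entries


def describe(entries):
    """One human-readable line per resolved SSODL -> CLSID -> DLL chain."""
    return [f'{e["ssodl_key"]}\\{e["ssodl_value"]} -> {e["clsid"]} -> {e["dll"]} (written by {e["written_by"]})'
            for e in entries]


if __name__ == "__main__":
    for line in describe(resolve_ssodl_persistence(SAMPLE_LINES)):
        print(line)
```

On a live host the same join is what you would do by hand: enumerate the SSODL key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion (and its WOW6432Node twin), then look up each CLSID's InProcServer32 default value under HKCR\CLSID; a value pointing at a DLL with a random-looking name in SysWow64, as here, is the thing to pull and hash.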
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows
PID 1480 wrote to memory of 5076 | 1480 | 8599c0ee2f972593d38003925f06ca217686418481182f393864a8f012908f2a.exe | 91 | recorded 3 times
PID 5076 wrote to memory of 540 | 5076 | Loopdmpk.exe | 93 | recorded 3 times
PID 540 wrote to memory of 2324 | 540 | Mkepineo.exe | 94 | recorded 3 times
PID 2324 wrote to memory of 4372 | 2324 | Mafofggd.exe | 96 | recorded 3 times
PID 4372 wrote to memory of 3600 | 4372 | Nomlek32.exe | 97 | recorded 3 times
PID 3600 wrote to memory of 752 | 3600 | Nfiagd32.exe | 98 | recorded 3 times
PID 752 wrote to memory of 2028 | 752 | Ncmaai32.exe | 99 | recorded 3 times
PID 2028 wrote to memory of 384 | 2028 | Odgqopeb.exe | 100 | recorded 3 times
PID 384 wrote to memory of 3564 | 384 | Ocknbglo.exe | 101 | recorded 3 times
PID 3564 wrote to memory of 5064 | 3564 | Pcpgmf32.exe | 102 | recorded 3 times
PID 5064 wrote to memory of 448 | 5064 | Pmjhlklg.exe | 103 | recorded 3 times
PID 448 wrote to memory of 1484 | 448 | Pcfmneaa.exe | 104 | recorded 3 times
PID 1484 wrote to memory of 2420 | 1484 | Piceflpi.exe | 105 | recorded 3 times
PID 2420 wrote to memory of 2652 | 2420 | Qkfkng32.exe | 106 | recorded 3 times
PID 2652 wrote to memory of 4844 | 2652 | Acppddig.exe | 107 | recorded 3 times
PID 4844 wrote to memory of 740 | 4844 | Aecialmb.exe | 108 | recorded 3 times
PID 740 wrote to memory of 2528 | 740 | Aiabhj32.exe | 109 | recorded 3 times
PID 2528 wrote to memory of 4708 | 2528 | Apkjddke.exe | 110 | recorded 3 times
PID 4708 wrote to memory of 5000 | 4708 | Bppcpc32.exe | 111 | recorded 3 times
PID 5000 wrote to memory of 4340 | 5000 | Blgddd32.exe | 112 | recorded 3 times
PID 4340 wrote to memory of 184 | 4340 | Bipnihgi.exe | 113 | recorded 3 times
PID 184 wrote to memory of 4944 | 184 | Cbhbbn32.exe | 114 | recorded once (the 64th and last row of the list)
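The 64 rows above are a single linear chain: every process writes into the one it spawns, and each edge is recorded three times. The following Python is an added example, not code from the report or the sample, that parses rows in this format even when the page has flattened them onto one line, counts the writes per edge, finds the root (the only writer that is never a target) and walks the chain from it. The regular expression, function names and the constructed input (the first six edges of the table above, each repeated three times as recorded) are assumptions of the example.

```python
"""Added example (not from the report or the sample): rebuild the parent-to-child
chain from "wrote to memory of" rows in the format used on this page."""
import re
from collections import Counter, defaultdict

# One row as printed: "PID <pid> wrote to memory of <target> <pid> <image> <procid_target>".
# The backreference insists that the repeated pid column matches the one in the description.
ROW_RE = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<procid>\d+)"
)

SAMPLE_NAME = "8599c0ee2f972593d38003925f06ca217686418481182f393864a8f012908f2a.exe"
# Constructed sample: the first six edges of the table on this page (writer pid,
# target pid, writer image, procid_target); each row was recorded three times.
SAMPLE_EDGES = [
    (1480, 5076, SAMPLE_NAME, 91),
    (5076, 540, "Loopdmpk.exe", 93),
    (540, 2324, "Mkepineo.exe", 94),
    (2324, 4372, "Mafofggd.exe", 96),
    (4372, 3600, "Nomlek32.exe", 97),
    (3600, 752, "Nfiagd32.exe", 98),
]
# Flattened onto one line with single spaces, as the page renders the table.
FLATTENED = " ".join(
    f"PID {pid} wrote to memory of {target} {pid} {image} {procid}"
    for pid, target, image, procid in SAMPLE_EDGES
    for _ in range(3)
)


def parse_wpm_rows(text):
    """Extract every row from flattened or line-broken table text."""
    return [
        {"pid": int(m["pid"]), "target": int(m["target"]),
         "image": m["image"], "procid_target": int(m["procid"])}
        for m in ROW_RE.finditer(text)
    ]


def injection_chain(rows):
    """Count writes per (writer, target) edge and walk the chain from the root writer."""
    writes = Counter((r["pid"], r["target"]) for r in rows)
    children = defaultdict(list)  # writer pid -> [(target pid, writer image)], deduplicated
    for r in rows:
        edge = (r["target"], r["image"])
        if edge not in children[r["pid"]]:
            children[r["pid"]].append(edge)
    targets = {r["target"] for r in rows}
    roots = sorted(pid for pid in children if pid not in targets)
    edges = []
    if roots:
        queue, seen = [roots[0]], set()
        while queue:
            pid = queue.pop(0)
            if pid in seen:        # a cycle would otherwise loop forever
                continue
            seen.add(pid)
            for target, image in children.get(pid, []):
                edges.append({"pid": pid, "image": image, "target": target,
                              "writes": writes[(pid, target)]})
                queue.append(target)
    return {"roots": roots, "edges": edges, "write_counts": dict(writes)}


def chain_images(rows):
    """Writer images in chain order, i.e. the order the dropped EXEs were started."""
    return [e["image"] for e in injection_chain(rows)["edges"]]


if __name__ == "__main__":
    chain = injection_chain(parse_wpm_rows(FLATTENED))
    print("root pid:", chain["roots"])
    for e in chain["edges"]:
        print(f'{e["pid"]} ({e["image"]}) -> {e["target"]}  x{e["writes"]}')
```

Run against the full 64-row table this gives one root (1480), 22 edges and a write count of 3 on every edge except the last, which matches the depth-ordered process tree in the next section without having to read it by hand.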
Processes
depth. image | cmd: command line as recorded | PID | signatures (each process at depth n is the child of the process at depth n-1)
1. C:\Users\Admin\AppData\Local\Temp\8599c0ee2f972593d38003925f06ca217686418481182f393864a8f012908f2a.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\8599c0ee2f972593d38003925f06ca217686418481182f393864a8f012908f2a.exe" | PID 1480 | Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Loopdmpk.exe | cmd: C:\Windows\system32\Loopdmpk.exe | PID 5076 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Mkepineo.exe | cmd: C:\Windows\system32\Mkepineo.exe | PID 540 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Mafofggd.exe | cmd: C:\Windows\system32\Mafofggd.exe | PID 2324 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Nomlek32.exe | cmd: C:\Windows\system32\Nomlek32.exe | PID 4372 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Nfiagd32.exe | cmd: C:\Windows\system32\Nfiagd32.exe | PID 3600 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ncmaai32.exe | cmd: C:\Windows\system32\Ncmaai32.exe | PID 752 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Odgqopeb.exe | cmd: C:\Windows\system32\Odgqopeb.exe | PID 2028 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ocknbglo.exe | cmd: C:\Windows\system32\Ocknbglo.exe | PID 384 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pcpgmf32.exe | cmd: C:\Windows\system32\Pcpgmf32.exe | PID 3564 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pmjhlklg.exe | cmd: C:\Windows\system32\Pmjhlklg.exe | PID 5064 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pcfmneaa.exe | cmd: C:\Windows\system32\Pcfmneaa.exe | PID 448 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Piceflpi.exe | cmd: C:\Windows\system32\Piceflpi.exe | PID 1484 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Qkfkng32.exe | cmd: C:\Windows\system32\Qkfkng32.exe | PID 2420 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Acppddig.exe | cmd: C:\Windows\system32\Acppddig.exe | PID 2652 | Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Aecialmb.exe | cmd: C:\Windows\system32\Aecialmb.exe | PID 4844 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Aiabhj32.exe | cmd: C:\Windows\system32\Aiabhj32.exe | PID 740 | Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Apkjddke.exe | cmd: C:\Windows\system32\Apkjddke.exe | PID 2528 | Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Bppcpc32.exe | cmd: C:\Windows\system32\Bppcpc32.exe | PID 4708 | Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Blgddd32.exe | cmd: C:\Windows\system32\Blgddd32.exe | PID 5000 | Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Bipnihgi.exe | cmd: C:\Windows\system32\Bipnihgi.exe | PID 4340 | Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Cbhbbn32.exe | cmd: C:\Windows\system32\Cbhbbn32.exe | PID 184 | Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Cdjlap32.exe | cmd: C:\Windows\system32\Cdjlap32.exe | PID 4944 | Executes dropped EXE
24. C:\Windows\SysWOW64\Clgmkbna.exe | cmd: C:\Windows\system32\Clgmkbna.exe | PID 1420 | Executes dropped EXE
25. C:\Windows\SysWOW64\Dpefaq32.exe | cmd: C:\Windows\system32\Dpefaq32.exe | PID 4588 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
26. C:\Windows\SysWOW64\Dlncla32.exe | cmd: C:\Windows\system32\Dlncla32.exe | PID 4540 | Executes dropped EXE
27. C:\Windows\SysWOW64\Defheg32.exe | cmd: C:\Windows\system32\Defheg32.exe | PID 64 | Executes dropped EXE
28. C:\Windows\SysWOW64\Dgfdojfm.exe | cmd: C:\Windows\system32\Dgfdojfm.exe | PID 3084 | Executes dropped EXE
29. C:\Windows\SysWOW64\Eennefib.exe | cmd: C:\Windows\system32\Eennefib.exe | PID 3500 | Executes dropped EXE
30. C:\Windows\SysWOW64\Eljchpnl.exe | cmd: C:\Windows\system32\Eljchpnl.exe | PID 2044 | Executes dropped EXE
31. C:\Windows\SysWOW64\Enllgbcl.exe | cmd: C:\Windows\system32\Enllgbcl.exe | PID 4948 | Executes dropped EXE
32. C:\Windows\SysWOW64\Fgfmeg32.exe | cmd: C:\Windows\system32\Fgfmeg32.exe | PID 4308 | Executes dropped EXE
33. C:\Windows\SysWOW64\Fpoaom32.exe | cmd: C:\Windows\system32\Fpoaom32.exe | PID 916 | Executes dropped EXE
34. C:\Windows\SysWOW64\Fcmnkh32.exe | cmd: C:\Windows\system32\Fcmnkh32.exe | PID 4900 | Executes dropped EXE
35. C:\Windows\SysWOW64\Flfbcndo.exe | cmd: C:\Windows\system32\Flfbcndo.exe | PID 1056 | Executes dropped EXE
36. C:\Windows\SysWOW64\Fcpkph32.exe | cmd: C:\Windows\system32\Fcpkph32.exe | PID 1972 | Executes dropped EXE
37. C:\Windows\SysWOW64\Fljlom32.exe | cmd: C:\Windows\system32\Fljlom32.exe | PID 4792 | Executes dropped EXE
38. C:\Windows\SysWOW64\Gnjhhpgl.exe | cmd: C:\Windows\system32\Gnjhhpgl.exe | PID 3980 | Executes dropped EXE; System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Gloejmld.exe | cmd: C:\Windows\system32\Gloejmld.exe | PID 1732 | Executes dropped EXE
40. C:\Windows\SysWOW64\Ggdigekj.exe | cmd: C:\Windows\system32\Ggdigekj.exe | PID 3088 | Executes dropped EXE
41. C:\Windows\SysWOW64\Gnoacp32.exe | cmd: C:\Windows\system32\Gnoacp32.exe | PID 4612 | Executes dropped EXE
42. C:\Windows\SysWOW64\Gckjlf32.exe | cmd: C:\Windows\system32\Gckjlf32.exe | PID 4224 | Executes dropped EXE
43. C:\Windows\SysWOW64\Gjebiq32.exe | cmd: C:\Windows\system32\Gjebiq32.exe | PID 4820 | Executes dropped EXE
44. C:\Windows\SysWOW64\Gflcnanp.exe | cmd: C:\Windows\system32\Gflcnanp.exe | PID 4388 | Executes dropped EXE
45. C:\Windows\SysWOW64\Gdmcki32.exe | cmd: C:\Windows\system32\Gdmcki32.exe | PID 2764 | Executes dropped EXE; Modifies registry class
46. C:\Windows\SysWOW64\Hnhdjn32.exe | cmd: C:\Windows\system32\Hnhdjn32.exe | PID 4416 | Executes dropped EXE
47. C:\Windows\SysWOW64\Hdbmfhbi.exe | cmd: C:\Windows\system32\Hdbmfhbi.exe | PID 772 | Executes dropped EXE; Modifies registry class
48. C:\Windows\SysWOW64\Hjoeoo32.exe | cmd: C:\Windows\system32\Hjoeoo32.exe | PID 3128 | Executes dropped EXE
49. C:\Windows\SysWOW64\Hfefdpfe.exe | cmd: C:\Windows\system32\Hfefdpfe.exe | PID 3620 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; System Location Discovery: System Language Discovery
50. C:\Windows\SysWOW64\Hgebnc32.exe | cmd: C:\Windows\system32\Hgebnc32.exe | PID 1676 | Executes dropped EXE
51. C:\Windows\SysWOW64\Iggocbke.exe | cmd: C:\Windows\system32\Iggocbke.exe | PID 4356 | Executes dropped EXE
52. C:\Windows\SysWOW64\Imdgljil.exe | cmd: C:\Windows\system32\Imdgljil.exe | PID 4144 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
53. C:\Windows\SysWOW64\Icnphd32.exe | cmd: C:\Windows\system32\Icnphd32.exe | PID 964 | Executes dropped EXE; Drops file in System32 directory
54. C:\Windows\SysWOW64\Incdem32.exe | cmd: C:\Windows\system32\Incdem32.exe | PID 3596 | Executes dropped EXE
55. C:\Windows\SysWOW64\Icqmncof.exe | cmd: C:\Windows\system32\Icqmncof.exe | PID 1132 | Executes dropped EXE
56. C:\Windows\SysWOW64\Imiagi32.exe | cmd: C:\Windows\system32\Imiagi32.exe | PID 1336 | Executes dropped EXE
57. C:\Windows\SysWOW64\Igneda32.exe | cmd: C:\Windows\system32\Igneda32.exe | PID 4432 | Executes dropped EXE
58. C:\Windows\SysWOW64\Ijmapm32.exe | cmd: C:\Windows\system32\Ijmapm32.exe | PID 2896 | Executes dropped EXE
59. C:\Windows\SysWOW64\Iebfmfdg.exe | cmd: C:\Windows\system32\Iebfmfdg.exe | PID 1244 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
60. C:\Windows\SysWOW64\Imnjbhaa.exe | cmd: C:\Windows\system32\Imnjbhaa.exe | PID 2796 | Executes dropped EXE
61. C:\Windows\SysWOW64\Jffokn32.exe | cmd: C:\Windows\system32\Jffokn32.exe | PID 4752 | Executes dropped EXE; Drops file in System32 directory
62. C:\Windows\SysWOW64\Jnmglk32.exe | cmd: C:\Windows\system32\Jnmglk32.exe | PID 636 | Executes dropped EXE
63. C:\Windows\SysWOW64\Jcjodbgl.exe | cmd: C:\Windows\system32\Jcjodbgl.exe | PID 1576 | Executes dropped EXE
64. C:\Windows\SysWOW64\Jghhjq32.exe | cmd: C:\Windows\system32\Jghhjq32.exe | PID 1508 | Executes dropped EXE
65. C:\Windows\SysWOW64\Japmcfcc.exe | cmd: C:\Windows\system32\Japmcfcc.exe | PID 4512 | Executes dropped EXE
66. C:\Windows\SysWOW64\Jcoioabf.exe | cmd: C:\Windows\system32\Jcoioabf.exe | PID 2400 | Drops file in System32 directory
67. C:\Windows\SysWOW64\Jabiie32.exe | cmd: C:\Windows\system32\Jabiie32.exe | PID 5028 | System Location Discovery: System Language Discovery
68. C:\Windows\SysWOW64\Jfoaam32.exe | cmd: C:\Windows\system32\Jfoaam32.exe | PID 3952 | none listed
69. C:\Windows\SysWOW64\Jmijnfgd.exe | cmd: C:\Windows\system32\Jmijnfgd.exe | PID 1680 | System Location Discovery: System Language Discovery
70. C:\Windows\SysWOW64\Kccbjq32.exe | cmd: C:\Windows\system32\Kccbjq32.exe | PID 676 | none listed
71. C:\Windows\SysWOW64\Kagbdenk.exe | cmd: C:\Windows\system32\Kagbdenk.exe | PID 2664 | none listed
72. C:\Windows\SysWOW64\Kmncif32.exe | cmd: C:\Windows\system32\Kmncif32.exe | PID 4636 | Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Khcgfo32.exe | cmd: C:\Windows\system32\Khcgfo32.exe | PID 2472 | System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Kjbdbjbi.exe | cmd: C:\Windows\system32\Kjbdbjbi.exe | PID 4024 | none listed
75. C:\Windows\SysWOW64\Keghocao.exe | cmd: C:\Windows\system32\Keghocao.exe | PID 652 | none listed
76. C:\Windows\SysWOW64\Kejeebpl.exe | cmd: C:\Windows\system32\Kejeebpl.exe | PID 5144 | Drops file in System32 directory
77. C:\Windows\SysWOW64\Kmeiie32.exe | cmd: C:\Windows\system32\Kmeiie32.exe | PID 5188 | none listed
78. C:\Windows\SysWOW64\Ldoafodd.exe | cmd: C:\Windows\system32\Ldoafodd.exe | PID 5228 | none listed
79. C:\Windows\SysWOW64\Ljijci32.exe | cmd: C:\Windows\system32\Ljijci32.exe | PID 5268 | none listed
80. C:\Windows\SysWOW64\Lennpb32.exe | cmd: C:\Windows\system32\Lennpb32.exe | PID 5308 | none listed
81. C:\Windows\SysWOW64\Lfpkhjae.exe | cmd: C:\Windows\system32\Lfpkhjae.exe | PID 5348 | none listed
82. C:\Windows\SysWOW64\Ljncnhhk.exe | cmd: C:\Windows\system32\Ljncnhhk.exe | PID 5392 | Modifies registry class
83. C:\Windows\SysWOW64\Laglkb32.exe | cmd: C:\Windows\system32\Laglkb32.exe | PID 5440 | none listed
84. C:\Windows\SysWOW64\Lmnlpcel.exe | cmd: C:\Windows\system32\Lmnlpcel.exe | PID 5484 | Drops file in System32 directory
85. C:\Windows\SysWOW64\Lfgahikm.exe | cmd: C:\Windows\system32\Lfgahikm.exe | PID 5532 | none listed
86. C:\Windows\SysWOW64\Mehafq32.exe | cmd: C:\Windows\system32\Mehafq32.exe | PID 5572 | none listed
87. C:\Windows\SysWOW64\Mkdiog32.exe | cmd: C:\Windows\system32\Mkdiog32.exe | PID 5616 | none listed
88. C:\Windows\SysWOW64\Mhhjhlqm.exe | cmd: C:\Windows\system32\Mhhjhlqm.exe | PID 5664 | Drops file in System32 directory
89. C:\Windows\SysWOW64\Meljappg.exe | cmd: C:\Windows\system32\Meljappg.exe | PID 5708 | none listed
90. C:\Windows\SysWOW64\Mhmcck32.exe | cmd: C:\Windows\system32\Mhmcck32.exe | PID 5752 | none listed
91. C:\Windows\SysWOW64\Mklpof32.exe | cmd: C:\Windows\system32\Mklpof32.exe | PID 5796 | none listed
92. C:\Windows\SysWOW64\Maehlqch.exe | cmd: C:\Windows\system32\Maehlqch.exe | PID 5840 | none listed
93. C:\Windows\SysWOW64\Mhppik32.exe | cmd: C:\Windows\system32\Mhppik32.exe | PID 5884 | none listed
94. C:\Windows\SysWOW64\Moiheebb.exe | cmd: C:\Windows\system32\Moiheebb.exe | PID 5936 | Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Ndfanlpi.exe | cmd: C:\Windows\system32\Ndfanlpi.exe | PID 5980 | none listed
96. C:\Windows\SysWOW64\Nefmgogl.exe | cmd: C:\Windows\system32\Nefmgogl.exe | PID 6028 | none listed
97. C:\Windows\SysWOW64\Nggjog32.exe | cmd: C:\Windows\system32\Nggjog32.exe | PID 6060 | Drops file in System32 directory; Modifies registry class
98. C:\Windows\SysWOW64\Nnabladg.exe | cmd: C:\Windows\system32\Nnabladg.exe | PID 6112 | none listed
99. C:\Windows\SysWOW64\Nehjmnei.exe | cmd: C:\Windows\system32\Nehjmnei.exe | PID 5220 | none listed
100. C:\Windows\SysWOW64\Nhffijdm.exe | cmd: C:\Windows\system32\Nhffijdm.exe | PID 5292 | none listed
101. C:\Windows\SysWOW64\Noqofdlj.exe | cmd: C:\Windows\system32\Noqofdlj.exe | PID 5368 | none listed
102. C:\Windows\SysWOW64\Nejgbn32.exe | cmd: C:\Windows\system32\Nejgbn32.exe | PID 5432 | none listed
103. C:\Windows\SysWOW64\Nemchn32.exe | cmd: C:\Windows\system32\Nemchn32.exe | PID 5496 | none listed
104. C:\Windows\SysWOW64\Oacdmo32.exe | cmd: C:\Windows\system32\Oacdmo32.exe | PID 5568 | none listed
105. C:\Windows\SysWOW64\Ohnljine.exe | cmd: C:\Windows\system32\Ohnljine.exe | PID 5640 | none listed
106. C:\Windows\SysWOW64\Onjebpml.exe | cmd: C:\Windows\system32\Onjebpml.exe | PID 5704 | System Location Discovery: System Language Discovery
107. C:\Windows\SysWOW64\Oddmoj32.exe | cmd: C:\Windows\system32\Oddmoj32.exe | PID 5776 | none listed
108. C:\Windows\SysWOW64\Okneldkf.exe | cmd: C:\Windows\system32\Okneldkf.exe | PID 5836 | none listed
109. C:\Windows\SysWOW64\Ogefqeaj.exe | cmd: C:\Windows\system32\Ogefqeaj.exe | PID 5920 | none listed
110. C:\Windows\SysWOW64\Oolnabal.exe | cmd: C:\Windows\system32\Oolnabal.exe | PID 5964 | none listed
111. C:\Windows\SysWOW64\Oggbfdog.exe | cmd: C:\Windows\system32\Oggbfdog.exe | PID 6044 | none listed
112. C:\Windows\SysWOW64\Ofhcdlgg.exe | cmd: C:\Windows\system32\Ofhcdlgg.exe | PID 5216 | none listed
113. C:\Windows\SysWOW64\Okeklcen.exe | cmd: C:\Windows\system32\Okeklcen.exe | PID 5296 | none listed
114. C:\Windows\SysWOW64\Paocim32.exe | cmd: C:\Windows\system32\Paocim32.exe | PID 5420 | none listed
115. C:\Windows\SysWOW64\Pkhhbbck.exe | cmd: C:\Windows\system32\Pkhhbbck.exe | PID 5528 | System Location Discovery: System Language Discovery
116. C:\Windows\SysWOW64\Pdpmkhjl.exe | cmd: C:\Windows\system32\Pdpmkhjl.exe | PID 5636 | none listed
117. C:\Windows\SysWOW64\Pnhacn32.exe | cmd: C:\Windows\system32\Pnhacn32.exe | PID 5772 | Drops file in System32 directory
118. C:\Windows\SysWOW64\Pdbiphhi.exe | cmd: C:\Windows\system32\Pdbiphhi.exe | PID 5860 | none listed
119. C:\Windows\SysWOW64\Pklamb32.exe | cmd: C:\Windows\system32\Pklamb32.exe | PID 5948 | none listed
120. C:\Windows\SysWOW64\Pnknim32.exe | cmd: C:\Windows\system32\Pnknim32.exe | PID 6068 | none listed
121. C:\Windows\SysWOW64\Phpbffnp.exe | cmd: C:\Windows\system32\Phpbffnp.exe | PID 5212 | Modifies registry class
122. C:\Windows\SysWOW64\Pojjcp32.exe | cmd: C:\Windows\system32\Pojjcp32.exe | PID 5412 | none listed