Analysis
-
max time kernel
94s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17/08/2024, 02:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7.exe
-
Size
352KB
-
MD5
f5a23bab081ee0a17483d8c01e84f3f7
-
SHA1
22ca81b740d9e4eac6e76c901fb218896158f6a4
-
SHA256
8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7
-
SHA512
7ad937548e16ab24bc104db35c3abad6064de7e78e3dea6c2662cb866fd3ff6bf6b1b124733c8c6db9a26a068b68c81c6eb67cc7d683e8ed0440fd9ce47505aa
-
SSDEEP
6144:MSBCCKg4Iz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:GCKgAsUasUqsU6sp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjlkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eciplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifomll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npiiffqe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpodlbng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoipb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmokop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdnjple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhofmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikndgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mifljdjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnoplhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjjahe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhafeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiodmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjmel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngcje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkbpoog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckppl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppopjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injcmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pamiaboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocamjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfegk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdepgkgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjafok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkomneim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjliajmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffken32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkeio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akoqpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamknj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kndojobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkkjmlan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggbook32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llflea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdokdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqimikfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifbbig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liqihglg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedlgbkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnoaaaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cponen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhmigagd.exe -
Executes dropped EXE 64 IoCs
pid Process 712 Hakgmjoh.exe 2648 Hoogfnnb.exe 4664 Hdlpneli.exe 4056 Hoadkn32.exe 3056 Hbpphi32.exe 3856 Hdnldd32.exe 3124 Hglipp32.exe 688 Hkjafn32.exe 2976 Hbdjchgn.exe 1040 Hkmnln32.exe 1252 Ifbbig32.exe 4532 Ikokan32.exe 3580 Ifdonfka.exe 4460 Iomcgl32.exe 3992 Ifgldfio.exe 4008 Ikcdlmgf.exe 4976 Iigdfa32.exe 2376 Indmnh32.exe 2700 Ifleoe32.exe 1188 Jngjch32.exe 716 Jilnqqbj.exe 2892 Jkkjmlan.exe 2532 Jfpojead.exe 1560 Jiokfpph.exe 1064 Jiaglp32.exe 4800 Jpkphjeb.exe 1156 Jbileede.exe 4560 Jkaqnk32.exe 3872 Jnpmjf32.exe 4484 Kppici32.exe 3900 Kbnepe32.exe 1696 Kihnmohm.exe 936 Kpbfii32.exe 3012 Kflnfcgg.exe 4660 Kngcje32.exe 4776 Khpgckkb.exe 2616 Klkcdj32.exe 824 Kfqgab32.exe 1960 Kiodmn32.exe 532 Khbdikip.exe 4828 Kefdbo32.exe 3588 Llpmoiof.exe 3524 Lbjelc32.exe 804 Lehaho32.exe 2800 Lhfmdj32.exe 868 Lnqeqd32.exe 3336 Lejnmncd.exe 4292 Lldfjh32.exe 4844 Lbnngbbn.exe 3080 Lhkgoiqe.exe 3156 Lpbopfag.exe 1272 Lflgmqhd.exe 4416 Likcilhh.exe 4072 Lbchba32.exe 4820 Lfodbqfa.exe 2320 Mlklkgei.exe 5116 Mojhgbdl.exe 1044 Medqcmki.exe 4512 Mhbmphjm.exe 3352 Mpieqeko.exe 920 Mefmimif.exe 5088 Mlpeff32.exe 3920 Moobbb32.exe 4172 Mffjcopi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gddbcp32.exe Gaefgd32.exe File created C:\Windows\SysWOW64\Hgfapd32.exe Hdhedh32.exe File created C:\Windows\SysWOW64\Gingkqkd.exe Gfokoelp.exe File created C:\Windows\SysWOW64\Fmjhedep.dll Lmgabcge.exe File created C:\Windows\SysWOW64\Dfdcmnil.dll Lpbopfag.exe File created C:\Windows\SysWOW64\Cinbbnpa.dll Jdnoplhh.exe File created C:\Windows\SysWOW64\Ijagjini.dll Ejfeng32.exe File opened for modification C:\Windows\SysWOW64\Aednci32.exe Anmfbl32.exe File opened for modification C:\Windows\SysWOW64\Iohejo32.exe Iliinc32.exe File created C:\Windows\SysWOW64\Kjccdkki.exe Jgeghp32.exe File created C:\Windows\SysWOW64\Hleoiomo.dll Kkconn32.exe File opened for modification C:\Windows\SysWOW64\Oaifpi32.exe Ojomcopk.exe File created C:\Windows\SysWOW64\Fomnhddq.dll Process not Found File opened for modification C:\Windows\SysWOW64\Npiiffqe.exe Nnhmnn32.exe File opened for modification C:\Windows\SysWOW64\Lankbigo.exe Lbkkgl32.exe File created C:\Windows\SysWOW64\Aqoiqn32.exe Afjeceml.exe File created C:\Windows\SysWOW64\Hfombjbg.dll Knkekn32.exe File created C:\Windows\SysWOW64\Ddhnoefl.dll Ohpkmn32.exe File created C:\Windows\SysWOW64\Ejlgio32.dll Lnohlgep.exe File created C:\Windows\SysWOW64\Oghdfilo.dll Ecbjkngo.exe File created C:\Windows\SysWOW64\Ljhpog32.dll Neqopnhb.exe File created C:\Windows\SysWOW64\Kbopqlen.dll Phigif32.exe File opened for modification C:\Windows\SysWOW64\Akglloai.exe Adndoe32.exe File created C:\Windows\SysWOW64\Moqkim32.dll Hpdfnolo.exe File opened for modification C:\Windows\SysWOW64\Qkjgegae.exe Qhlkilba.exe File opened for modification C:\Windows\SysWOW64\Hgkkkcbc.exe Hdmoohbo.exe File opened for modification C:\Windows\SysWOW64\Chnbbqpn.exe Cfpffeaj.exe File created C:\Windows\SysWOW64\Mgphpe32.exe Moipoh32.exe File created C:\Windows\SysWOW64\Fdcpcm32.dll Jkaqnk32.exe File opened for modification C:\Windows\SysWOW64\Nijeec32.exe Nacmdf32.exe File created C:\Windows\SysWOW64\Clkbmh32.dll Nliaao32.exe File created C:\Windows\SysWOW64\Odcfhh32.dll Giinpa32.exe File opened for modification C:\Windows\SysWOW64\Kjpijpdg.exe Kgamnded.exe File created C:\Windows\SysWOW64\Idjnmo32.dll Phincl32.exe File created C:\Windows\SysWOW64\Dfmioc32.dll Emphocjj.exe File created C:\Windows\SysWOW64\Dijbno32.exe Dflfac32.exe File created C:\Windows\SysWOW64\Qgnnai32.dll Mgphpe32.exe File created C:\Windows\SysWOW64\Jcphab32.exe Jpaleglc.exe File created C:\Windows\SysWOW64\Fenghpla.dll Eppjfgcp.exe File opened for modification C:\Windows\SysWOW64\Lhfmdj32.exe Lehaho32.exe File created C:\Windows\SysWOW64\Mnmdme32.exe Mgclpkac.exe File created C:\Windows\SysWOW64\Hdlpneli.exe Hoogfnnb.exe File created C:\Windows\SysWOW64\Kjonng32.dll Pkhjph32.exe File created C:\Windows\SysWOW64\Fbociolq.dll Boflmdkk.exe File created C:\Windows\SysWOW64\Ckjbhmad.exe Chlflabp.exe File created C:\Windows\SysWOW64\Mbkkam32.dll Cdpcal32.exe File created C:\Windows\SysWOW64\Kcmmhj32.exe Kpoalo32.exe File opened for modification C:\Windows\SysWOW64\Amhfkopc.exe Afnnnd32.exe File created C:\Windows\SysWOW64\Dapkni32.exe Djfcaohp.exe File created C:\Windows\SysWOW64\Oidhlb32.exe Oampjeml.exe File opened for modification C:\Windows\SysWOW64\Dmennnni.exe Dijbno32.exe File opened for modification C:\Windows\SysWOW64\Ohkbbn32.exe Oihagaji.exe File created C:\Windows\SysWOW64\Papfgbmg.exe Pkenjh32.exe File opened for modification C:\Windows\SysWOW64\Lknojl32.exe Lcggio32.exe File created C:\Windows\SysWOW64\Bgeemcfc.dll Napjdpcn.exe File created C:\Windows\SysWOW64\Nbenoa32.dll Chlflabp.exe File opened for modification C:\Windows\SysWOW64\Fpgpgfmh.exe Fmhdkknd.exe File created C:\Windows\SysWOW64\Eplnpeol.exe Emnbdioi.exe File created C:\Windows\SysWOW64\Hglaej32.exe Hhiajmod.exe File created C:\Windows\SysWOW64\Neqhhf32.dll Dcpmen32.exe File created C:\Windows\SysWOW64\Lnadagbm.exe Lkchelci.exe File created C:\Windows\SysWOW64\Pickil32.dll Olicnfco.exe File created C:\Windows\SysWOW64\Akcoajfm.dll Hlpfhe32.exe File opened for modification C:\Windows\SysWOW64\Pmblagmf.exe Pjdpelnc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6300 4232 Process not Found 1135 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhofmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnffjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelolmnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mockmala.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcbfakec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollnhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkgbcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcapp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbmphjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlegnjbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efblbbqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfcaohp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpfhnpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikndgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmclccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmennnni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mleoafmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkeclfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkogiikb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaehljpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhpdcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbhcmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpmen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnihiio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikdcmpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoopgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfgmnfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkomneim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neccpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acokhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhlhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manmoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfillg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkihnmhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfkmphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdodkebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjehmfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhgmf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eklpgqkc.dll" Cgjjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpofmcef.dll" Dannij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaacddn.dll" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfbknfp.dll" Npchgdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddgpk32.dll" Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appnje32.dll" Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeokal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll" Bhmbqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfoeejd.dll" Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgjophm.dll" Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdjbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amfjeobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfioo32.dll" Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdkidohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebqacjl.dll" Njiegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glienb32.dll" Eciplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llpmoiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lobjni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbjmhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkecidg.dll" Fjmkoeqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbqpfg32.dll" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmeandma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpban32.dll" Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedkdf32.dll" Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaopkj32.dll" Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjopcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnfjbdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll" Aopemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gddbcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfqknfm.dll" Lfjfecno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkiaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjodla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll" Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcgeilmb.dll" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll" Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbkcpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejoomhmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oampjeml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednhgjia.dll" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecampmk.dll" Coknoaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeedjegm.dll" Mjokgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpenfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ginnfgop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeeobqbq.dll" Digehphc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dannij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmiic32.dll" Iepaaico.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3700 wrote to memory of 712 3700 8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7.exe 84 PID 3700 wrote to memory of 712 3700 8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7.exe 84 PID 3700 wrote to memory of 712 3700 8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7.exe 84 PID 712 wrote to memory of 2648 712 Hakgmjoh.exe 85 PID 712 wrote to memory of 2648 712 Hakgmjoh.exe 85 PID 712 wrote to memory of 2648 712 Hakgmjoh.exe 85 PID 2648 wrote to memory of 4664 2648 Hoogfnnb.exe 86 PID 2648 wrote to memory of 4664 2648 Hoogfnnb.exe 86 PID 2648 wrote to memory of 4664 2648 Hoogfnnb.exe 86 PID 4664 wrote to memory of 4056 4664 Hdlpneli.exe 87 PID 4664 wrote to memory of 4056 4664 Hdlpneli.exe 87 PID 4664 wrote to memory of 4056 4664 Hdlpneli.exe 87 PID 4056 wrote to memory of 3056 4056 Hoadkn32.exe 88 PID 4056 wrote to memory of 3056 4056 Hoadkn32.exe 88 PID 4056 wrote to memory of 3056 4056 Hoadkn32.exe 88 PID 3056 wrote to memory of 3856 3056 Hbpphi32.exe 89 PID 3056 wrote to memory of 3856 3056 Hbpphi32.exe 89 PID 3056 wrote to memory of 3856 3056 Hbpphi32.exe 89 PID 3856 wrote to memory of 3124 3856 Hdnldd32.exe 90 PID 3856 wrote to memory of 3124 3856 Hdnldd32.exe 90 PID 3856 wrote to memory of 3124 3856 Hdnldd32.exe 90 PID 3124 wrote to memory of 688 3124 Hglipp32.exe 92 PID 3124 wrote to memory of 688 3124 Hglipp32.exe 92 PID 3124 wrote to memory of 688 3124 Hglipp32.exe 92 PID 688 wrote to memory of 2976 688 Hkjafn32.exe 94 PID 688 wrote to memory of 2976 688 Hkjafn32.exe 94 PID 688 wrote to memory of 2976 688 Hkjafn32.exe 94 PID 2976 wrote to memory of 1040 2976 Hbdjchgn.exe 95 PID 2976 wrote to memory of 1040 2976 Hbdjchgn.exe 95 PID 2976 wrote to memory of 1040 2976 Hbdjchgn.exe 95 PID 1040 wrote to memory of 1252 1040 Hkmnln32.exe 97 PID 1040 wrote to memory of 1252 1040 Hkmnln32.exe 97 PID 1040 wrote to memory of 1252 1040 Hkmnln32.exe 97 PID 1252 wrote to memory of 4532 1252 Ifbbig32.exe 98 PID 1252 wrote to memory of 4532 1252 Ifbbig32.exe 98 PID 1252 wrote to memory of 4532 1252 Ifbbig32.exe 98 PID 4532 wrote to memory of 3580 4532 Ikokan32.exe 99 PID 4532 wrote to memory of 3580 4532 Ikokan32.exe 99 PID 4532 wrote to memory of 3580 4532 Ikokan32.exe 99 PID 3580 wrote to memory of 4460 3580 Ifdonfka.exe 100 PID 3580 wrote to memory of 4460 3580 Ifdonfka.exe 100 PID 3580 wrote to memory of 4460 3580 Ifdonfka.exe 100 PID 4460 wrote to memory of 3992 4460 Iomcgl32.exe 101 PID 4460 wrote to memory of 3992 4460 Iomcgl32.exe 101 PID 4460 wrote to memory of 3992 4460 Iomcgl32.exe 101 PID 3992 wrote to memory of 4008 3992 Ifgldfio.exe 102 PID 3992 wrote to memory of 4008 3992 Ifgldfio.exe 102 PID 3992 wrote to memory of 4008 3992 Ifgldfio.exe 102 PID 4008 wrote to memory of 4976 4008 Ikcdlmgf.exe 103 PID 4008 wrote to memory of 4976 4008 Ikcdlmgf.exe 103 PID 4008 wrote to memory of 4976 4008 Ikcdlmgf.exe 103 PID 4976 wrote to memory of 2376 4976 Iigdfa32.exe 104 PID 4976 wrote to memory of 2376 4976 Iigdfa32.exe 104 PID 4976 wrote to memory of 2376 4976 Iigdfa32.exe 104 PID 2376 wrote to memory of 2700 2376 Indmnh32.exe 105 PID 2376 wrote to memory of 2700 2376 Indmnh32.exe 105 PID 2376 wrote to memory of 2700 2376 Indmnh32.exe 105 PID 2700 wrote to memory of 1188 2700 Ifleoe32.exe 106 PID 2700 wrote to memory of 1188 2700 Ifleoe32.exe 106 PID 2700 wrote to memory of 1188 2700 Ifleoe32.exe 106 PID 1188 wrote to memory of 716 1188 Jngjch32.exe 107 PID 1188 wrote to memory of 716 1188 Jngjch32.exe 107 PID 1188 wrote to memory of 716 1188 Jngjch32.exe 107 PID 716 wrote to memory of 2892 716 Jilnqqbj.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7.exe"C:\Users\Admin\AppData\Local\Temp\8fbdc2347bc8e532efbafde5557e441a07cbaf73852d8ae9a4fd656e7d63afe7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe24⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe25⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe26⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe27⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe28⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4560 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe30⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe31⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe32⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe33⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe34⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe35⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe37⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe38⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe39⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe41⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe42⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe44⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe46⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe47⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe48⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe49⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe50⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe51⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3156 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe53⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe54⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe55⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe56⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe57⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe58⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe59⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe61⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe62⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe63⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe64⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe65⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe66⤵PID:924
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe67⤵PID:3520
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe68⤵
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe69⤵
- System Location Discovery: System Language Discovery
PID:4780 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe70⤵PID:2888
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe71⤵
- Modifies registry class
PID:3680 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe72⤵PID:4948
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe73⤵PID:1592
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe74⤵PID:2696
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe75⤵PID:3780
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe76⤵PID:4676
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe77⤵PID:2900
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe78⤵PID:3332
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe79⤵PID:4744
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe80⤵PID:3760
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe81⤵PID:1396
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe82⤵PID:2588
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe83⤵PID:856
-
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe84⤵PID:1880
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe85⤵PID:4668
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe86⤵PID:3180
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe87⤵PID:3200
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe88⤵PID:1676
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe89⤵PID:1172
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:376 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe91⤵PID:2880
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe92⤵PID:2360
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe93⤵PID:5132
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe94⤵PID:5196
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe95⤵PID:5244
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe96⤵PID:5312
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe97⤵
- System Location Discovery: System Language Discovery
PID:5380 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe98⤵PID:5432
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe99⤵PID:5480
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe100⤵PID:5536
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe101⤵PID:5596
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe102⤵PID:5664
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe103⤵PID:5716
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe104⤵
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe105⤵PID:5836
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe107⤵
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe108⤵
- System Location Discovery: System Language Discovery
PID:5984 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe109⤵PID:6036
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe111⤵PID:6132
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe112⤵PID:5180
-
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe113⤵PID:5232
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe114⤵PID:5356
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe115⤵PID:5444
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe116⤵PID:5556
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5652 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe118⤵PID:5732
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe119⤵
- System Location Discovery: System Language Discovery
PID:5832 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe120⤵PID:5908
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe121⤵PID:5996
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-