Analysis
-
max time kernel
111s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22/08/2024, 21:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
944ceb89f3d9a9845989d15adb12bb60N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
944ceb89f3d9a9845989d15adb12bb60N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
944ceb89f3d9a9845989d15adb12bb60N.exe
-
Size
72KB
-
MD5
944ceb89f3d9a9845989d15adb12bb60
-
SHA1
5ad6edc311e6d30b0fc5897f3d45ad8e65c3b1f4
-
SHA256
27665a421c42119a93a6fdce269f5da7f2303ceac8c8e1920fcd4c4bed4c53af
-
SHA512
a2a0cbac1343f8580f905e436095266a60deb8f987c1ffb273f7c2fa9643e46f58f4423abc7ed3f512f74276fd779891dc5d461e75101d5384a1c1250480f578
-
SSDEEP
1536:CWMDvtIAR6O7RWIuImJaCpDnW3xQb6jS8t2LN6+lWCWQ+:GvWAR6/IaaADnKjh+N6+bWQ+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaqhjggp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keqdmihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdfdmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflibgil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhdbhifj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiphjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbdcgld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diffglam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcepkfld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jljbeali.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kghjhemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbdldnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamamcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknlbhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfkdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikoopij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddadpdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpnkdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimqajgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifljdjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illfdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oepifi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehailbaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efafgifc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmieae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hekgfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggilil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efafgifc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpkadnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkadfj32.exe -
Executes dropped EXE 64 IoCs
pid Process 3460 Nhnlkfpp.exe 2924 Nohehq32.exe 872 Ngomin32.exe 1372 Niniei32.exe 2112 Npgabc32.exe 3452 Ncfmno32.exe 228 Nipekiep.exe 5032 Nlnbgddc.exe 112 Nomncpcg.exe 5056 Ngdfdmdi.exe 3628 Nibbqicm.exe 4372 Nheble32.exe 4856 Ncjginjn.exe 1548 Oidofh32.exe 1588 Opogbbig.exe 1848 Oekpkigo.exe 2356 Olehhc32.exe 3400 Ocopdn32.exe 2508 Oenlqi32.exe 636 Olgemcli.exe 2468 Oofaiokl.exe 1244 Oepifi32.exe 388 Oljaccjf.exe 1660 Oohnonij.exe 5064 Ogpepl32.exe 1952 Ojnblg32.exe 3892 Ollnhb32.exe 928 Pgbbek32.exe 3368 Pjpobg32.exe 2652 Ppjgoaoj.exe 2568 Pcicklnn.exe 4924 Pjbkgfej.exe 3640 Plagcbdn.exe 1856 Ppmcdq32.exe 2108 Pckppl32.exe 3624 Pfillg32.exe 1500 Phhhhc32.exe 4716 Ppopjp32.exe 4204 Pcmlfl32.exe 3016 Pflibgil.exe 1504 Pjgebf32.exe 1844 Acgolj32.exe 4280 Agbkmijg.exe 2204 Ajqgidij.exe 4912 Aqkpeopg.exe 3140 Aompak32.exe 4744 Agdhbi32.exe 2500 Ahfdjanb.exe 4180 Aqmlknnd.exe 4684 Aopmfk32.exe 5004 Afjeceml.exe 3408 Aobilkcl.exe 744 Acnemi32.exe 4780 Ajhniccb.exe 3732 Amfjeobf.exe 4304 Aodfajaj.exe 4996 Aglnbhal.exe 4472 Aimkjp32.exe 1252 Bqdblmhl.exe 4396 Bogcgj32.exe 4884 Bgnkhg32.exe 4696 Bjlgdc32.exe 660 Bmkcqn32.exe 2240 Bcelmhen.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dfgjhf32.dll Gdafnpqh.exe File created C:\Windows\SysWOW64\Ikbfgppo.exe Icknfcol.exe File created C:\Windows\SysWOW64\Jlkidpke.dll Chfegk32.exe File created C:\Windows\SysWOW64\Dgmfnkfn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Llimgb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pflibgil.exe Pcmlfl32.exe File opened for modification C:\Windows\SysWOW64\Ihpcinld.exe Iafkld32.exe File created C:\Windows\SysWOW64\Jnpjlajn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ncfmno32.exe Npgabc32.exe File created C:\Windows\SysWOW64\Kknombmk.dll Nhdlao32.exe File opened for modification C:\Windows\SysWOW64\Ljobpiql.exe Lgqfdnah.exe File created C:\Windows\SysWOW64\Hojpmg32.dll Peahgl32.exe File created C:\Windows\SysWOW64\Ffiipfmi.dll Ekdnei32.exe File opened for modification C:\Windows\SysWOW64\Dckoia32.exe Process not Found File created C:\Windows\SysWOW64\Ponfhp32.dll Ooqqdi32.exe File created C:\Windows\SysWOW64\Aafkfgeh.dll Jgkmgk32.exe File created C:\Windows\SysWOW64\Ckkpjkai.dll Ncchae32.exe File created C:\Windows\SysWOW64\Jabphdjm.dll Dgeenfog.exe File opened for modification C:\Windows\SysWOW64\Lijlof32.exe Lacdmh32.exe File opened for modification C:\Windows\SysWOW64\Bmggingc.exe Process not Found File created C:\Windows\SysWOW64\Bmkcqn32.exe Bjlgdc32.exe File opened for modification C:\Windows\SysWOW64\Bqmeal32.exe Bjcmebie.exe File opened for modification C:\Windows\SysWOW64\Qdaniq32.exe Qpeahb32.exe File opened for modification C:\Windows\SysWOW64\Hnlodjpa.exe Hlmchoan.exe File created C:\Windows\SysWOW64\Jklaah32.dll Inmpcc32.exe File opened for modification C:\Windows\SysWOW64\Bombmcec.exe Bmofagfp.exe File created C:\Windows\SysWOW64\Mgphpe32.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Acffllhk.dll Process not Found File created C:\Windows\SysWOW64\Poigcbng.dll Dfglfdkb.exe File opened for modification C:\Windows\SysWOW64\Klddlckd.exe Process not Found File created C:\Windows\SysWOW64\Fmfnpa32.exe Fjhacf32.exe File opened for modification C:\Windows\SysWOW64\Chqogq32.exe Cbfgkffn.exe File opened for modification C:\Windows\SysWOW64\Nfaemp32.exe Ncchae32.exe File created C:\Windows\SysWOW64\Imqpnq32.dll Process not Found File created C:\Windows\SysWOW64\Fhcbhh32.dll Process not Found File created C:\Windows\SysWOW64\Ipmbjgpi.exe Innfnl32.exe File created C:\Windows\SysWOW64\Bjbmjjno.dll Klahfp32.exe File created C:\Windows\SysWOW64\Ckbcpc32.dll Panhbfep.exe File opened for modification C:\Windows\SysWOW64\Qbajeg32.exe Process not Found File created C:\Windows\SysWOW64\Cibmlmeb.exe Cgqqdeod.exe File created C:\Windows\SysWOW64\Gbbgpbmj.dll Fgbfhmll.exe File created C:\Windows\SysWOW64\Aphblj32.dll Bkaobnio.exe File opened for modification C:\Windows\SysWOW64\Daediilg.exe Dmihij32.exe File created C:\Windows\SysWOW64\Lbekag32.dll Boflmdkk.exe File created C:\Windows\SysWOW64\Iinjhh32.exe Ifomll32.exe File created C:\Windows\SysWOW64\Qpcecb32.exe Qobhkjdi.exe File opened for modification C:\Windows\SysWOW64\Ipkdek32.exe Ihdldn32.exe File opened for modification C:\Windows\SysWOW64\Lacdmh32.exe Lelchgne.exe File opened for modification C:\Windows\SysWOW64\Oondnini.exe Nhdlao32.exe File created C:\Windows\SysWOW64\Bopocbcq.exe Bheffh32.exe File created C:\Windows\SysWOW64\Nfjola32.exe Nclbpf32.exe File created C:\Windows\SysWOW64\Cgbiiion.dll Dannij32.exe File created C:\Windows\SysWOW64\Bkkple32.exe Bjicdmmd.exe File created C:\Windows\SysWOW64\Kghfphob.dll Ipoheakj.exe File created C:\Windows\SysWOW64\Ojdgnn32.exe Ogekbb32.exe File created C:\Windows\SysWOW64\Aagdnn32.exe Process not Found File created C:\Windows\SysWOW64\Ckmehb32.exe Cioilg32.exe File opened for modification C:\Windows\SysWOW64\Bohbhmfm.exe Blielbfi.exe File created C:\Windows\SysWOW64\Gafian32.dll Phhhhc32.exe File opened for modification C:\Windows\SysWOW64\Pcepkfld.exe Pojcjh32.exe File created C:\Windows\SysWOW64\Cajdjn32.dll Kjeiodek.exe File created C:\Windows\SysWOW64\Lfdqcn32.dll Pjmjdm32.exe File opened for modification C:\Windows\SysWOW64\Pdjgha32.exe Pmpolgoi.exe File created C:\Windows\SysWOW64\Khkdad32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 10980 5896 Process not Found 1393 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadgnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlnbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahgad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafdcbge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocpfphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcgkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feenjgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlogfel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipihpkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiildjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnkkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkbkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdagpnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpomcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qljcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebifmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfmbmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iajdgcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpegkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogcgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbcfhibj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqmlknnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglnbhal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqpfjnba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaajed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfennic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekjcaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenlqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbdcgld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimqajgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafnnj32.dll" Kmkbfeab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdijliok.dll" Bnhenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclbolkk.dll" Jgogbgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoepebho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpildobq.dll" Oaajed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omjpeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeai32.dll" Dngjff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll" Bgkiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnibokbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjijid32.dll" Nmfcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cclaff32.dll" Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoema32.dll" Hdpbon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jppnpjel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmafqb32.dll" Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekamnhne.dll" Kpcjgnhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadlo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidkle32.dll" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmaffnce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaqdegaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcpmen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdkac32.dll" Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll" Glkmmefl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlpfhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipaooi32.dll" Dhgonidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakdmb32.dll" Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dibkjmof.dll" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iondqhpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiphjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbqdpi32.dll" Imkbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll" Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhifomdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaonjaj.dll" Ekajec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccgjopal.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 740 wrote to memory of 3460 740 944ceb89f3d9a9845989d15adb12bb60N.exe 84 PID 740 wrote to memory of 3460 740 944ceb89f3d9a9845989d15adb12bb60N.exe 84 PID 740 wrote to memory of 3460 740 944ceb89f3d9a9845989d15adb12bb60N.exe 84 PID 3460 wrote to memory of 2924 3460 Nhnlkfpp.exe 85 PID 3460 wrote to memory of 2924 3460 Nhnlkfpp.exe 85 PID 3460 wrote to memory of 2924 3460 Nhnlkfpp.exe 85 PID 2924 wrote to memory of 872 2924 Nohehq32.exe 86 PID 2924 wrote to memory of 872 2924 Nohehq32.exe 86 PID 2924 wrote to memory of 872 2924 Nohehq32.exe 86 PID 872 wrote to memory of 1372 872 Ngomin32.exe 87 PID 872 wrote to memory of 1372 872 Ngomin32.exe 87 PID 872 wrote to memory of 1372 872 Ngomin32.exe 87 PID 1372 wrote to memory of 2112 1372 Niniei32.exe 88 PID 1372 wrote to memory of 2112 1372 Niniei32.exe 88 PID 1372 wrote to memory of 2112 1372 Niniei32.exe 88 PID 2112 wrote to memory of 3452 2112 Npgabc32.exe 89 PID 2112 wrote to memory of 3452 2112 Npgabc32.exe 89 PID 2112 wrote to memory of 3452 2112 Npgabc32.exe 89 PID 3452 wrote to memory of 228 3452 Ncfmno32.exe 90 PID 3452 wrote to memory of 228 3452 Ncfmno32.exe 90 PID 3452 wrote to memory of 228 3452 Ncfmno32.exe 90 PID 228 wrote to memory of 5032 228 Nipekiep.exe 91 PID 228 wrote to memory of 5032 228 Nipekiep.exe 91 PID 228 wrote to memory of 5032 228 Nipekiep.exe 91 PID 5032 wrote to memory of 112 5032 Nlnbgddc.exe 92 PID 5032 wrote to memory of 112 5032 Nlnbgddc.exe 92 PID 5032 wrote to memory of 112 5032 Nlnbgddc.exe 92 PID 112 wrote to memory of 5056 112 Nomncpcg.exe 93 PID 112 wrote to memory of 5056 112 Nomncpcg.exe 93 PID 112 wrote to memory of 5056 112 Nomncpcg.exe 93 PID 5056 wrote to memory of 3628 5056 Ngdfdmdi.exe 94 PID 5056 wrote to memory of 3628 5056 Ngdfdmdi.exe 94 PID 5056 wrote to memory of 3628 5056 Ngdfdmdi.exe 94 PID 3628 wrote to memory of 4372 3628 Nibbqicm.exe 95 PID 3628 wrote to memory of 4372 3628 Nibbqicm.exe 95 PID 3628 wrote to memory of 4372 3628 Nibbqicm.exe 95 PID 4372 wrote to memory of 4856 4372 Nheble32.exe 96 PID 4372 wrote to memory of 4856 4372 Nheble32.exe 96 PID 4372 wrote to memory of 4856 4372 Nheble32.exe 96 PID 4856 wrote to memory of 1548 4856 Ncjginjn.exe 97 PID 4856 wrote to memory of 1548 4856 Ncjginjn.exe 97 PID 4856 wrote to memory of 1548 4856 Ncjginjn.exe 97 PID 1548 wrote to memory of 1588 1548 Oidofh32.exe 99 PID 1548 wrote to memory of 1588 1548 Oidofh32.exe 99 PID 1548 wrote to memory of 1588 1548 Oidofh32.exe 99 PID 1588 wrote to memory of 1848 1588 Opogbbig.exe 100 PID 1588 wrote to memory of 1848 1588 Opogbbig.exe 100 PID 1588 wrote to memory of 1848 1588 Opogbbig.exe 100 PID 1848 wrote to memory of 2356 1848 Oekpkigo.exe 101 PID 1848 wrote to memory of 2356 1848 Oekpkigo.exe 101 PID 1848 wrote to memory of 2356 1848 Oekpkigo.exe 101 PID 2356 wrote to memory of 3400 2356 Olehhc32.exe 103 PID 2356 wrote to memory of 3400 2356 Olehhc32.exe 103 PID 2356 wrote to memory of 3400 2356 Olehhc32.exe 103 PID 3400 wrote to memory of 2508 3400 Ocopdn32.exe 104 PID 3400 wrote to memory of 2508 3400 Ocopdn32.exe 104 PID 3400 wrote to memory of 2508 3400 Ocopdn32.exe 104 PID 2508 wrote to memory of 636 2508 Oenlqi32.exe 105 PID 2508 wrote to memory of 636 2508 Oenlqi32.exe 105 PID 2508 wrote to memory of 636 2508 Oenlqi32.exe 105 PID 636 wrote to memory of 2468 636 Olgemcli.exe 106 PID 636 wrote to memory of 2468 636 Olgemcli.exe 106 PID 636 wrote to memory of 2468 636 Olgemcli.exe 106 PID 2468 wrote to memory of 1244 2468 Oofaiokl.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\944ceb89f3d9a9845989d15adb12bb60N.exe"C:\Users\Admin\AppData\Local\Temp\944ceb89f3d9a9845989d15adb12bb60N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe24⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe25⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe26⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe27⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe28⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe29⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe31⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe32⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe33⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe34⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe35⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe36⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe37⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe39⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4204 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe42⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe43⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe44⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe45⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe46⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe47⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe48⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe49⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4180 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe51⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe52⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe53⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe54⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe55⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe56⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe57⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4996 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe59⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe60⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4396 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe62⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4696 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe64⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe65⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe66⤵PID:2968
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe67⤵PID:1516
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe68⤵PID:2536
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe70⤵PID:4560
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe71⤵PID:544
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe72⤵
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe73⤵PID:2044
-
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe74⤵PID:4852
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe75⤵PID:3600
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe76⤵PID:2008
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe77⤵PID:2764
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe78⤵PID:2888
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe79⤵PID:3720
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe80⤵PID:4748
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe81⤵PID:1880
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe82⤵PID:1600
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe83⤵PID:1760
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe84⤵PID:2920
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe85⤵PID:3132
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe86⤵PID:5088
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe87⤵
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe88⤵PID:2124
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe89⤵PID:3668
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe90⤵PID:5132
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe91⤵PID:5176
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe92⤵PID:5220
-
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe93⤵PID:5264
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe94⤵PID:5308
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5352 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe96⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe97⤵PID:5440
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe98⤵PID:5484
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe99⤵PID:5524
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe100⤵PID:5572
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe101⤵PID:5620
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe102⤵PID:5664
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe104⤵PID:5776
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe105⤵PID:5832
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe106⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe107⤵PID:5932
-
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe108⤵PID:5972
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe109⤵PID:6016
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe110⤵PID:6060
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe111⤵PID:6104
-
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3988 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe113⤵PID:5184
-
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe114⤵PID:5252
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe116⤵PID:5384
-
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe117⤵PID:5456
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe118⤵PID:5532
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe119⤵PID:5616
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe120⤵PID:5680
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe121⤵PID:5752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-