Analysis
-
max time kernel
106s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-08-2024 23:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac7d211e23a760c4adac889c38a992f0N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
ac7d211e23a760c4adac889c38a992f0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ac7d211e23a760c4adac889c38a992f0N.exe
-
Size
364KB
-
MD5
ac7d211e23a760c4adac889c38a992f0
-
SHA1
376f078c51157df1ab4261022bd2917855b37a63
-
SHA256
4b9e2431de45bd66016cfa2603231da1a2883ce970436f17e28aacc471d5eeb4
-
SHA512
fdc48dd0188ac311e843da81d000b416494b3349cd91a7dde21ce106029a5b9437620bbd13c688e0d1e30f7fb8781bf997449e812e35a19d148259233e9068db
-
SSDEEP
3072:6Kic4xP1kg24ho1mtye3lFDrFDHZtOga24ho1mtye3l9vOQV5PxkABq24ho1mtyj:pic4xdktsFj5tT3sFpzvHsFj5tT3sF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhamajc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaefgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qemhbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doaneiop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfningai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgbfhmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfaqhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhhoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmpiiai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfbobf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbdcgld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmeakf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eciplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgioqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdecgbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaleglc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcbpjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfehed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbbmnnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofgpikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioambknl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabfjpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monjjgkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfmdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mockmala.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmglcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmgcgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpiecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egijmegb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngomin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leadnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfcia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeddnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpjel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daqbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcmjd32.exe -
Executes dropped EXE 64 IoCs
pid Process 1568 Icnpmp32.exe 4012 Ifllil32.exe 2280 Ibcmom32.exe 2040 Jeaikh32.exe 1724 Jcbihpel.exe 1868 Jfaedkdp.exe 1448 Jmknaell.exe 628 Jlpkba32.exe 1968 Jfeopj32.exe 316 Jmpgldhg.exe 5076 Jfhlejnh.exe 2060 Jmbdbd32.exe 3840 Jcllonma.exe 3752 Kmdqgd32.exe 2332 Kdnidn32.exe 4580 Kdqejn32.exe 1840 Kimnbd32.exe 1856 Kpgfooop.exe 3884 Kedoge32.exe 3552 Kpjcdn32.exe 1584 Kbhoqj32.exe 4892 Lffhfh32.exe 3416 Llcpoo32.exe 2972 Lfhdlh32.exe 2448 Lmbmibhb.exe 4300 Lfkaag32.exe 4304 Ldoaklml.exe 3456 Likjcbkc.exe 4764 Lbdolh32.exe 4100 Lmiciaaj.exe 2056 Mgagbf32.exe 1188 Mipcob32.exe 3488 Mmlpoqpg.exe 1052 Mpjlklok.exe 2948 Mgddhf32.exe 1952 Mmnldp32.exe 1656 Mdhdajea.exe 2196 Mgfqmfde.exe 1620 Mmpijp32.exe 772 Mdjagjco.exe 4736 Migjoaaf.exe 4988 Mpablkhc.exe 388 Mdmnlj32.exe 1312 Menjdbgj.exe 1016 Ncbknfed.exe 1864 Nepgjaeg.exe 4548 Nljofl32.exe 2052 Ngpccdlj.exe 4940 Nnjlpo32.exe 1208 Ndcdmikd.exe 548 Ncfdie32.exe 2872 Neeqea32.exe 4244 Nloiakho.exe 1616 Ndfqbhia.exe 4748 Ngdmod32.exe 4428 Nnneknob.exe 3180 Nckndeni.exe 1000 Nggjdc32.exe 2484 Nnqbanmo.exe 1392 Oponmilc.exe 4472 Ocnjidkf.exe 2556 Oncofm32.exe 920 Odmgcgbi.exe 2816 Ogkcpbam.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ocihgnam.exe Process not Found File created C:\Windows\SysWOW64\Bhbopgfn.dll Nloiakho.exe File created C:\Windows\SysWOW64\Jlacji32.dll Epjajeqo.exe File created C:\Windows\SysWOW64\Fkkeclfh.exe Fdamgb32.exe File created C:\Windows\SysWOW64\Imiehfao.exe Ifomll32.exe File created C:\Windows\SysWOW64\Dmcnoekk.dll Impliekg.exe File created C:\Windows\SysWOW64\Aglafhih.dll Process not Found File opened for modification C:\Windows\SysWOW64\Koonge32.exe Process not Found File created C:\Windows\SysWOW64\Himnbjpd.dll Hdlpneli.exe File opened for modification C:\Windows\SysWOW64\Dhclmp32.exe Dfdpad32.exe File opened for modification C:\Windows\SysWOW64\Dheibpje.exe Dnpdegjp.exe File created C:\Windows\SysWOW64\Ckjinf32.dll Gldglf32.exe File created C:\Windows\SysWOW64\Defbaa32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fafdkmap.exe Fnjhjn32.exe File created C:\Windows\SysWOW64\Lhmmjbkf.exe Leopnglc.exe File created C:\Windows\SysWOW64\Mnkggfkb.exe Mkmkkjko.exe File created C:\Windows\SysWOW64\Ndcdmikd.exe Nnjlpo32.exe File created C:\Windows\SysWOW64\Dfnjafap.exe Delnin32.exe File created C:\Windows\SysWOW64\Hnfdcegm.dll Hmlpaoaj.exe File created C:\Windows\SysWOW64\Nccokk32.exe Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Fiqjke32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bdcmkgmm.exe Process not Found File created C:\Windows\SysWOW64\Hflheb32.dll Lfkaag32.exe File created C:\Windows\SysWOW64\Fpejkd32.dll Gemkelcd.exe File opened for modification C:\Windows\SysWOW64\Kocgbend.exe Process not Found File created C:\Windows\SysWOW64\Efbdhf32.dll Fddqghpd.exe File created C:\Windows\SysWOW64\Lldfjh32.exe Lifjnm32.exe File created C:\Windows\SysWOW64\Ecjddk32.dll Efmmmn32.exe File created C:\Windows\SysWOW64\Eplgeokq.exe Eiaoid32.exe File opened for modification C:\Windows\SysWOW64\Iomcgl32.exe Iickkbje.exe File created C:\Windows\SysWOW64\Mnmdme32.exe Mchppmij.exe File created C:\Windows\SysWOW64\Malpia32.exe Mnmdme32.exe File created C:\Windows\SysWOW64\Fihgkk32.dll Lnangaoa.exe File created C:\Windows\SysWOW64\Nljofl32.exe Nepgjaeg.exe File opened for modification C:\Windows\SysWOW64\Glipgf32.exe Geohklaa.exe File created C:\Windows\SysWOW64\Kmcjho32.dll Nckndeni.exe File created C:\Windows\SysWOW64\Fkhfob32.dll Mpnnle32.exe File created C:\Windows\SysWOW64\Ophpeg32.dll Kghjhemo.exe File opened for modification C:\Windows\SysWOW64\Kjmmepfj.exe Kgopidgf.exe File created C:\Windows\SysWOW64\Nkbjmj32.dll Kgflcifg.exe File created C:\Windows\SysWOW64\Igjngh32.exe Idkbkl32.exe File created C:\Windows\SysWOW64\Gdencf32.dll Napjdpcn.exe File created C:\Windows\SysWOW64\Fmbdpnaj.dll Process not Found File created C:\Windows\SysWOW64\Ojemig32.exe Process not Found File created C:\Windows\SysWOW64\Dmjapi32.dll Bffkij32.exe File created C:\Windows\SysWOW64\Ombmjmoh.dll Hkmnln32.exe File opened for modification C:\Windows\SysWOW64\Dmglcj32.exe Dhjckcgi.exe File created C:\Windows\SysWOW64\Gkdhjknm.exe Fhflnpoi.exe File created C:\Windows\SysWOW64\Lbopphio.dll Pehngkcg.exe File opened for modification C:\Windows\SysWOW64\Pfagighf.exe Process not Found File created C:\Windows\SysWOW64\Maghgl32.dll Afjlnk32.exe File created C:\Windows\SysWOW64\Kecabifp.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Cqhcce32.dll Cmmbbejp.exe File created C:\Windows\SysWOW64\Ggpdhj32.dll Gfodeohd.exe File created C:\Windows\SysWOW64\Blqhpg32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Foapaa32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ljpaqmgb.exe Process not Found File created C:\Windows\SysWOW64\Nnjlpo32.exe Ngpccdlj.exe File created C:\Windows\SysWOW64\Knefeffd.exe Kihnmohm.exe File opened for modification C:\Windows\SysWOW64\Bgbdcgld.exe Bqilgmdg.exe File created C:\Windows\SysWOW64\Mjpbam32.exe Miofjepg.exe File created C:\Windows\SysWOW64\Ggebqoki.dll Fmjaphek.exe File created C:\Windows\SysWOW64\Abakhdbk.dll Ipjedh32.exe File created C:\Windows\SysWOW64\Aplaoj32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 12968 12776 Process not Found 1439 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkodhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemcjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkifn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffhfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgmpccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhilfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgncmim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcanll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjkjpgfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leadnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginnfgop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheplb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnhjcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdhjknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nognnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodfajaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcmbfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdccbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmpkqqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eciplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmikeaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbpbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpmjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiafg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplgeokq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higjaoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeaikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngjch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbohigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelkaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilccoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojllan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpofnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajndioga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cioilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkipgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iamfph32.dll" Cjjcfabm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nocckb32.dll" Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpahkbdh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll" Odocigqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfdhkhjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafndi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jblpmmae.dll" Ngaionfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhiajmod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqfgdpo.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihfcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhbkinel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmkigh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhnmh32.dll" Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkfhc32.dll" Joffnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhabbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlpkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcbbmif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kelkaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgjjdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdafnpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefabkej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alkijdci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldoaklml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plpqil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdfehh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll" Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcgolla.dll" Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipebnafj.dll" Mekgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gengjl32.dll" Jjamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll" Fpdcag32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4852 wrote to memory of 1568 4852 ac7d211e23a760c4adac889c38a992f0N.exe 84 PID 4852 wrote to memory of 1568 4852 ac7d211e23a760c4adac889c38a992f0N.exe 84 PID 4852 wrote to memory of 1568 4852 ac7d211e23a760c4adac889c38a992f0N.exe 84 PID 1568 wrote to memory of 4012 1568 Icnpmp32.exe 85 PID 1568 wrote to memory of 4012 1568 Icnpmp32.exe 85 PID 1568 wrote to memory of 4012 1568 Icnpmp32.exe 85 PID 4012 wrote to memory of 2280 4012 Ifllil32.exe 86 PID 4012 wrote to memory of 2280 4012 Ifllil32.exe 86 PID 4012 wrote to memory of 2280 4012 Ifllil32.exe 86 PID 2280 wrote to memory of 2040 2280 Ibcmom32.exe 87 PID 2280 wrote to memory of 2040 2280 Ibcmom32.exe 87 PID 2280 wrote to memory of 2040 2280 Ibcmom32.exe 87 PID 2040 wrote to memory of 1724 2040 Jeaikh32.exe 88 PID 2040 wrote to memory of 1724 2040 Jeaikh32.exe 88 PID 2040 wrote to memory of 1724 2040 Jeaikh32.exe 88 PID 1724 wrote to memory of 1868 1724 Jcbihpel.exe 89 PID 1724 wrote to memory of 1868 1724 Jcbihpel.exe 89 PID 1724 wrote to memory of 1868 1724 Jcbihpel.exe 89 PID 1868 wrote to memory of 1448 1868 Jfaedkdp.exe 91 PID 1868 wrote to memory of 1448 1868 Jfaedkdp.exe 91 PID 1868 wrote to memory of 1448 1868 Jfaedkdp.exe 91 PID 1448 wrote to memory of 628 1448 Jmknaell.exe 93 PID 1448 wrote to memory of 628 1448 Jmknaell.exe 93 PID 1448 wrote to memory of 628 1448 Jmknaell.exe 93 PID 628 wrote to memory of 1968 628 Jlpkba32.exe 94 PID 628 wrote to memory of 1968 628 Jlpkba32.exe 94 PID 628 wrote to memory of 1968 628 Jlpkba32.exe 94 PID 1968 wrote to memory of 316 1968 Jfeopj32.exe 95 PID 1968 wrote to memory of 316 1968 Jfeopj32.exe 95 PID 1968 wrote to memory of 316 1968 Jfeopj32.exe 95 PID 316 wrote to memory of 5076 316 Jmpgldhg.exe 96 PID 316 wrote to memory of 5076 316 Jmpgldhg.exe 96 PID 316 wrote to memory of 5076 316 Jmpgldhg.exe 96 PID 5076 wrote to memory of 2060 5076 Jfhlejnh.exe 97 PID 5076 wrote to memory of 2060 5076 Jfhlejnh.exe 97 PID 5076 wrote to memory of 2060 5076 Jfhlejnh.exe 97 PID 2060 wrote to memory of 3840 2060 Jmbdbd32.exe 98 PID 2060 wrote to memory of 3840 2060 Jmbdbd32.exe 98 PID 2060 wrote to memory of 3840 2060 Jmbdbd32.exe 98 PID 3840 wrote to memory of 3752 3840 Jcllonma.exe 100 PID 3840 wrote to memory of 3752 3840 Jcllonma.exe 100 PID 3840 wrote to memory of 3752 3840 Jcllonma.exe 100 PID 3752 wrote to memory of 2332 3752 Kmdqgd32.exe 101 PID 3752 wrote to memory of 2332 3752 Kmdqgd32.exe 101 PID 3752 wrote to memory of 2332 3752 Kmdqgd32.exe 101 PID 2332 wrote to memory of 4580 2332 Kdnidn32.exe 102 PID 2332 wrote to memory of 4580 2332 Kdnidn32.exe 102 PID 2332 wrote to memory of 4580 2332 Kdnidn32.exe 102 PID 4580 wrote to memory of 1840 4580 Kdqejn32.exe 103 PID 4580 wrote to memory of 1840 4580 Kdqejn32.exe 103 PID 4580 wrote to memory of 1840 4580 Kdqejn32.exe 103 PID 1840 wrote to memory of 1856 1840 Kimnbd32.exe 104 PID 1840 wrote to memory of 1856 1840 Kimnbd32.exe 104 PID 1840 wrote to memory of 1856 1840 Kimnbd32.exe 104 PID 1856 wrote to memory of 3884 1856 Kpgfooop.exe 105 PID 1856 wrote to memory of 3884 1856 Kpgfooop.exe 105 PID 1856 wrote to memory of 3884 1856 Kpgfooop.exe 105 PID 3884 wrote to memory of 3552 3884 Kedoge32.exe 106 PID 3884 wrote to memory of 3552 3884 Kedoge32.exe 106 PID 3884 wrote to memory of 3552 3884 Kedoge32.exe 106 PID 3552 wrote to memory of 1584 3552 Kpjcdn32.exe 107 PID 3552 wrote to memory of 1584 3552 Kpjcdn32.exe 107 PID 3552 wrote to memory of 1584 3552 Kpjcdn32.exe 107 PID 1584 wrote to memory of 4892 1584 Kbhoqj32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac7d211e23a760c4adac889c38a992f0N.exe"C:\Users\Admin\AppData\Local\Temp\ac7d211e23a760c4adac889c38a992f0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe24⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe25⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe26⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe29⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe30⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe31⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe32⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe33⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe34⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe35⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe36⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe37⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe38⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe39⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe40⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe41⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe42⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe43⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe44⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe45⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe46⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe48⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe49⤵PID:2288
-
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4940 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe52⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe53⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe54⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4244 -
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe56⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:4748 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe58⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe60⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Oponmilc.exeC:\Windows\system32\Oponmilc.exe62⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe63⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe64⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe66⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe67⤵PID:2700
-
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe68⤵
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe69⤵PID:4984
-
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe71⤵PID:2836
-
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe72⤵
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe73⤵PID:976
-
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe74⤵PID:4976
-
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe75⤵PID:4404
-
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe76⤵
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe77⤵PID:5068
-
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe78⤵PID:5156
-
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe79⤵PID:5204
-
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe80⤵PID:5244
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe81⤵
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe82⤵PID:5384
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe83⤵PID:5428
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe84⤵PID:5484
-
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe85⤵PID:5532
-
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe86⤵PID:5572
-
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5612 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe88⤵PID:5664
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe89⤵PID:5716
-
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe90⤵PID:5764
-
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe91⤵PID:5816
-
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe92⤵PID:5860
-
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe93⤵PID:5904
-
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe94⤵PID:5948
-
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe95⤵PID:5996
-
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe96⤵PID:6040
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe97⤵PID:6084
-
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe98⤵PID:6128
-
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe99⤵PID:5148
-
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe100⤵PID:5180
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe101⤵PID:5324
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe102⤵PID:5340
-
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe103⤵PID:5508
-
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe104⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe105⤵PID:5648
-
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe106⤵PID:5724
-
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe107⤵PID:5744
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe108⤵PID:5876
-
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe109⤵PID:5924
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe110⤵PID:6004
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe111⤵PID:6092
-
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe112⤵PID:2520
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe113⤵PID:5220
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe114⤵PID:5476
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe115⤵PID:5580
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe116⤵PID:5628
-
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe117⤵PID:5784
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe118⤵PID:5888
-
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe119⤵
- Drops file in System32 directory
PID:5944 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe120⤵PID:6136
-
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe121⤵PID:5228
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-