Analysis
-
max time kernel
103s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-08-2024 00:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
59dc02f39a1ad03a1e1d552e3c776ab0N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
59dc02f39a1ad03a1e1d552e3c776ab0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
59dc02f39a1ad03a1e1d552e3c776ab0N.exe
-
Size
75KB
-
MD5
59dc02f39a1ad03a1e1d552e3c776ab0
-
SHA1
147ca7b16613385759c740bfd0eacc8844f1b1d1
-
SHA256
1be6a4779c47f7bce8e0ef7b807cdd396c9ef61782f8efb289f0c94027c2a781
-
SHA512
1c40c21afde3174279870e162350d7c51d73d1ba87068f32014aaa873deb8eba9ab8493381f8585a1a50c282f6fac89a2e799ceaad42b93c6c1b3832107f56f6
-
SSDEEP
1536:nhCbCfwWdlDpaDXx2/DCmyirCkmDhkIyk6zSf1cgCe8uvQGYQzlV:0GFDwXc/DBCfDhkVk6zSfugCe8uvQa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjadje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olehhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndagg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfcaohp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhbfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcadhgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmnmgnoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oepifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpomcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgnkkbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjecpkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbhjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qemhbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdnabjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekmnajj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdnldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkegpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaogak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkclgmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidjbmcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecgcfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkblhfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiodmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopocbcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnoopdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddgmbpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkleeplq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdnldd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljilqnlm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnkmnah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlnipg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcadhgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmmpfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpkflfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onnmdcjm.exe -
Executes dropped EXE 64 IoCs
pid Process 788 Bmkjkd32.exe 3276 Bebblb32.exe 1268 Bjokdipf.exe 4124 Bmngqdpj.exe 856 Beeoaapl.exe 2820 Bgcknmop.exe 2000 Bnmcjg32.exe 2840 Balpgb32.exe 2548 Bcjlcn32.exe 520 Bfhhoi32.exe 2388 Bnpppgdj.exe 3592 Beihma32.exe 4064 Bhhdil32.exe 3020 Bmemac32.exe 908 Belebq32.exe 4732 Cfmajipb.exe 3640 Cndikf32.exe 1536 Cmgjgcgo.exe 2784 Cdabcm32.exe 2580 Cfpnph32.exe 3744 Cmiflbel.exe 768 Ceqnmpfo.exe 1520 Cdcoim32.exe 3624 Cnicfe32.exe 4548 Chagok32.exe 4512 Cjpckf32.exe 4376 Cnkplejl.exe 4736 Chcddk32.exe 2808 Cjbpaf32.exe 3980 Cmqmma32.exe 4328 Calhnpgn.exe 4900 Dhfajjoj.exe 1596 Djdmffnn.exe 220 Dmcibama.exe 1424 Danecp32.exe 1924 Ddmaok32.exe 1412 Dhhnpjmh.exe 3916 Djgjlelk.exe 2448 Dmefhako.exe 5060 Delnin32.exe 972 Dhkjej32.exe 4144 Dkifae32.exe 4072 Dodbbdbb.exe 5112 Deokon32.exe 4928 Ddakjkqi.exe 1112 Dfpgffpm.exe 3992 Dogogcpo.exe 4392 Deagdn32.exe 2148 Dhocqigp.exe 2184 Dknpmdfc.exe 4584 Dahhio32.exe 2704 Edfdej32.exe 412 Egdqae32.exe 540 Eolhbc32.exe 4524 Eajeon32.exe 1824 Eefaomcg.exe 1000 Ehdmlhcj.exe 4992 Ekbihd32.exe 892 Emaedo32.exe 3636 Edknqiho.exe 408 Egijmegb.exe 660 Eopbnbhd.exe 4772 Eejjjl32.exe 1140 Ehiffh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Phodcg32.exe Omjpeo32.exe File created C:\Windows\SysWOW64\Mhegobpi.dll Iplkpa32.exe File opened for modification C:\Windows\SysWOW64\Mmfkhmdi.exe Lgibpf32.exe File created C:\Windows\SysWOW64\Algpao32.dll Jfehed32.exe File opened for modification C:\Windows\SysWOW64\Ohlqcagj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kjgeedch.exe Kcmmhj32.exe File created C:\Windows\SysWOW64\Cpfcfmlp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Bkjiao32.exe Bdpaeehj.exe File opened for modification C:\Windows\SysWOW64\Cfnjpfcl.exe Ckhecmcf.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Mmnhcb32.exe File created C:\Windows\SysWOW64\Aknifq32.exe Ahpmjejp.exe File opened for modification C:\Windows\SysWOW64\Efpomccg.exe Ebdcld32.exe File created C:\Windows\SysWOW64\Dhhmleng.dll Process not Found File created C:\Windows\SysWOW64\Coegoe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mnnkgl32.exe Miaboe32.exe File opened for modification C:\Windows\SysWOW64\Hhgloc32.exe Hfipbh32.exe File opened for modification C:\Windows\SysWOW64\Cimcan32.exe Ccqkigkp.exe File opened for modification C:\Windows\SysWOW64\Hjjnae32.exe Hglaej32.exe File created C:\Windows\SysWOW64\Jomnmjjb.dll Boeebnhp.exe File created C:\Windows\SysWOW64\Bndfbikc.dll Bklfgo32.exe File opened for modification C:\Windows\SysWOW64\Ffqhcq32.exe Fpgpgfmh.exe File created C:\Windows\SysWOW64\Geohklaa.exe Gnepna32.exe File created C:\Windows\SysWOW64\Cdcoim32.exe Ceqnmpfo.exe File opened for modification C:\Windows\SysWOW64\Aaldccip.exe Process not Found File created C:\Windows\SysWOW64\Oaplqh32.exe Process not Found File created C:\Windows\SysWOW64\Ejjlbppk.dll Jdpkflfe.exe File created C:\Windows\SysWOW64\Oohgdhfn.exe Oklkdi32.exe File created C:\Windows\SysWOW64\Bgnagk32.dll Kmkbfeab.exe File created C:\Windows\SysWOW64\Lnjnqh32.exe Lklbdm32.exe File opened for modification C:\Windows\SysWOW64\Dflfac32.exe Doaneiop.exe File created C:\Windows\SysWOW64\Amdcghbo.dll Jepjhg32.exe File created C:\Windows\SysWOW64\Balpgb32.exe Bnmcjg32.exe File created C:\Windows\SysWOW64\Cmiogmig.dll Fmkgkapm.exe File opened for modification C:\Windows\SysWOW64\Nmlddqem.exe Njmhhefi.exe File created C:\Windows\SysWOW64\Jhglpo32.dll Clchbqoo.exe File created C:\Windows\SysWOW64\Flpmagqi.exe Fiaael32.exe File created C:\Windows\SysWOW64\Lbandhne.dll Process not Found File opened for modification C:\Windows\SysWOW64\Joiccj32.exe Jgakbm32.exe File created C:\Windows\SysWOW64\Cgifbhid.exe Process not Found File created C:\Windows\SysWOW64\Aoofle32.exe Alqjpi32.exe File opened for modification C:\Windows\SysWOW64\Hncmmd32.exe Hjhalefe.exe File created C:\Windows\SysWOW64\Befhip32.dll Nahgoe32.exe File opened for modification C:\Windows\SysWOW64\Iidphgcn.exe Igfclkdj.exe File created C:\Windows\SysWOW64\Chiblk32.exe Process not Found File created C:\Windows\SysWOW64\Delnin32.exe Dmefhako.exe File opened for modification C:\Windows\SysWOW64\Cmjemflb.exe Cjliajmo.exe File created C:\Windows\SysWOW64\Lpmbai32.dll Adkgje32.exe File opened for modification C:\Windows\SysWOW64\Onmfimga.exe Offnhpfo.exe File created C:\Windows\SysWOW64\Efbdhf32.dll Fgbmccpg.exe File created C:\Windows\SysWOW64\Njfkmphe.exe Nopfpgip.exe File opened for modification C:\Windows\SysWOW64\Lgbloglj.exe Llmhaold.exe File created C:\Windows\SysWOW64\Fnmnbf32.dll Dkifae32.exe File created C:\Windows\SysWOW64\Jnkldqkc.exe Jhndljll.exe File created C:\Windows\SysWOW64\Nhahaiec.exe Neclenfo.exe File opened for modification C:\Windows\SysWOW64\Dkifae32.exe Dhkjej32.exe File created C:\Windows\SysWOW64\Jnjejjgh.exe Jklinohd.exe File created C:\Windows\SysWOW64\Ljclki32.exe Lgepom32.exe File created C:\Windows\SysWOW64\Dkndie32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lhkgoiqe.exe Lemkcnaa.exe File opened for modification C:\Windows\SysWOW64\Igmagnkg.exe Ifleoe32.exe File created C:\Windows\SysWOW64\Leckbi32.dll Aokcklid.exe File opened for modification C:\Windows\SysWOW64\Klhnfo32.exe Kfnfjehl.exe File opened for modification C:\Windows\SysWOW64\Fhgbhfbe.exe Fnaokmco.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8288 6848 Process not Found 1207 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgpogili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oklkdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoabad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopocbcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glldgljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbfodfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehhaaci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmdaljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbghfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnadagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiajmod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogfcjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emlenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpepl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfpbmfdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghoeqmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkgkapm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeaanjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknpmdfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poodpmca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hninbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmoohe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmqnobn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhamajc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johnamkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpgffpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekbihd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblaabdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmoijje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkodhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokcklid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfcaohp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbnkonbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidphgcn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamhmbej.dll" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phfjcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knippe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbidda32.dll" Bfqkddfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll" Camddhoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiaglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedohked.dll" Hnaqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiiicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkgkgoe.dll" Kpbfii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdpleo.dll" Glldgljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngomin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilcp32.dll" Pcmeke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achhaode.dll" Fhabbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnoopdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effama32.dll" Oigllh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dheibpje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feocelll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doogdl32.dll" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjalckog.dll" Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggpbjkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfghc32.dll" Dblgpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaqhj32.dll" Mhppji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejoomhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoljp32.dll" Aknifq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkhbo32.dll" Nohehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnchkf32.dll" Ijadbdoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeggngeb.dll" Ehfcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll" Kjlopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfcabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckdpoji.dll" Jnjejjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdmqmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll" Ahpmjejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcaofebg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahici32.dll" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npgabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edemkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbdbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbofpe32.dll" Npiiffqe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4812 wrote to memory of 788 4812 59dc02f39a1ad03a1e1d552e3c776ab0N.exe 84 PID 4812 wrote to memory of 788 4812 59dc02f39a1ad03a1e1d552e3c776ab0N.exe 84 PID 4812 wrote to memory of 788 4812 59dc02f39a1ad03a1e1d552e3c776ab0N.exe 84 PID 788 wrote to memory of 3276 788 Bmkjkd32.exe 85 PID 788 wrote to memory of 3276 788 Bmkjkd32.exe 85 PID 788 wrote to memory of 3276 788 Bmkjkd32.exe 85 PID 3276 wrote to memory of 1268 3276 Bebblb32.exe 86 PID 3276 wrote to memory of 1268 3276 Bebblb32.exe 86 PID 3276 wrote to memory of 1268 3276 Bebblb32.exe 86 PID 1268 wrote to memory of 4124 1268 Bjokdipf.exe 87 PID 1268 wrote to memory of 4124 1268 Bjokdipf.exe 87 PID 1268 wrote to memory of 4124 1268 Bjokdipf.exe 87 PID 4124 wrote to memory of 856 4124 Bmngqdpj.exe 88 PID 4124 wrote to memory of 856 4124 Bmngqdpj.exe 88 PID 4124 wrote to memory of 856 4124 Bmngqdpj.exe 88 PID 856 wrote to memory of 2820 856 Beeoaapl.exe 89 PID 856 wrote to memory of 2820 856 Beeoaapl.exe 89 PID 856 wrote to memory of 2820 856 Beeoaapl.exe 89 PID 2820 wrote to memory of 2000 2820 Bgcknmop.exe 90 PID 2820 wrote to memory of 2000 2820 Bgcknmop.exe 90 PID 2820 wrote to memory of 2000 2820 Bgcknmop.exe 90 PID 2000 wrote to memory of 2840 2000 Bnmcjg32.exe 91 PID 2000 wrote to memory of 2840 2000 Bnmcjg32.exe 91 PID 2000 wrote to memory of 2840 2000 Bnmcjg32.exe 91 PID 2840 wrote to memory of 2548 2840 Balpgb32.exe 92 PID 2840 wrote to memory of 2548 2840 Balpgb32.exe 92 PID 2840 wrote to memory of 2548 2840 Balpgb32.exe 92 PID 2548 wrote to memory of 520 2548 Bcjlcn32.exe 93 PID 2548 wrote to memory of 520 2548 Bcjlcn32.exe 93 PID 2548 wrote to memory of 520 2548 Bcjlcn32.exe 93 PID 520 wrote to memory of 2388 520 Bfhhoi32.exe 95 PID 520 wrote to memory of 2388 520 Bfhhoi32.exe 95 PID 520 wrote to memory of 2388 520 Bfhhoi32.exe 95 PID 2388 wrote to memory of 3592 2388 Bnpppgdj.exe 96 PID 2388 wrote to memory of 3592 2388 Bnpppgdj.exe 96 PID 2388 wrote to memory of 3592 2388 Bnpppgdj.exe 96 PID 3592 wrote to memory of 4064 3592 Beihma32.exe 97 PID 3592 wrote to memory of 4064 3592 Beihma32.exe 97 PID 3592 wrote to memory of 4064 3592 Beihma32.exe 97 PID 4064 wrote to memory of 3020 4064 Bhhdil32.exe 98 PID 4064 wrote to memory of 3020 4064 Bhhdil32.exe 98 PID 4064 wrote to memory of 3020 4064 Bhhdil32.exe 98 PID 3020 wrote to memory of 908 3020 Bmemac32.exe 99 PID 3020 wrote to memory of 908 3020 Bmemac32.exe 99 PID 3020 wrote to memory of 908 3020 Bmemac32.exe 99 PID 908 wrote to memory of 4732 908 Belebq32.exe 100 PID 908 wrote to memory of 4732 908 Belebq32.exe 100 PID 908 wrote to memory of 4732 908 Belebq32.exe 100 PID 4732 wrote to memory of 3640 4732 Cfmajipb.exe 101 PID 4732 wrote to memory of 3640 4732 Cfmajipb.exe 101 PID 4732 wrote to memory of 3640 4732 Cfmajipb.exe 101 PID 3640 wrote to memory of 1536 3640 Cndikf32.exe 103 PID 3640 wrote to memory of 1536 3640 Cndikf32.exe 103 PID 3640 wrote to memory of 1536 3640 Cndikf32.exe 103 PID 1536 wrote to memory of 2784 1536 Cmgjgcgo.exe 104 PID 1536 wrote to memory of 2784 1536 Cmgjgcgo.exe 104 PID 1536 wrote to memory of 2784 1536 Cmgjgcgo.exe 104 PID 2784 wrote to memory of 2580 2784 Cdabcm32.exe 105 PID 2784 wrote to memory of 2580 2784 Cdabcm32.exe 105 PID 2784 wrote to memory of 2580 2784 Cdabcm32.exe 105 PID 2580 wrote to memory of 3744 2580 Cfpnph32.exe 106 PID 2580 wrote to memory of 3744 2580 Cfpnph32.exe 106 PID 2580 wrote to memory of 3744 2580 Cfpnph32.exe 106 PID 3744 wrote to memory of 768 3744 Cmiflbel.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\59dc02f39a1ad03a1e1d552e3c776ab0N.exe"C:\Users\Admin\AppData\Local\Temp\59dc02f39a1ad03a1e1d552e3c776ab0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe24⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe25⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe26⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe27⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe29⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe30⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe31⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe32⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe33⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe34⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe35⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe36⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe37⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe39⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe41⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4144 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe44⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe45⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe46⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe48⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe49⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe50⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe52⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe53⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe54⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe55⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe56⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe57⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe58⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe60⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe61⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe62⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe63⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe64⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe65⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe66⤵PID:4712
-
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe67⤵PID:3528
-
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe68⤵PID:3712
-
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1152 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe70⤵PID:5104
-
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe71⤵
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe72⤵PID:472
-
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe73⤵PID:3200
-
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe74⤵PID:3104
-
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe75⤵
- Drops file in System32 directory
PID:4956 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe76⤵PID:1944
-
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe77⤵PID:4960
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe78⤵PID:444
-
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe79⤵PID:4380
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe80⤵PID:3604
-
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe81⤵PID:3456
-
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe82⤵PID:3100
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe83⤵
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe84⤵PID:1416
-
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe85⤵PID:2988
-
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe87⤵PID:2028
-
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe88⤵PID:3176
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe89⤵PID:4264
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe90⤵PID:2460
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe91⤵PID:3396
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe92⤵PID:5144
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe93⤵PID:5188
-
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe94⤵PID:5232
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe96⤵PID:5324
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe97⤵PID:5368
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe98⤵PID:5412
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe99⤵PID:5456
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe100⤵PID:5500
-
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe101⤵PID:5544
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe102⤵PID:5584
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe103⤵PID:5628
-
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe104⤵PID:5676
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe105⤵
- System Location Discovery: System Language Discovery
PID:5720 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe106⤵
- Drops file in System32 directory
PID:5768 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe107⤵PID:5816
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe108⤵PID:5860
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe109⤵PID:5904
-
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5956 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe111⤵PID:6020
-
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe112⤵PID:6084
-
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe113⤵PID:6128
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe114⤵PID:5152
-
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe115⤵PID:5196
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe116⤵PID:5272
-
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe117⤵PID:5360
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5400 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe119⤵PID:5496
-
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe120⤵
- System Location Discovery: System Language Discovery
PID:5556 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe121⤵PID:5608
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-