Analysis
-
max time kernel
99s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23-08-2024 22:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
43cf70fb57c3ac1cfb0d6588f8a6d840N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
43cf70fb57c3ac1cfb0d6588f8a6d840N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
43cf70fb57c3ac1cfb0d6588f8a6d840N.exe
-
Size
123KB
-
MD5
43cf70fb57c3ac1cfb0d6588f8a6d840
-
SHA1
16c5f80967cb30f559ac991c75e479063faabb74
-
SHA256
aa54ad9da62395f6b4bbdaac7aa4d95e296308acbed6aa9cfdd2a14e68528d3b
-
SHA512
a245a419c72b643c9522867030cc166a693e7871ee0e19664ca93a628d49cae84271a5ce122f699b8d2e0f697fe2be729d177571f9ae71c291dc43cac8e76913
-
SSDEEP
3072:+dEV3agvtLWraFuzVV+CxlqRYSa9rR85DEn5k7r8:+dYakLJIoCnq4rQD85k/8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flngfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbmoen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbdgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ickglm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cammjakm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coegoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egened32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdaodja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmipdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qacameaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dblgpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naaqofgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjgim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmjjoig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhpao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbenoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oampjeml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iacngdgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olbdhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimkbaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjccdkki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afbgkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfggkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkfcqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbnoiqdq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdgnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gokbgpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemefcap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcfggkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opeiadfg.exe -
Executes dropped EXE 64 IoCs
pid Process 2244 Gdafnpqh.exe 5096 Gklnjj32.exe 1472 Gaefgd32.exe 4308 Ghpocngo.exe 640 Giqkkf32.exe 5092 Gpkchqdj.exe 2988 Hgelek32.exe 4784 Hjchaf32.exe 1008 Hdilnojp.exe 4256 Hjedffig.exe 1536 Hammhcij.exe 4512 Hdkidohn.exe 5048 Hhfedm32.exe 4264 Hdmein32.exe 3568 Hglaej32.exe 4144 Hjjnae32.exe 2712 Hacbhb32.exe 684 Igqkqiai.exe 1148 Iafonaao.exe 3192 Igchfiof.exe 2572 Ijadbdoj.exe 2648 Ikqqlgem.exe 2032 Jnfcia32.exe 2168 Jqdoem32.exe 1912 Jdpkflfe.exe 4508 Jqglkmlj.exe 3216 Jjopcb32.exe 4428 Jbfheo32.exe 2204 Jqiipljg.exe 1600 Jhpqaiji.exe 536 Jgcamf32.exe 3376 Jgenbfoa.exe 400 Jjdjoane.exe 4068 Kdinljnk.exe 612 Kkcfid32.exe 2924 Kbmoen32.exe 720 Kelkaj32.exe 4980 Kkfcndce.exe 4328 Kndojobi.exe 1112 Kqbkfkal.exe 3184 Kijchhbo.exe 1400 Kjkpoq32.exe 4700 Kaehljpj.exe 4988 Keqdmihc.exe 4012 Kniieo32.exe 4500 Kecabifp.exe 4008 Kkmioc32.exe 4488 Knkekn32.exe 436 Lajagj32.exe 3528 Lbinam32.exe 2328 Licfngjd.exe 2912 Ljdceo32.exe 4924 Lankbigo.exe 1548 Lldopb32.exe 2652 Lbngllob.exe 2780 Lelchgne.exe 4300 Lgkpdcmi.exe 4260 Ljilqnlm.exe 3408 Lacdmh32.exe 3844 Lhmmjbkf.exe 3940 Llhikacp.exe 3156 Ljkifn32.exe 900 Mbbagk32.exe 2400 Meamcg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dkhkgplb.dll Mkjnfkma.exe File created C:\Windows\SysWOW64\Mcdibc32.dll Cnfkdb32.exe File opened for modification C:\Windows\SysWOW64\Dahmfpap.exe Dnmaea32.exe File created C:\Windows\SysWOW64\Mcgckb32.dll Iafkld32.exe File opened for modification C:\Windows\SysWOW64\Pfepdg32.exe Process not Found File created C:\Windows\SysWOW64\Pbmmao32.dll Gdcliikj.exe File created C:\Windows\SysWOW64\Eifaim32.exe Eblimcdf.exe File opened for modification C:\Windows\SysWOW64\Bknlbhhe.exe Bgbpaipl.exe File opened for modification C:\Windows\SysWOW64\Mbkkam32.dll Chkobkod.exe File opened for modification C:\Windows\SysWOW64\Fgjhpcmo.exe Figgdg32.exe File opened for modification C:\Windows\SysWOW64\Hhfedm32.exe Hdkidohn.exe File opened for modification C:\Windows\SysWOW64\Lcggio32.exe Lqikmc32.exe File created C:\Windows\SysWOW64\Kmkdjo32.dll Njfkmphe.exe File created C:\Windows\SysWOW64\Mglpdp32.dll Kgdpni32.exe File opened for modification C:\Windows\SysWOW64\Gaqhjggp.exe Gbnhoj32.exe File opened for modification C:\Windows\SysWOW64\Jjdjoane.exe Jgenbfoa.exe File created C:\Windows\SysWOW64\Qaalblgi.exe Pkgcea32.exe File created C:\Windows\SysWOW64\Ibingd32.dll Fbelcblk.exe File created C:\Windows\SysWOW64\Fjmkoeqi.exe Fpggamqc.exe File opened for modification C:\Windows\SysWOW64\Dqpfmlce.exe Dnajppda.exe File created C:\Windows\SysWOW64\Gbnhoj32.exe Gnblnlhl.exe File created C:\Windows\SysWOW64\Oifdaage.dll Njghbl32.exe File created C:\Windows\SysWOW64\Dgeaknci.dll Aajhndkb.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Ilnlom32.exe File created C:\Windows\SysWOW64\Pkbcikkp.dll Process not Found File created C:\Windows\SysWOW64\Egaejeej.exe Ehndnh32.exe File opened for modification C:\Windows\SysWOW64\Koonge32.exe Process not Found File created C:\Windows\SysWOW64\Iddgpk32.dll Hildmn32.exe File opened for modification C:\Windows\SysWOW64\Phdnngdn.exe Pajeam32.exe File created C:\Windows\SysWOW64\Pdkoch32.exe Pmaffnce.exe File opened for modification C:\Windows\SysWOW64\Ddnfmqng.exe Dbpjaeoc.exe File opened for modification C:\Windows\SysWOW64\Lckboblp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Chglab32.exe Cfipef32.exe File created C:\Windows\SysWOW64\Gdglhf32.dll Nnhmnn32.exe File opened for modification C:\Windows\SysWOW64\Nlkngo32.exe Nhpbfpka.exe File opened for modification C:\Windows\SysWOW64\Nqcejcha.exe Process not Found File created C:\Windows\SysWOW64\Bfcjjj32.dll Dqnjgl32.exe File opened for modification C:\Windows\SysWOW64\Ncbafoge.exe Process not Found File created C:\Windows\SysWOW64\Lfdqcn32.dll Pnifekmd.exe File created C:\Windows\SysWOW64\Lngqkhda.dll Pnmopk32.exe File opened for modification C:\Windows\SysWOW64\Ibqnkh32.exe Ilfennic.exe File created C:\Windows\SysWOW64\Dafppp32.exe Cnjdpaki.exe File created C:\Windows\SysWOW64\Ekppjn32.dll Dddllkbf.exe File opened for modification C:\Windows\SysWOW64\Lpjjmg32.exe Process not Found File created C:\Windows\SysWOW64\Gejqna32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oemefcap.exe Oboijgbl.exe File opened for modification C:\Windows\SysWOW64\Mmhgmmbf.exe Mnegbp32.exe File created C:\Windows\SysWOW64\Omdppiif.exe Onapdl32.exe File created C:\Windows\SysWOW64\Mgeakekd.exe Mcifkf32.exe File created C:\Windows\SysWOW64\Lbpflbpa.dll Onmfimga.exe File opened for modification C:\Windows\SysWOW64\Oeheqm32.exe Onnmdcjm.exe File opened for modification C:\Windows\SysWOW64\Alpbecod.exe Aefjii32.exe File created C:\Windows\SysWOW64\Hoaojp32.exe Hlbcnd32.exe File created C:\Windows\SysWOW64\Fgmdec32.exe Fijdjfdb.exe File opened for modification C:\Windows\SysWOW64\Gegkpf32.exe Galoohke.exe File created C:\Windows\SysWOW64\Aglmllpq.dll Iojkeh32.exe File created C:\Windows\SysWOW64\Djfkblnn.dll Hgelek32.exe File created C:\Windows\SysWOW64\Dnajppda.exe Doojec32.exe File created C:\Windows\SysWOW64\Ablmdkdf.dll Process not Found File created C:\Windows\SysWOW64\Pkbjjbda.exe Phdnngdn.exe File created C:\Windows\SysWOW64\Jihiic32.dll Nclbpf32.exe File created C:\Windows\SysWOW64\Oblknjim.dll Cgqlcg32.exe File created C:\Windows\SysWOW64\Dgfnagdi.dll Nmkmjjaa.exe File created C:\Windows\SysWOW64\Hhblffgn.dll Pdmdnadc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6220 6436 Process not Found 1313 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmfeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbfcigf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkqhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqmpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkepaam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqfdnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpdegjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kniieo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjellmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bljlfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpiecd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnlodjpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlppno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibegfglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giqkkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccahbmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbeeiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblmgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbccge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najceeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdaodja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnblnlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papfgbmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkknogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqnjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjopcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghdaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppolhcnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncjlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooclapd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgohf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foclgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkkgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojajin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaoaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbigf32.dll" Nbqmiinl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll" Aogbfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgmdec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgmeiqa.dll" Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbplg32.dll" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edionhpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kideagnd.dll" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpgam32.dll" Llmhaold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifmo32.dll" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnhjlpl.dll" Olijhmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iohejo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gppcmeem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmbphg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfohjf32.dll" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll" Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empmffib.dll" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll" Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phaahggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kelkaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njfkmphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll" Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakdmb32.dll" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diinlj32.dll" Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahici32.dll" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipdndloi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkmjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhdckaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmhlgmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebkbbmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgelek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pccahbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhkgplb.dll" Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankkea32.dll" Efeihb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhpaj32.dll" 43cf70fb57c3ac1cfb0d6588f8a6d840N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbgbe32.dll" Kelkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Milidebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakoidm.dll" Ickglm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hifmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olfghg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 856 wrote to memory of 2244 856 43cf70fb57c3ac1cfb0d6588f8a6d840N.exe 84 PID 856 wrote to memory of 2244 856 43cf70fb57c3ac1cfb0d6588f8a6d840N.exe 84 PID 856 wrote to memory of 2244 856 43cf70fb57c3ac1cfb0d6588f8a6d840N.exe 84 PID 2244 wrote to memory of 5096 2244 Gdafnpqh.exe 85 PID 2244 wrote to memory of 5096 2244 Gdafnpqh.exe 85 PID 2244 wrote to memory of 5096 2244 Gdafnpqh.exe 85 PID 5096 wrote to memory of 1472 5096 Gklnjj32.exe 86 PID 5096 wrote to memory of 1472 5096 Gklnjj32.exe 86 PID 5096 wrote to memory of 1472 5096 Gklnjj32.exe 86 PID 1472 wrote to memory of 4308 1472 Gaefgd32.exe 87 PID 1472 wrote to memory of 4308 1472 Gaefgd32.exe 87 PID 1472 wrote to memory of 4308 1472 Gaefgd32.exe 87 PID 4308 wrote to memory of 640 4308 Ghpocngo.exe 88 PID 4308 wrote to memory of 640 4308 Ghpocngo.exe 88 PID 4308 wrote to memory of 640 4308 Ghpocngo.exe 88 PID 640 wrote to memory of 5092 640 Giqkkf32.exe 89 PID 640 wrote to memory of 5092 640 Giqkkf32.exe 89 PID 640 wrote to memory of 5092 640 Giqkkf32.exe 89 PID 5092 wrote to memory of 2988 5092 Gpkchqdj.exe 90 PID 5092 wrote to memory of 2988 5092 Gpkchqdj.exe 90 PID 5092 wrote to memory of 2988 5092 Gpkchqdj.exe 90 PID 2988 wrote to memory of 4784 2988 Hgelek32.exe 91 PID 2988 wrote to memory of 4784 2988 Hgelek32.exe 91 PID 2988 wrote to memory of 4784 2988 Hgelek32.exe 91 PID 4784 wrote to memory of 1008 4784 Hjchaf32.exe 92 PID 4784 wrote to memory of 1008 4784 Hjchaf32.exe 92 PID 4784 wrote to memory of 1008 4784 Hjchaf32.exe 92 PID 1008 wrote to memory of 4256 1008 Hdilnojp.exe 93 PID 1008 wrote to memory of 4256 1008 Hdilnojp.exe 93 PID 1008 wrote to memory of 4256 1008 Hdilnojp.exe 93 PID 4256 wrote to memory of 1536 4256 Hjedffig.exe 94 PID 4256 wrote to memory of 1536 4256 Hjedffig.exe 94 PID 4256 wrote to memory of 1536 4256 Hjedffig.exe 94 PID 1536 wrote to memory of 4512 1536 Hammhcij.exe 95 PID 1536 wrote to memory of 4512 1536 Hammhcij.exe 95 PID 1536 wrote to memory of 4512 1536 Hammhcij.exe 95 PID 4512 wrote to memory of 5048 4512 Hdkidohn.exe 96 PID 4512 wrote to memory of 5048 4512 Hdkidohn.exe 96 PID 4512 wrote to memory of 5048 4512 Hdkidohn.exe 96 PID 5048 wrote to memory of 4264 5048 Hhfedm32.exe 97 PID 5048 wrote to memory of 4264 5048 Hhfedm32.exe 97 PID 5048 wrote to memory of 4264 5048 Hhfedm32.exe 97 PID 4264 wrote to memory of 3568 4264 Hdmein32.exe 98 PID 4264 wrote to memory of 3568 4264 Hdmein32.exe 98 PID 4264 wrote to memory of 3568 4264 Hdmein32.exe 98 PID 3568 wrote to memory of 4144 3568 Hglaej32.exe 99 PID 3568 wrote to memory of 4144 3568 Hglaej32.exe 99 PID 3568 wrote to memory of 4144 3568 Hglaej32.exe 99 PID 4144 wrote to memory of 2712 4144 Hjjnae32.exe 101 PID 4144 wrote to memory of 2712 4144 Hjjnae32.exe 101 PID 4144 wrote to memory of 2712 4144 Hjjnae32.exe 101 PID 2712 wrote to memory of 684 2712 Hacbhb32.exe 102 PID 2712 wrote to memory of 684 2712 Hacbhb32.exe 102 PID 2712 wrote to memory of 684 2712 Hacbhb32.exe 102 PID 684 wrote to memory of 1148 684 Igqkqiai.exe 104 PID 684 wrote to memory of 1148 684 Igqkqiai.exe 104 PID 684 wrote to memory of 1148 684 Igqkqiai.exe 104 PID 1148 wrote to memory of 3192 1148 Iafonaao.exe 105 PID 1148 wrote to memory of 3192 1148 Iafonaao.exe 105 PID 1148 wrote to memory of 3192 1148 Iafonaao.exe 105 PID 3192 wrote to memory of 2572 3192 Igchfiof.exe 106 PID 3192 wrote to memory of 2572 3192 Igchfiof.exe 106 PID 3192 wrote to memory of 2572 3192 Igchfiof.exe 106 PID 2572 wrote to memory of 2648 2572 Ijadbdoj.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\43cf70fb57c3ac1cfb0d6588f8a6d840N.exe"C:\Users\Admin\AppData\Local\Temp\43cf70fb57c3ac1cfb0d6588f8a6d840N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Giqkkf32.exeC:\Windows\system32\Giqkkf32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Gpkchqdj.exeC:\Windows\system32\Gpkchqdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe23⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe24⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe25⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe26⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe27⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3216 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe29⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe30⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe31⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe32⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe34⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe35⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe36⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:720 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe40⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe41⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe42⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe43⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe44⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe45⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4012 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe47⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe48⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe49⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe50⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe51⤵PID:4412
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe52⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe53⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe54⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe55⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe56⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe57⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe58⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe59⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe60⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe61⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe62⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe63⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe64⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe65⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe66⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe67⤵
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe68⤵
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe69⤵PID:2952
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe70⤵PID:2676
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe71⤵PID:1924
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe72⤵PID:2916
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3868 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe74⤵PID:2732
-
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe75⤵PID:1104
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe76⤵
- Modifies registry class
PID:3832 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe77⤵
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe78⤵PID:4344
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe79⤵PID:1908
-
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe80⤵PID:2148
-
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe81⤵PID:928
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe82⤵
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe83⤵PID:1680
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe84⤵PID:2716
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe85⤵PID:2520
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe86⤵PID:1260
-
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe87⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe88⤵PID:5180
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe90⤵PID:5268
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe91⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe92⤵PID:5356
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe93⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe94⤵PID:5444
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe95⤵PID:5492
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe96⤵PID:5536
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe97⤵PID:5580
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe98⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe99⤵PID:5684
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe100⤵PID:5728
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe101⤵PID:5792
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe102⤵PID:5848
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe103⤵PID:5904
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe104⤵PID:5964
-
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe105⤵PID:6012
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe106⤵PID:6056
-
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe107⤵
- System Location Discovery: System Language Discovery
PID:6132 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe108⤵PID:5168
-
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe109⤵PID:5296
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe110⤵PID:5340
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe111⤵PID:5452
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe112⤵PID:5472
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5588 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe114⤵PID:5664
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe115⤵PID:5740
-
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe117⤵PID:5960
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe118⤵PID:6052
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe119⤵PID:6140
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe120⤵PID:5280
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe121⤵
- Drops file in System32 directory
PID:5392
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-