Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-08-2024 05:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7.exe
-
Size
77KB
-
MD5
76f7a657a396652576c1a834eb72320c
-
SHA1
65cef3153b76c1c7aa620466ee86fd85149b683c
-
SHA256
e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7
-
SHA512
9d189f5705a6f7da6cbe346e9f4f6ad19db3066367bb0813b9a1bfbe94cf4b8050607f6af921cd7f812413c1208452d5b2377aa33febe16bd9ac7addbd5c8e61
-
SSDEEP
1536:2bgM/3wGJyZeWlj38qsS3OGKXA2LtMswfi+TjRC/D:cD/3n4iSXKXxzwf1TjYD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfaqhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkdhjknm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bombmcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fligqhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emnbdioi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akglloai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knfeeimj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackigjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjliajmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckqbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpeafcfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhabbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbidimc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aolblopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijnep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bclang32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohnonij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bciehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigheh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meefofek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boipmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcelmhen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaopfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodogdmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgplado.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 3184 Kbghfc32.exe 5000 Kiaqcnpb.exe 3004 Llpmoiof.exe 4768 Lnnikdnj.exe 3164 Lehaho32.exe 4236 Llbidimc.exe 4852 Lblaabdp.exe 1788 Lifjnm32.exe 1308 Lppbkgcj.exe 3224 Locbfd32.exe 2696 Lfjjga32.exe 1992 Lihfcm32.exe 3480 Lpbopfag.exe 3092 Lbqklb32.exe 4984 Lhncdi32.exe 2112 Loglacfo.exe 4620 Leadnm32.exe 2332 Mimpolee.exe 2564 Mfaqhp32.exe 2184 Miomdk32.exe 2100 Mlnipg32.exe 3644 Molelb32.exe 2596 Mefmimif.exe 1292 Mhdjehhj.exe 2428 Mplafeil.exe 392 Mffjcopi.exe 4632 Mhgfkg32.exe 1736 Mpnnle32.exe 4296 Mblkhq32.exe 2304 Mekgdl32.exe 3872 Mhicpg32.exe 4560 Mleoafmn.exe 3220 Mfjcnold.exe 1912 Nhlpfgbb.exe 2120 Nlglfe32.exe 2672 Noehba32.exe 2076 Ngmpcn32.exe 2708 Neppokal.exe 2820 Nhnlkfpp.exe 3100 Npedmdab.exe 4928 Nbcqiope.exe 972 Nebmekoi.exe 1848 Nlleaeff.exe 1976 Nojanpej.exe 4960 Ncfmno32.exe 2868 Ngaionfl.exe 3868 Nipekiep.exe 2892 Nlnbgddc.exe 4568 Nomncpcg.exe 3288 Ngdfdmdi.exe 2020 Nibbqicm.exe 4792 Nplkmckj.exe 4128 Ogfcjm32.exe 1724 Oidofh32.exe 3392 Ohgoaehe.exe 4912 Ooagno32.exe 4476 Oghppm32.exe 3408 Ohjlgefb.exe 4716 Opadhb32.exe 1012 Oocddono.exe 1168 Oenlqi32.exe 456 Olgemcli.exe 4572 Oofaiokl.exe 4856 Ogmijllo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aijnep32.exe Ajhniccb.exe File created C:\Windows\SysWOW64\Dmglcj32.exe Dfmcfp32.exe File created C:\Windows\SysWOW64\Ebfign32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gkdpbpih.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bfqkddfd.exe Bogcgj32.exe File created C:\Windows\SysWOW64\Dfiildio.exe Dnbakghm.exe File created C:\Windows\SysWOW64\Ghndhd32.dll Mfhbga32.exe File created C:\Windows\SysWOW64\Pnplfj32.exe Pfiddm32.exe File created C:\Windows\SysWOW64\Ajqgidij.exe Afelhf32.exe File opened for modification C:\Windows\SysWOW64\Likhem32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eqgmmk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iiopca32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lehaho32.exe Lnnikdnj.exe File opened for modification C:\Windows\SysWOW64\Nqbpojnp.exe Nncccnol.exe File created C:\Windows\SysWOW64\Fjecoi32.dll Oihagaji.exe File created C:\Windows\SysWOW64\Kioodcbn.dll Qaalblgi.exe File created C:\Windows\SysWOW64\Cnocia32.dll Mqimikfj.exe File created C:\Windows\SysWOW64\Hifmmb32.exe Process not Found File created C:\Windows\SysWOW64\Dmbbhkjf.exe Dfhjkabi.exe File created C:\Windows\SysWOW64\Igjngh32.exe Ibmeoq32.exe File created C:\Windows\SysWOW64\Gingkqkd.exe Gkkgpc32.exe File created C:\Windows\SysWOW64\Lhffmd32.dll Njkkbehl.exe File created C:\Windows\SysWOW64\Pdkoch32.exe Palbgl32.exe File created C:\Windows\SysWOW64\Omfmcjlk.dll Pjkmomfn.exe File created C:\Windows\SysWOW64\Jpkbko32.dll Ibmeoq32.exe File created C:\Windows\SysWOW64\Lenicahg.exe Lmgabcge.exe File created C:\Windows\SysWOW64\Lljklo32.exe Kfpcoefj.exe File opened for modification C:\Windows\SysWOW64\Ondljl32.exe Ogjdmbil.exe File created C:\Windows\SysWOW64\Hghklqmm.dll Process not Found File created C:\Windows\SysWOW64\Dndgfpbo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oehlkc32.exe Oondnini.exe File created C:\Windows\SysWOW64\Ajggomog.exe Acmobchj.exe File opened for modification C:\Windows\SysWOW64\Phdnngdn.exe Pefabkej.exe File opened for modification C:\Windows\SysWOW64\Paoollik.exe Popbpqjh.exe File created C:\Windows\SysWOW64\Fnnjmbpm.exe Flpmagqi.exe File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Oclkgccf.exe File opened for modification C:\Windows\SysWOW64\Cpmapodj.exe Bajqda32.exe File created C:\Windows\SysWOW64\Ciepangh.dll Llbidimc.exe File created C:\Windows\SysWOW64\Cpchnbbb.dll Lhmmjbkf.exe File created C:\Windows\SysWOW64\Fcplmmbl.dll Neoieenp.exe File created C:\Windows\SysWOW64\Pmhkafda.dll Imiehfao.exe File created C:\Windows\SysWOW64\Koonge32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lppbkgcj.exe Lifjnm32.exe File created C:\Windows\SysWOW64\Lhbhlgio.dll Gnjjfegi.exe File created C:\Windows\SysWOW64\Hlfkfcja.dll Phbhcmjl.exe File created C:\Windows\SysWOW64\Pngfalmm.dll Fbhpch32.exe File created C:\Windows\SysWOW64\Hipmfjee.exe Hfaajnfb.exe File created C:\Windows\SysWOW64\Lmaamn32.exe Ljceqb32.exe File opened for modification C:\Windows\SysWOW64\Qdaniq32.exe Qacameaj.exe File opened for modification C:\Windows\SysWOW64\Kgopidgf.exe Kaehljpj.exe File opened for modification C:\Windows\SysWOW64\Giinpa32.exe Gfkbde32.exe File created C:\Windows\SysWOW64\Ncpgam32.dll Lqhdbm32.exe File opened for modification C:\Windows\SysWOW64\Nelfeo32.exe Nmenca32.exe File created C:\Windows\SysWOW64\Gifjfmcq.dll Jilfifme.exe File created C:\Windows\SysWOW64\Fpbdco32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jhifomdj.exe Process not Found File created C:\Windows\SysWOW64\Ojqhdcii.dll Process not Found File opened for modification C:\Windows\SysWOW64\Meefofek.exe Mbgjbkfg.exe File opened for modification C:\Windows\SysWOW64\Eciplm32.exe Emphocjj.exe File created C:\Windows\SysWOW64\Ejfeng32.exe Ebommi32.exe File opened for modification C:\Windows\SysWOW64\Phjenbhp.exe Pflibgil.exe File created C:\Windows\SysWOW64\Igqkqiai.exe Hnhghcki.exe File created C:\Windows\SysWOW64\Eidlnd32.exe Efepbi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 18464 9648 Process not Found 1378 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdala32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhmnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibbqicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgemcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohgdhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcjhkdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclmamod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkcqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lalnmiia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfcmhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjiao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqkill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnkkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjicdmmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjoja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakacjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkomneim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaplqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eangpgcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhghcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idieem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opadhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddbcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgnbaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpihcgoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gahcmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keimof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifhdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hienlpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajhndkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faenpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gihgfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjaei32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mngegmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbfdekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdcpk32.dll" Phelcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnblldi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nebmekoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkeaqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohflaf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eidbij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmigoagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoqoo32.dll" Lifjnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjellmbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkohaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomdjhoo.dll" Ngmpcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnjejjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpdegjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iepaaico.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaehljpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpcnkaj.dll" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bogkmgba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlgdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnjejjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpidaqmj.dll" Jinboekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljceqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdafnpqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglafhih.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mblkhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macgaopp.dll" Pidabppl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nklbmllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohnohn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmppfooc.dll" Opadhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbbcpq.dll" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckajh32.dll" Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahgcjddh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobhii32.dll" Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmhhefi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efhlhh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1252 wrote to memory of 3184 1252 e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7.exe 84 PID 1252 wrote to memory of 3184 1252 e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7.exe 84 PID 1252 wrote to memory of 3184 1252 e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7.exe 84 PID 3184 wrote to memory of 5000 3184 Kbghfc32.exe 85 PID 3184 wrote to memory of 5000 3184 Kbghfc32.exe 85 PID 3184 wrote to memory of 5000 3184 Kbghfc32.exe 85 PID 5000 wrote to memory of 3004 5000 Kiaqcnpb.exe 86 PID 5000 wrote to memory of 3004 5000 Kiaqcnpb.exe 86 PID 5000 wrote to memory of 3004 5000 Kiaqcnpb.exe 86 PID 3004 wrote to memory of 4768 3004 Llpmoiof.exe 87 PID 3004 wrote to memory of 4768 3004 Llpmoiof.exe 87 PID 3004 wrote to memory of 4768 3004 Llpmoiof.exe 87 PID 4768 wrote to memory of 3164 4768 Lnnikdnj.exe 88 PID 4768 wrote to memory of 3164 4768 Lnnikdnj.exe 88 PID 4768 wrote to memory of 3164 4768 Lnnikdnj.exe 88 PID 3164 wrote to memory of 4236 3164 Lehaho32.exe 89 PID 3164 wrote to memory of 4236 3164 Lehaho32.exe 89 PID 3164 wrote to memory of 4236 3164 Lehaho32.exe 89 PID 4236 wrote to memory of 4852 4236 Llbidimc.exe 90 PID 4236 wrote to memory of 4852 4236 Llbidimc.exe 90 PID 4236 wrote to memory of 4852 4236 Llbidimc.exe 90 PID 4852 wrote to memory of 1788 4852 Lblaabdp.exe 91 PID 4852 wrote to memory of 1788 4852 Lblaabdp.exe 91 PID 4852 wrote to memory of 1788 4852 Lblaabdp.exe 91 PID 1788 wrote to memory of 1308 1788 Lifjnm32.exe 92 PID 1788 wrote to memory of 1308 1788 Lifjnm32.exe 92 PID 1788 wrote to memory of 1308 1788 Lifjnm32.exe 92 PID 1308 wrote to memory of 3224 1308 Lppbkgcj.exe 93 PID 1308 wrote to memory of 3224 1308 Lppbkgcj.exe 93 PID 1308 wrote to memory of 3224 1308 Lppbkgcj.exe 93 PID 3224 wrote to memory of 2696 3224 Locbfd32.exe 94 PID 3224 wrote to memory of 2696 3224 Locbfd32.exe 94 PID 3224 wrote to memory of 2696 3224 Locbfd32.exe 94 PID 2696 wrote to memory of 1992 2696 Lfjjga32.exe 95 PID 2696 wrote to memory of 1992 2696 Lfjjga32.exe 95 PID 2696 wrote to memory of 1992 2696 Lfjjga32.exe 95 PID 1992 wrote to memory of 3480 1992 Lihfcm32.exe 96 PID 1992 wrote to memory of 3480 1992 Lihfcm32.exe 96 PID 1992 wrote to memory of 3480 1992 Lihfcm32.exe 96 PID 3480 wrote to memory of 3092 3480 Lpbopfag.exe 97 PID 3480 wrote to memory of 3092 3480 Lpbopfag.exe 97 PID 3480 wrote to memory of 3092 3480 Lpbopfag.exe 97 PID 3092 wrote to memory of 4984 3092 Lbqklb32.exe 99 PID 3092 wrote to memory of 4984 3092 Lbqklb32.exe 99 PID 3092 wrote to memory of 4984 3092 Lbqklb32.exe 99 PID 4984 wrote to memory of 2112 4984 Lhncdi32.exe 100 PID 4984 wrote to memory of 2112 4984 Lhncdi32.exe 100 PID 4984 wrote to memory of 2112 4984 Lhncdi32.exe 100 PID 2112 wrote to memory of 4620 2112 Loglacfo.exe 101 PID 2112 wrote to memory of 4620 2112 Loglacfo.exe 101 PID 2112 wrote to memory of 4620 2112 Loglacfo.exe 101 PID 4620 wrote to memory of 2332 4620 Leadnm32.exe 102 PID 4620 wrote to memory of 2332 4620 Leadnm32.exe 102 PID 4620 wrote to memory of 2332 4620 Leadnm32.exe 102 PID 2332 wrote to memory of 2564 2332 Mimpolee.exe 104 PID 2332 wrote to memory of 2564 2332 Mimpolee.exe 104 PID 2332 wrote to memory of 2564 2332 Mimpolee.exe 104 PID 2564 wrote to memory of 2184 2564 Mfaqhp32.exe 105 PID 2564 wrote to memory of 2184 2564 Mfaqhp32.exe 105 PID 2564 wrote to memory of 2184 2564 Mfaqhp32.exe 105 PID 2184 wrote to memory of 2100 2184 Miomdk32.exe 106 PID 2184 wrote to memory of 2100 2184 Miomdk32.exe 106 PID 2184 wrote to memory of 2100 2184 Miomdk32.exe 106 PID 2100 wrote to memory of 3644 2100 Mlnipg32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7.exe"C:\Users\Admin\AppData\Local\Temp\e6f93fd6d4f484aee3dc3305e1164f0255e2d4977e3795fde47a941a4419fdd7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe23⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe24⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe25⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe26⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe27⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe28⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe29⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe31⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe32⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe33⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe34⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe35⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe36⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe37⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe39⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe40⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe41⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe42⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:972 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe44⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe45⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe46⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe47⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe48⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe49⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe50⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe51⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe53⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe54⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe55⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe56⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe57⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe58⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe59⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe61⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe62⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:456 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe65⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe66⤵PID:4064
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3176 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe68⤵PID:232
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1856 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe70⤵PID:5044
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe71⤵PID:1916
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe72⤵PID:4824
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe73⤵PID:1668
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe74⤵PID:208
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe75⤵PID:1312
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe76⤵
- Modifies registry class
PID:4216 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe77⤵PID:3368
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe78⤵PID:644
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe79⤵PID:1336
-
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe80⤵PID:3552
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe81⤵PID:3112
-
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe82⤵PID:4964
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe83⤵
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe84⤵PID:2788
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe85⤵PID:344
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe86⤵PID:2216
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe87⤵PID:4332
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe88⤵PID:3400
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe89⤵PID:4644
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe90⤵PID:2096
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe91⤵PID:2260
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe92⤵PID:1352
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe93⤵PID:2056
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe94⤵PID:1972
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe95⤵PID:332
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe96⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe97⤵PID:2032
-
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe98⤵PID:5164
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe99⤵PID:5208
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe100⤵PID:5252
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe101⤵PID:5296
-
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe102⤵PID:5340
-
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe103⤵PID:5384
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5428 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe105⤵PID:5488
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe106⤵PID:5536
-
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe107⤵PID:5580
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe108⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5684 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe110⤵PID:5728
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe111⤵PID:5776
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe112⤵PID:5820
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe113⤵PID:5864
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe114⤵PID:5904
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe115⤵PID:5948
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe116⤵
- Drops file in System32 directory
PID:5992 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe117⤵PID:6036
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe118⤵
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe119⤵
- System Location Discovery: System Language Discovery
PID:6120 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5200
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-