Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 23:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
329bfe84d0fdf5a8b6c063c4af7172c0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
329bfe84d0fdf5a8b6c063c4af7172c0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
329bfe84d0fdf5a8b6c063c4af7172c0N.exe
-
Size
60KB
-
MD5
329bfe84d0fdf5a8b6c063c4af7172c0
-
SHA1
51c013812bda09e749f6f86d568d20a1b0826ce2
-
SHA256
9c2c911949dc5ebd6a551b7b452e09e7e42489a27e83a66358b7ed594faa439f
-
SHA512
0b523dddb2dd1323c1d0b2685c67d48a099bc1afa2e43b01bb65fbb8bc8e751adaefeaf73c8eea8bbe8410db1b98e889b546242b3fdf04acf84737ed977ddf96
-
SSDEEP
1536:DAMXAKfgtjctXmPbEFZV72iliINOfLwi7B86l1rs:3XA4g+tXkbEFZVhk0uEuB86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nonbqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkpijfgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nffceq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnopjfgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emikpeig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfpidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gajibq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhmqlmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbedaand.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljjicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonilenb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpnfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gammbfqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akbjidbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjbfjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbeggmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmlkpgia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmpgghoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knpmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laeoec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnghhqdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaiffii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbmpmnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npighq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfeoohe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bichcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhdcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgimjmfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpdjbapj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkoaagmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbhlikpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjbjjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlkmlhea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiimejap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpgkcdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnllhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goadfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkpmcddi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioclnblj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcdaehf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malnklgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdflaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqfolqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmomgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpmkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjfnphpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfpcada.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdqph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkkdhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 4708 Aioebj32.exe 2056 Abgjkpll.exe 3548 Aeffgkkp.exe 3868 Alpnde32.exe 3032 Acgfec32.exe 3504 Afeban32.exe 840 Albkieqj.exe 4156 Bblcfo32.exe 4180 Bifkcioc.exe 2656 Bboplo32.exe 4492 Bihhhi32.exe 4532 Blgddd32.exe 4504 Bbalaoda.exe 4736 Bmfqngcg.exe 5012 Bcpika32.exe 628 Bpgjpb32.exe 4448 Bcbeqaia.exe 3100 Bipnihgi.exe 392 Bmkjig32.exe 3468 Cibkohef.exe 4300 Clpgkcdj.exe 2388 Cdgolq32.exe 1608 Cmpcdfll.exe 1604 Cfhhml32.exe 3920 Cmbpjfij.exe 2364 Cpqlfa32.exe 3120 Ciiaogon.exe 3624 Clgmkbna.exe 944 Cdnelpod.exe 4556 Cmgjee32.exe 720 Ddqbbo32.exe 4272 Dfonnk32.exe 1052 Ddcogo32.exe 4312 Dedkogqm.exe 2420 Dmkcpdao.exe 2404 Dbhlikpf.exe 3104 Defheg32.exe 2468 Ddhhbngi.exe 1624 Didqkeeq.exe 3136 Ddjehneg.exe 4864 Dghadidj.exe 3668 Epaemojk.exe 832 Ecoaijio.exe 2260 Eiijfd32.exe 1536 Edoncm32.exe 3776 Emgblc32.exe 648 Edakimoo.exe 1268 Eebgqe32.exe 3220 Emioab32.exe 1764 Ephlnn32.exe 4940 Egbdjhlp.exe 1068 Eippgckc.exe 4676 Edfddl32.exe 1636 Egdqph32.exe 3768 Eibmlc32.exe 3712 Flaiho32.exe 1740 Fdhail32.exe 3664 Fjeibc32.exe 1888 Fcmnkh32.exe 1332 Feljgd32.exe 892 Fdmjdkda.exe 5136 Fjjcmbci.exe 5184 Flhoinbl.exe 5236 Fcbgfhii.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pclafhka.dll Galonj32.exe File created C:\Windows\SysWOW64\Fbofckhp.dll Mglhgg32.exe File created C:\Windows\SysWOW64\Dhpobmqh.dll Hndibn32.exe File created C:\Windows\SysWOW64\Olndnp32.exe Oiphbd32.exe File created C:\Windows\SysWOW64\Klpjgfdg.dll Pdlbpldg.exe File created C:\Windows\SysWOW64\Pmdflo32.dll Ngodlgka.exe File created C:\Windows\SysWOW64\Kcjael32.dll Qkqdnkge.exe File created C:\Windows\SysWOW64\Hnhbbmim.dll Ccdgjm32.exe File opened for modification C:\Windows\SysWOW64\Hqjcgbbo.exe Hjpkjh32.exe File created C:\Windows\SysWOW64\Gcbnjh32.dll Lcealh32.exe File created C:\Windows\SysWOW64\Nmkgdlkh.dll Pjgemi32.exe File created C:\Windows\SysWOW64\Dipnio32.dll Ihlgan32.exe File opened for modification C:\Windows\SysWOW64\Jbpkfa32.exe Jkfcigkm.exe File created C:\Windows\SysWOW64\Mmfaafej.exe Mflidl32.exe File opened for modification C:\Windows\SysWOW64\Hcifmdeo.exe Hdffah32.exe File created C:\Windows\SysWOW64\Aefdge32.dll Jnmglk32.exe File opened for modification C:\Windows\SysWOW64\Kkhidaeo.exe Jekpljgg.exe File created C:\Windows\SysWOW64\Apfemf32.dll Khakqo32.exe File created C:\Windows\SysWOW64\Gobicbgf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Egdqph32.exe Edfddl32.exe File opened for modification C:\Windows\SysWOW64\Khakqo32.exe Kmlgcf32.exe File created C:\Windows\SysWOW64\Ibqaoebi.dll Process not Found File created C:\Windows\SysWOW64\Ciqbmf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mkfnlmkl.exe Mbnjcg32.exe File created C:\Windows\SysWOW64\Cpmcffca.dll Djjobedk.exe File created C:\Windows\SysWOW64\Kjamhd32.exe Kgcqlh32.exe File opened for modification C:\Windows\SysWOW64\Glkkop32.exe Geabbfoc.exe File opened for modification C:\Windows\SysWOW64\Hkjjfkcm.exe Hiinoc32.exe File created C:\Windows\SysWOW64\Qpboqfjk.dll Bckknd32.exe File opened for modification C:\Windows\SysWOW64\Jolodqcp.exe Jhbfgflc.exe File opened for modification C:\Windows\SysWOW64\Odidld32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Alpnde32.exe Aeffgkkp.exe File opened for modification C:\Windows\SysWOW64\Cdnelpod.exe Clgmkbna.exe File created C:\Windows\SysWOW64\Dmccncmj.dll Ndphpk32.exe File created C:\Windows\SysWOW64\Jikojcaa.exe Process not Found File created C:\Windows\SysWOW64\Ailghj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pjlnhi32.exe Pgnblm32.exe File opened for modification C:\Windows\SysWOW64\Cnboma32.exe Cejjdlap.exe File opened for modification C:\Windows\SysWOW64\Bnbeggmi.exe Bgimjmfl.exe File created C:\Windows\SysWOW64\Fnhppa32.exe Ecblbi32.exe File created C:\Windows\SysWOW64\Peqkdjmm.dll Gojnfb32.exe File created C:\Windows\SysWOW64\Chhmjaaq.dll Apqhldjp.exe File created C:\Windows\SysWOW64\Lfaqcclf.exe Lhopgg32.exe File created C:\Windows\SysWOW64\Komoed32.exe Kjqfmn32.exe File created C:\Windows\SysWOW64\Lbikcgbb.dll Mqpcdn32.exe File created C:\Windows\SysWOW64\Ndphpk32.exe Nnfpcada.exe File created C:\Windows\SysWOW64\Abgjkpll.exe Aioebj32.exe File created C:\Windows\SysWOW64\Oegicjdd.dll Imiagi32.exe File created C:\Windows\SysWOW64\Eekcho32.dll Jgbccm32.exe File created C:\Windows\SysWOW64\Onfbpi32.exe Process not Found File created C:\Windows\SysWOW64\Gpgihh32.exe Gnfmapqo.exe File opened for modification C:\Windows\SysWOW64\Impldi32.exe Ikbphn32.exe File created C:\Windows\SysWOW64\Odnngclb.exe Process not Found File created C:\Windows\SysWOW64\Klgnnd32.dll Bndjfjhl.exe File created C:\Windows\SysWOW64\Emgnje32.exe Ejhanj32.exe File created C:\Windows\SysWOW64\Iehkefih.dll Kfcdaehf.exe File opened for modification C:\Windows\SysWOW64\Okkidceh.exe Process not Found File created C:\Windows\SysWOW64\Fphmhm32.dll Gfemmb32.exe File created C:\Windows\SysWOW64\Gohapb32.exe Fhnichde.exe File created C:\Windows\SysWOW64\Peddhb32.exe Process not Found File created C:\Windows\SysWOW64\Dbebgj32.dll Bipnihgi.exe File opened for modification C:\Windows\SysWOW64\Fqfeag32.exe Process not Found File created C:\Windows\SysWOW64\Qfhgbj32.dll Ajjjjghg.exe File created C:\Windows\SysWOW64\Jbofelbi.dll Addahh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13936 13492 Process not Found 1372 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaofedkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iglhob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggllnkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnikmjdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbchp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebokodfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jihngboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnblm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkqnjhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnphag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcomonkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhppa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqhcno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfemmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feella32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icakofel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbenho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cppelkeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbmffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Galonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamjbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknghk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgekdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgllad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedohfmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jookjpam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbeggmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgencf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defheg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcealh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmima32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikejbjip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllmml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihikgod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkdpgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kallod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deokja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpejlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdodo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkkop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdobhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdgjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcakd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfanlpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hommhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpfcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qipjokik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cllkcbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbflm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmmhpgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oahgnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjpld32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effdbcbq.dll" Kccbjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpjjc32.dll" Nffceq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdhdfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaabf32.dll" Kgeiokao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmcod32.dll" Cejjdlap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akipic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhikgob.dll" Didjqoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpejlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liifnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahkkhnpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glpdjpbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplgij32.dll" Gajibq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebpfepo.dll" Kmmmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadbgmaf.dll" Dcpffk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgdcom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agacalbb.dll" Fplnogmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngipjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlqmgaad.dll" Cbiabq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mboqnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpipkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akgcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icakofel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeoqhi32.dll" Omdnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loqjlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clbmfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cblebgfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgfoc32.dll" Efhjjcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiinc32.dll" Paomog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cllkcbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlcaca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqbpjmeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mobbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehienn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggdbmoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecjpfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghqeihbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicbje32.dll" Lmneemaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhcmbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgnblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeonlkj.dll" Beippj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll" Dfonnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kobnji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beaoimie.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epehnhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcknee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Galonj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdjbapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oediim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldbeh32.dll" Bnehgmob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekpnp32.dll" Ekcemmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollpdaom.dll" Feella32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdihfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enpknplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqgjoenq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhbfgflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbalaoda.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3772 wrote to memory of 4708 3772 329bfe84d0fdf5a8b6c063c4af7172c0N.exe 91 PID 3772 wrote to memory of 4708 3772 329bfe84d0fdf5a8b6c063c4af7172c0N.exe 91 PID 3772 wrote to memory of 4708 3772 329bfe84d0fdf5a8b6c063c4af7172c0N.exe 91 PID 4708 wrote to memory of 2056 4708 Aioebj32.exe 92 PID 4708 wrote to memory of 2056 4708 Aioebj32.exe 92 PID 4708 wrote to memory of 2056 4708 Aioebj32.exe 92 PID 2056 wrote to memory of 3548 2056 Abgjkpll.exe 93 PID 2056 wrote to memory of 3548 2056 Abgjkpll.exe 93 PID 2056 wrote to memory of 3548 2056 Abgjkpll.exe 93 PID 3548 wrote to memory of 3868 3548 Aeffgkkp.exe 94 PID 3548 wrote to memory of 3868 3548 Aeffgkkp.exe 94 PID 3548 wrote to memory of 3868 3548 Aeffgkkp.exe 94 PID 3868 wrote to memory of 3032 3868 Alpnde32.exe 95 PID 3868 wrote to memory of 3032 3868 Alpnde32.exe 95 PID 3868 wrote to memory of 3032 3868 Alpnde32.exe 95 PID 3032 wrote to memory of 3504 3032 Acgfec32.exe 96 PID 3032 wrote to memory of 3504 3032 Acgfec32.exe 96 PID 3032 wrote to memory of 3504 3032 Acgfec32.exe 96 PID 3504 wrote to memory of 840 3504 Afeban32.exe 97 PID 3504 wrote to memory of 840 3504 Afeban32.exe 97 PID 3504 wrote to memory of 840 3504 Afeban32.exe 97 PID 840 wrote to memory of 4156 840 Albkieqj.exe 98 PID 840 wrote to memory of 4156 840 Albkieqj.exe 98 PID 840 wrote to memory of 4156 840 Albkieqj.exe 98 PID 4156 wrote to memory of 4180 4156 Bblcfo32.exe 99 PID 4156 wrote to memory of 4180 4156 Bblcfo32.exe 99 PID 4156 wrote to memory of 4180 4156 Bblcfo32.exe 99 PID 4180 wrote to memory of 2656 4180 Bifkcioc.exe 100 PID 4180 wrote to memory of 2656 4180 Bifkcioc.exe 100 PID 4180 wrote to memory of 2656 4180 Bifkcioc.exe 100 PID 2656 wrote to memory of 4492 2656 Bboplo32.exe 101 PID 2656 wrote to memory of 4492 2656 Bboplo32.exe 101 PID 2656 wrote to memory of 4492 2656 Bboplo32.exe 101 PID 4492 wrote to memory of 4532 4492 Bihhhi32.exe 102 PID 4492 wrote to memory of 4532 4492 Bihhhi32.exe 102 PID 4492 wrote to memory of 4532 4492 Bihhhi32.exe 102 PID 4532 wrote to memory of 4504 4532 Blgddd32.exe 103 PID 4532 wrote to memory of 4504 4532 Blgddd32.exe 103 PID 4532 wrote to memory of 4504 4532 Blgddd32.exe 103 PID 4504 wrote to memory of 4736 4504 Bbalaoda.exe 104 PID 4504 wrote to memory of 4736 4504 Bbalaoda.exe 104 PID 4504 wrote to memory of 4736 4504 Bbalaoda.exe 104 PID 4736 wrote to memory of 5012 4736 Bmfqngcg.exe 106 PID 4736 wrote to memory of 5012 4736 Bmfqngcg.exe 106 PID 4736 wrote to memory of 5012 4736 Bmfqngcg.exe 106 PID 5012 wrote to memory of 628 5012 Bcpika32.exe 107 PID 5012 wrote to memory of 628 5012 Bcpika32.exe 107 PID 5012 wrote to memory of 628 5012 Bcpika32.exe 107 PID 628 wrote to memory of 4448 628 Bpgjpb32.exe 109 PID 628 wrote to memory of 4448 628 Bpgjpb32.exe 109 PID 628 wrote to memory of 4448 628 Bpgjpb32.exe 109 PID 4448 wrote to memory of 3100 4448 Bcbeqaia.exe 110 PID 4448 wrote to memory of 3100 4448 Bcbeqaia.exe 110 PID 4448 wrote to memory of 3100 4448 Bcbeqaia.exe 110 PID 3100 wrote to memory of 392 3100 Bipnihgi.exe 111 PID 3100 wrote to memory of 392 3100 Bipnihgi.exe 111 PID 3100 wrote to memory of 392 3100 Bipnihgi.exe 111 PID 392 wrote to memory of 3468 392 Bmkjig32.exe 112 PID 392 wrote to memory of 3468 392 Bmkjig32.exe 112 PID 392 wrote to memory of 3468 392 Bmkjig32.exe 112 PID 3468 wrote to memory of 4300 3468 Cibkohef.exe 113 PID 3468 wrote to memory of 4300 3468 Cibkohef.exe 113 PID 3468 wrote to memory of 4300 3468 Cibkohef.exe 113 PID 4300 wrote to memory of 2388 4300 Clpgkcdj.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\329bfe84d0fdf5a8b6c063c4af7172c0N.exe"C:\Users\Admin\AppData\Local\Temp\329bfe84d0fdf5a8b6c063c4af7172c0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Bmfqngcg.exeC:\Windows\system32\Bmfqngcg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Bipnihgi.exeC:\Windows\system32\Bipnihgi.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Cibkohef.exeC:\Windows\system32\Cibkohef.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe23⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Cmpcdfll.exeC:\Windows\system32\Cmpcdfll.exe24⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Cfhhml32.exeC:\Windows\system32\Cfhhml32.exe25⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe26⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Cpqlfa32.exeC:\Windows\system32\Cpqlfa32.exe27⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe28⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe30⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe31⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe32⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4272 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe34⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe35⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Dmkcpdao.exeC:\Windows\system32\Dmkcpdao.exe36⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3104 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe39⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe40⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe41⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe42⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe43⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe44⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Eiijfd32.exeC:\Windows\system32\Eiijfd32.exe45⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe46⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe47⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe48⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe49⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe50⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe51⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe52⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe53⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe56⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Flaiho32.exeC:\Windows\system32\Flaiho32.exe57⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe58⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Fjeibc32.exeC:\Windows\system32\Fjeibc32.exe59⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe60⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Feljgd32.exeC:\Windows\system32\Feljgd32.exe61⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Fdmjdkda.exeC:\Windows\system32\Fdmjdkda.exe62⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe63⤵
- Executes dropped EXE
PID:5136 -
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe64⤵
- Executes dropped EXE
PID:5184 -
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe65⤵
- Executes dropped EXE
PID:5236 -
C:\Windows\SysWOW64\Ffpcbchm.exeC:\Windows\system32\Ffpcbchm.exe66⤵PID:5276
-
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe67⤵PID:5320
-
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe68⤵PID:5364
-
C:\Windows\SysWOW64\Gcgqag32.exeC:\Windows\system32\Gcgqag32.exe69⤵PID:5404
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe71⤵PID:5496
-
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe72⤵PID:5536
-
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe73⤵PID:5580
-
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe74⤵PID:5632
-
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe75⤵PID:5676
-
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe76⤵PID:5720
-
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe77⤵PID:5760
-
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe78⤵PID:5804
-
C:\Windows\SysWOW64\Hnhdjn32.exeC:\Windows\system32\Hnhdjn32.exe79⤵PID:5848
-
C:\Windows\SysWOW64\Hfcinq32.exeC:\Windows\system32\Hfcinq32.exe80⤵PID:5892
-
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe81⤵PID:5932
-
C:\Windows\SysWOW64\Hfefdpfe.exeC:\Windows\system32\Hfefdpfe.exe82⤵PID:5976
-
C:\Windows\SysWOW64\Hdffah32.exeC:\Windows\system32\Hdffah32.exe83⤵
- Drops file in System32 directory
PID:6020 -
C:\Windows\SysWOW64\Hcifmdeo.exeC:\Windows\system32\Hcifmdeo.exe84⤵PID:6064
-
C:\Windows\SysWOW64\Hjcojo32.exeC:\Windows\system32\Hjcojo32.exe85⤵PID:6120
-
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe86⤵PID:5152
-
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe87⤵PID:5228
-
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe88⤵PID:5316
-
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe89⤵
- System Location Discovery: System Language Discovery
PID:5372 -
C:\Windows\SysWOW64\Ifoijonj.exeC:\Windows\system32\Ifoijonj.exe90⤵PID:5432
-
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe91⤵PID:5508
-
C:\Windows\SysWOW64\Imiagi32.exeC:\Windows\system32\Imiagi32.exe92⤵
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe93⤵PID:5640
-
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe94⤵PID:5716
-
C:\Windows\SysWOW64\Inhmqlmj.exeC:\Windows\system32\Inhmqlmj.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe96⤵PID:5844
-
C:\Windows\SysWOW64\Icefib32.exeC:\Windows\system32\Icefib32.exe97⤵PID:5920
-
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe98⤵PID:5988
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe99⤵PID:6072
-
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe100⤵PID:5144
-
C:\Windows\SysWOW64\Jffokn32.exeC:\Windows\system32\Jffokn32.exe101⤵PID:5232
-
C:\Windows\SysWOW64\Jnmglk32.exeC:\Windows\system32\Jnmglk32.exe102⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe104⤵PID:5744
-
C:\Windows\SysWOW64\Jgekdq32.exeC:\Windows\system32\Jgekdq32.exe105⤵
- System Location Discovery: System Language Discovery
PID:5860 -
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe106⤵PID:5968
-
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe107⤵PID:6128
-
C:\Windows\SysWOW64\Jnapgjdo.exeC:\Windows\system32\Jnapgjdo.exe108⤵PID:5356
-
C:\Windows\SysWOW64\Jgjeppkp.exeC:\Windows\system32\Jgjeppkp.exe109⤵PID:5592
-
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe110⤵PID:5728
-
C:\Windows\SysWOW64\Jmgmhgig.exeC:\Windows\system32\Jmgmhgig.exe111⤵PID:5964
-
C:\Windows\SysWOW64\Jjknakhq.exeC:\Windows\system32\Jjknakhq.exe112⤵PID:6132
-
C:\Windows\SysWOW64\Kccbjq32.exeC:\Windows\system32\Kccbjq32.exe113⤵
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe114⤵
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Khakqo32.exeC:\Windows\system32\Khakqo32.exe115⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Knkcmild.exeC:\Windows\system32\Knkcmild.exe116⤵PID:5824
-
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe117⤵PID:5712
-
C:\Windows\SysWOW64\Kallod32.exeC:\Windows\system32\Kallod32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5796 -
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe119⤵PID:6012
-
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6184 -
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe121⤵PID:6236
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-