Analysis
-
max time kernel
108s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 15:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c3e83f7923339065c6ac7f5edea283b0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c3e83f7923339065c6ac7f5edea283b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c3e83f7923339065c6ac7f5edea283b0N.exe
-
Size
90KB
-
MD5
c3e83f7923339065c6ac7f5edea283b0
-
SHA1
e070c86a379d274e10f4eb2f2310a6774e0e4176
-
SHA256
2b13210835caff27247c6683fe5deea26ccc74291635565e0ccb4c54e89cc139
-
SHA512
06f4044af7bac352108f961f38f1862d02384ed1780097f08b4086614288f294b4d46636e7604d1a12ccaaed95c13d6476dd3fac1f035200693c590283e2e5ee
-
SSDEEP
1536:IZj8R2CjRnT85pn+9lP3mm5Bo+5UufhtYXYQxC9UG/u/Ub0VkVNK:IpCVi1+5BozRXNC9UG/u/Ub0+NK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diffglam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfmcfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neclenfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhpbfpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcaofebg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cijpahho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlimd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnkhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oogpjbbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knqepc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llmhaold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclang32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkgnfhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkekn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckfphc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehgnied.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceddf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edjgfcec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkdhjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmmbbejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peahgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfglfdkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglhld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckiihok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklomh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmpiiai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlnipg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opcqnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgpgng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Higjaoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iciaqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bajqda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amhfkopc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgndoeag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knenkbio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpbfii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdjehhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdckaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dannij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Falcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgelek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iddljmpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjimhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnmkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkceokii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfpinmi.exe -
Executes dropped EXE 64 IoCs
pid Process 4624 Hnfamjqg.exe 4512 Hdpiid32.exe 2808 Hkjafn32.exe 2144 Hninbj32.exe 2852 Hdbfodfa.exe 4740 Hkmnln32.exe 3208 Inkjhi32.exe 1464 Idebdcdo.exe 3936 Igcoqocb.exe 4776 Iokgal32.exe 1644 Ifdonfka.exe 2056 Iickkbje.exe 4820 Iomcgl32.exe 1348 Ibkpcg32.exe 852 Ighhln32.exe 4636 Inbqhhfj.exe 960 Ieliebnf.exe 3416 Ikfabm32.exe 1932 Ifleoe32.exe 4020 Iijaka32.exe 3552 Jkhngl32.exe 3108 Jngjch32.exe 2252 Jfnbdecg.exe 4436 Jilnqqbj.exe 1564 Jgonlm32.exe 1028 Joffnk32.exe 1048 Jecofa32.exe 1160 Jieagojp.exe 3020 Kppici32.exe 1312 Kelalp32.exe 3704 Kgknhl32.exe 4508 Kpbfii32.exe 3468 Kflnfcgg.exe 2308 Keonap32.exe 4844 Khmknk32.exe 2200 Kpdboimg.exe 3436 Kngcje32.exe 3832 Keakgpko.exe 5072 Khpgckkb.exe 1728 Klkcdj32.exe 1168 Kbekqdjh.exe 1216 Kechmoil.exe 4188 Kiodmn32.exe 764 Klmpiiai.exe 2484 Knlleepl.exe 376 Kefdbo32.exe 4384 Lhdqnj32.exe 2500 Lpkiph32.exe 3500 Lbjelc32.exe 4540 Lfealaol.exe 944 Llbidimc.exe 4768 Lpneegel.exe 3952 Lblaabdp.exe 1500 Lifjnm32.exe 4456 Lhijijbg.exe 1420 Lppbkgcj.exe 4800 Lbnngbbn.exe 4616 Lemkcnaa.exe 696 Llgcph32.exe 1328 Lpbopfag.exe 1376 Lbqklb32.exe 5008 Leoghn32.exe 1484 Lhncdi32.exe 4912 Lpekef32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pgkelj32.exe Podmkm32.exe File opened for modification C:\Windows\SysWOW64\Akamff32.exe Ajpqnneo.exe File created C:\Windows\SysWOW64\Fikbocki.exe Ffmfchle.exe File opened for modification C:\Windows\SysWOW64\Igfclkdj.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Ifenan32.dll Jjpode32.exe File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe Nglhld32.exe File created C:\Windows\SysWOW64\Cippgm32.exe Cjmpkqqj.exe File opened for modification C:\Windows\SysWOW64\Djklmo32.exe Dpehof32.exe File created C:\Windows\SysWOW64\Nonlon32.dll Nacmdf32.exe File created C:\Windows\SysWOW64\Adnipccc.dll Gbabigfj.exe File opened for modification C:\Windows\SysWOW64\Pahilmoc.exe Plkpcfal.exe File created C:\Windows\SysWOW64\Jhkbjd32.dll Eiloco32.exe File created C:\Windows\SysWOW64\Lnangaoa.exe Ljeafb32.exe File created C:\Windows\SysWOW64\Kohmng32.dll Oohnonij.exe File created C:\Windows\SysWOW64\Opeemh32.dll Ehcfaboo.exe File created C:\Windows\SysWOW64\Legokici.dll Nlfelogp.exe File created C:\Windows\SysWOW64\Qcaofebg.exe Qkjgegae.exe File created C:\Windows\SysWOW64\Qgfcle32.dll Bmlilh32.exe File opened for modification C:\Windows\SysWOW64\Hkpqkcpd.exe Hloqml32.exe File created C:\Windows\SysWOW64\Cocopa32.dll Eppjfgcp.exe File opened for modification C:\Windows\SysWOW64\Apodoq32.exe Apmhiq32.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Bhkfkmmg.exe File opened for modification C:\Windows\SysWOW64\Mehjol32.exe Mbjnbqhp.exe File opened for modification C:\Windows\SysWOW64\Cmfclm32.exe Cflkpblf.exe File opened for modification C:\Windows\SysWOW64\Nelfeo32.exe Napjdpcn.exe File created C:\Windows\SysWOW64\Pnpkdp32.dll Ocaebc32.exe File created C:\Windows\SysWOW64\Mnfnlf32.exe Mjkblhfo.exe File opened for modification C:\Windows\SysWOW64\Dfglfdkb.exe Domdjj32.exe File created C:\Windows\SysWOW64\Nmqmbmdf.dll Fihnomjp.exe File created C:\Windows\SysWOW64\Pgpecj32.dll Kjgeedch.exe File created C:\Windows\SysWOW64\Jngjch32.exe Jkhngl32.exe File created C:\Windows\SysWOW64\Nhbfff32.exe Nedjjj32.exe File created C:\Windows\SysWOW64\Cidjbmcp.exe Cffmfadl.exe File created C:\Windows\SysWOW64\Dikpbl32.exe Djhpgofm.exe File created C:\Windows\SysWOW64\Omlokmha.dll Fmnkkg32.exe File created C:\Windows\SysWOW64\Bildbk32.dll Gkiaej32.exe File created C:\Windows\SysWOW64\Dpildobq.dll Ohkbbn32.exe File created C:\Windows\SysWOW64\Gpecbk32.exe Gmggfp32.exe File opened for modification C:\Windows\SysWOW64\Pehngkcg.exe Pmaffnce.exe File created C:\Windows\SysWOW64\Aknhkd32.dll Fnnjmbpm.exe File created C:\Windows\SysWOW64\Kgffoo32.dll Ieidhh32.exe File created C:\Windows\SysWOW64\Gaagdbfm.dll Ocohmc32.exe File created C:\Windows\SysWOW64\Phfcipoo.exe Palklf32.exe File created C:\Windows\SysWOW64\Eehnaq32.dll Bajqda32.exe File created C:\Windows\SysWOW64\Ecefqnel.exe Eiobceef.exe File created C:\Windows\SysWOW64\Hgmgqc32.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Hplbickp.exe Hlpfhe32.exe File opened for modification C:\Windows\SysWOW64\Lijlof32.exe Leopnglc.exe File created C:\Windows\SysWOW64\Dcpmen32.exe Djhimica.exe File opened for modification C:\Windows\SysWOW64\Eplgeokq.exe Eiaoid32.exe File created C:\Windows\SysWOW64\Ldgccb32.exe Lnmkfh32.exe File created C:\Windows\SysWOW64\Lfcpgb32.dll Jiglnf32.exe File created C:\Windows\SysWOW64\Bkncfepb.dll Mcpcdg32.exe File opened for modification C:\Windows\SysWOW64\Npepkf32.exe Nqbpojnp.exe File created C:\Windows\SysWOW64\Mehjol32.exe Mbjnbqhp.exe File created C:\Windows\SysWOW64\Ncfmno32.exe Npgabc32.exe File opened for modification C:\Windows\SysWOW64\Qfbobf32.exe Qoifflkg.exe File created C:\Windows\SysWOW64\Bcahmb32.exe Boflmdkk.exe File created C:\Windows\SysWOW64\Qikoka32.dll Glkmmefl.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Lpfgmnfp.exe File created C:\Windows\SysWOW64\Ifdonfka.exe Iokgal32.exe File created C:\Windows\SysWOW64\Lpbopfag.exe Llgcph32.exe File created C:\Windows\SysWOW64\Gphqhffa.dll Oocddono.exe File created C:\Windows\SysWOW64\Opakdijo.dll Ophjiaql.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6820 4936 WerFault.exe 1060 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidqko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjomap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokdnjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhgjaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcghch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpekef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqqlgem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgamnded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mekgdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfamapjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecjif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgknhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmlkhofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihipdhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjimhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccchof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkjgegae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panhbfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcihgaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpiid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijnep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iddljmpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihaoqlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghhhcomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhikacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loighj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhncdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbfpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepjhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doaneiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leadnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neffpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqikmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqegecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbenmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheplb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkmmefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplkpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkffkhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokgal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbqhhfj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakoidm.dll" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpmapodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inbqhhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdkaadn.dll" Ckpbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmcpd32.dll" Plkpcfal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphppfgi.dll" Kbpkkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbpdblmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifba32.dll" Poomegpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kngcje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpneegel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbchba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icgcab32.dll" Bmkcqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll" Lcimdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjjkaabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inkjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmgghbe.dll" Hjlkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njoddaaj.dll" Cjnffjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpkibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll" Gfhndpol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkgeainn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hajpbckl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklcfhik.dll" Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmfklog.dll" Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inbhocbm.dll" Bcfahbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmflbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bajqda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cippgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fggocmhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddchh32.dll" Lgkpdcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemnff32.dll" Jgpfbjlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adfgdpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lppbkgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhebonp.dll" Qfbobf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lihpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnjmc32.dll" Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgbikfp.dll" Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll" Pccahbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liijiqcd.dll" Kbekqdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iglhgnlj.dll" Oohgdhfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqfngd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bblnindg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll" Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbbnpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehcfaboo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbbcjfp.dll" Olicnfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akepfpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hminmc32.dll" Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfcle32.dll" Bmlilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cijpahho.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4440 wrote to memory of 4624 4440 c3e83f7923339065c6ac7f5edea283b0N.exe 84 PID 4440 wrote to memory of 4624 4440 c3e83f7923339065c6ac7f5edea283b0N.exe 84 PID 4440 wrote to memory of 4624 4440 c3e83f7923339065c6ac7f5edea283b0N.exe 84 PID 4624 wrote to memory of 4512 4624 Hnfamjqg.exe 85 PID 4624 wrote to memory of 4512 4624 Hnfamjqg.exe 85 PID 4624 wrote to memory of 4512 4624 Hnfamjqg.exe 85 PID 4512 wrote to memory of 2808 4512 Hdpiid32.exe 86 PID 4512 wrote to memory of 2808 4512 Hdpiid32.exe 86 PID 4512 wrote to memory of 2808 4512 Hdpiid32.exe 86 PID 2808 wrote to memory of 2144 2808 Hkjafn32.exe 87 PID 2808 wrote to memory of 2144 2808 Hkjafn32.exe 87 PID 2808 wrote to memory of 2144 2808 Hkjafn32.exe 87 PID 2144 wrote to memory of 2852 2144 Hninbj32.exe 88 PID 2144 wrote to memory of 2852 2144 Hninbj32.exe 88 PID 2144 wrote to memory of 2852 2144 Hninbj32.exe 88 PID 2852 wrote to memory of 4740 2852 Hdbfodfa.exe 89 PID 2852 wrote to memory of 4740 2852 Hdbfodfa.exe 89 PID 2852 wrote to memory of 4740 2852 Hdbfodfa.exe 89 PID 4740 wrote to memory of 3208 4740 Hkmnln32.exe 91 PID 4740 wrote to memory of 3208 4740 Hkmnln32.exe 91 PID 4740 wrote to memory of 3208 4740 Hkmnln32.exe 91 PID 3208 wrote to memory of 1464 3208 Inkjhi32.exe 92 PID 3208 wrote to memory of 1464 3208 Inkjhi32.exe 92 PID 3208 wrote to memory of 1464 3208 Inkjhi32.exe 92 PID 1464 wrote to memory of 3936 1464 Idebdcdo.exe 93 PID 1464 wrote to memory of 3936 1464 Idebdcdo.exe 93 PID 1464 wrote to memory of 3936 1464 Idebdcdo.exe 93 PID 3936 wrote to memory of 4776 3936 Igcoqocb.exe 94 PID 3936 wrote to memory of 4776 3936 Igcoqocb.exe 94 PID 3936 wrote to memory of 4776 3936 Igcoqocb.exe 94 PID 4776 wrote to memory of 1644 4776 Iokgal32.exe 95 PID 4776 wrote to memory of 1644 4776 Iokgal32.exe 95 PID 4776 wrote to memory of 1644 4776 Iokgal32.exe 95 PID 1644 wrote to memory of 2056 1644 Ifdonfka.exe 96 PID 1644 wrote to memory of 2056 1644 Ifdonfka.exe 96 PID 1644 wrote to memory of 2056 1644 Ifdonfka.exe 96 PID 2056 wrote to memory of 4820 2056 Iickkbje.exe 97 PID 2056 wrote to memory of 4820 2056 Iickkbje.exe 97 PID 2056 wrote to memory of 4820 2056 Iickkbje.exe 97 PID 4820 wrote to memory of 1348 4820 Iomcgl32.exe 99 PID 4820 wrote to memory of 1348 4820 Iomcgl32.exe 99 PID 4820 wrote to memory of 1348 4820 Iomcgl32.exe 99 PID 1348 wrote to memory of 852 1348 Ibkpcg32.exe 100 PID 1348 wrote to memory of 852 1348 Ibkpcg32.exe 100 PID 1348 wrote to memory of 852 1348 Ibkpcg32.exe 100 PID 852 wrote to memory of 4636 852 Ighhln32.exe 101 PID 852 wrote to memory of 4636 852 Ighhln32.exe 101 PID 852 wrote to memory of 4636 852 Ighhln32.exe 101 PID 4636 wrote to memory of 960 4636 Inbqhhfj.exe 102 PID 4636 wrote to memory of 960 4636 Inbqhhfj.exe 102 PID 4636 wrote to memory of 960 4636 Inbqhhfj.exe 102 PID 960 wrote to memory of 3416 960 Ieliebnf.exe 103 PID 960 wrote to memory of 3416 960 Ieliebnf.exe 103 PID 960 wrote to memory of 3416 960 Ieliebnf.exe 103 PID 3416 wrote to memory of 1932 3416 Ikfabm32.exe 104 PID 3416 wrote to memory of 1932 3416 Ikfabm32.exe 104 PID 3416 wrote to memory of 1932 3416 Ikfabm32.exe 104 PID 1932 wrote to memory of 4020 1932 Ifleoe32.exe 105 PID 1932 wrote to memory of 4020 1932 Ifleoe32.exe 105 PID 1932 wrote to memory of 4020 1932 Ifleoe32.exe 105 PID 4020 wrote to memory of 3552 4020 Iijaka32.exe 106 PID 4020 wrote to memory of 3552 4020 Iijaka32.exe 106 PID 4020 wrote to memory of 3552 4020 Iijaka32.exe 106 PID 3552 wrote to memory of 3108 3552 Jkhngl32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3e83f7923339065c6ac7f5edea283b0N.exe"C:\Users\Admin\AppData\Local\Temp\c3e83f7923339065c6ac7f5edea283b0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe23⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe24⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe25⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe26⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe27⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe28⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe29⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe30⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe31⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3704 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe34⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe35⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe36⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe37⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3436 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe39⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe40⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe41⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe43⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe44⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe46⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe47⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe48⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe49⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe50⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe51⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe52⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4768 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe54⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe55⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe56⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe58⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe59⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe62⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe63⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4912 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe66⤵
- Modifies registry class
PID:3148 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe68⤵PID:3256
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe69⤵PID:832
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe70⤵PID:2508
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe71⤵PID:5036
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe73⤵PID:4068
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe75⤵
- Drops file in System32 directory
PID:3156 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe76⤵PID:5096
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe77⤵PID:2780
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe78⤵PID:1948
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe80⤵PID:4868
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe81⤵PID:3440
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe82⤵PID:4936
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe83⤵PID:724
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe84⤵PID:3636
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe85⤵PID:4336
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe86⤵PID:4124
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe87⤵PID:2784
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe88⤵PID:4828
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe89⤵PID:3524
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe90⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe91⤵PID:1016
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3804 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe93⤵PID:4008
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe94⤵PID:5128
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe95⤵PID:5172
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe96⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe97⤵PID:5268
-
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe98⤵PID:5312
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe99⤵PID:5356
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe100⤵PID:5400
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe101⤵PID:5444
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe102⤵PID:5492
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe103⤵PID:5544
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe104⤵PID:5580
-
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe105⤵PID:5656
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe106⤵PID:5716
-
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe107⤵PID:5768
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe108⤵
- Drops file in System32 directory
PID:5816 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe109⤵PID:5880
-
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe110⤵PID:5940
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe113⤵PID:6112
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe114⤵PID:5136
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe115⤵PID:5204
-
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe116⤵PID:5308
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe117⤵PID:5364
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe118⤵
- Drops file in System32 directory
PID:5428 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe119⤵PID:5532
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe120⤵PID:5640
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe121⤵
- Drops file in System32 directory
PID:5752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-