Analysis
-
max time kernel
105s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 17:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aa72138756117d9fbf3b8f774661dad0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
aa72138756117d9fbf3b8f774661dad0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
aa72138756117d9fbf3b8f774661dad0N.exe
-
Size
64KB
-
MD5
aa72138756117d9fbf3b8f774661dad0
-
SHA1
71d6def0bf934741176f31820a0a54c312bac7de
-
SHA256
93d873800a60d4d8ebf0f7f72cbdce0b6ee851e4ef3ab56d22148459a5842dbe
-
SHA512
acf28d131fa5fe0351347f38002c4d4818a39e591b28e6d71a9c90ba2fc55d9a805528ddc203b8bce1278d8da35c25d560f053f43ae0766ae7664bcb83263b0f
-
SSDEEP
1536:iaINuQ/4eelSdx//KTczcrwcldPLV1iL+iALMH6:Ba4emQxXtziTLV1iL+9Ma
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiphjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lncjlq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllhpkfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcepkfld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kefiopki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbcgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfheo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhphmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjngh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolgijpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmhijd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplmliko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqqdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmkiclm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndflak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhnbhok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmioc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgccinoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkblhfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonlfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidabppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompfej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnoqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgmmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojefobm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfaapbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifnhpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkogiikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lggejg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ennqfenp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdapehop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lepleocn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnmjjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pakllc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enbjad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejeiocj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abcgjg32.exe -
Executes dropped EXE 64 IoCs
pid Process 4008 Hglaej32.exe 1620 Hjjnae32.exe 4540 Hnfjbdmk.exe 4200 Hpdfnolo.exe 880 Hgnoki32.exe 5044 Hjlkge32.exe 4480 Hacbhb32.exe 1792 Idbodn32.exe 412 Igqkqiai.exe 5004 Injcmc32.exe 3740 Iqipio32.exe 2380 Igchfiof.exe 4792 Ijadbdoj.exe 4916 Iqklon32.exe 3096 Idghpmnp.exe 4280 Ijcahd32.exe 1048 Iakiia32.exe 1520 Ihdafkdg.exe 4980 Ikcmbfcj.exe 3416 Iqpfjnba.exe 3324 Idkbkl32.exe 4336 Igjngh32.exe 3224 Ijhjcchb.exe 1984 Iqbbpm32.exe 2688 Jhijqj32.exe 3700 Jglklggl.exe 3192 Jjjghcfp.exe 4088 Jbaojpgb.exe 1764 Jdpkflfe.exe 3180 Jgogbgei.exe 3284 Jjmcnbdm.exe 5024 Jqglkmlj.exe 1996 Jgadgf32.exe 3636 Jjopcb32.exe 4852 Jbfheo32.exe 4292 Jgcamf32.exe 2968 Jjamia32.exe 3780 Jqlefl32.exe 4196 Jibmgi32.exe 1752 Jkaicd32.exe 1552 Jnpfop32.exe 2316 Kdinljnk.exe 3276 Kghjhemo.exe 620 Kjffdalb.exe 3264 Kbmoen32.exe 3860 Kelkaj32.exe 1192 Kgjgne32.exe 2392 Kjhcjq32.exe 1076 Kbpkkn32.exe 4112 Kenggi32.exe 3712 Kgmcce32.exe 3460 Kjkpoq32.exe 740 Kbbhqn32.exe 4384 Keqdmihc.exe 3124 Kkjlic32.exe 1472 Kniieo32.exe 2880 Kecabifp.exe 4064 Kinmcg32.exe 3928 Kkmioc32.exe 1000 Lbgalmej.exe 5008 Leenhhdn.exe 2184 Lgcjdd32.exe 2992 Lnnbqnjn.exe 636 Legjmh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Emphocjj.exe File created C:\Windows\SysWOW64\Jihiic32.dll Nopfpgip.exe File created C:\Windows\SysWOW64\Bogkmgba.exe Bgpcliao.exe File created C:\Windows\SysWOW64\Gbpedjnb.exe Gpaihooo.exe File created C:\Windows\SysWOW64\Iocmhlca.dll Bpcgpihi.exe File created C:\Windows\SysWOW64\Pcepkfld.exe Pkogiikb.exe File created C:\Windows\SysWOW64\Codhnb32.exe Cijpahho.exe File created C:\Windows\SysWOW64\Kamhmbej.dll Dpdaepai.exe File opened for modification C:\Windows\SysWOW64\Cocacl32.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Fqgedh32.exe Fniihmpf.exe File created C:\Windows\SysWOW64\Cnnnfkal.dll Ggfglb32.exe File created C:\Windows\SysWOW64\Cobhcgin.dll Mjneln32.exe File opened for modification C:\Windows\SysWOW64\Nlfelogp.exe Nihipdhl.exe File opened for modification C:\Windows\SysWOW64\Dfjpfj32.exe Dpphjp32.exe File created C:\Windows\SysWOW64\Kjbhgf32.dll Fbcfhibj.exe File created C:\Windows\SysWOW64\Gmigpf32.dll Qhkdof32.exe File created C:\Windows\SysWOW64\Bdimkqnb.dll Jpaekqhh.exe File opened for modification C:\Windows\SysWOW64\Edplhjhi.exe Ebaplnie.exe File opened for modification C:\Windows\SysWOW64\Eqgmmk32.exe Eoepebho.exe File opened for modification C:\Windows\SysWOW64\Idbodn32.exe Hacbhb32.exe File opened for modification C:\Windows\SysWOW64\Nfqnbjfi.exe Ncbafoge.exe File created C:\Windows\SysWOW64\Jfdnfdoa.dll Nhahaiec.exe File opened for modification C:\Windows\SysWOW64\Cbpajgmf.exe Coadnlnb.exe File opened for modification C:\Windows\SysWOW64\Lgpoihnl.exe Lpfgmnfp.exe File created C:\Windows\SysWOW64\Phonha32.exe Paeelgnj.exe File opened for modification C:\Windows\SysWOW64\Dcffnbee.exe Dphiaffa.exe File opened for modification C:\Windows\SysWOW64\Hdhedh32.exe Hmnmgnoh.exe File created C:\Windows\SysWOW64\Dkahilkl.exe Dbicpfdk.exe File created C:\Windows\SysWOW64\Jflbhhom.dll Fiaael32.exe File created C:\Windows\SysWOW64\Lbmolo32.dll Lqojclne.exe File created C:\Windows\SysWOW64\Njhgbp32.exe Ngjkfd32.exe File created C:\Windows\SysWOW64\Pfoann32.exe Ocaebc32.exe File created C:\Windows\SysWOW64\Ebjjgd32.dll Dnonkq32.exe File opened for modification C:\Windows\SysWOW64\Dggbcf32.exe Dqnjgl32.exe File created C:\Windows\SysWOW64\Cjliajmo.exe Cfqmpl32.exe File created C:\Windows\SysWOW64\Kebkgjkg.dll Nofefp32.exe File opened for modification C:\Windows\SysWOW64\Jaajhb32.exe Jhifomdj.exe File opened for modification C:\Windows\SysWOW64\Gemkelcd.exe Gncchb32.exe File opened for modification C:\Windows\SysWOW64\Jcfggkac.exe Jllokajf.exe File created C:\Windows\SysWOW64\Badjai32.dll Foapaa32.exe File created C:\Windows\SysWOW64\Bfolacnc.exe Bdapehop.exe File opened for modification C:\Windows\SysWOW64\Ahpmjejp.exe Aafemk32.exe File opened for modification C:\Windows\SysWOW64\Codhnb32.exe Cijpahho.exe File created C:\Windows\SysWOW64\Najmjokc.exe Nmnqjp32.exe File created C:\Windows\SysWOW64\Chqogq32.exe Cbfgkffn.exe File created C:\Windows\SysWOW64\Oqoefand.exe Oihmedma.exe File created C:\Windows\SysWOW64\Bcahmb32.exe Bkkple32.exe File opened for modification C:\Windows\SysWOW64\Bokehc32.exe Bmlilh32.exe File created C:\Windows\SysWOW64\Cfigpm32.exe Bckkca32.exe File opened for modification C:\Windows\SysWOW64\Odalmibl.exe Oacoqnci.exe File created C:\Windows\SysWOW64\Qoelkp32.exe Qhkdof32.exe File opened for modification C:\Windows\SysWOW64\Hmkigh32.exe Hedafk32.exe File created C:\Windows\SysWOW64\Bhqndghj.dll Cpmapodj.exe File created C:\Windows\SysWOW64\Kiphjo32.exe Kedlip32.exe File opened for modification C:\Windows\SysWOW64\Lhmmjbkf.exe Leopnglc.exe File created C:\Windows\SysWOW64\Njonjm32.dll Ajaelc32.exe File created C:\Windows\SysWOW64\Fegbnohh.dll Llcghg32.exe File created C:\Windows\SysWOW64\Plejdkmm.exe Pifnhpmi.exe File created C:\Windows\SysWOW64\Bmlilh32.exe Bjnmpl32.exe File created C:\Windows\SysWOW64\Onpjichj.exe Ojdnid32.exe File created C:\Windows\SysWOW64\Pbegml32.dll Hifcgion.exe File created C:\Windows\SysWOW64\Jgmjmjnb.exe Jofalmmp.exe File opened for modification C:\Windows\SysWOW64\Lggejg32.exe Lopmii32.exe File opened for modification C:\Windows\SysWOW64\Enkmfolf.exe Eklajcmc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7104 6448 WerFault.exe 1113 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoelkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmqdemc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfiokmkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcceg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diccgfpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqfngd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiopca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiphjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbjkngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhnojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjdikqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaplqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkqjmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbekii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdihbgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpedjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekjcaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klggli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emphocjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikbocki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbcfhibj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daeifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipihpkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajaelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqlfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfcipoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncjlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdemd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejqldci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idahjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjichj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaqhjggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmmboed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkkaiphj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgffic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akamff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkggfkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdcld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfbbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknqoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnphoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfendmoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dikihe32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll" Hbohpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgphpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfgdpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klndfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcigeooj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akepfpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkdoago.dll" Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbcfhibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnedaem.dll" Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjelhg32.dll" Gpecbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phfjcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaimehd.dll" Bckkca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qejpnh32.dll" Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll" Biklho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daeifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocgnlha.dll" Pkgcea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpchib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnibokbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll" Nfqnbjfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll" Bgdemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfcnkn32.dll" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijagjini.dll" Elgaeolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfgdpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfgbfdm.dll" Fdlkdhnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feenjgfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbalagn.dll" Igchfiof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibeebbj.dll" Kjffdalb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddipic32.dll" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljqhkckn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjmekgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klobfk32.dll" Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnbcgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpeiie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbjddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll" Bdcmkgmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhiofap.dll" Jgadgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldqfd32.dll" Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcnfohmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbpedjnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apggckbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebcnn32.dll" Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbdnie.dll" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfkfcja.dll" Plndcl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1884 wrote to memory of 4008 1884 aa72138756117d9fbf3b8f774661dad0N.exe 84 PID 1884 wrote to memory of 4008 1884 aa72138756117d9fbf3b8f774661dad0N.exe 84 PID 1884 wrote to memory of 4008 1884 aa72138756117d9fbf3b8f774661dad0N.exe 84 PID 4008 wrote to memory of 1620 4008 Hglaej32.exe 85 PID 4008 wrote to memory of 1620 4008 Hglaej32.exe 85 PID 4008 wrote to memory of 1620 4008 Hglaej32.exe 85 PID 1620 wrote to memory of 4540 1620 Hjjnae32.exe 86 PID 1620 wrote to memory of 4540 1620 Hjjnae32.exe 86 PID 1620 wrote to memory of 4540 1620 Hjjnae32.exe 86 PID 4540 wrote to memory of 4200 4540 Hnfjbdmk.exe 87 PID 4540 wrote to memory of 4200 4540 Hnfjbdmk.exe 87 PID 4540 wrote to memory of 4200 4540 Hnfjbdmk.exe 87 PID 4200 wrote to memory of 880 4200 Hpdfnolo.exe 88 PID 4200 wrote to memory of 880 4200 Hpdfnolo.exe 88 PID 4200 wrote to memory of 880 4200 Hpdfnolo.exe 88 PID 880 wrote to memory of 5044 880 Hgnoki32.exe 89 PID 880 wrote to memory of 5044 880 Hgnoki32.exe 89 PID 880 wrote to memory of 5044 880 Hgnoki32.exe 89 PID 5044 wrote to memory of 4480 5044 Hjlkge32.exe 90 PID 5044 wrote to memory of 4480 5044 Hjlkge32.exe 90 PID 5044 wrote to memory of 4480 5044 Hjlkge32.exe 90 PID 4480 wrote to memory of 1792 4480 Hacbhb32.exe 91 PID 4480 wrote to memory of 1792 4480 Hacbhb32.exe 91 PID 4480 wrote to memory of 1792 4480 Hacbhb32.exe 91 PID 1792 wrote to memory of 412 1792 Idbodn32.exe 92 PID 1792 wrote to memory of 412 1792 Idbodn32.exe 92 PID 1792 wrote to memory of 412 1792 Idbodn32.exe 92 PID 412 wrote to memory of 5004 412 Igqkqiai.exe 93 PID 412 wrote to memory of 5004 412 Igqkqiai.exe 93 PID 412 wrote to memory of 5004 412 Igqkqiai.exe 93 PID 5004 wrote to memory of 3740 5004 Injcmc32.exe 95 PID 5004 wrote to memory of 3740 5004 Injcmc32.exe 95 PID 5004 wrote to memory of 3740 5004 Injcmc32.exe 95 PID 3740 wrote to memory of 2380 3740 Iqipio32.exe 96 PID 3740 wrote to memory of 2380 3740 Iqipio32.exe 96 PID 3740 wrote to memory of 2380 3740 Iqipio32.exe 96 PID 2380 wrote to memory of 4792 2380 Igchfiof.exe 97 PID 2380 wrote to memory of 4792 2380 Igchfiof.exe 97 PID 2380 wrote to memory of 4792 2380 Igchfiof.exe 97 PID 4792 wrote to memory of 4916 4792 Ijadbdoj.exe 98 PID 4792 wrote to memory of 4916 4792 Ijadbdoj.exe 98 PID 4792 wrote to memory of 4916 4792 Ijadbdoj.exe 98 PID 4916 wrote to memory of 3096 4916 Iqklon32.exe 99 PID 4916 wrote to memory of 3096 4916 Iqklon32.exe 99 PID 4916 wrote to memory of 3096 4916 Iqklon32.exe 99 PID 3096 wrote to memory of 4280 3096 Idghpmnp.exe 100 PID 3096 wrote to memory of 4280 3096 Idghpmnp.exe 100 PID 3096 wrote to memory of 4280 3096 Idghpmnp.exe 100 PID 4280 wrote to memory of 1048 4280 Ijcahd32.exe 101 PID 4280 wrote to memory of 1048 4280 Ijcahd32.exe 101 PID 4280 wrote to memory of 1048 4280 Ijcahd32.exe 101 PID 1048 wrote to memory of 1520 1048 Iakiia32.exe 102 PID 1048 wrote to memory of 1520 1048 Iakiia32.exe 102 PID 1048 wrote to memory of 1520 1048 Iakiia32.exe 102 PID 1520 wrote to memory of 4980 1520 Ihdafkdg.exe 103 PID 1520 wrote to memory of 4980 1520 Ihdafkdg.exe 103 PID 1520 wrote to memory of 4980 1520 Ihdafkdg.exe 103 PID 4980 wrote to memory of 3416 4980 Ikcmbfcj.exe 105 PID 4980 wrote to memory of 3416 4980 Ikcmbfcj.exe 105 PID 4980 wrote to memory of 3416 4980 Ikcmbfcj.exe 105 PID 3416 wrote to memory of 3324 3416 Iqpfjnba.exe 106 PID 3416 wrote to memory of 3324 3416 Iqpfjnba.exe 106 PID 3416 wrote to memory of 3324 3416 Iqpfjnba.exe 106 PID 3324 wrote to memory of 4336 3324 Idkbkl32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa72138756117d9fbf3b8f774661dad0N.exe"C:\Users\Admin\AppData\Local\Temp\aa72138756117d9fbf3b8f774661dad0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe24⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe26⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe27⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe28⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe29⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe30⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe31⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe32⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe33⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe35⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe37⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe38⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe39⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe40⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe41⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe43⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe44⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe46⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe47⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe48⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe49⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe51⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe52⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe53⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe54⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe55⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe56⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe57⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe58⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe59⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe61⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe62⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe63⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe64⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe65⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe66⤵
- System Location Discovery: System Language Discovery
PID:3940 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4204 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe68⤵PID:2844
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe69⤵PID:428
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe70⤵PID:956
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe71⤵PID:464
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe72⤵PID:1304
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe73⤵PID:864
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe74⤵PID:4056
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe75⤵
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe76⤵PID:5048
-
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe77⤵PID:1920
-
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe78⤵PID:4988
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe79⤵PID:4348
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe80⤵
- Drops file in System32 directory
PID:4376 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe81⤵PID:3100
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe82⤵PID:1832
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe83⤵PID:3044
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe84⤵PID:1020
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe85⤵PID:1636
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe86⤵PID:1708
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe87⤵PID:3716
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe88⤵PID:3784
-
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe89⤵PID:4140
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe90⤵PID:4452
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe91⤵PID:936
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe92⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe93⤵PID:5136
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe94⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe95⤵PID:5224
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe96⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe97⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe98⤵PID:5356
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe99⤵PID:5400
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe100⤵PID:5444
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe101⤵PID:5488
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe102⤵PID:5532
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe103⤵PID:5576
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe104⤵PID:5620
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5664 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe106⤵PID:5708
-
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe107⤵PID:5752
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe108⤵PID:5796
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe109⤵PID:5840
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe110⤵PID:5880
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe111⤵PID:5924
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe112⤵PID:5964
-
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe113⤵PID:6004
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6048 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe115⤵PID:6088
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe116⤵PID:6132
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe117⤵
- System Location Discovery: System Language Discovery
PID:5168 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe118⤵PID:5236
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe119⤵PID:5304
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe120⤵PID:5372
-
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe121⤵PID:5440
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-