Analysis
-
max time kernel
100s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26/08/2024, 05:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
443144585b17cc09973040a6c25fde60N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
443144585b17cc09973040a6c25fde60N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
443144585b17cc09973040a6c25fde60N.exe
-
Size
71KB
-
MD5
443144585b17cc09973040a6c25fde60
-
SHA1
24c6b6ee1ce10aeda666e5f0805959d005d32817
-
SHA256
9561f1d2117a828aa76c930c6645440cfcccf261e0d80ecda05e01f3a8163929
-
SHA512
1d20cc37254515f6181a9a8a0deae2130ea98bfc1c97d0b589919ba537ac4c2ef8a22181593eeb6d20516ceb16d609bf4138a3feddf4c8ac6db7eed203ffe4fe
-
SSDEEP
1536:2+vcflFleLNagRrUYadZnieMl+UHYIDNvRQi6K1P+ATT:bEnQTgZihl3HYIDleqP+A3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fimhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkogiikb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbbpmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjgpfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdlfhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgchm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aknifq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgncmim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poajkgnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmmplad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aleckinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bombmcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeomld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coadnlnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgifbhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfgjjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiipmhmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phganm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfjfecno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpfjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmkbfeab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbkqfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilcldb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amlogfel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpanan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgibpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgflcifg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjbbfgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackbmcjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flpmagqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdlmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laqhhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okgaijaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllokajf.exe -
Executes dropped EXE 64 IoCs
pid Process 2136 Jnhpoamf.exe 1124 Jdbhkk32.exe 4500 Jgadgf32.exe 3484 Jjopcb32.exe 2032 Jqiipljg.exe 2228 Jhpqaiji.exe 3224 Jjamia32.exe 1656 Jnmijq32.exe 3188 Jdgafjpn.exe 2736 Jibmgi32.exe 4764 Jkaicd32.exe 4296 Jnpfop32.exe 1308 Kqnbkl32.exe 1624 Kghjhemo.exe 400 Kkcfid32.exe 2632 Kbmoen32.exe 388 Kelkaj32.exe 612 Kgjgne32.exe 5012 Kkfcndce.exe 3588 Kndojobi.exe 756 Kenggi32.exe 2620 Kgmcce32.exe 2192 Knflpoqf.exe 1000 Keqdmihc.exe 3264 Kgopidgf.exe 716 Kniieo32.exe 208 Kageaj32.exe 2316 Kgamnded.exe 2816 Kjpijpdg.exe 4472 Knkekn32.exe 4628 Leenhhdn.exe 4376 Lkofdbkj.exe 4796 Lnnbqnjn.exe 1744 Lalnmiia.exe 2728 Licfngjd.exe 1284 Ljdceo32.exe 4592 Lbkkgl32.exe 3516 Lieccf32.exe 1684 Lldopb32.exe 3956 Lnbklm32.exe 2900 Laqhhi32.exe 4780 Lihpif32.exe 2300 Llflea32.exe 4856 Lndham32.exe 3984 Lacdmh32.exe 4236 Lijlof32.exe 2896 Llhikacp.exe 4768 Mbbagk32.exe 4872 Meamcg32.exe 888 Mlkepaam.exe 512 Mbenmk32.exe 3704 Mecjif32.exe 3004 Mhafeb32.exe 3016 Mnlnbl32.exe 3840 Majjng32.exe 3872 Mhdckaeo.exe 640 Mjbogmdb.exe 2936 Mbighjdd.exe 4620 Micoed32.exe 1560 Mlbkap32.exe 1812 Mnphmkji.exe 4240 Maodigil.exe 980 Mifljdjo.exe 5104 Njghbl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Coadnlnb.exe Ckeimm32.exe File created C:\Windows\SysWOW64\Ipoheakj.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Lqhdbm32.exe Lnjgfb32.exe File opened for modification C:\Windows\SysWOW64\Nclbpf32.exe Nmbjcljl.exe File opened for modification C:\Windows\SysWOW64\Pccahbmn.exe Paeelgnj.exe File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe Afbgkl32.exe File created C:\Windows\SysWOW64\Bicdfa32.dll Lkofdbkj.exe File created C:\Windows\SysWOW64\Kamhmbej.dll Dpdaepai.exe File opened for modification C:\Windows\SysWOW64\Dbkqfe32.exe Domdjj32.exe File created C:\Windows\SysWOW64\Ebmenh32.dll Dbpjaeoc.exe File created C:\Windows\SysWOW64\Kgamnded.exe Kageaj32.exe File created C:\Windows\SysWOW64\Flnqig32.dll Qhngolpo.exe File opened for modification C:\Windows\SysWOW64\Dkdliame.exe Dmalne32.exe File opened for modification C:\Windows\SysWOW64\Adndoe32.exe Akepfpcl.exe File opened for modification C:\Windows\SysWOW64\Cofnik32.exe Chlflabp.exe File created C:\Windows\SysWOW64\Iedjmioj.exe Ibfnqmpf.exe File opened for modification C:\Windows\SysWOW64\Pmpolgoi.exe Pjbcplpe.exe File created C:\Windows\SysWOW64\Ahmjjoig.exe Qpeahb32.exe File opened for modification C:\Windows\SysWOW64\Mnphmkji.exe Mlbkap32.exe File created C:\Windows\SysWOW64\Kmaopfjm.exe Jcikgacl.exe File created C:\Windows\SysWOW64\Lafnnj32.dll Kmkbfeab.exe File opened for modification C:\Windows\SysWOW64\Olicnfco.exe Oeokal32.exe File created C:\Windows\SysWOW64\Koodbl32.exe Knnhjcog.exe File opened for modification C:\Windows\SysWOW64\Lcdciiec.exe Lpfgmnfp.exe File opened for modification C:\Windows\SysWOW64\Cogddd32.exe Chnlgjlb.exe File opened for modification C:\Windows\SysWOW64\Akcjkfij.exe Alqjpi32.exe File created C:\Windows\SysWOW64\Jihdpleo.dll Glldgljg.exe File created C:\Windows\SysWOW64\Lcgpni32.exe Lqhdbm32.exe File created C:\Windows\SysWOW64\Pplobcpp.exe Pmnbfhal.exe File created C:\Windows\SysWOW64\Iaqdae32.dll Jcphab32.exe File created C:\Windows\SysWOW64\Inmabofh.dll Kmdlffhj.exe File opened for modification C:\Windows\SysWOW64\Llodgnja.exe Ljqhkckn.exe File created C:\Windows\SysWOW64\Ebcmfjll.dll Mcpcdg32.exe File created C:\Windows\SysWOW64\Phcgcqab.exe Pplobcpp.exe File created C:\Windows\SysWOW64\Qdphngfl.exe Qaalblgi.exe File created C:\Windows\SysWOW64\Kigcfhbi.dll Hpchib32.exe File created C:\Windows\SysWOW64\Nmnpml32.dll Eplgeokq.exe File created C:\Windows\SysWOW64\Jcikgacl.exe Jdfjld32.exe File created C:\Windows\SysWOW64\Micgbemj.dll Chlflabp.exe File created C:\Windows\SysWOW64\Ahoemi32.dll Fbpchb32.exe File created C:\Windows\SysWOW64\Gppcmeem.exe Gifkpknp.exe File created C:\Windows\SysWOW64\Clomci32.dll Jibmgi32.exe File opened for modification C:\Windows\SysWOW64\Aaiimadl.exe Acfhad32.exe File opened for modification C:\Windows\SysWOW64\Mgnlkfal.exe Mogcihaj.exe File opened for modification C:\Windows\SysWOW64\Majjng32.exe Mnlnbl32.exe File created C:\Windows\SysWOW64\Hifcgion.exe Hfhgkmpj.exe File created C:\Windows\SysWOW64\Emmkiclm.exe Ejoomhmi.exe File opened for modification C:\Windows\SysWOW64\Hplbickp.exe Hefnkkkj.exe File created C:\Windows\SysWOW64\Koiagakg.dll Eleepoob.exe File created C:\Windows\SysWOW64\Fedbbjgh.dll Mnhkbfme.exe File created C:\Windows\SysWOW64\Okehmlqi.dll Mmpmnl32.exe File created C:\Windows\SysWOW64\Panhbfep.exe Pnplfj32.exe File created C:\Windows\SysWOW64\Mjbogmdb.exe Mhdckaeo.exe File created C:\Windows\SysWOW64\Nkddkljd.dll Mlbkap32.exe File opened for modification C:\Windows\SysWOW64\Jklinohd.exe Jdaaaeqg.exe File created C:\Windows\SysWOW64\Ldipha32.exe Ljclki32.exe File created C:\Windows\SysWOW64\Mminhceb.exe Mkhapk32.exe File created C:\Windows\SysWOW64\Ncpgam32.dll Lqhdbm32.exe File created C:\Windows\SysWOW64\Jcleff32.dll Ngjkfd32.exe File created C:\Windows\SysWOW64\Lqppgj32.dll Bkibgh32.exe File opened for modification C:\Windows\SysWOW64\Bgbpaipl.exe Bddcenpi.exe File opened for modification C:\Windows\SysWOW64\Dmalne32.exe Difpmfna.exe File opened for modification C:\Windows\SysWOW64\Eciplm32.exe Elbhjp32.exe File opened for modification C:\Windows\SysWOW64\Piphgq32.exe Pedlgbkh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15860 15776 WerFault.exe 807 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmofagfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplgeokq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efepbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emphocjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmmqheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmcce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmojenc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chqogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcaknbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcidmkpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbpaipl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifnhpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefedmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afinioip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmmif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niakfbpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpkadnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiehfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johnamkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbjcljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdccbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnmgnoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmfeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnjbedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbenmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefjii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfadkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajndioga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahbbkaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnbqnjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkpck32.dll" Hmnmgnoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdplc32.dll" Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doogdl32.dll" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opqofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phfcipoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" Ilcldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll" Omgmeigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adfgdpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlbhekk.dll" Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbohpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajkgl32.dll" Jqiipljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhidngmn.dll" Eblpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgcihgaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpdaepai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkbmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ombcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahmjjoig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aaldccip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeghb32.dll" Domdjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pccahbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmbeqne.dll" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlmdbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dheibpje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imnocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgdpni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhmqp32.dll" Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moipoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgobjmp.dll" Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffonkgk.dll" Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cclnpmna.dll" Kgmcce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkchlonc.dll" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dijbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akamff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Malpia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebncn32.dll" Dfgcakon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ieidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kghjhemo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4016 wrote to memory of 2136 4016 443144585b17cc09973040a6c25fde60N.exe 84 PID 4016 wrote to memory of 2136 4016 443144585b17cc09973040a6c25fde60N.exe 84 PID 4016 wrote to memory of 2136 4016 443144585b17cc09973040a6c25fde60N.exe 84 PID 2136 wrote to memory of 1124 2136 Jnhpoamf.exe 85 PID 2136 wrote to memory of 1124 2136 Jnhpoamf.exe 85 PID 2136 wrote to memory of 1124 2136 Jnhpoamf.exe 85 PID 1124 wrote to memory of 4500 1124 Jdbhkk32.exe 87 PID 1124 wrote to memory of 4500 1124 Jdbhkk32.exe 87 PID 1124 wrote to memory of 4500 1124 Jdbhkk32.exe 87 PID 4500 wrote to memory of 3484 4500 Jgadgf32.exe 88 PID 4500 wrote to memory of 3484 4500 Jgadgf32.exe 88 PID 4500 wrote to memory of 3484 4500 Jgadgf32.exe 88 PID 3484 wrote to memory of 2032 3484 Jjopcb32.exe 89 PID 3484 wrote to memory of 2032 3484 Jjopcb32.exe 89 PID 3484 wrote to memory of 2032 3484 Jjopcb32.exe 89 PID 2032 wrote to memory of 2228 2032 Jqiipljg.exe 90 PID 2032 wrote to memory of 2228 2032 Jqiipljg.exe 90 PID 2032 wrote to memory of 2228 2032 Jqiipljg.exe 90 PID 2228 wrote to memory of 3224 2228 Jhpqaiji.exe 91 PID 2228 wrote to memory of 3224 2228 Jhpqaiji.exe 91 PID 2228 wrote to memory of 3224 2228 Jhpqaiji.exe 91 PID 3224 wrote to memory of 1656 3224 Jjamia32.exe 92 PID 3224 wrote to memory of 1656 3224 Jjamia32.exe 92 PID 3224 wrote to memory of 1656 3224 Jjamia32.exe 92 PID 1656 wrote to memory of 3188 1656 Jnmijq32.exe 93 PID 1656 wrote to memory of 3188 1656 Jnmijq32.exe 93 PID 1656 wrote to memory of 3188 1656 Jnmijq32.exe 93 PID 3188 wrote to memory of 2736 3188 Jdgafjpn.exe 94 PID 3188 wrote to memory of 2736 3188 Jdgafjpn.exe 94 PID 3188 wrote to memory of 2736 3188 Jdgafjpn.exe 94 PID 2736 wrote to memory of 4764 2736 Jibmgi32.exe 95 PID 2736 wrote to memory of 4764 2736 Jibmgi32.exe 95 PID 2736 wrote to memory of 4764 2736 Jibmgi32.exe 95 PID 4764 wrote to memory of 4296 4764 Jkaicd32.exe 96 PID 4764 wrote to memory of 4296 4764 Jkaicd32.exe 96 PID 4764 wrote to memory of 4296 4764 Jkaicd32.exe 96 PID 4296 wrote to memory of 1308 4296 Jnpfop32.exe 97 PID 4296 wrote to memory of 1308 4296 Jnpfop32.exe 97 PID 4296 wrote to memory of 1308 4296 Jnpfop32.exe 97 PID 1308 wrote to memory of 1624 1308 Kqnbkl32.exe 98 PID 1308 wrote to memory of 1624 1308 Kqnbkl32.exe 98 PID 1308 wrote to memory of 1624 1308 Kqnbkl32.exe 98 PID 1624 wrote to memory of 400 1624 Kghjhemo.exe 100 PID 1624 wrote to memory of 400 1624 Kghjhemo.exe 100 PID 1624 wrote to memory of 400 1624 Kghjhemo.exe 100 PID 400 wrote to memory of 2632 400 Kkcfid32.exe 101 PID 400 wrote to memory of 2632 400 Kkcfid32.exe 101 PID 400 wrote to memory of 2632 400 Kkcfid32.exe 101 PID 2632 wrote to memory of 388 2632 Kbmoen32.exe 102 PID 2632 wrote to memory of 388 2632 Kbmoen32.exe 102 PID 2632 wrote to memory of 388 2632 Kbmoen32.exe 102 PID 388 wrote to memory of 612 388 Kelkaj32.exe 103 PID 388 wrote to memory of 612 388 Kelkaj32.exe 103 PID 388 wrote to memory of 612 388 Kelkaj32.exe 103 PID 612 wrote to memory of 5012 612 Kgjgne32.exe 104 PID 612 wrote to memory of 5012 612 Kgjgne32.exe 104 PID 612 wrote to memory of 5012 612 Kgjgne32.exe 104 PID 5012 wrote to memory of 3588 5012 Kkfcndce.exe 105 PID 5012 wrote to memory of 3588 5012 Kkfcndce.exe 105 PID 5012 wrote to memory of 3588 5012 Kkfcndce.exe 105 PID 3588 wrote to memory of 756 3588 Kndojobi.exe 106 PID 3588 wrote to memory of 756 3588 Kndojobi.exe 106 PID 3588 wrote to memory of 756 3588 Kndojobi.exe 106 PID 756 wrote to memory of 2620 756 Kenggi32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\443144585b17cc09973040a6c25fde60N.exe"C:\Users\Admin\AppData\Local\Temp\443144585b17cc09973040a6c25fde60N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe24⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe25⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe26⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe27⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:208 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe29⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe30⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe31⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe32⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4376 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4796 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe35⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe36⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe37⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe38⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe39⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe40⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe41⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe43⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe44⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe45⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe46⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe48⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe49⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe50⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe51⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:512 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe53⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe54⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe56⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe58⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe59⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe60⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe62⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe63⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe64⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:5104 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe66⤵PID:1160
-
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe67⤵PID:1900
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe68⤵PID:3044
-
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe69⤵
- Modifies registry class
PID:3728 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe70⤵PID:1696
-
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe71⤵PID:2584
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe72⤵PID:3732
-
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe73⤵PID:4600
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe74⤵PID:1832
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe75⤵PID:3616
-
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe76⤵PID:1636
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe77⤵PID:4248
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5028 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe79⤵PID:2868
-
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe80⤵
- System Location Discovery: System Language Discovery
PID:4876 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe81⤵PID:3232
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe82⤵PID:1120
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe83⤵PID:4100
-
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe84⤵PID:2772
-
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe85⤵
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe86⤵
- System Location Discovery: System Language Discovery
PID:312 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe88⤵PID:2700
-
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe89⤵PID:2072
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe91⤵PID:5204
-
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe92⤵PID:5248
-
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe93⤵PID:5300
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe95⤵PID:5388
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe96⤵PID:5432
-
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe97⤵PID:5492
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5548 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe99⤵PID:5604
-
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe100⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe101⤵PID:5696
-
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe102⤵PID:5740
-
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe103⤵PID:5788
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe104⤵PID:5832
-
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe105⤵PID:5880
-
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe107⤵PID:5984
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe108⤵PID:6056
-
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6100 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe110⤵PID:4596
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5152 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe112⤵PID:5216
-
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe113⤵
- System Location Discovery: System Language Discovery
PID:5284 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe114⤵PID:5360
-
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe115⤵PID:5428
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe116⤵PID:5500
-
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe117⤵
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe118⤵PID:5692
-
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe119⤵PID:5748
-
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe120⤵PID:5816
-
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe121⤵PID:5888
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-