Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28/08/2024, 23:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a3e0fc2e5f2eec054a77d190eb3987b0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
a3e0fc2e5f2eec054a77d190eb3987b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
a3e0fc2e5f2eec054a77d190eb3987b0N.exe
-
Size
76KB
-
MD5
a3e0fc2e5f2eec054a77d190eb3987b0
-
SHA1
2e3a7829335a9d60aa4c3342b05750602e3d68e9
-
SHA256
059e3865aad13a484a5e6635feb12cab48f4780ebb17ae7b3e98893d4afa8dd9
-
SHA512
026b91ab5d83276e77bad32351bc7c801fd168de19bc588f29b09e3965a92436a555ff7b0d4607eae1ee642f3059cb0a8d65c4e5befe6919197b3f5d33ad9aaa
-
SSDEEP
1536:LT22pR2AIUdfHSEjifq6NAscyOb0UHioQV+/eCeyvCQ:vNpr3dfHSEefq6NgJb7Hrk+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlneg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibffhhek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khpgckkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajggomog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndflak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komhll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfgogh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikejgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfpdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlflabp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gahcmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphbnoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnffjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmkkjko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohnonij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giinpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efpomccg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinqbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajpbckl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkodhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfealaol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlbbkfoq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gahcmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdilnojp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbnjdfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgodhkd.exe -
Executes dropped EXE 64 IoCs
pid Process 4784 Hheoid32.exe 3688 Hkckeo32.exe 3620 Hbmcbime.exe 4464 Hdlpneli.exe 976 Hgjljpkm.exe 5096 Hoadkn32.exe 2200 Hfklhhcl.exe 4328 Hhihdcbp.exe 428 Hkhdqoac.exe 1804 Hbbmmi32.exe 4816 Hhlejcpm.exe 4336 Hkjafn32.exe 1272 Hbdjchgn.exe 3444 Hgabkoee.exe 2752 Iohjlmeg.exe 2980 Ibffhhek.exe 3436 Ifbbig32.exe 1196 Iokgal32.exe 3936 Ifdonfka.exe 2408 Igfkfo32.exe 2120 Ibkpcg32.exe 4384 Iiehpahb.exe 3648 Ioopml32.exe 4044 Ifihif32.exe 3412 Ikfabm32.exe 2744 Ibpiogmp.exe 2564 Iijaka32.exe 4304 Jngjch32.exe 912 Jbbfdfkn.exe 1448 Jilnqqbj.exe 1412 Joffnk32.exe 2932 Jbdbjf32.exe 1164 Jgakbm32.exe 1872 Jnkcogno.exe 640 Jiaglp32.exe 228 Jkodhk32.exe 4404 Jnnpdg32.exe 4544 Jfehed32.exe 4800 Jicdap32.exe 5016 Jkaqnk32.exe 4716 Jnpmjf32.exe 3768 Jfgdkd32.exe 3284 Jghabl32.exe 2016 Kppici32.exe 1652 Kbnepe32.exe 2628 Kihnmohm.exe 832 Klfjijgq.exe 1344 Kbpbed32.exe 3880 Kijjbofj.exe 1488 Kpdboimg.exe 4992 Kngcje32.exe 3556 Kfnkkb32.exe 1044 Kimghn32.exe 2696 Khpgckkb.exe 2168 Kpgodhkd.exe 1208 Knippe32.exe 2840 Kfqgab32.exe 4656 Kiodmn32.exe 3060 Klmpiiai.exe 2276 Knlleepl.exe 2800 Kfcdfbqo.exe 1628 Kefdbo32.exe 636 Lhdqnj32.exe 1328 Lnnikdnj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ejoomhmi.exe Efccmidp.exe File opened for modification C:\Windows\SysWOW64\Hlhccj32.exe Hkfglb32.exe File created C:\Windows\SysWOW64\Kodapf32.dll Lgccinoe.exe File created C:\Windows\SysWOW64\Lqnlgjdd.dll Mpghkf32.exe File created C:\Windows\SysWOW64\Lefqkm32.dll Pgkelj32.exe File opened for modification C:\Windows\SysWOW64\Lgffic32.exe Legjmh32.exe File created C:\Windows\SysWOW64\Dnpdegjp.exe Dkahilkl.exe File created C:\Windows\SysWOW64\Eiildjag.exe Efkphnbd.exe File created C:\Windows\SysWOW64\Lhlndcmq.dll Hgmgqc32.exe File created C:\Windows\SysWOW64\Blciboie.dll Pldcjeia.exe File opened for modification C:\Windows\SysWOW64\Jinboekc.exe Jebfng32.exe File opened for modification C:\Windows\SysWOW64\Bgbpaipl.exe Process not Found File created C:\Windows\SysWOW64\Djmibn32.exe Dhomfc32.exe File created C:\Windows\SysWOW64\Bckkca32.exe Bkdcbd32.exe File created C:\Windows\SysWOW64\Oilmjcon.dll Ljfhqh32.exe File created C:\Windows\SysWOW64\Imnbiq32.dll Process not Found File created C:\Windows\SysWOW64\Pdbeojmh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mfeeabda.exe Process not Found File created C:\Windows\SysWOW64\Paiogf32.exe Process not Found File created C:\Windows\SysWOW64\Hqbdnnae.dll Klfjijgq.exe File created C:\Windows\SysWOW64\Kkhpdcab.exe Kijchhbo.exe File created C:\Windows\SysWOW64\Lbngllob.exe Ljgpkonp.exe File opened for modification C:\Windows\SysWOW64\Mcifkf32.exe Process not Found File created C:\Windows\SysWOW64\Pjjahe32.exe Pgkelj32.exe File created C:\Windows\SysWOW64\Fdlgcl32.dll Qlggjk32.exe File created C:\Windows\SysWOW64\Nbdfqocb.dll Hehkajig.exe File created C:\Windows\SysWOW64\Hlhccj32.exe Hkfglb32.exe File created C:\Windows\SysWOW64\Mgloefco.exe Process not Found File created C:\Windows\SysWOW64\Godcje32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eehicoel.exe Ebimgcfi.exe File opened for modification C:\Windows\SysWOW64\Oghghb32.exe Process not Found File created C:\Windows\SysWOW64\Ibffhhek.exe Iohjlmeg.exe File created C:\Windows\SysWOW64\Ppipkl32.dll Gmggfp32.exe File created C:\Windows\SysWOW64\Kqdaadln.exe Knfeeimj.exe File created C:\Windows\SysWOW64\Ckjbhmad.exe Chlflabp.exe File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Process not Found File created C:\Windows\SysWOW64\Abeiec32.dll Jfehed32.exe File opened for modification C:\Windows\SysWOW64\Cmmbbejp.exe Cjnffjkl.exe File created C:\Windows\SysWOW64\Nenbjo32.exe Nmgjia32.exe File opened for modification C:\Windows\SysWOW64\Kniieo32.exe Kkjlic32.exe File opened for modification C:\Windows\SysWOW64\Coegoe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Npjnhc32.exe Nipekiep.exe File created C:\Windows\SysWOW64\Agiamhdo.exe Aobilkcl.exe File created C:\Windows\SysWOW64\Hajpbckl.exe Hkpheidp.exe File opened for modification C:\Windows\SysWOW64\Ffqhcq32.exe Fpgpgfmh.exe File created C:\Windows\SysWOW64\Dnqjcbao.dll Lgkpdcmi.exe File created C:\Windows\SysWOW64\Jbecoe32.dll Qkipkani.exe File created C:\Windows\SysWOW64\Dhkgkgoe.dll Kbpbed32.exe File created C:\Windows\SysWOW64\Nmfgbl32.dll Ngdfdmdi.exe File created C:\Windows\SysWOW64\Pjigamma.dll Jkhgmf32.exe File created C:\Windows\SysWOW64\Gggpfopn.dll Fjadje32.exe File opened for modification C:\Windows\SysWOW64\Ngndaccj.exe Process not Found File created C:\Windows\SysWOW64\Dgegjnih.dll Process not Found File created C:\Windows\SysWOW64\Ccbadp32.exe Ckkiccep.exe File created C:\Windows\SysWOW64\Oidalg32.dll Dmcain32.exe File created C:\Windows\SysWOW64\Jipegn32.dll Enpmld32.exe File created C:\Windows\SysWOW64\Jkomldme.dll Cglgjeci.exe File created C:\Windows\SysWOW64\Pekbga32.exe Poajkgnc.exe File created C:\Windows\SysWOW64\Ogjembbd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mqdcnl32.exe Process not Found File created C:\Windows\SysWOW64\Ocaebc32.exe Process not Found File created C:\Windows\SysWOW64\Pagbaglh.exe Process not Found File created C:\Windows\SysWOW64\Iqbmml32.dll Kbnepe32.exe File opened for modification C:\Windows\SysWOW64\Lpbopfag.exe Llgcph32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 21392 21308 Process not Found 1359 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilnqqbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcdbfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblaabdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkceokii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifihif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhfedil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpmjejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpfqcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcliikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckkca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paoollik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjodjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqhhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahcajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbenmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjljpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnkkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljgpkonp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekiqccc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efgemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollnhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poimpapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcqnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiigadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keimof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgjopal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihphkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnqgqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfedoc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emdajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjoqdcl.dll" Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdplc32.dll" Ljaoeini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnohlgep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgodhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofimgb32.dll" Plbmokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdmpmdpj.dll" Keimof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnoopdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkogl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imgicgca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldfjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbajbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baadiiif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blanhfid.dll" Nookip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgejpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milcqamo.dll" Kjjiej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcebook.dll" Aaohcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciepangh.dll" Lnqeqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkmnide.dll" Ppamophb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccnncgmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgjndno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkbocbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelche32.dll" Kgkfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpnnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabibb32.dll" Cfqmpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnfmhaj.dll" Nijeec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilccoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obqhpfck.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqiieebk.dll" Kefdbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knegmo32.dll" Olgemcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgjopal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjnik32.dll" Fpejlmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejgpb32.dll" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgflaec.dll" Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knhakh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olfghg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 4784 2368 a3e0fc2e5f2eec054a77d190eb3987b0N.exe 84 PID 2368 wrote to memory of 4784 2368 a3e0fc2e5f2eec054a77d190eb3987b0N.exe 84 PID 2368 wrote to memory of 4784 2368 a3e0fc2e5f2eec054a77d190eb3987b0N.exe 84 PID 4784 wrote to memory of 3688 4784 Hheoid32.exe 85 PID 4784 wrote to memory of 3688 4784 Hheoid32.exe 85 PID 4784 wrote to memory of 3688 4784 Hheoid32.exe 85 PID 3688 wrote to memory of 3620 3688 Hkckeo32.exe 86 PID 3688 wrote to memory of 3620 3688 Hkckeo32.exe 86 PID 3688 wrote to memory of 3620 3688 Hkckeo32.exe 86 PID 3620 wrote to memory of 4464 3620 Hbmcbime.exe 87 PID 3620 wrote to memory of 4464 3620 Hbmcbime.exe 87 PID 3620 wrote to memory of 4464 3620 Hbmcbime.exe 87 PID 4464 wrote to memory of 976 4464 Hdlpneli.exe 88 PID 4464 wrote to memory of 976 4464 Hdlpneli.exe 88 PID 4464 wrote to memory of 976 4464 Hdlpneli.exe 88 PID 976 wrote to memory of 5096 976 Hgjljpkm.exe 89 PID 976 wrote to memory of 5096 976 Hgjljpkm.exe 89 PID 976 wrote to memory of 5096 976 Hgjljpkm.exe 89 PID 5096 wrote to memory of 2200 5096 Hoadkn32.exe 90 PID 5096 wrote to memory of 2200 5096 Hoadkn32.exe 90 PID 5096 wrote to memory of 2200 5096 Hoadkn32.exe 90 PID 2200 wrote to memory of 4328 2200 Hfklhhcl.exe 91 PID 2200 wrote to memory of 4328 2200 Hfklhhcl.exe 91 PID 2200 wrote to memory of 4328 2200 Hfklhhcl.exe 91 PID 4328 wrote to memory of 428 4328 Hhihdcbp.exe 92 PID 4328 wrote to memory of 428 4328 Hhihdcbp.exe 92 PID 4328 wrote to memory of 428 4328 Hhihdcbp.exe 92 PID 428 wrote to memory of 1804 428 Hkhdqoac.exe 93 PID 428 wrote to memory of 1804 428 Hkhdqoac.exe 93 PID 428 wrote to memory of 1804 428 Hkhdqoac.exe 93 PID 1804 wrote to memory of 4816 1804 Hbbmmi32.exe 94 PID 1804 wrote to memory of 4816 1804 Hbbmmi32.exe 94 PID 1804 wrote to memory of 4816 1804 Hbbmmi32.exe 94 PID 4816 wrote to memory of 4336 4816 Hhlejcpm.exe 95 PID 4816 wrote to memory of 4336 4816 Hhlejcpm.exe 95 PID 4816 wrote to memory of 4336 4816 Hhlejcpm.exe 95 PID 4336 wrote to memory of 1272 4336 Hkjafn32.exe 96 PID 4336 wrote to memory of 1272 4336 Hkjafn32.exe 96 PID 4336 wrote to memory of 1272 4336 Hkjafn32.exe 96 PID 1272 wrote to memory of 3444 1272 Hbdjchgn.exe 97 PID 1272 wrote to memory of 3444 1272 Hbdjchgn.exe 97 PID 1272 wrote to memory of 3444 1272 Hbdjchgn.exe 97 PID 3444 wrote to memory of 2752 3444 Hgabkoee.exe 98 PID 3444 wrote to memory of 2752 3444 Hgabkoee.exe 98 PID 3444 wrote to memory of 2752 3444 Hgabkoee.exe 98 PID 2752 wrote to memory of 2980 2752 Iohjlmeg.exe 99 PID 2752 wrote to memory of 2980 2752 Iohjlmeg.exe 99 PID 2752 wrote to memory of 2980 2752 Iohjlmeg.exe 99 PID 2980 wrote to memory of 3436 2980 Ibffhhek.exe 101 PID 2980 wrote to memory of 3436 2980 Ibffhhek.exe 101 PID 2980 wrote to memory of 3436 2980 Ibffhhek.exe 101 PID 3436 wrote to memory of 1196 3436 Ifbbig32.exe 102 PID 3436 wrote to memory of 1196 3436 Ifbbig32.exe 102 PID 3436 wrote to memory of 1196 3436 Ifbbig32.exe 102 PID 1196 wrote to memory of 3936 1196 Iokgal32.exe 103 PID 1196 wrote to memory of 3936 1196 Iokgal32.exe 103 PID 1196 wrote to memory of 3936 1196 Iokgal32.exe 103 PID 3936 wrote to memory of 2408 3936 Ifdonfka.exe 105 PID 3936 wrote to memory of 2408 3936 Ifdonfka.exe 105 PID 3936 wrote to memory of 2408 3936 Ifdonfka.exe 105 PID 2408 wrote to memory of 2120 2408 Igfkfo32.exe 106 PID 2408 wrote to memory of 2120 2408 Igfkfo32.exe 106 PID 2408 wrote to memory of 2120 2408 Igfkfo32.exe 106 PID 2120 wrote to memory of 4384 2120 Ibkpcg32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3e0fc2e5f2eec054a77d190eb3987b0N.exe"C:\Users\Admin\AppData\Local\Temp\a3e0fc2e5f2eec054a77d190eb3987b0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe23⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe24⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe26⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe27⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe28⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe29⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe30⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe32⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe33⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe34⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe35⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe36⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe38⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe40⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe41⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe42⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe43⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe44⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe45⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe47⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe50⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe51⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe52⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe54⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe57⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe58⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe59⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe60⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe61⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe62⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe64⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe65⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe67⤵PID:1928
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe68⤵PID:1012
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe69⤵PID:4224
-
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe70⤵
- Modifies registry class
PID:4052 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe71⤵
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe72⤵PID:2724
-
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe73⤵PID:4296
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe74⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe75⤵PID:2208
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe76⤵PID:2552
-
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe77⤵PID:4520
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe78⤵
- Drops file in System32 directory
PID:4776 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe79⤵PID:2240
-
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe80⤵PID:1404
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe81⤵PID:2304
-
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe82⤵PID:2400
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe83⤵PID:3388
-
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe84⤵PID:4364
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe85⤵PID:2364
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe86⤵
- Drops file in System32 directory
PID:3372 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe87⤵PID:4236
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe88⤵PID:4904
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe89⤵PID:5128
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe90⤵PID:5172
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe91⤵PID:5220
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe92⤵PID:5268
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe93⤵PID:5312
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe94⤵PID:5356
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe95⤵PID:5404
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe96⤵PID:5452
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe97⤵PID:5496
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe98⤵PID:5540
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe99⤵PID:5588
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe100⤵PID:5628
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe101⤵PID:5680
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe102⤵PID:5728
-
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5776 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe104⤵
- Modifies registry class
PID:5828 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe105⤵PID:5876
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe106⤵PID:5920
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe107⤵PID:5968
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe108⤵PID:6016
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe109⤵PID:6060
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe110⤵PID:6104
-
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe111⤵PID:1840
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe112⤵PID:5180
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe113⤵PID:5252
-
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe114⤵PID:5320
-
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe115⤵PID:5392
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe116⤵PID:5440
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe117⤵PID:5528
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe118⤵PID:5580
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe119⤵PID:5676
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe120⤵PID:5712
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe121⤵PID:5784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-