Analysis
-
max time kernel
142s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28/08/2024, 18:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c.exe
-
Size
1.6MB
-
MD5
31bed948c95aa7d179df312b22f9d41e
-
SHA1
9cfe6f7146a931bf2b7cbd2b2e19183ec1893353
-
SHA256
011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c
-
SHA512
65961bae1aaf4540b8db77355295dacff65c27566eafd4ffa9b11c867af3ed3422d63722cc19c660778c03b9da9ee954621438f279604fdcb2f825f394d2d534
-
SSDEEP
24576:URM/P5gu5YyCtCCm0BmmvFimm00h2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKn:URYhgu5RCtCmizbazR0vKLXZ+Ktz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgekdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agpqnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqeihbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nldjnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnhdbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhnjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keghocao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlcjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhocgqjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fffqjfom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqpapacd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkeekag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkhfmdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oggbfdog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjbjlpga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npnqcpmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmffhnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajpmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agkgceeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omkdcccb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odelpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbibeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ednajepe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciiaogon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoefagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajnol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfcdcfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkabbgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnbdjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgamo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Encgdbqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjqme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfljfjpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nklfho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Malnklgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dehgejep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcgemhic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhqcmjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkipi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbnndgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecdbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbefln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofdkcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pilgnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqlpabf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hohjgpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljjicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echbad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmlde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aphegjhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgpjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfljfjpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeodqocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfqjhmhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldcdhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochamg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2228 Cbkfbcpb.exe 3740 Cienon32.exe 1792 Ckggnp32.exe 3308 Cpcpfg32.exe 4552 Dpmcmf32.exe 944 Dckoia32.exe 2816 Ecdbop32.exe 4784 Edihdb32.exe 432 Fbaahf32.exe 3548 Fbdnne32.exe 984 Gqkhda32.exe 2488 Gdiakp32.exe 5040 Gqpapacd.exe 3160 Gkefmjcj.exe 184 Hnkhjdle.exe 4480 Hnpaec32.exe 3964 Ilhkigcd.exe 4384 Jnnnfalp.exe 4908 Jldkeeig.exe 1928 Jjihfbno.exe 612 Keceoj32.exe 1500 Kopcbo32.exe 732 Kkgdhp32.exe 5064 Lkiamp32.exe 1516 Lacijjgi.exe 4488 Logicn32.exe 4508 Lhpnlclc.exe 2360 Lknjhokg.exe 3868 Lahbei32.exe 4936 Ldfoad32.exe 1600 Llngbabj.exe 4492 Lbhool32.exe 220 Lefkkg32.exe 3036 Lhdggb32.exe 1036 Lkcccn32.exe 1816 Lamlphoo.exe 1612 Lhgdmb32.exe 2800 Mkepineo.exe 1400 Maoifh32.exe 4864 Mdnebc32.exe 4812 Mlemcq32.exe 2088 Mcoepkdo.exe 4736 Memalfcb.exe 876 Mlgjhp32.exe 5156 Moefdljc.exe 5196 Madbagif.exe 5236 Mhnjna32.exe 5276 Mklfjm32.exe 5316 Mccokj32.exe 5356 Mebkge32.exe 5396 Mhpgca32.exe 5436 Mkocol32.exe 5476 Mcfkpjng.exe 5516 Mdghhb32.exe 5556 Nlnpio32.exe 5596 Nchhfild.exe 5636 Nefdbekh.exe 5676 Nheqnpjk.exe 5716 Nkcmjlio.exe 5756 Ncjdki32.exe 5796 Ndlacapp.exe 5836 Nlcidopb.exe 5876 Noaeqjpe.exe 5916 Napameoi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bjhgke32.exe Bqpbboeg.exe File created C:\Windows\SysWOW64\Pgdqpp32.dll Ddmhcg32.exe File opened for modification C:\Windows\SysWOW64\Ceeaim32.exe Cgaqphgl.exe File created C:\Windows\SysWOW64\Moljgeco.exe Mhbakk32.exe File created C:\Windows\SysWOW64\Jglaepim.exe Jcoioabf.exe File created C:\Windows\SysWOW64\Ecnnqk32.dll Andqol32.exe File created C:\Windows\SysWOW64\Ikmepj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bejobk32.exe Albkieqj.exe File created C:\Windows\SysWOW64\Aqbfaa32.exe Ajhndgjj.exe File created C:\Windows\SysWOW64\Ngjdppnh.dll Addahh32.exe File created C:\Windows\SysWOW64\Nbdijpjh.exe Nkjqme32.exe File created C:\Windows\SysWOW64\Knjjbggj.dll Peonhg32.exe File opened for modification C:\Windows\SysWOW64\Oinbgk32.exe Okiefn32.exe File created C:\Windows\SysWOW64\Qkmfmiei.dll Eacaej32.exe File created C:\Windows\SysWOW64\Mikepg32.exe Mcnmhpoj.exe File opened for modification C:\Windows\SysWOW64\Bojhnjgf.exe Apdkmn32.exe File opened for modification C:\Windows\SysWOW64\Gijmlh32.exe Gbqeonfj.exe File opened for modification C:\Windows\SysWOW64\Lahbei32.exe Lknjhokg.exe File opened for modification C:\Windows\SysWOW64\Ibmmbj32.exe Iakajagl.exe File created C:\Windows\SysWOW64\Nigjifgc.exe Process not Found File created C:\Windows\SysWOW64\Feifgnki.exe Fbjjkble.exe File created C:\Windows\SysWOW64\Jfehpg32.exe Jmmcgbnf.exe File created C:\Windows\SysWOW64\Clpppmqn.exe Cnlpgibd.exe File opened for modification C:\Windows\SysWOW64\Gajpmg32.exe Gojgkl32.exe File created C:\Windows\SysWOW64\Kkaljpmd.exe Kbigajfc.exe File created C:\Windows\SysWOW64\Cbqlpabf.exe Clfdcgkj.exe File created C:\Windows\SysWOW64\Nqifkl32.exe Ngaabfio.exe File created C:\Windows\SysWOW64\Jaimko32.exe Jjoeoedo.exe File created C:\Windows\SysWOW64\Gfdqdf32.dll Hclaeocp.exe File opened for modification C:\Windows\SysWOW64\Lpcedbjp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ojllkcdk.exe Process not Found File created C:\Windows\SysWOW64\Balodg32.dll Memalfcb.exe File created C:\Windows\SysWOW64\Lkldlgok.exe Lnhdbc32.exe File opened for modification C:\Windows\SysWOW64\Logbigbg.exe Ldanloba.exe File created C:\Windows\SysWOW64\Phbcfe32.dll Cegnol32.exe File created C:\Windows\SysWOW64\Bqpbboeg.exe Bhennm32.exe File opened for modification C:\Windows\SysWOW64\Ncbaabom.exe Naaejj32.exe File opened for modification C:\Windows\SysWOW64\Lacijjgi.exe Lkiamp32.exe File opened for modification C:\Windows\SysWOW64\Qnamofdf.exe Qdihfq32.exe File created C:\Windows\SysWOW64\Jikjmbmb.exe Jfjakgpa.exe File created C:\Windows\SysWOW64\Jkhpogij.exe Jflgfpkc.exe File created C:\Windows\SysWOW64\Kbkdgj32.exe Kkaljpmd.exe File created C:\Windows\SysWOW64\Mhqgal32.dll Eojcao32.exe File created C:\Windows\SysWOW64\Cbpijjbj.dll Nfpghccm.exe File created C:\Windows\SysWOW64\Jgekdq32.exe Jnmglk32.exe File created C:\Windows\SysWOW64\Acmfel32.exe Aanjiqki.exe File opened for modification C:\Windows\SysWOW64\Mhpgca32.exe Mebkge32.exe File opened for modification C:\Windows\SysWOW64\Piceflpi.exe Pfeijqqe.exe File opened for modification C:\Windows\SysWOW64\Apdkmn32.exe Aacjofkp.exe File opened for modification C:\Windows\SysWOW64\Dckoia32.exe Dpmcmf32.exe File created C:\Windows\SysWOW64\Nboiekjd.exe Nmbamdkm.exe File created C:\Windows\SysWOW64\Nniohegg.dll Oemofpel.exe File opened for modification C:\Windows\SysWOW64\Icgqqmib.exe Immhdc32.exe File created C:\Windows\SysWOW64\Bfdcaj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Alkeifga.exe Aealll32.exe File created C:\Windows\SysWOW64\Gefpidln.dll Nhbmnj32.exe File created C:\Windows\SysWOW64\Epkijdie.dll Oijgmokc.exe File opened for modification C:\Windows\SysWOW64\Idnfal32.exe Iiibdc32.exe File created C:\Windows\SysWOW64\Hbpgle32.exe Process not Found File created C:\Windows\SysWOW64\Neabfbci.dll Process not Found File created C:\Windows\SysWOW64\Eigdflna.dll Jfjakgpa.exe File created C:\Windows\SysWOW64\Pgphggpe.exe Pcdlghgl.exe File opened for modification C:\Windows\SysWOW64\Ejiiippb.exe Ehhpge32.exe File opened for modification C:\Windows\SysWOW64\Nigjifgc.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 7800 8156 Process not Found 1217 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldckan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmiljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphamg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngckfdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjhlklg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfikaqme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfeibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiibdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmgdaokh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcplp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngklppei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcgcaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peodcmeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iandjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjjhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhqcmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enllgbcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljnkdnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oooodcci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abngccbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gggfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpkppbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemcqcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajnol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koiejemn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niiaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnphd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilpfgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfnfhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifffoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnboma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkmngfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbked32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomppneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphegjhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnehgmob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbpjmeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfmmajed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljomc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jagqfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piceflpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihjjln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhcmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilgnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkchpoka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bipcei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kojdkhdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbhlikpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmbbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mddbjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobciblp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nocbfjmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oinbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ongijo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbccbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahbck32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chknpnap.dll" Biigildg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnajlid.dll" Kofheeoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmipdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oagbljcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoaebjii.dll" Hmioicek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldfoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggilgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feella32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iefnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfgpm32.dll" Accnco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnmojj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nkpbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Facjlhil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbfjljhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kggjghkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfhnh32.dll" Gekeie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiipnb32.dll" Fifdqhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icnphd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkkekdhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbmlmmjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncenga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laqlclga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agnkck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfalhgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eifffoob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dampal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gajibq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejompeel.dll" Hdaajd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfnjbdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjndaj32.dll" Ekcemmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcgemhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbnpknn.dll" Gqhknd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfffcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eaabci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laibqedm.dll" Qnbdjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfqjhmhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgmmd32.dll" Kmaooihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmefiakh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phqdjm32.dll" Fmbflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bojhnjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofdqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenlmopg.dll" Omcbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lechkaga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hagnihom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljama32.dll" Bngdndfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddpeigle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gggfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepidp32.dll" Nhfoocaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nkgmmpab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obpkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpjdiadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkeki32.dll" Mhnjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eojeodga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqpha32.dll" Malnklgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npgjbabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfajlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflhco32.dll" Apkhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odljjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdicggla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gooqfkan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhqgc32.dll" Ckpjob32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2200 wrote to memory of 2228 2200 011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c.exe 91 PID 2200 wrote to memory of 2228 2200 011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c.exe 91 PID 2200 wrote to memory of 2228 2200 011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c.exe 91 PID 2228 wrote to memory of 3740 2228 Cbkfbcpb.exe 92 PID 2228 wrote to memory of 3740 2228 Cbkfbcpb.exe 92 PID 2228 wrote to memory of 3740 2228 Cbkfbcpb.exe 92 PID 3740 wrote to memory of 1792 3740 Cienon32.exe 93 PID 3740 wrote to memory of 1792 3740 Cienon32.exe 93 PID 3740 wrote to memory of 1792 3740 Cienon32.exe 93 PID 1792 wrote to memory of 3308 1792 Ckggnp32.exe 96 PID 1792 wrote to memory of 3308 1792 Ckggnp32.exe 96 PID 1792 wrote to memory of 3308 1792 Ckggnp32.exe 96 PID 3308 wrote to memory of 4552 3308 Cpcpfg32.exe 97 PID 3308 wrote to memory of 4552 3308 Cpcpfg32.exe 97 PID 3308 wrote to memory of 4552 3308 Cpcpfg32.exe 97 PID 4552 wrote to memory of 944 4552 Dpmcmf32.exe 98 PID 4552 wrote to memory of 944 4552 Dpmcmf32.exe 98 PID 4552 wrote to memory of 944 4552 Dpmcmf32.exe 98 PID 944 wrote to memory of 2816 944 Dckoia32.exe 100 PID 944 wrote to memory of 2816 944 Dckoia32.exe 100 PID 944 wrote to memory of 2816 944 Dckoia32.exe 100 PID 2816 wrote to memory of 4784 2816 Ecdbop32.exe 101 PID 2816 wrote to memory of 4784 2816 Ecdbop32.exe 101 PID 2816 wrote to memory of 4784 2816 Ecdbop32.exe 101 PID 4784 wrote to memory of 432 4784 Edihdb32.exe 102 PID 4784 wrote to memory of 432 4784 Edihdb32.exe 102 PID 4784 wrote to memory of 432 4784 Edihdb32.exe 102 PID 432 wrote to memory of 3548 432 Fbaahf32.exe 103 PID 432 wrote to memory of 3548 432 Fbaahf32.exe 103 PID 432 wrote to memory of 3548 432 Fbaahf32.exe 103 PID 3548 wrote to memory of 984 3548 Fbdnne32.exe 104 PID 3548 wrote to memory of 984 3548 Fbdnne32.exe 104 PID 3548 wrote to memory of 984 3548 Fbdnne32.exe 104 PID 984 wrote to memory of 2488 984 Gqkhda32.exe 105 PID 984 wrote to memory of 2488 984 Gqkhda32.exe 105 PID 984 wrote to memory of 2488 984 Gqkhda32.exe 105 PID 2488 wrote to memory of 5040 2488 Gdiakp32.exe 106 PID 2488 wrote to memory of 5040 2488 Gdiakp32.exe 106 PID 2488 wrote to memory of 5040 2488 Gdiakp32.exe 106 PID 5040 wrote to memory of 3160 5040 Gqpapacd.exe 107 PID 5040 wrote to memory of 3160 5040 Gqpapacd.exe 107 PID 5040 wrote to memory of 3160 5040 Gqpapacd.exe 107 PID 3160 wrote to memory of 184 3160 Gkefmjcj.exe 108 PID 3160 wrote to memory of 184 3160 Gkefmjcj.exe 108 PID 3160 wrote to memory of 184 3160 Gkefmjcj.exe 108 PID 184 wrote to memory of 4480 184 Hnkhjdle.exe 109 PID 184 wrote to memory of 4480 184 Hnkhjdle.exe 109 PID 184 wrote to memory of 4480 184 Hnkhjdle.exe 109 PID 4480 wrote to memory of 3964 4480 Hnpaec32.exe 110 PID 4480 wrote to memory of 3964 4480 Hnpaec32.exe 110 PID 4480 wrote to memory of 3964 4480 Hnpaec32.exe 110 PID 3964 wrote to memory of 4384 3964 Ilhkigcd.exe 111 PID 3964 wrote to memory of 4384 3964 Ilhkigcd.exe 111 PID 3964 wrote to memory of 4384 3964 Ilhkigcd.exe 111 PID 4384 wrote to memory of 4908 4384 Jnnnfalp.exe 112 PID 4384 wrote to memory of 4908 4384 Jnnnfalp.exe 112 PID 4384 wrote to memory of 4908 4384 Jnnnfalp.exe 112 PID 4908 wrote to memory of 1928 4908 Jldkeeig.exe 113 PID 4908 wrote to memory of 1928 4908 Jldkeeig.exe 113 PID 4908 wrote to memory of 1928 4908 Jldkeeig.exe 113 PID 1928 wrote to memory of 612 1928 Jjihfbno.exe 114 PID 1928 wrote to memory of 612 1928 Jjihfbno.exe 114 PID 1928 wrote to memory of 612 1928 Jjihfbno.exe 114 PID 612 wrote to memory of 1500 612 Keceoj32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c.exe"C:\Users\Admin\AppData\Local\Temp\011ec350ab933538dc3956a2e0fbb57c8a8fd682c81c16c999ded0d1d180d19c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Cienon32.exeC:\Windows\system32\Cienon32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Dckoia32.exeC:\Windows\system32\Dckoia32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Ecdbop32.exeC:\Windows\system32\Ecdbop32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Edihdb32.exeC:\Windows\system32\Edihdb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Fbaahf32.exeC:\Windows\system32\Fbaahf32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Gqkhda32.exeC:\Windows\system32\Gqkhda32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Ilhkigcd.exeC:\Windows\system32\Ilhkigcd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Keceoj32.exeC:\Windows\system32\Keceoj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe23⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Kkgdhp32.exeC:\Windows\system32\Kkgdhp32.exe24⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5064 -
C:\Windows\SysWOW64\Lacijjgi.exeC:\Windows\system32\Lacijjgi.exe26⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe27⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Lhpnlclc.exeC:\Windows\system32\Lhpnlclc.exe28⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe30⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe32⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe33⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe34⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Lhdggb32.exeC:\Windows\system32\Lhdggb32.exe35⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Lkcccn32.exeC:\Windows\system32\Lkcccn32.exe36⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Lamlphoo.exeC:\Windows\system32\Lamlphoo.exe37⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Lhgdmb32.exeC:\Windows\system32\Lhgdmb32.exe38⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe39⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe40⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Mdnebc32.exeC:\Windows\system32\Mdnebc32.exe41⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe42⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe43⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Memalfcb.exeC:\Windows\system32\Memalfcb.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4736 -
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe45⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Moefdljc.exeC:\Windows\system32\Moefdljc.exe46⤵
- Executes dropped EXE
PID:5156 -
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe47⤵
- Executes dropped EXE
PID:5196 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe49⤵
- Executes dropped EXE
PID:5276 -
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe50⤵
- Executes dropped EXE
PID:5316 -
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe52⤵
- Executes dropped EXE
PID:5396 -
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe53⤵
- Executes dropped EXE
PID:5436 -
C:\Windows\SysWOW64\Mcfkpjng.exeC:\Windows\system32\Mcfkpjng.exe54⤵
- Executes dropped EXE
PID:5476 -
C:\Windows\SysWOW64\Mdghhb32.exeC:\Windows\system32\Mdghhb32.exe55⤵
- Executes dropped EXE
PID:5516 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe56⤵
- Executes dropped EXE
PID:5556 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe57⤵
- Executes dropped EXE
PID:5596 -
C:\Windows\SysWOW64\Nefdbekh.exeC:\Windows\system32\Nefdbekh.exe58⤵
- Executes dropped EXE
PID:5636 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe59⤵
- Executes dropped EXE
PID:5676 -
C:\Windows\SysWOW64\Nkcmjlio.exeC:\Windows\system32\Nkcmjlio.exe60⤵
- Executes dropped EXE
PID:5716 -
C:\Windows\SysWOW64\Ncjdki32.exeC:\Windows\system32\Ncjdki32.exe61⤵
- Executes dropped EXE
PID:5756 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe62⤵
- Executes dropped EXE
PID:5796 -
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe63⤵
- Executes dropped EXE
PID:5836 -
C:\Windows\SysWOW64\Noaeqjpe.exeC:\Windows\system32\Noaeqjpe.exe64⤵
- Executes dropped EXE
PID:5876 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe65⤵
- Executes dropped EXE
PID:5916 -
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe66⤵PID:5956
-
C:\Windows\SysWOW64\Nlefjnno.exeC:\Windows\system32\Nlefjnno.exe67⤵PID:5996
-
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe68⤵
- System Location Discovery: System Language Discovery
PID:6036 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe69⤵
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Nhlfoodc.exeC:\Windows\system32\Nhlfoodc.exe70⤵PID:6116
-
C:\Windows\SysWOW64\Nkjckkcg.exeC:\Windows\system32\Nkjckkcg.exe71⤵PID:2928
-
C:\Windows\SysWOW64\Ncaklhdi.exeC:\Windows\system32\Ncaklhdi.exe72⤵PID:4428
-
C:\Windows\SysWOW64\Nfpghccm.exeC:\Windows\system32\Nfpghccm.exe73⤵
- Drops file in System32 directory
PID:3600 -
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe74⤵PID:1004
-
C:\Windows\SysWOW64\Oohkai32.exeC:\Windows\system32\Oohkai32.exe75⤵PID:5172
-
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe76⤵PID:5252
-
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe77⤵PID:5332
-
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe78⤵PID:5372
-
C:\Windows\SysWOW64\Ocfdgg32.exeC:\Windows\system32\Ocfdgg32.exe79⤵PID:3104
-
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe80⤵
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe81⤵PID:5588
-
C:\Windows\SysWOW64\Okailj32.exeC:\Windows\system32\Okailj32.exe82⤵PID:2984
-
C:\Windows\SysWOW64\Ochamg32.exeC:\Windows\system32\Ochamg32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:640 -
C:\Windows\SysWOW64\Ofgmib32.exeC:\Windows\system32\Ofgmib32.exe84⤵PID:5772
-
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe85⤵PID:5864
-
C:\Windows\SysWOW64\Oooaah32.exeC:\Windows\system32\Oooaah32.exe86⤵PID:5944
-
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe87⤵PID:6024
-
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe88⤵
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe89⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe90⤵PID:3612
-
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe91⤵
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe92⤵PID:5152
-
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe93⤵PID:5272
-
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe94⤵PID:5384
-
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe95⤵PID:5204
-
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe96⤵PID:5580
-
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe97⤵PID:5692
-
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe98⤵PID:5784
-
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe99⤵PID:5444
-
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe100⤵
- System Location Discovery: System Language Discovery
PID:5980 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe101⤵PID:6052
-
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe102⤵PID:2532
-
C:\Windows\SysWOW64\Piaiqlak.exeC:\Windows\system32\Piaiqlak.exe103⤵PID:5604
-
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe104⤵PID:5260
-
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe105⤵PID:5348
-
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe106⤵
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe107⤵
- System Location Discovery: System Language Discovery
PID:5668 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5820 -
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe109⤵PID:5484
-
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe110⤵PID:6064
-
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe111⤵PID:4928
-
C:\Windows\SysWOW64\Qppkhfec.exeC:\Windows\system32\Qppkhfec.exe112⤵PID:5224
-
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe113⤵PID:5164
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe114⤵PID:2960
-
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe115⤵PID:5852
-
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe116⤵PID:5524
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe117⤵PID:3924
-
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe118⤵PID:5812
-
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe119⤵
- Drops file in System32 directory
PID:3644 -
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe120⤵PID:5752
-
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5684
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-