Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01-09-2024 22:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eccdb5ed371a7dad16b5ca83475d0290N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
eccdb5ed371a7dad16b5ca83475d0290N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
eccdb5ed371a7dad16b5ca83475d0290N.exe
-
Size
96KB
-
MD5
eccdb5ed371a7dad16b5ca83475d0290
-
SHA1
15254ba510c86a8c8c1e81477f4d7c5585a71a4b
-
SHA256
be818fe441e0934a000594d2df66de2598929108c763d1c0bef1b4aba8c431aa
-
SHA512
3874a8c2259e7791ef1a84f261267f7758b5c6cffccf2547123484797d12b0a6bafd22b6f2767654259859ef3caa677d6a175b19a281a82c37193b998732b13f
-
SSDEEP
1536:BK+hy497dkdHO0wX6hE6/NTz7cw2Lk1wPXuhiTMuZXGTIVefVDkryyAyqX:BByk7dkdHjwqhE6/tzSawPXuhuXGQmVT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lifjnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcdnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnkmnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eciplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdigadjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhniccb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjnae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihipdhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlhljhbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpoalo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonhghjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjocap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghjhemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qikgco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoiqneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlacbfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ploknb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccchof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diffglam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckfphc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Madjhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbmdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflbkcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chmndlge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfnofpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqpoakco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbfakec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejchhgid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmmni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpkadnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlimed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkbnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calhnpgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bihjfnmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaamlecg.exe -
Executes dropped EXE 64 IoCs
pid Process 3260 Aqkgpedc.exe 2412 Acjclpcf.exe 4828 Anogiicl.exe 2624 Aclpap32.exe 532 Ajfhnjhq.exe 808 Aeklkchg.exe 440 Agjhgngj.exe 1284 Andqdh32.exe 3356 Aabmqd32.exe 1940 Afoeiklb.exe 2832 Anfmjhmd.exe 5092 Aepefb32.exe 2888 Bmkjkd32.exe 3752 Bganhm32.exe 4440 Bnkgeg32.exe 2996 Baicac32.exe 4860 Bffkij32.exe 4012 Bnmcjg32.exe 4436 Beglgani.exe 3612 Bgehcmmm.exe 3348 Bclhhnca.exe 3672 Bfkedibe.exe 3112 Bcoenmao.exe 3920 Cfmajipb.exe 3080 Cmgjgcgo.exe 3300 Chmndlge.exe 3968 Caebma32.exe 1192 Chokikeb.exe 5088 Cmlcbbcj.exe 2876 Cdfkolkf.exe 2512 Chagok32.exe 760 Cnkplejl.exe 620 Cdhhdlid.exe 2068 Cnnlaehj.exe 2208 Calhnpgn.exe 3872 Dhfajjoj.exe 3484 Dmcibama.exe 1448 Ddmaok32.exe 64 Djgjlelk.exe 3620 Dmefhako.exe 1344 Dhkjej32.exe 1248 Dodbbdbb.exe 4244 Deokon32.exe 3156 Dhmgki32.exe 4052 Deagdn32.exe 2212 Dhocqigp.exe 1744 Doilmc32.exe 464 Edfdej32.exe 5004 Eolhbc32.exe 728 Eefaomcg.exe 4900 Ehdmlhcj.exe 3240 Eonehbjg.exe 4668 Emaedo32.exe 2200 Ehfjah32.exe 3500 Ekefmc32.exe 1888 Eaonjngh.exe 4536 Eglgbdep.exe 1584 Emeoooml.exe 4620 Edpgli32.exe 536 Eoekia32.exe 1076 Feocelll.exe 4452 Fgppmd32.exe 1132 Fnjhjn32.exe 3028 Fddqghpd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mnlnbl32.exe Mlmbfqoj.exe File created C:\Windows\SysWOW64\Amnlme32.exe Aokkahlo.exe File created C:\Windows\SysWOW64\Ogfcjm32.exe Nookip32.exe File created C:\Windows\SysWOW64\Hhknpmma.exe Haafcb32.exe File created C:\Windows\SysWOW64\Ljeafb32.exe Lggejg32.exe File opened for modification C:\Windows\SysWOW64\Chiblk32.exe Process not Found File created C:\Windows\SysWOW64\Hhbdbmfg.dll Palbgl32.exe File created C:\Windows\SysWOW64\Eemnff32.dll Jebfng32.exe File created C:\Windows\SysWOW64\Nmjfodne.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dfmcfp32.exe Dcogje32.exe File created C:\Windows\SysWOW64\Phmgghbe.dll Hjlkge32.exe File created C:\Windows\SysWOW64\Ikpjbq32.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Mchppmij.exe Mmnhcb32.exe File opened for modification C:\Windows\SysWOW64\Epagkd32.exe Ejdocm32.exe File created C:\Windows\SysWOW64\Ennioe32.dll Hpabni32.exe File opened for modification C:\Windows\SysWOW64\Aaiqcnhg.exe Process not Found File created C:\Windows\SysWOW64\Dmcibama.exe Dhfajjoj.exe File created C:\Windows\SysWOW64\Dhmgki32.exe Deokon32.exe File created C:\Windows\SysWOW64\Cocacl32.exe Cleegp32.exe File created C:\Windows\SysWOW64\Nainbl32.dll Jbdbjf32.exe File opened for modification C:\Windows\SysWOW64\Kjhcjq32.exe Kgjgne32.exe File opened for modification C:\Windows\SysWOW64\Ajbmdn32.exe Aakebqbj.exe File opened for modification C:\Windows\SysWOW64\Ddkbmj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hlbcnd32.exe Hidgai32.exe File created C:\Windows\SysWOW64\Mnegbp32.exe Mfnoqc32.exe File opened for modification C:\Windows\SysWOW64\Dclkee32.exe Dpqodfij.exe File created C:\Windows\SysWOW64\Ebnfbcbc.exe Eppjfgcp.exe File created C:\Windows\SysWOW64\Nmigoagp.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Didmdo32.dll Imkbnf32.exe File created C:\Windows\SysWOW64\Qclmck32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dhkjej32.exe Dmefhako.exe File created C:\Windows\SysWOW64\Aomifecf.exe Alnmjjdb.exe File created C:\Windows\SysWOW64\Gemkelcd.exe Gncchb32.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Bdojjo32.exe File opened for modification C:\Windows\SysWOW64\Ngdfdmdi.exe Nhbfff32.exe File created C:\Windows\SysWOW64\Blnlefae.dll Ccdnjp32.exe File opened for modification C:\Windows\SysWOW64\Nookip32.exe Nibbqicm.exe File opened for modification C:\Windows\SysWOW64\Lbngllob.exe Lieccf32.exe File created C:\Windows\SysWOW64\Knienl32.dll Efjimhnh.exe File created C:\Windows\SysWOW64\Bmaioi32.dll Dmcain32.exe File created C:\Windows\SysWOW64\Eoekia32.exe Edpgli32.exe File created C:\Windows\SysWOW64\Plgehm32.dll Inbqhhfj.exe File created C:\Windows\SysWOW64\Kcjjhdjb.exe Process not Found File created C:\Windows\SysWOW64\Aeklkchg.exe Ajfhnjhq.exe File created C:\Windows\SysWOW64\Gfdfgiid.exe Gkobjpin.exe File opened for modification C:\Windows\SysWOW64\Ebkbbmqj.exe Process not Found File created C:\Windows\SysWOW64\Fiqjke32.exe Process not Found File created C:\Windows\SysWOW64\Hbgkei32.exe Process not Found File created C:\Windows\SysWOW64\Phcebinc.dll Ihqoeb32.exe File created C:\Windows\SysWOW64\Anmfbl32.exe Aknifq32.exe File created C:\Windows\SysWOW64\Eapjpi32.dll Process not Found File created C:\Windows\SysWOW64\Gpaoobkd.dll Cofecami.exe File created C:\Windows\SysWOW64\Oeheqm32.exe Oalipoiq.exe File created C:\Windows\SysWOW64\Dimenegi.exe Dfoiaj32.exe File created C:\Windows\SysWOW64\Gedapeof.dll Knooej32.exe File opened for modification C:\Windows\SysWOW64\Hmkigh32.exe Gbeejp32.exe File opened for modification C:\Windows\SysWOW64\Ljeafb32.exe Lggejg32.exe File created C:\Windows\SysWOW64\Icpjna32.dll Process not Found File created C:\Windows\SysWOW64\Iiofld32.dll Eidbij32.exe File opened for modification C:\Windows\SysWOW64\Lihpif32.exe Lbngllob.exe File created C:\Windows\SysWOW64\Aqaffn32.exe Aijnep32.exe File created C:\Windows\SysWOW64\Kiikpnmj.exe Process not Found File created C:\Windows\SysWOW64\Pnnlinml.dll Innfnl32.exe File opened for modification C:\Windows\SysWOW64\Qpeahb32.exe Qodeajbg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11292 10608 Process not Found 1408 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acmobchj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opogbbig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icknfcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfhfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjjfegi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmfbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgppmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljclki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neclenfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lankbigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbngllob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifkpknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calhnpgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adndoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmcjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjchaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbmkpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhknpmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelolmnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioolkncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqfll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfjma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlflabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmlnjco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqeqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjmnjqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekmnajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indfca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeklkchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggejg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcjdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll" Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkkceedp.dll" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpajnp32.dll" Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhdcii.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efmmmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbajbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnmepn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doepmnag.dll" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll" Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjgd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mknjbg32.dll" Higjaoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehiffj32.dll" Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcfgpga.dll" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfadafe.dll" Gfkbde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngpock32.dll" Neppokal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofeei32.dll" Jlhljhbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnfamjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfbknfp.dll" Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll" Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgnfq32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knodgg32.dll" Medqcmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbom32.dll" Poodpmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agiamhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjgdg32.dll" Albpkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jicdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhoqeibl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aonhghjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnngbbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmbmkpie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epokedmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fplpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdaociml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phjenbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgngp32.dll" Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpnbg32.dll" Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikhjofo.dll" Diffglam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll" Kncaec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaonjngh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njghbl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 400 wrote to memory of 3260 400 eccdb5ed371a7dad16b5ca83475d0290N.exe 83 PID 400 wrote to memory of 3260 400 eccdb5ed371a7dad16b5ca83475d0290N.exe 83 PID 400 wrote to memory of 3260 400 eccdb5ed371a7dad16b5ca83475d0290N.exe 83 PID 3260 wrote to memory of 2412 3260 Aqkgpedc.exe 84 PID 3260 wrote to memory of 2412 3260 Aqkgpedc.exe 84 PID 3260 wrote to memory of 2412 3260 Aqkgpedc.exe 84 PID 2412 wrote to memory of 4828 2412 Acjclpcf.exe 85 PID 2412 wrote to memory of 4828 2412 Acjclpcf.exe 85 PID 2412 wrote to memory of 4828 2412 Acjclpcf.exe 85 PID 4828 wrote to memory of 2624 4828 Anogiicl.exe 86 PID 4828 wrote to memory of 2624 4828 Anogiicl.exe 86 PID 4828 wrote to memory of 2624 4828 Anogiicl.exe 86 PID 2624 wrote to memory of 532 2624 Aclpap32.exe 87 PID 2624 wrote to memory of 532 2624 Aclpap32.exe 87 PID 2624 wrote to memory of 532 2624 Aclpap32.exe 87 PID 532 wrote to memory of 808 532 Ajfhnjhq.exe 88 PID 532 wrote to memory of 808 532 Ajfhnjhq.exe 88 PID 532 wrote to memory of 808 532 Ajfhnjhq.exe 88 PID 808 wrote to memory of 440 808 Aeklkchg.exe 89 PID 808 wrote to memory of 440 808 Aeklkchg.exe 89 PID 808 wrote to memory of 440 808 Aeklkchg.exe 89 PID 440 wrote to memory of 1284 440 Agjhgngj.exe 90 PID 440 wrote to memory of 1284 440 Agjhgngj.exe 90 PID 440 wrote to memory of 1284 440 Agjhgngj.exe 90 PID 1284 wrote to memory of 3356 1284 Andqdh32.exe 92 PID 1284 wrote to memory of 3356 1284 Andqdh32.exe 92 PID 1284 wrote to memory of 3356 1284 Andqdh32.exe 92 PID 3356 wrote to memory of 1940 3356 Aabmqd32.exe 93 PID 3356 wrote to memory of 1940 3356 Aabmqd32.exe 93 PID 3356 wrote to memory of 1940 3356 Aabmqd32.exe 93 PID 1940 wrote to memory of 2832 1940 Afoeiklb.exe 94 PID 1940 wrote to memory of 2832 1940 Afoeiklb.exe 94 PID 1940 wrote to memory of 2832 1940 Afoeiklb.exe 94 PID 2832 wrote to memory of 5092 2832 Anfmjhmd.exe 95 PID 2832 wrote to memory of 5092 2832 Anfmjhmd.exe 95 PID 2832 wrote to memory of 5092 2832 Anfmjhmd.exe 95 PID 5092 wrote to memory of 2888 5092 Aepefb32.exe 96 PID 5092 wrote to memory of 2888 5092 Aepefb32.exe 96 PID 5092 wrote to memory of 2888 5092 Aepefb32.exe 96 PID 2888 wrote to memory of 3752 2888 Bmkjkd32.exe 98 PID 2888 wrote to memory of 3752 2888 Bmkjkd32.exe 98 PID 2888 wrote to memory of 3752 2888 Bmkjkd32.exe 98 PID 3752 wrote to memory of 4440 3752 Bganhm32.exe 99 PID 3752 wrote to memory of 4440 3752 Bganhm32.exe 99 PID 3752 wrote to memory of 4440 3752 Bganhm32.exe 99 PID 4440 wrote to memory of 2996 4440 Bnkgeg32.exe 100 PID 4440 wrote to memory of 2996 4440 Bnkgeg32.exe 100 PID 4440 wrote to memory of 2996 4440 Bnkgeg32.exe 100 PID 2996 wrote to memory of 4860 2996 Baicac32.exe 101 PID 2996 wrote to memory of 4860 2996 Baicac32.exe 101 PID 2996 wrote to memory of 4860 2996 Baicac32.exe 101 PID 4860 wrote to memory of 4012 4860 Bffkij32.exe 102 PID 4860 wrote to memory of 4012 4860 Bffkij32.exe 102 PID 4860 wrote to memory of 4012 4860 Bffkij32.exe 102 PID 4012 wrote to memory of 4436 4012 Bnmcjg32.exe 103 PID 4012 wrote to memory of 4436 4012 Bnmcjg32.exe 103 PID 4012 wrote to memory of 4436 4012 Bnmcjg32.exe 103 PID 4436 wrote to memory of 3612 4436 Beglgani.exe 104 PID 4436 wrote to memory of 3612 4436 Beglgani.exe 104 PID 4436 wrote to memory of 3612 4436 Beglgani.exe 104 PID 3612 wrote to memory of 3348 3612 Bgehcmmm.exe 105 PID 3612 wrote to memory of 3348 3612 Bgehcmmm.exe 105 PID 3612 wrote to memory of 3348 3612 Bgehcmmm.exe 105 PID 3348 wrote to memory of 3672 3348 Bclhhnca.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\eccdb5ed371a7dad16b5ca83475d0290N.exe"C:\Users\Admin\AppData\Local\Temp\eccdb5ed371a7dad16b5ca83475d0290N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Aqkgpedc.exeC:\Windows\system32\Aqkgpedc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe23⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe24⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe25⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe26⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe28⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe29⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe30⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe31⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe32⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe33⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe34⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe35⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe39⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe40⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3620 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe42⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe43⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4244 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe45⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe46⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe47⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe48⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe49⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe50⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe51⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe52⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe53⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe54⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe55⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe56⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe58⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe59⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4620 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe61⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe62⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe64⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe65⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe66⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe67⤵PID:636
-
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe68⤵PID:1596
-
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe69⤵PID:1996
-
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe70⤵PID:2868
-
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe71⤵PID:432
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe72⤵PID:4528
-
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe73⤵PID:2344
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe74⤵PID:2444
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe76⤵PID:4060
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe77⤵PID:3248
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe78⤵PID:2588
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe79⤵PID:3624
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe80⤵PID:1792
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe81⤵PID:3928
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe82⤵
- Drops file in System32 directory
PID:3096 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe83⤵PID:3984
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe84⤵PID:744
-
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe85⤵PID:3120
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe86⤵PID:4492
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe87⤵PID:5132
-
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe88⤵PID:5184
-
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe89⤵PID:5216
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe90⤵PID:5280
-
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe91⤵PID:5324
-
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe92⤵PID:5364
-
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe93⤵PID:5416
-
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe94⤵
- Modifies registry class
PID:5460 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe95⤵PID:5520
-
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe96⤵PID:5564
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe97⤵PID:5608
-
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe98⤵PID:5652
-
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe99⤵
- Drops file in System32 directory
PID:5696 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe100⤵PID:5740
-
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe101⤵PID:5784
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe102⤵PID:5828
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe103⤵PID:5872
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe104⤵PID:5916
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe105⤵PID:5960
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe106⤵PID:6000
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe107⤵
- Drops file in System32 directory
PID:6044 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe108⤵PID:6088
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe109⤵PID:6132
-
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe110⤵PID:5172
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe111⤵PID:5144
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe112⤵PID:5320
-
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe113⤵PID:5360
-
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe114⤵PID:5448
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe115⤵PID:5528
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe116⤵
- Modifies registry class
PID:3204 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe117⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe118⤵PID:5668
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe119⤵PID:5732
-
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe120⤵PID:5820
-
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe121⤵PID:5868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-