Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/09/2024, 00:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d7d747f6db2e1e84826a3a69c2fc1c00N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d7d747f6db2e1e84826a3a69c2fc1c00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d7d747f6db2e1e84826a3a69c2fc1c00N.exe
-
Size
64KB
-
MD5
d7d747f6db2e1e84826a3a69c2fc1c00
-
SHA1
60abcfa6b8e4288c7d1e8c6ea59f2eb538903b5b
-
SHA256
665d4aedb3882fc45509c6ffc2ff495bc6d473ef70e1066c4095b165f5efb0a8
-
SHA512
0abe98519515805dc42cd5097f228608fde3f925ae4b393def851305f9597ba0334883e88e70c1dd4d95585f7824ac5699363ed111345e31d840040da8940235
-
SSDEEP
1536:HTvfYjxM4hVsiV91BWWWiiiiiiiiiiiiiiiNwm4XUXruCHcpzt/Idn:zvfYNM4VBemQpFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfobjbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdifoehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjehmfch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkpoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niooqcad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehngkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boklbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbmibhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igchfiof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nemmoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fideeaco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpkiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akamff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inlihl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgflqkdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopmfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigheh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dopigd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibkpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiaglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kinmcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imakkfdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnihiio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiaqcnpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlhkgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfokoelp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokon32.exe -
Executes dropped EXE 64 IoCs
pid Process 4820 Hkfoeega.exe 3068 Hbpgbo32.exe 4632 Heocnk32.exe 3604 Hkikkeeo.exe 3924 Hbbdholl.exe 2820 Heapdjlp.exe 5092 Hmhhehlb.exe 2244 Hofdacke.exe 2168 Hbeqmoji.exe 2308 Hecmijim.exe 2672 Hmjdjgjo.exe 3692 Hbgmcnhf.exe 744 Iiaephpc.exe 5112 Ikpaldog.exe 4652 Iehfdi32.exe 3528 Imoneg32.exe 2344 Iblfnn32.exe 928 Imakkfdg.exe 4112 Ibnccmbo.exe 4716 Iemppiab.exe 3520 Ilghlc32.exe 4904 Ibqpimpl.exe 3824 Ieolehop.exe 512 Ilidbbgl.exe 4192 Ipdqba32.exe 1940 Jfoiokfb.exe 4828 Jmhale32.exe 2864 Jcbihpel.exe 4328 Jedeph32.exe 4848 Jpijnqkp.exe 864 Jbhfjljd.exe 1208 Jianff32.exe 1440 Jlpkba32.exe 3916 Jbjcolha.exe 3636 Jidklf32.exe 1536 Jlbgha32.exe 3492 Jblpek32.exe 3332 Jeklag32.exe 3516 Jmbdbd32.exe 2396 Jpppnp32.exe 2084 Kboljk32.exe 2712 Kemhff32.exe 2364 Klgqcqkl.exe 388 Kpbmco32.exe 4908 Kepelfam.exe 2772 Klimip32.exe 1548 Kbceejpf.exe 1568 Kimnbd32.exe 4248 Kmijbcpl.exe 728 Kdcbom32.exe 1660 Kedoge32.exe 4416 Klngdpdd.exe 4332 Kbhoqj32.exe 3268 Kefkme32.exe 1192 Klqcioba.exe 2128 Kplpjn32.exe 5032 Lffhfh32.exe 1804 Lmppcbjd.exe 4552 Llcpoo32.exe 1792 Ldjhpl32.exe 1204 Lekehdgp.exe 4780 Lmbmibhb.exe 3972 Lpqiemge.exe 3064 Lboeaifi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eglgbdep.exe Eejjjl32.exe File opened for modification C:\Windows\SysWOW64\Aaiimadl.exe Aojlaeei.exe File created C:\Windows\SysWOW64\Bjbfklei.exe Bblnindg.exe File created C:\Windows\SysWOW64\Fdccbl32.exe Fllkqn32.exe File created C:\Windows\SysWOW64\Pmannhhj.exe Pfhfan32.exe File opened for modification C:\Windows\SysWOW64\Qdbiedpa.exe Qnhahj32.exe File created C:\Windows\SysWOW64\Dcmann32.dll Oeicejia.exe File created C:\Windows\SysWOW64\Pmlmkn32.exe Plkpcfal.exe File created C:\Windows\SysWOW64\Alapqh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ocbddc32.exe Opdghh32.exe File opened for modification C:\Windows\SysWOW64\Bcoenmao.exe Bmemac32.exe File created C:\Windows\SysWOW64\Lmafqb32.dll Mepfiq32.exe File created C:\Windows\SysWOW64\Nnmoekkn.dll Cmipblaq.exe File created C:\Windows\SysWOW64\Hhdebqbi.dll Process not Found File created C:\Windows\SysWOW64\Fkpool32.exe Fhabbp32.exe File created C:\Windows\SysWOW64\Fllkqn32.exe Fimodc32.exe File opened for modification C:\Windows\SysWOW64\Mmkkmc32.exe Mjmoag32.exe File created C:\Windows\SysWOW64\Ogcnmc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Akblfj32.exe Process not Found File created C:\Windows\SysWOW64\Qkhnbpne.dll Process not Found File created C:\Windows\SysWOW64\Mhbacd32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mbfkbhpa.exe Lphoelqn.exe File opened for modification C:\Windows\SysWOW64\Mockmala.exe Mleoafmn.exe File created C:\Windows\SysWOW64\Fmqgpgoc.exe Fkbkdkpp.exe File created C:\Windows\SysWOW64\Piomhofd.dll Injcmc32.exe File opened for modification C:\Windows\SysWOW64\Flpmagqi.exe Process not Found File created C:\Windows\SysWOW64\Jcbdgb32.exe Jpdhkf32.exe File created C:\Windows\SysWOW64\Oophlo32.exe Process not Found File created C:\Windows\SysWOW64\Cdaile32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fdkggg32.exe Famjkl32.exe File opened for modification C:\Windows\SysWOW64\Jodjhkkj.exe Igmagnkg.exe File opened for modification C:\Windows\SysWOW64\Ookjdn32.exe Ollnhb32.exe File created C:\Windows\SysWOW64\Mcnggo32.dll Gdmmbq32.exe File created C:\Windows\SysWOW64\Agbgbe32.dll Kiggbhda.exe File opened for modification C:\Windows\SysWOW64\Dcphdqmj.exe Process not Found File created C:\Windows\SysWOW64\Kminigbj.dll Process not Found File created C:\Windows\SysWOW64\Elcgieob.dll Nhkikq32.exe File opened for modification C:\Windows\SysWOW64\Lqkgbcff.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Qjalckog.dll Qachgk32.exe File created C:\Windows\SysWOW64\Hlglnp32.dll Process not Found File created C:\Windows\SysWOW64\Ecdbop32.exe Process not Found File created C:\Windows\SysWOW64\Efqidp32.dll Fgjccb32.exe File created C:\Windows\SysWOW64\Gajaoo32.dll Fllkqn32.exe File created C:\Windows\SysWOW64\Mqfpckhm.exe Process not Found File created C:\Windows\SysWOW64\Jadgnb32.exe Process not Found File created C:\Windows\SysWOW64\Nagfjh32.dll Dcogje32.exe File created C:\Windows\SysWOW64\Cjnffjkl.exe Cfcjfk32.exe File opened for modification C:\Windows\SysWOW64\Fechomko.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gncchb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cmlcbbcj.exe Cjmgfgdf.exe File created C:\Windows\SysWOW64\Dapkni32.exe Djfcaohp.exe File created C:\Windows\SysWOW64\Omfekbdh.exe Process not Found File created C:\Windows\SysWOW64\Bjokon32.dll Process not Found File created C:\Windows\SysWOW64\Pfepdg32.exe Process not Found File created C:\Windows\SysWOW64\Ejnjpohk.dll Kmijbcpl.exe File created C:\Windows\SysWOW64\Mimpolee.exe Lfodbqfa.exe File created C:\Windows\SysWOW64\Epcdqd32.exe Emehdh32.exe File opened for modification C:\Windows\SysWOW64\Niakfbpa.exe Nbgcih32.exe File opened for modification C:\Windows\SysWOW64\Ejalcgkg.exe Ebjcajjd.exe File created C:\Windows\SysWOW64\Lgdidgjg.exe Process not Found File created C:\Windows\SysWOW64\Iohmnmmb.dll Process not Found File created C:\Windows\SysWOW64\Ncpeaoih.exe Process not Found File opened for modification C:\Windows\SysWOW64\Egdqae32.exe Eecdjmfi.exe File created C:\Windows\SysWOW64\Kkkahahf.dll Npedmdab.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17256 16068 Process not Found 1849 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkkkcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdigadjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihqoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haoimcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajbmdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emcbio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibpiogmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkeclfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iehfdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbaojpgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medgncoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foqkdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnddgjbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhakoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjghcfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baicac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niklpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhfedil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chagok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noehba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaompd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijpahho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpeohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbllbmg.dll" Pleaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkicaahi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panlem32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll" Lboeaifi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpbopfag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mockmala.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofblbapl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmdfp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmannhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" Daekdooc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjakkfbf.dll" Iblfnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhbimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olfghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbefdijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nebmekoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acilajpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfogpg32.dll" Efffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhikb32.dll" Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjcnold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momkkhch.dll" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hheoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegnoi32.dll" Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcnlf32.dll" Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkeekk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibffdoal.dll" Ookjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneilmna.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chmndlge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaogak32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5064 wrote to memory of 4820 5064 d7d747f6db2e1e84826a3a69c2fc1c00N.exe 83 PID 5064 wrote to memory of 4820 5064 d7d747f6db2e1e84826a3a69c2fc1c00N.exe 83 PID 5064 wrote to memory of 4820 5064 d7d747f6db2e1e84826a3a69c2fc1c00N.exe 83 PID 4820 wrote to memory of 3068 4820 Hkfoeega.exe 84 PID 4820 wrote to memory of 3068 4820 Hkfoeega.exe 84 PID 4820 wrote to memory of 3068 4820 Hkfoeega.exe 84 PID 3068 wrote to memory of 4632 3068 Hbpgbo32.exe 85 PID 3068 wrote to memory of 4632 3068 Hbpgbo32.exe 85 PID 3068 wrote to memory of 4632 3068 Hbpgbo32.exe 85 PID 4632 wrote to memory of 3604 4632 Heocnk32.exe 86 PID 4632 wrote to memory of 3604 4632 Heocnk32.exe 86 PID 4632 wrote to memory of 3604 4632 Heocnk32.exe 86 PID 3604 wrote to memory of 3924 3604 Hkikkeeo.exe 87 PID 3604 wrote to memory of 3924 3604 Hkikkeeo.exe 87 PID 3604 wrote to memory of 3924 3604 Hkikkeeo.exe 87 PID 3924 wrote to memory of 2820 3924 Hbbdholl.exe 88 PID 3924 wrote to memory of 2820 3924 Hbbdholl.exe 88 PID 3924 wrote to memory of 2820 3924 Hbbdholl.exe 88 PID 2820 wrote to memory of 5092 2820 Heapdjlp.exe 89 PID 2820 wrote to memory of 5092 2820 Heapdjlp.exe 89 PID 2820 wrote to memory of 5092 2820 Heapdjlp.exe 89 PID 5092 wrote to memory of 2244 5092 Hmhhehlb.exe 90 PID 5092 wrote to memory of 2244 5092 Hmhhehlb.exe 90 PID 5092 wrote to memory of 2244 5092 Hmhhehlb.exe 90 PID 2244 wrote to memory of 2168 2244 Hofdacke.exe 91 PID 2244 wrote to memory of 2168 2244 Hofdacke.exe 91 PID 2244 wrote to memory of 2168 2244 Hofdacke.exe 91 PID 2168 wrote to memory of 2308 2168 Hbeqmoji.exe 92 PID 2168 wrote to memory of 2308 2168 Hbeqmoji.exe 92 PID 2168 wrote to memory of 2308 2168 Hbeqmoji.exe 92 PID 2308 wrote to memory of 2672 2308 Hecmijim.exe 94 PID 2308 wrote to memory of 2672 2308 Hecmijim.exe 94 PID 2308 wrote to memory of 2672 2308 Hecmijim.exe 94 PID 2672 wrote to memory of 3692 2672 Hmjdjgjo.exe 95 PID 2672 wrote to memory of 3692 2672 Hmjdjgjo.exe 95 PID 2672 wrote to memory of 3692 2672 Hmjdjgjo.exe 95 PID 3692 wrote to memory of 744 3692 Hbgmcnhf.exe 96 PID 3692 wrote to memory of 744 3692 Hbgmcnhf.exe 96 PID 3692 wrote to memory of 744 3692 Hbgmcnhf.exe 96 PID 744 wrote to memory of 5112 744 Iiaephpc.exe 97 PID 744 wrote to memory of 5112 744 Iiaephpc.exe 97 PID 744 wrote to memory of 5112 744 Iiaephpc.exe 97 PID 5112 wrote to memory of 4652 5112 Ikpaldog.exe 98 PID 5112 wrote to memory of 4652 5112 Ikpaldog.exe 98 PID 5112 wrote to memory of 4652 5112 Ikpaldog.exe 98 PID 4652 wrote to memory of 3528 4652 Iehfdi32.exe 100 PID 4652 wrote to memory of 3528 4652 Iehfdi32.exe 100 PID 4652 wrote to memory of 3528 4652 Iehfdi32.exe 100 PID 3528 wrote to memory of 2344 3528 Imoneg32.exe 101 PID 3528 wrote to memory of 2344 3528 Imoneg32.exe 101 PID 3528 wrote to memory of 2344 3528 Imoneg32.exe 101 PID 2344 wrote to memory of 928 2344 Iblfnn32.exe 102 PID 2344 wrote to memory of 928 2344 Iblfnn32.exe 102 PID 2344 wrote to memory of 928 2344 Iblfnn32.exe 102 PID 928 wrote to memory of 4112 928 Imakkfdg.exe 103 PID 928 wrote to memory of 4112 928 Imakkfdg.exe 103 PID 928 wrote to memory of 4112 928 Imakkfdg.exe 103 PID 4112 wrote to memory of 4716 4112 Ibnccmbo.exe 105 PID 4112 wrote to memory of 4716 4112 Ibnccmbo.exe 105 PID 4112 wrote to memory of 4716 4112 Ibnccmbo.exe 105 PID 4716 wrote to memory of 3520 4716 Iemppiab.exe 106 PID 4716 wrote to memory of 3520 4716 Iemppiab.exe 106 PID 4716 wrote to memory of 3520 4716 Iemppiab.exe 106 PID 3520 wrote to memory of 4904 3520 Ilghlc32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7d747f6db2e1e84826a3a69c2fc1c00N.exe"C:\Users\Admin\AppData\Local\Temp\d7d747f6db2e1e84826a3a69c2fc1c00N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Iehfdi32.exeC:\Windows\system32\Iehfdi32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe23⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe24⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe25⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe26⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe27⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe28⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe29⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe30⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe31⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe32⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe33⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe34⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe35⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3636 -
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe37⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe38⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe39⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe40⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe41⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe42⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe43⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe44⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe45⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe46⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe47⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe48⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe49⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4248 -
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe51⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe52⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe53⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe54⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe55⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe56⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Kplpjn32.exeC:\Windows\system32\Kplpjn32.exe57⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe58⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe59⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe60⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe61⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe62⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe64⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe66⤵PID:3164
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe67⤵PID:4872
-
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe68⤵PID:2804
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe69⤵PID:784
-
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe70⤵PID:4932
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe71⤵PID:4240
-
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe72⤵PID:3676
-
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe73⤵PID:2912
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe74⤵PID:4428
-
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe75⤵
- Drops file in System32 directory
PID:4532 -
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe76⤵PID:4812
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe77⤵
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe78⤵PID:2472
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe79⤵PID:4588
-
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe80⤵PID:4972
-
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe81⤵PID:3264
-
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe82⤵PID:3712
-
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe83⤵PID:1532
-
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe84⤵PID:4448
-
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe85⤵PID:3760
-
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe86⤵PID:4460
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe87⤵PID:1852
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe88⤵PID:3780
-
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe89⤵PID:3848
-
C:\Windows\SysWOW64\Mdmnlj32.exeC:\Windows\system32\Mdmnlj32.exe90⤵PID:1856
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe91⤵PID:1972
-
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe92⤵PID:944
-
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe93⤵PID:3100
-
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe94⤵PID:2548
-
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe95⤵PID:5136
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe96⤵PID:5180
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe97⤵PID:5220
-
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe98⤵PID:5264
-
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe99⤵PID:5308
-
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe100⤵PID:5352
-
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe101⤵PID:5396
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe102⤵PID:5440
-
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe103⤵PID:5484
-
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe104⤵PID:5528
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe105⤵PID:5572
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe107⤵PID:5660
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe108⤵PID:5704
-
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe109⤵PID:5748
-
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe110⤵
- Drops file in System32 directory
PID:5796 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe111⤵PID:5840
-
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe112⤵PID:5884
-
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe113⤵PID:5928
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe114⤵PID:5972
-
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe115⤵PID:6016
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe116⤵PID:6060
-
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe117⤵PID:6104
-
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe118⤵PID:5124
-
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe119⤵PID:5192
-
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe120⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe121⤵PID:5336
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-