Analysis
-
max time kernel
100s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-09-2024 22:27
Behavioral task
behavioral1
Sample
6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683.exe
-
Size
337KB
-
MD5
6af0ac30af4a4500deba158720fafbd5
-
SHA1
4aad182ffe54bae5a2aadfb4917c740b23030c41
-
SHA256
6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683
-
SHA512
05bf1c8d80ecad7f3508e13106b9e2fd183a021a426b405c0c7e41523a7a6d771386d703d31ff2c26e3f8cc9dbab0de57d01bc2611c19a35c61c635659cc14e9
-
SSDEEP
3072:ct/S7swmVTi0uAUngYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:6wmYAUn1+fIyG5jZkCwi8r
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eghkjdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fecadghc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicpgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kamjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poajkgnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdapehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgnemjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjqihnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qapnmopa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihipdhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemefcap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moipoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommceclc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcffnbee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbccge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkfbcpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eicedn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnfohmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eomffaag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcalieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bckkca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnffjkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfcabp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeelnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdcbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aahbbkaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgkan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fklcgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hloqml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmhmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caqpkjcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oldamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaekqhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geoapenf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olijhmgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdmoohbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdlffhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbohpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojdlfeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbaclegm.exe -
Executes dropped EXE 64 IoCs
pid Process 4536 Lnnbqnjn.exe 4900 Lghcocol.exe 4992 Lnbklm32.exe 3084 Llflea32.exe 1560 Lndham32.exe 1004 Llhikacp.exe 2096 Mbbagk32.exe 1508 Mlkepaam.exe 4540 Mbenmk32.exe 4060 Mecjif32.exe 2944 Mhafeb32.exe 4208 Mlmbfqoj.exe 2956 Mnlnbl32.exe 664 Mbgjbkfg.exe 3976 Meefofek.exe 4224 Miaboe32.exe 4180 Mhdckaeo.exe 636 Mjbogmdb.exe 2524 Mnnkgl32.exe 2148 Malgcg32.exe 740 Micoed32.exe 884 Mhfppabl.exe 3292 Mnphmkji.exe 4304 Mejpje32.exe 1864 Mhilfa32.exe 964 Mldhfpib.exe 1040 Njghbl32.exe 316 Nbnpcj32.exe 4252 Nemmoe32.exe 5052 Nihipdhl.exe 3216 Nhkikq32.exe 2264 Njiegl32.exe 4752 Noeahkfc.exe 4668 Nacmdf32.exe 1376 Neoieenp.exe 4840 Nijeec32.exe 468 Nliaao32.exe 692 Nklbmllg.exe 4604 Nognnj32.exe 3316 Nafjjf32.exe 536 Neafjdkn.exe 4544 Nhpbfpka.exe 4520 Nlkngo32.exe 936 Nknobkje.exe 4044 Nbefdijg.exe 2012 Neccpd32.exe 3644 Niooqcad.exe 1828 Nlnkmnah.exe 1916 Nolgijpk.exe 4932 Nbgcih32.exe 2912 Nefped32.exe 3524 Niakfbpa.exe 3228 Nhdlao32.exe 2140 Okchnk32.exe 3124 Oondnini.exe 3360 Oampjeml.exe 4572 Oehlkc32.exe 4300 Ohghgodi.exe 4432 Olbdhn32.exe 3748 Ooqqdi32.exe 4948 Oaompd32.exe 1232 Oekiqccc.exe 3936 Ohiemobf.exe 1500 Oldamm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dgcaaddl.dll Nlkngo32.exe File created C:\Windows\SysWOW64\Dgdncplk.exe Ddfbgelh.exe File created C:\Windows\SysWOW64\Ogcnmc32.exe Oaifpi32.exe File created C:\Windows\SysWOW64\Lhenai32.exe Legben32.exe File created C:\Windows\SysWOW64\Phaahggp.exe Pknqoc32.exe File opened for modification C:\Windows\SysWOW64\Qdphngfl.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Ffceip32.exe Fpimlfke.exe File created C:\Windows\SysWOW64\Jenmcggo.exe Jpaekqhh.exe File created C:\Windows\SysWOW64\Ibdlakbf.dll Hffken32.exe File created C:\Windows\SysWOW64\Bpcgpihi.exe Bmdkcnie.exe File created C:\Windows\SysWOW64\Aagkhd32.exe Aknbkjfh.exe File opened for modification C:\Windows\SysWOW64\Gejhef32.exe Gpmomo32.exe File created C:\Windows\SysWOW64\Jlgfga32.dll Kamjda32.exe File created C:\Windows\SysWOW64\Lljoca32.dll Cmgqpkip.exe File created C:\Windows\SysWOW64\Cbgnemjj.exe Coiaiakf.exe File opened for modification C:\Windows\SysWOW64\Difpmfna.exe Dfgcakon.exe File created C:\Windows\SysWOW64\Ibhkfm32.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Qmfqknfm.dll Lfjfecno.exe File created C:\Windows\SysWOW64\Fbjena32.exe Flpmagqi.exe File opened for modification C:\Windows\SysWOW64\Lepleocn.exe Kofdhd32.exe File created C:\Windows\SysWOW64\Inpoggcb.dll Qbajeg32.exe File opened for modification C:\Windows\SysWOW64\Nklbmllg.exe Nliaao32.exe File created C:\Windows\SysWOW64\Ogeacidl.dll Fniihmpf.exe File created C:\Windows\SysWOW64\Mofmobmo.exe Mjidgkog.exe File created C:\Windows\SysWOW64\Lpepbgbd.exe Lepleocn.exe File opened for modification C:\Windows\SysWOW64\Oflmnh32.exe Opbean32.exe File created C:\Windows\SysWOW64\Qcjdoc32.dll Knhakh32.exe File created C:\Windows\SysWOW64\Lbpflbpa.dll Onmfimga.exe File created C:\Windows\SysWOW64\Pfdjinjo.exe Pdenmbkk.exe File opened for modification C:\Windows\SysWOW64\Fbmohmoh.exe Ekcgkb32.exe File opened for modification C:\Windows\SysWOW64\Fimodc32.exe Ffobhg32.exe File created C:\Windows\SysWOW64\Bfmolc32.exe Bbaclegm.exe File opened for modification C:\Windows\SysWOW64\Epdime32.exe Eaaiahei.exe File created C:\Windows\SysWOW64\Eclhcj32.dll Edfknb32.exe File created C:\Windows\SysWOW64\Bombmcec.exe Bmofagfp.exe File created C:\Windows\SysWOW64\Qacameaj.exe Qodeajbg.exe File created C:\Windows\SysWOW64\Nchkcb32.dll Dnmaea32.exe File created C:\Windows\SysWOW64\Fkmjaa32.exe Finnef32.exe File created C:\Windows\SysWOW64\Bkkhbb32.exe Bdapehop.exe File created C:\Windows\SysWOW64\Djfoankj.dll Dpnkdq32.exe File opened for modification C:\Windows\SysWOW64\Jpaleglc.exe Ikdcmpnl.exe File created C:\Windows\SysWOW64\Jcgmgn32.dll Pmnbfhal.exe File opened for modification C:\Windows\SysWOW64\Bpqjjjjl.exe Bmbnnn32.exe File created C:\Windows\SysWOW64\Nmbjcljl.exe Mcifkf32.exe File created C:\Windows\SysWOW64\Hpaoan32.dll Feenjgfq.exe File opened for modification C:\Windows\SysWOW64\Qikgco32.exe Qadoba32.exe File created C:\Windows\SysWOW64\Aplhmakj.dll Dbndfl32.exe File created C:\Windows\SysWOW64\Iipfmggc.exe Igajal32.exe File created C:\Windows\SysWOW64\Lfjfecno.exe Lopmii32.exe File created C:\Windows\SysWOW64\Cnfkdb32.exe Ckgohf32.exe File created C:\Windows\SysWOW64\Ecgodpgb.exe Ephbhd32.exe File created C:\Windows\SysWOW64\Ljclki32.exe Lgepom32.exe File created C:\Windows\SysWOW64\Mchppmij.exe Mnkggfkb.exe File opened for modification C:\Windows\SysWOW64\Olanmgig.exe Oalipoiq.exe File created C:\Windows\SysWOW64\Cjijid32.dll Nmfcok32.exe File created C:\Windows\SysWOW64\Chbfoaba.dll Hpfbcn32.exe File created C:\Windows\SysWOW64\Ddlnnc32.dll Hbnaeh32.exe File created C:\Windows\SysWOW64\Onnnbnbp.dll Pafkgphl.exe File created C:\Windows\SysWOW64\Nnoefe32.dll Eaaiahei.exe File opened for modification C:\Windows\SysWOW64\Pcobaedj.exe Pkhjph32.exe File created C:\Windows\SysWOW64\Jhnhbn32.dll Efafgifc.exe File opened for modification C:\Windows\SysWOW64\Ibhkfm32.exe Ilnbicff.exe File created C:\Windows\SysWOW64\Pncepolj.dll Geoapenf.exe File opened for modification C:\Windows\SysWOW64\Glipgf32.exe Gflhoo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6052 5892 WerFault.exe 980 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiehfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmjaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klndfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fndpmndl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgepom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllhpkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghdaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnaeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oampjeml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpcbhji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckqbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofdhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epffbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhhpop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommceclc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejjaqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emphocjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgbnkfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemmoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcaknbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnonkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqfojblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgiimng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klggli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noppeaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqbcbkab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkfcqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbicl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkphhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckoia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahjgjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibegfglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgklmacf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgjbkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamamcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omalpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megljppl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhdbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npepkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmieae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbjcljl.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjqmbc.dll" Nciopppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll" Pfandnla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhhdnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll" Nodiqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckajh32.dll" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpiedk32.dll" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoobn32.dll" Ooejohhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjmpfcl.dll" Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll" Gncchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbkpm32.dll" Dcigeooj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjmhg32.dll" Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgphpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higplnpb.dll" Adepji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponfhp32.dll" Oekiqccc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqjpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joahqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niooqcad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdaociml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbchdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgieglah.dll" Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfendmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmdjapgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafkgphl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll" Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnnccl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghdfilo.dll" Ebejfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoell32.dll" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geanfelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlejfm32.dll" Dcnqpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcpnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejlnfjbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeelnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkqgaol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekodjiol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefgbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll" Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baampdgc.dll" Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmgbckd.dll" Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coiaiakf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3376 wrote to memory of 4536 3376 6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683.exe 83 PID 3376 wrote to memory of 4536 3376 6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683.exe 83 PID 3376 wrote to memory of 4536 3376 6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683.exe 83 PID 4536 wrote to memory of 4900 4536 Lnnbqnjn.exe 84 PID 4536 wrote to memory of 4900 4536 Lnnbqnjn.exe 84 PID 4536 wrote to memory of 4900 4536 Lnnbqnjn.exe 84 PID 4900 wrote to memory of 4992 4900 Lghcocol.exe 85 PID 4900 wrote to memory of 4992 4900 Lghcocol.exe 85 PID 4900 wrote to memory of 4992 4900 Lghcocol.exe 85 PID 4992 wrote to memory of 3084 4992 Lnbklm32.exe 87 PID 4992 wrote to memory of 3084 4992 Lnbklm32.exe 87 PID 4992 wrote to memory of 3084 4992 Lnbklm32.exe 87 PID 3084 wrote to memory of 1560 3084 Llflea32.exe 88 PID 3084 wrote to memory of 1560 3084 Llflea32.exe 88 PID 3084 wrote to memory of 1560 3084 Llflea32.exe 88 PID 1560 wrote to memory of 1004 1560 Lndham32.exe 89 PID 1560 wrote to memory of 1004 1560 Lndham32.exe 89 PID 1560 wrote to memory of 1004 1560 Lndham32.exe 89 PID 1004 wrote to memory of 2096 1004 Llhikacp.exe 91 PID 1004 wrote to memory of 2096 1004 Llhikacp.exe 91 PID 1004 wrote to memory of 2096 1004 Llhikacp.exe 91 PID 2096 wrote to memory of 1508 2096 Mbbagk32.exe 92 PID 2096 wrote to memory of 1508 2096 Mbbagk32.exe 92 PID 2096 wrote to memory of 1508 2096 Mbbagk32.exe 92 PID 1508 wrote to memory of 4540 1508 Mlkepaam.exe 94 PID 1508 wrote to memory of 4540 1508 Mlkepaam.exe 94 PID 1508 wrote to memory of 4540 1508 Mlkepaam.exe 94 PID 4540 wrote to memory of 4060 4540 Mbenmk32.exe 95 PID 4540 wrote to memory of 4060 4540 Mbenmk32.exe 95 PID 4540 wrote to memory of 4060 4540 Mbenmk32.exe 95 PID 4060 wrote to memory of 2944 4060 Mecjif32.exe 96 PID 4060 wrote to memory of 2944 4060 Mecjif32.exe 96 PID 4060 wrote to memory of 2944 4060 Mecjif32.exe 96 PID 2944 wrote to memory of 4208 2944 Mhafeb32.exe 97 PID 2944 wrote to memory of 4208 2944 Mhafeb32.exe 97 PID 2944 wrote to memory of 4208 2944 Mhafeb32.exe 97 PID 4208 wrote to memory of 2956 4208 Mlmbfqoj.exe 98 PID 4208 wrote to memory of 2956 4208 Mlmbfqoj.exe 98 PID 4208 wrote to memory of 2956 4208 Mlmbfqoj.exe 98 PID 2956 wrote to memory of 664 2956 Mnlnbl32.exe 99 PID 2956 wrote to memory of 664 2956 Mnlnbl32.exe 99 PID 2956 wrote to memory of 664 2956 Mnlnbl32.exe 99 PID 664 wrote to memory of 3976 664 Mbgjbkfg.exe 100 PID 664 wrote to memory of 3976 664 Mbgjbkfg.exe 100 PID 664 wrote to memory of 3976 664 Mbgjbkfg.exe 100 PID 3976 wrote to memory of 4224 3976 Meefofek.exe 101 PID 3976 wrote to memory of 4224 3976 Meefofek.exe 101 PID 3976 wrote to memory of 4224 3976 Meefofek.exe 101 PID 4224 wrote to memory of 4180 4224 Miaboe32.exe 102 PID 4224 wrote to memory of 4180 4224 Miaboe32.exe 102 PID 4224 wrote to memory of 4180 4224 Miaboe32.exe 102 PID 4180 wrote to memory of 636 4180 Mhdckaeo.exe 103 PID 4180 wrote to memory of 636 4180 Mhdckaeo.exe 103 PID 4180 wrote to memory of 636 4180 Mhdckaeo.exe 103 PID 636 wrote to memory of 2524 636 Mjbogmdb.exe 104 PID 636 wrote to memory of 2524 636 Mjbogmdb.exe 104 PID 636 wrote to memory of 2524 636 Mjbogmdb.exe 104 PID 2524 wrote to memory of 2148 2524 Mnnkgl32.exe 105 PID 2524 wrote to memory of 2148 2524 Mnnkgl32.exe 105 PID 2524 wrote to memory of 2148 2524 Mnnkgl32.exe 105 PID 2148 wrote to memory of 740 2148 Malgcg32.exe 106 PID 2148 wrote to memory of 740 2148 Malgcg32.exe 106 PID 2148 wrote to memory of 740 2148 Malgcg32.exe 106 PID 740 wrote to memory of 884 740 Micoed32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683.exe"C:\Users\Admin\AppData\Local\Temp\6676b08ba453f4867119c0c282b29ba87829b982aad2840122c3550888cb8683.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe23⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe24⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe25⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe26⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe27⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe28⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe29⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4252 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe32⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe33⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe34⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe35⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe36⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe39⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe41⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe42⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe43⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4520 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe45⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4044 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe47⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3644 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe51⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe52⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe53⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe55⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe56⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe58⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe59⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe61⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe62⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe64⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe67⤵PID:1984
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3588 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe69⤵PID:4564
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe70⤵PID:2872
-
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe71⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe72⤵PID:1368
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe73⤵PID:1816
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1064 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe75⤵PID:5112
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe76⤵PID:3636
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe77⤵PID:4872
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe78⤵PID:1648
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe79⤵PID:3148
-
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe80⤵PID:4664
-
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe81⤵PID:2412
-
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe82⤵
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe83⤵PID:4028
-
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe84⤵PID:1176
-
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe85⤵PID:4512
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe86⤵PID:2104
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe87⤵PID:2348
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe88⤵PID:4716
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe89⤵PID:4660
-
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe90⤵PID:1940
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4580 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe93⤵PID:3248
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5060 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe95⤵PID:4368
-
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe96⤵PID:2164
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe97⤵PID:4504
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe98⤵PID:1492
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe99⤵PID:3016
-
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe100⤵
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe101⤵PID:5104
-
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe102⤵PID:4676
-
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe103⤵PID:4588
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe105⤵PID:3012
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe106⤵PID:4764
-
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe107⤵PID:1624
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe108⤵PID:4644
-
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe109⤵PID:5132
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe110⤵PID:5172
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe111⤵PID:5208
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe112⤵PID:5252
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe113⤵PID:5284
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe114⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe115⤵PID:5372
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe116⤵PID:5412
-
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe117⤵PID:5452
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe118⤵PID:5492
-
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe119⤵PID:5536
-
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe120⤵PID:5580
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe121⤵PID:5624
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-