Analysis
-
max time kernel
95s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07/09/2024, 20:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f65269a5ea406a559b511fef3a44c230N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
f65269a5ea406a559b511fef3a44c230N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
f65269a5ea406a559b511fef3a44c230N.exe
-
Size
404KB
-
MD5
f65269a5ea406a559b511fef3a44c230
-
SHA1
26c60e28f220a9fd9e6d4c16cf15cbd64bada7b6
-
SHA256
b846cf802c52827f619b4a3a4d3ab1330a23bed7876a7471264bcd46a613384d
-
SHA512
ffb13e0caa3f3fba794621ca03cd218fb66affb4dcf6699ab2baf73029d09417769d2b4858a9876aed34194a6bfe14e11aed15637671a3eba7eb3fa58cae13a7
-
SSDEEP
6144:bkEEv4HwENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:b86wcMpV6yYP4rbpV6yYPg058KS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibnligoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedccfqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilcldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jleijb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poajkgnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnmhpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poodpmca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbdjeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flmqlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgflqkdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poajkgnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmihij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbefe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglhld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paeelgnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmhgmmbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcmpodi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkhnjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lljklo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgehfkop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddadpdmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlkge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmqdemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpnfge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojnblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohiemobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddhbipj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpchib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jeqbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmhhefi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcegi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpdaepai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgelek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgogbgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anaomkdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe -
Executes dropped EXE 64 IoCs
pid Process 1096 Fdijbg32.exe 4808 Fehfljca.exe 1928 Foqkdp32.exe 2672 Gdncmghi.exe 4796 Gempgj32.exe 1056 Gnhdkl32.exe 4376 Gadqlkep.exe 2092 Gnkaalkd.exe 1732 Gfbibikg.exe 4916 Ggcfja32.exe 4076 Gnmnfkia.exe 1712 Gfdfgiid.exe 4024 Hfipbh32.exe 2480 Hnddgjbj.exe 2160 Hocqam32.exe 4972 Hdpiid32.exe 2412 Hofmfmhj.exe 3308 Hgabkoee.exe 3580 Inkjhi32.exe 1020 Ikokan32.exe 4264 Ifdonfka.exe 4872 Ikaggmii.exe 956 Ibkpcg32.exe 1472 Ibnligoc.exe 2244 Ikfabm32.exe 1904 Ienekbld.exe 2528 Jbbfdfkn.exe 1408 Jeqbpb32.exe 4316 Jbdbjf32.exe 4396 Jfpojead.exe 536 Joiccj32.exe 5044 Jbgoof32.exe 1232 Jfbkpd32.exe 4044 Jiaglp32.exe 4252 Jkaqnk32.exe 2136 Jfgdkd32.exe 2792 Jieagojp.exe 2392 Kppici32.exe 3936 Kfjapcii.exe 4956 Kgknhl32.exe 2492 Knefeffd.exe 2364 Keonap32.exe 1884 Kijjbofj.exe 1640 Kpdboimg.exe 4860 Kbbokdlk.exe 1296 Kfnkkb32.exe 1584 Kimghn32.exe 988 Klkcdj32.exe 3236 Kiodmn32.exe 4812 Kpiljh32.exe 3904 Kbghfc32.exe 1532 Kfcdfbqo.exe 1764 Lhdqnj32.exe 2020 Lehaho32.exe 4532 Lpneegel.exe 4308 Lejnmncd.exe 4616 Lldfjh32.exe 636 Locbfd32.exe 2348 Lemkcnaa.exe 2956 Lihfcm32.exe 4360 Loeolc32.exe 3536 Lhncdi32.exe 4064 Loglacfo.exe 2848 Mimpolee.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pfoann32.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Ghmpmgdc.dll Jjopcb32.exe File created C:\Windows\SysWOW64\Oqpakfgb.dll Aoabad32.exe File created C:\Windows\SysWOW64\Naecop32.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Kldbpfio.dll Epmmqheb.exe File created C:\Windows\SysWOW64\Fibhpbea.exe Fdepgkgj.exe File created C:\Windows\SysWOW64\Pocpfphe.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Amdomd32.dll Cbfgkffn.exe File created C:\Windows\SysWOW64\Aonhqi32.dll Aglnbhal.exe File created C:\Windows\SysWOW64\Iinjhh32.exe Ifomll32.exe File created C:\Windows\SysWOW64\Ppamophb.exe Pflibgil.exe File created C:\Windows\SysWOW64\Ceelqcdb.dll Kqbkfkal.exe File opened for modification C:\Windows\SysWOW64\Moipoh32.exe Mqfpckhm.exe File opened for modification C:\Windows\SysWOW64\Gempgj32.exe Gdncmghi.exe File opened for modification C:\Windows\SysWOW64\Geohklaa.exe Gflhoo32.exe File opened for modification C:\Windows\SysWOW64\Jenmcggo.exe Jgkmgk32.exe File opened for modification C:\Windows\SysWOW64\Ocopdn32.exe Olehhc32.exe File opened for modification C:\Windows\SysWOW64\Mniallpq.exe Mlkepaam.exe File created C:\Windows\SysWOW64\Mkankndb.dll Kbbokdlk.exe File opened for modification C:\Windows\SysWOW64\Phodcg32.exe Pddhbipj.exe File opened for modification C:\Windows\SysWOW64\Dkahilkl.exe Dmohno32.exe File created C:\Windows\SysWOW64\Iidphgcn.exe Ieidhh32.exe File created C:\Windows\SysWOW64\Jgogbgei.exe Jqdoem32.exe File opened for modification C:\Windows\SysWOW64\Mjdebfnd.exe Mgehfkop.exe File created C:\Windows\SysWOW64\Gfeaopqo.exe Fbjena32.exe File opened for modification C:\Windows\SysWOW64\Fdffbake.exe Fagjfflb.exe File created C:\Windows\SysWOW64\Adfokn32.dll Geohklaa.exe File opened for modification C:\Windows\SysWOW64\Jlolpq32.exe Jnlkedai.exe File opened for modification C:\Windows\SysWOW64\Bfchidda.exe Boipmj32.exe File opened for modification C:\Windows\SysWOW64\Dpdaepai.exe Djhimica.exe File opened for modification C:\Windows\SysWOW64\Dmlkhofd.exe Chqogq32.exe File created C:\Windows\SysWOW64\Edopabqn.exe Emehdh32.exe File created C:\Windows\SysWOW64\Fmhdkknd.exe Fimhjl32.exe File created C:\Windows\SysWOW64\Cncnob32.exe Process not Found File created C:\Windows\SysWOW64\Jbgoof32.exe Joiccj32.exe File opened for modification C:\Windows\SysWOW64\Flfkkhid.exe Fmcjpl32.exe File created C:\Windows\SysWOW64\Ggpenegb.dll Pfdjinjo.exe File created C:\Windows\SysWOW64\Jkkbik32.dll Jnmijq32.exe File created C:\Windows\SysWOW64\Lfojmmbg.dll Pddhbipj.exe File created C:\Windows\SysWOW64\Hnkmnide.dll Ppamophb.exe File created C:\Windows\SysWOW64\Nbcjnilj.exe Nklbmllg.exe File created C:\Windows\SysWOW64\Ohpfbb32.dll Knfeeimj.exe File created C:\Windows\SysWOW64\Kcmmhj32.exe Koaagkcb.exe File created C:\Windows\SysWOW64\Jdokpl32.dll Mhilfa32.exe File created C:\Windows\SysWOW64\Iohmnmmb.dll Agimkk32.exe File created C:\Windows\SysWOW64\Mmkdcm32.exe Mfqlfb32.exe File created C:\Windows\SysWOW64\Kfjapcii.exe Kppici32.exe File opened for modification C:\Windows\SysWOW64\Giinpa32.exe Gfkbde32.exe File opened for modification C:\Windows\SysWOW64\Maiccajf.exe Mjokgg32.exe File created C:\Windows\SysWOW64\Ibkfhc32.dll Jbdbjf32.exe File opened for modification C:\Windows\SysWOW64\Pocpfphe.exe Pldcjeia.exe File created C:\Windows\SysWOW64\Dmohno32.exe Ddgplado.exe File created C:\Windows\SysWOW64\Phahglpk.dll Bcddcbab.exe File created C:\Windows\SysWOW64\Igigla32.exe Ipoopgnf.exe File opened for modification C:\Windows\SysWOW64\Pdmkhgho.exe Paoollik.exe File created C:\Windows\SysWOW64\Kcmgob32.dll Enkdaepb.exe File created C:\Windows\SysWOW64\Iefeek32.dll Imnocf32.exe File created C:\Windows\SysWOW64\Baadiiif.exe Bnfihkqm.exe File created C:\Windows\SysWOW64\Bepmoh32.exe Badanigc.exe File created C:\Windows\SysWOW64\Gemdebha.dll Kjlopc32.exe File created C:\Windows\SysWOW64\Njgigo32.dll Kpjgaoqm.exe File created C:\Windows\SysWOW64\Mgphpe32.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Nnbebofc.dll Kfjapcii.exe File opened for modification C:\Windows\SysWOW64\Phelcc32.exe Pfgogh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6112 5916 Process not Found 1149 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgepom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apodoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejnmncd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqodfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkoigdom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhnikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgejpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdafkdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaagkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiahnnph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgeakekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamiaboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdaociml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgcakon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmikeaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpdegjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibnligoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlleaeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhknpmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhpqhlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclpdncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monjjgkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhomfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdhcddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoiil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpfhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmqhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ienekbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjlaaig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdnabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollnhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdffbake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jklinohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggpbjkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmdcfidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilqoobdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdenmbkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfiddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oafcqcea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbpjg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Najmjokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfaemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgbjbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfioo32.dll" Plagcbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgdfa32.dll" Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Micoed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edopabqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndflak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicakqhn.dll" Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjfgb32.dll" Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jlhljhbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbdfl32.dll" Emmdom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojbacd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll" Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbecoe32.dll" Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fihnomjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehcdm32.dll" Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll" Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghane32.dll" Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empmffib.dll" Inqbclob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmkbfeab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knnhjcog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddgpk32.dll" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbchdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdenmbkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aednci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpiecd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clgbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difebl32.dll" Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpofmcef.dll" Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcagc32.dll" Gdafnpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll" Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobpkihi.dll" Holfoqcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll" Omdppiif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aompak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pidabppl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkjiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nglhld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbhpb32.dll" Kgmcce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opemca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icahfh32.dll" Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdeelde.dll" Bcfahbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll" Kpmdfonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfcdfbqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohmhmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfogeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dapkni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhomfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dflfac32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 552 wrote to memory of 1096 552 f65269a5ea406a559b511fef3a44c230N.exe 83 PID 552 wrote to memory of 1096 552 f65269a5ea406a559b511fef3a44c230N.exe 83 PID 552 wrote to memory of 1096 552 f65269a5ea406a559b511fef3a44c230N.exe 83 PID 1096 wrote to memory of 4808 1096 Fdijbg32.exe 84 PID 1096 wrote to memory of 4808 1096 Fdijbg32.exe 84 PID 1096 wrote to memory of 4808 1096 Fdijbg32.exe 84 PID 4808 wrote to memory of 1928 4808 Fehfljca.exe 85 PID 4808 wrote to memory of 1928 4808 Fehfljca.exe 85 PID 4808 wrote to memory of 1928 4808 Fehfljca.exe 85 PID 1928 wrote to memory of 2672 1928 Foqkdp32.exe 86 PID 1928 wrote to memory of 2672 1928 Foqkdp32.exe 86 PID 1928 wrote to memory of 2672 1928 Foqkdp32.exe 86 PID 2672 wrote to memory of 4796 2672 Gdncmghi.exe 88 PID 2672 wrote to memory of 4796 2672 Gdncmghi.exe 88 PID 2672 wrote to memory of 4796 2672 Gdncmghi.exe 88 PID 4796 wrote to memory of 1056 4796 Gempgj32.exe 90 PID 4796 wrote to memory of 1056 4796 Gempgj32.exe 90 PID 4796 wrote to memory of 1056 4796 Gempgj32.exe 90 PID 1056 wrote to memory of 4376 1056 Gnhdkl32.exe 91 PID 1056 wrote to memory of 4376 1056 Gnhdkl32.exe 91 PID 1056 wrote to memory of 4376 1056 Gnhdkl32.exe 91 PID 4376 wrote to memory of 2092 4376 Gadqlkep.exe 92 PID 4376 wrote to memory of 2092 4376 Gadqlkep.exe 92 PID 4376 wrote to memory of 2092 4376 Gadqlkep.exe 92 PID 2092 wrote to memory of 1732 2092 Gnkaalkd.exe 93 PID 2092 wrote to memory of 1732 2092 Gnkaalkd.exe 93 PID 2092 wrote to memory of 1732 2092 Gnkaalkd.exe 93 PID 1732 wrote to memory of 4916 1732 Gfbibikg.exe 95 PID 1732 wrote to memory of 4916 1732 Gfbibikg.exe 95 PID 1732 wrote to memory of 4916 1732 Gfbibikg.exe 95 PID 4916 wrote to memory of 4076 4916 Ggcfja32.exe 96 PID 4916 wrote to memory of 4076 4916 Ggcfja32.exe 96 PID 4916 wrote to memory of 4076 4916 Ggcfja32.exe 96 PID 4076 wrote to memory of 1712 4076 Gnmnfkia.exe 97 PID 4076 wrote to memory of 1712 4076 Gnmnfkia.exe 97 PID 4076 wrote to memory of 1712 4076 Gnmnfkia.exe 97 PID 1712 wrote to memory of 4024 1712 Gfdfgiid.exe 98 PID 1712 wrote to memory of 4024 1712 Gfdfgiid.exe 98 PID 1712 wrote to memory of 4024 1712 Gfdfgiid.exe 98 PID 4024 wrote to memory of 2480 4024 Hfipbh32.exe 99 PID 4024 wrote to memory of 2480 4024 Hfipbh32.exe 99 PID 4024 wrote to memory of 2480 4024 Hfipbh32.exe 99 PID 2480 wrote to memory of 2160 2480 Hnddgjbj.exe 100 PID 2480 wrote to memory of 2160 2480 Hnddgjbj.exe 100 PID 2480 wrote to memory of 2160 2480 Hnddgjbj.exe 100 PID 2160 wrote to memory of 4972 2160 Hocqam32.exe 101 PID 2160 wrote to memory of 4972 2160 Hocqam32.exe 101 PID 2160 wrote to memory of 4972 2160 Hocqam32.exe 101 PID 4972 wrote to memory of 2412 4972 Hdpiid32.exe 102 PID 4972 wrote to memory of 2412 4972 Hdpiid32.exe 102 PID 4972 wrote to memory of 2412 4972 Hdpiid32.exe 102 PID 2412 wrote to memory of 3308 2412 Hofmfmhj.exe 103 PID 2412 wrote to memory of 3308 2412 Hofmfmhj.exe 103 PID 2412 wrote to memory of 3308 2412 Hofmfmhj.exe 103 PID 3308 wrote to memory of 3580 3308 Hgabkoee.exe 104 PID 3308 wrote to memory of 3580 3308 Hgabkoee.exe 104 PID 3308 wrote to memory of 3580 3308 Hgabkoee.exe 104 PID 3580 wrote to memory of 1020 3580 Inkjhi32.exe 105 PID 3580 wrote to memory of 1020 3580 Inkjhi32.exe 105 PID 3580 wrote to memory of 1020 3580 Inkjhi32.exe 105 PID 1020 wrote to memory of 4264 1020 Ikokan32.exe 106 PID 1020 wrote to memory of 4264 1020 Ikokan32.exe 106 PID 1020 wrote to memory of 4264 1020 Ikokan32.exe 106 PID 4264 wrote to memory of 4872 4264 Ifdonfka.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\f65269a5ea406a559b511fef3a44c230N.exe"C:\Users\Admin\AppData\Local\Temp\f65269a5ea406a559b511fef3a44c230N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe23⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe24⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe26⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe28⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe31⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe33⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe34⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe35⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe36⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe37⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe38⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3936 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe41⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe42⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe43⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe44⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe45⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe47⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe48⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe49⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe50⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe51⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe52⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe54⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe56⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe58⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe59⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe60⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe61⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe62⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe63⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe64⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe65⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe66⤵
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe67⤵PID:4344
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe68⤵PID:1352
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe69⤵PID:4472
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe70⤵PID:3328
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe71⤵PID:4728
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe72⤵PID:4168
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe73⤵PID:1936
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe74⤵PID:364
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe75⤵PID:1404
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe76⤵PID:2328
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe77⤵PID:3948
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe78⤵PID:3040
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe79⤵PID:1452
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe80⤵PID:2912
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe81⤵PID:4220
-
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe82⤵
- System Location Discovery: System Language Discovery
PID:4744 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe83⤵PID:2648
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe84⤵PID:1360
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe85⤵PID:4696
-
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe86⤵PID:2272
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe87⤵PID:1008
-
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe88⤵PID:2228
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe89⤵PID:2744
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe90⤵PID:3332
-
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe91⤵
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe92⤵PID:4628
-
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe93⤵PID:4172
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe95⤵PID:1048
-
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe96⤵
- Modifies registry class
PID:716 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe97⤵PID:3064
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe98⤵
- Modifies registry class
PID:4452 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4128 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe100⤵
- System Location Discovery: System Language Discovery
PID:4108 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe101⤵PID:4200
-
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe103⤵PID:2476
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe104⤵PID:1012
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe105⤵
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe106⤵PID:2932
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe107⤵
- Modifies registry class
PID:4540 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe110⤵PID:5200
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe111⤵PID:5260
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe112⤵
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe113⤵
- Drops file in System32 directory
PID:5344 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe114⤵PID:5388
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe115⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe116⤵PID:5476
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe117⤵PID:5520
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe118⤵PID:5564
-
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe119⤵PID:5608
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe120⤵
- Modifies registry class
PID:5652 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe121⤵PID:5696
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-