Analysis
-
max time kernel
108s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09/09/2024, 20:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2.exe
-
Size
322KB
-
MD5
0098887049b85a7876e1743d49a763b7
-
SHA1
ecf6dfe896e77f7f9ea3d3783fbf679f99fbbb38
-
SHA256
3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2
-
SHA512
fbf0e67a72bcf566bcd71ed96c5ced8b368c2638289dc900d48ec1df99cbf61f925763ba63bf8c38548ef5cd26e9da1cb11b45ede56150842fa933c4db59a2b3
-
SSDEEP
1536:Y6Y0ffzroqAWRnoh9eEm/kCkXGEvRbCFRQITmDhdF+PhJFTq1dlCsTx4LBp:bffzcCR0wsjGEvRbCFeISVGZ3Odl2
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njiegl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfihkqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcekpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbchdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnnpdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neppokal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhhhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aompak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glkmmefl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aijnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oimkbaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflaie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdffbake.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doaneiop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqqdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnfohmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pccahbmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbognp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hginecde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnangaoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jghabl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hncmmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdlop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phedhmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdobnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmdio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejdocm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcfahbpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iedjmioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jphkkpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qjlnnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gphgbafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkenjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innfnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Manmoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmaamn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmdfgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqqdeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hajpbckl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmepam32.exe -
Executes dropped EXE 64 IoCs
pid Process 3500 Hffcmh32.exe 4760 Hghoeqmp.exe 4332 Hfipbh32.exe 3244 Hgjljpkm.exe 5016 Hbpphi32.exe 1068 Hglipp32.exe 1120 Hnfamjqg.exe 3008 Hbbmmi32.exe 1128 Hninbj32.exe 3104 Hdbfodfa.exe 2448 Inkjhi32.exe 904 Idebdcdo.exe 3404 Iokgal32.exe 4836 Ibicnh32.exe 4196 Igfkfo32.exe 1240 Iomcgl32.exe 3584 Idjlpc32.exe 4456 Ioopml32.exe 3632 Ifihif32.exe 4972 Ikfabm32.exe 212 Ibpiogmp.exe 2256 Iijaka32.exe 4740 Jodjhkkj.exe 868 Jeqbpb32.exe 1124 Joffnk32.exe 3772 Jfpojead.exe 4292 Jkmgblok.exe 2268 Jfbkpd32.exe 5084 Jgdhgmep.exe 1824 Jnnpdg32.exe 5100 Jehhaaci.exe 2720 Jgfdmlcm.exe 4420 Jfgdkd32.exe 4560 Jghabl32.exe 2600 Knbiofhg.exe 2692 Kelalp32.exe 5064 Klfjijgq.exe 4772 Keonap32.exe 2540 Kpgodhkd.exe 2024 Kechmoil.exe 2588 Khbdikip.exe 3200 Kbghfc32.exe 4200 Kefdbo32.exe 4552 Llpmoiof.exe 2516 Lehaho32.exe 856 Lhfmdj32.exe 1028 Lpneegel.exe 4116 Lblaabdp.exe 2064 Lifjnm32.exe 4340 Lppbkgcj.exe 4168 Lbnngbbn.exe 3952 Lihfcm32.exe 2660 Lhkgoiqe.exe 664 Loeolc32.exe 3084 Lflgmqhd.exe 456 Likcilhh.exe 4580 Llipehgk.exe 3764 Lbchba32.exe 4152 Lfodbqfa.exe 4596 Mimpolee.exe 1800 Mlklkgei.exe 4412 Mpghkf32.exe 4916 Mbedga32.exe 516 Medqcmki.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aaohcj32.exe Aoalgn32.exe File opened for modification C:\Windows\SysWOW64\Adndoe32.exe Aaohcj32.exe File created C:\Windows\SysWOW64\Cmpdihki.dll Fiodpl32.exe File created C:\Windows\SysWOW64\Nokpod32.dll Igfclkdj.exe File created C:\Windows\SysWOW64\Mlmbfqoj.exe Miofjepg.exe File created C:\Windows\SysWOW64\Dbndfl32.exe Dkdliame.exe File opened for modification C:\Windows\SysWOW64\Akccap32.exe Adikdfna.exe File created C:\Windows\SysWOW64\Pjmdlh32.dll Hbhboolf.exe File opened for modification C:\Windows\SysWOW64\Cggimh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mbighjdd.exe Mjbogmdb.exe File created C:\Windows\SysWOW64\Elcgieob.dll Nhkikq32.exe File created C:\Windows\SysWOW64\Cjibekmc.dll Njfagf32.exe File opened for modification C:\Windows\SysWOW64\Pmoiqneg.exe Plmmif32.exe File created C:\Windows\SysWOW64\Mbighjdd.exe Mjbogmdb.exe File opened for modification C:\Windows\SysWOW64\Mkadfj32.exe Mcjmel32.exe File created C:\Windows\SysWOW64\Lqnlgjdd.dll Mpghkf32.exe File created C:\Windows\SysWOW64\Pgflqkdd.exe Ppmcdq32.exe File created C:\Windows\SysWOW64\Bklomh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jnfcia32.exe Jkhgmf32.exe File opened for modification C:\Windows\SysWOW64\Lqpamb32.exe Lmdemd32.exe File created C:\Windows\SysWOW64\Plhfdjfl.dll Ocdjpmac.exe File created C:\Windows\SysWOW64\Hlhefcoo.dll Pccahbmn.exe File created C:\Windows\SysWOW64\Panhbfep.exe Pjdpelnc.exe File opened for modification C:\Windows\SysWOW64\Idkkpf32.exe Ilccoh32.exe File created C:\Windows\SysWOW64\Amlkko32.dll Kcejco32.exe File opened for modification C:\Windows\SysWOW64\Eofgpikj.exe Emhkdmlg.exe File opened for modification C:\Windows\SysWOW64\Mefmimif.exe Mfcmmp32.exe File opened for modification C:\Windows\SysWOW64\Ccnncgmc.exe Cqpbglno.exe File opened for modification C:\Windows\SysWOW64\Gphgbafl.exe Ginnfgop.exe File created C:\Windows\SysWOW64\Khblgpag.dll Dnmhpg32.exe File opened for modification C:\Windows\SysWOW64\Jnhidk32.exe Jjlmclqa.exe File created C:\Windows\SysWOW64\Hibjli32.exe Hefnkkkj.exe File created C:\Windows\SysWOW64\Dbfbnkdn.dll Ajcdnd32.exe File created C:\Windows\SysWOW64\Lbpdblmo.exe Ljilqnlm.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Komhll32.exe File created C:\Windows\SysWOW64\Ohjlgefb.exe Oigllh32.exe File opened for modification C:\Windows\SysWOW64\Ejalcgkg.exe Eplgeokq.exe File opened for modification C:\Windows\SysWOW64\Ahfmpnql.exe Apodoq32.exe File created C:\Windows\SysWOW64\Mlnigobn.dll Licfngjd.exe File created C:\Windows\SysWOW64\Oalipoiq.exe Ojbacd32.exe File created C:\Windows\SysWOW64\Kiodpebj.dll Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Cbbnpg32.exe Cocacl32.exe File created C:\Windows\SysWOW64\Lppbkgcj.exe Lifjnm32.exe File opened for modification C:\Windows\SysWOW64\Bppfmigl.exe Bmbiamhi.exe File opened for modification C:\Windows\SysWOW64\Fmgejhgn.exe Fkihnmhj.exe File created C:\Windows\SysWOW64\Egjogddi.dll Phbhcmjl.exe File created C:\Windows\SysWOW64\Nmigoagp.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Iokgal32.exe Idebdcdo.exe File created C:\Windows\SysWOW64\Iamfph32.dll Cimcan32.exe File created C:\Windows\SysWOW64\Ddnnfbmk.dll Idghpmnp.exe File opened for modification C:\Windows\SysWOW64\Coiaiakf.exe Cmjemflb.exe File created C:\Windows\SysWOW64\Aepjgm32.dll Ngqagcag.exe File opened for modification C:\Windows\SysWOW64\Dmpfbk32.exe Cjaifp32.exe File created C:\Windows\SysWOW64\Algheg32.dll Kiejmi32.exe File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe Bhhiemoj.exe File opened for modification C:\Windows\SysWOW64\Pmaffnce.exe Plpjoe32.exe File created C:\Windows\SysWOW64\Dhclmp32.exe Dfdpad32.exe File opened for modification C:\Windows\SysWOW64\Jocefm32.exe Jleijb32.exe File opened for modification C:\Windows\SysWOW64\Ljhnlb32.exe Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Kinmcg32.exe Kageaj32.exe File created C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File created C:\Windows\SysWOW64\Lhjlnlii.dll Pojcjh32.exe File opened for modification C:\Windows\SysWOW64\Nmgjia32.exe Nndjndbh.exe File opened for modification C:\Windows\SysWOW64\Eagaoh32.exe Eipinkib.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6264 5580 Process not Found 1159 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidnkkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgninn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqhcpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnbog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leopnglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdobnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdnngdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoclopne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odalmibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadlbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqkqiai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohghgodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llipehgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnncgmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mniallpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glcaambb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcmpodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aleckinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joffnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkeio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckkca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmaamn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocmconhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lankbigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjneln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhkikq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phedhmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdpni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppbkgcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncofplba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohlqcagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdhon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkldqkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkokcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplfkeob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogbfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbdikip.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhilfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhghfqcd.dll" Jfpojead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnmijq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll" Nglhld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhpmfbl.dll" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olgemcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkfhc32.dll" Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfjnjcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmcnn32.dll" Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll" Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobhii32.dll" Oofaiokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edemkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oiihahme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aqmlknnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flinkojm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcogje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Empoiimf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebgpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcgdbco.dll" Iomcgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olgemcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fagjfflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjkhmfa.dll" Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohokaph.dll" Qepkbpak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lppbkgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqbff32.dll" Cfqmpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnfihkqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejjepo.dll" Hpnoncim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ighkgpcl.dll" Nhpiafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efhlhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fielph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpkbko32.dll" Ibmeoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojjf32.dll" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppgif32.dll" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnfjkma.dll" Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll" Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll" Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcllpfj.dll" Jeqbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlacji32.dll" Edemkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liokmchg.dll" Ehcfaboo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oogpjbbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 544 wrote to memory of 3500 544 3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2.exe 83 PID 544 wrote to memory of 3500 544 3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2.exe 83 PID 544 wrote to memory of 3500 544 3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2.exe 83 PID 3500 wrote to memory of 4760 3500 Hffcmh32.exe 84 PID 3500 wrote to memory of 4760 3500 Hffcmh32.exe 84 PID 3500 wrote to memory of 4760 3500 Hffcmh32.exe 84 PID 4760 wrote to memory of 4332 4760 Hghoeqmp.exe 85 PID 4760 wrote to memory of 4332 4760 Hghoeqmp.exe 85 PID 4760 wrote to memory of 4332 4760 Hghoeqmp.exe 85 PID 4332 wrote to memory of 3244 4332 Hfipbh32.exe 86 PID 4332 wrote to memory of 3244 4332 Hfipbh32.exe 86 PID 4332 wrote to memory of 3244 4332 Hfipbh32.exe 86 PID 3244 wrote to memory of 5016 3244 Hgjljpkm.exe 87 PID 3244 wrote to memory of 5016 3244 Hgjljpkm.exe 87 PID 3244 wrote to memory of 5016 3244 Hgjljpkm.exe 87 PID 5016 wrote to memory of 1068 5016 Hbpphi32.exe 88 PID 5016 wrote to memory of 1068 5016 Hbpphi32.exe 88 PID 5016 wrote to memory of 1068 5016 Hbpphi32.exe 88 PID 1068 wrote to memory of 1120 1068 Hglipp32.exe 89 PID 1068 wrote to memory of 1120 1068 Hglipp32.exe 89 PID 1068 wrote to memory of 1120 1068 Hglipp32.exe 89 PID 1120 wrote to memory of 3008 1120 Hnfamjqg.exe 91 PID 1120 wrote to memory of 3008 1120 Hnfamjqg.exe 91 PID 1120 wrote to memory of 3008 1120 Hnfamjqg.exe 91 PID 3008 wrote to memory of 1128 3008 Hbbmmi32.exe 93 PID 3008 wrote to memory of 1128 3008 Hbbmmi32.exe 93 PID 3008 wrote to memory of 1128 3008 Hbbmmi32.exe 93 PID 1128 wrote to memory of 3104 1128 Hninbj32.exe 94 PID 1128 wrote to memory of 3104 1128 Hninbj32.exe 94 PID 1128 wrote to memory of 3104 1128 Hninbj32.exe 94 PID 3104 wrote to memory of 2448 3104 Hdbfodfa.exe 95 PID 3104 wrote to memory of 2448 3104 Hdbfodfa.exe 95 PID 3104 wrote to memory of 2448 3104 Hdbfodfa.exe 95 PID 2448 wrote to memory of 904 2448 Inkjhi32.exe 97 PID 2448 wrote to memory of 904 2448 Inkjhi32.exe 97 PID 2448 wrote to memory of 904 2448 Inkjhi32.exe 97 PID 904 wrote to memory of 3404 904 Idebdcdo.exe 98 PID 904 wrote to memory of 3404 904 Idebdcdo.exe 98 PID 904 wrote to memory of 3404 904 Idebdcdo.exe 98 PID 3404 wrote to memory of 4836 3404 Iokgal32.exe 99 PID 3404 wrote to memory of 4836 3404 Iokgal32.exe 99 PID 3404 wrote to memory of 4836 3404 Iokgal32.exe 99 PID 4836 wrote to memory of 4196 4836 Ibicnh32.exe 100 PID 4836 wrote to memory of 4196 4836 Ibicnh32.exe 100 PID 4836 wrote to memory of 4196 4836 Ibicnh32.exe 100 PID 4196 wrote to memory of 1240 4196 Igfkfo32.exe 101 PID 4196 wrote to memory of 1240 4196 Igfkfo32.exe 101 PID 4196 wrote to memory of 1240 4196 Igfkfo32.exe 101 PID 1240 wrote to memory of 3584 1240 Iomcgl32.exe 102 PID 1240 wrote to memory of 3584 1240 Iomcgl32.exe 102 PID 1240 wrote to memory of 3584 1240 Iomcgl32.exe 102 PID 3584 wrote to memory of 4456 3584 Idjlpc32.exe 103 PID 3584 wrote to memory of 4456 3584 Idjlpc32.exe 103 PID 3584 wrote to memory of 4456 3584 Idjlpc32.exe 103 PID 4456 wrote to memory of 3632 4456 Ioopml32.exe 104 PID 4456 wrote to memory of 3632 4456 Ioopml32.exe 104 PID 4456 wrote to memory of 3632 4456 Ioopml32.exe 104 PID 3632 wrote to memory of 4972 3632 Ifihif32.exe 105 PID 3632 wrote to memory of 4972 3632 Ifihif32.exe 105 PID 3632 wrote to memory of 4972 3632 Ifihif32.exe 105 PID 4972 wrote to memory of 212 4972 Ikfabm32.exe 106 PID 4972 wrote to memory of 212 4972 Ikfabm32.exe 106 PID 4972 wrote to memory of 212 4972 Ikfabm32.exe 106 PID 212 wrote to memory of 2256 212 Ibpiogmp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2.exe"C:\Users\Admin\AppData\Local\Temp\3bb3c3d214de49149c27a66c13b6a8c102e058c97e38bb07eaf9fac7b1b224b2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe23⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe24⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3772 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe28⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe30⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe32⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe33⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe34⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe36⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe37⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe38⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe39⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe40⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe41⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe43⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe44⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe45⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe48⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe49⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4340 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe52⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe53⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe54⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe55⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe56⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe57⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe59⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe60⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe61⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe62⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe64⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe65⤵
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe66⤵PID:3236
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe67⤵
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe68⤵PID:3056
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe69⤵PID:2744
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe71⤵PID:2200
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe72⤵PID:2276
-
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe73⤵PID:2644
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe74⤵PID:4132
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe75⤵PID:4496
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe77⤵PID:4052
-
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe78⤵PID:1596
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1364 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe80⤵PID:4876
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe81⤵PID:1256
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe82⤵
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe83⤵PID:3076
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe84⤵PID:3808
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe85⤵PID:2604
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe86⤵PID:4652
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe87⤵PID:4828
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe88⤵PID:1452
-
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe89⤵PID:2376
-
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe90⤵PID:1600
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe91⤵PID:1812
-
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe92⤵PID:1356
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe93⤵
- System Location Discovery: System Language Discovery
PID:3912 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe94⤵PID:3280
-
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe95⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe96⤵PID:4444
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe97⤵PID:1948
-
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe98⤵PID:3032
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe99⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe100⤵
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe101⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe102⤵PID:3088
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe103⤵PID:4780
-
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe104⤵PID:1632
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe105⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe106⤵PID:1880
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe107⤵PID:4284
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe108⤵PID:2128
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe109⤵PID:3264
-
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe110⤵PID:2148
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe111⤵PID:5144
-
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe112⤵PID:5188
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe113⤵PID:5232
-
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe114⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe115⤵PID:5320
-
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe116⤵PID:5364
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe118⤵PID:5452
-
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe119⤵PID:5496
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe120⤵PID:5544
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe121⤵PID:5588
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-