Analysis
-
max time kernel
94s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/09/2024, 14:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb38abd6997f811dedbe4292ff9f56e0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
bb38abd6997f811dedbe4292ff9f56e0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
bb38abd6997f811dedbe4292ff9f56e0N.exe
-
Size
96KB
-
MD5
bb38abd6997f811dedbe4292ff9f56e0
-
SHA1
a1067f9b911911ce23d57efe2fba135622919800
-
SHA256
5b75e210fec08080ac842022f3f685fe3d7e703e6fa7f54d8a5eb2fc99ed9691
-
SHA512
eff3cc3fdd953312e50b435760f1e6ac620af89bdd57de8793c742d18143f85e2c077d04e365d6fbf505d9c7fc03bde2bad92a9a91a9028ea0aef0f75eab523e
-
SSDEEP
1536:/Z5NnT8JiDq9V3z3HlMT+joidLNRER4aErcpzqR6mIDjXiCCCCCCCCCCCCCCCCCn:hTQiDq9NBMT+MgLNRNwpzhnDjXiCCCC+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknbil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbofcghl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifihif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efffmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najceeoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbndfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lndagg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdjehhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boflmdkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmcgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoplpla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkhpdcab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiemobf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikdcmpnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndnpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knkekn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfgbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legjmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnkcekm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcelmhen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhlgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcjmmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkkeclfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjopcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojcjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbkgfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjlaaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibobdqid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghjhemo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkpnclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibnligoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfokoelp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiaqcnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efgemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgdokkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkiol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cihclh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdigadjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbakghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nookip32.exe -
Executes dropped EXE 64 IoCs
pid Process 3380 Bfhhoi32.exe 724 Bnpppgdj.exe 2580 Bmbplc32.exe 1360 Beihma32.exe 3360 Bfkedibe.exe 2052 Bnbmefbg.exe 4520 Belebq32.exe 3284 Bcoenmao.exe 848 Cfmajipb.exe 3020 Cmgjgcgo.exe 4180 Cenahpha.exe 4920 Cfpnph32.exe 4524 Cnffqf32.exe 2408 Cdcoim32.exe 1884 Cfbkeh32.exe 1736 Cnicfe32.exe 1512 Ceckcp32.exe 4408 Chagok32.exe 4580 Cjpckf32.exe 4492 Cajlhqjp.exe 3900 Cdhhdlid.exe 3816 Chcddk32.exe 3040 Cnnlaehj.exe 4348 Cegdnopg.exe 4184 Dhfajjoj.exe 3272 Djdmffnn.exe 1456 Dmcibama.exe 4344 Ddmaok32.exe 2476 Dfknkg32.exe 4016 Dmefhako.exe 4720 Delnin32.exe 1552 Ddonekbl.exe 1116 Dkifae32.exe 2588 Dodbbdbb.exe 4376 Daconoae.exe 1476 Ddakjkqi.exe 1932 Dfpgffpm.exe 3204 Dogogcpo.exe 5044 Dmjocp32.exe 2812 Dddhpjof.exe 2660 Dhocqigp.exe 2376 Dknpmdfc.exe 3644 Doilmc32.exe 2796 Dahhio32.exe 3064 Edfdej32.exe 1044 Ehapfiem.exe 2524 Ekpmbddq.exe 4216 Eolhbc32.exe 3448 Eajeon32.exe 4648 Edhakj32.exe 4336 Eggmge32.exe 3796 Emaedo32.exe 2432 Eehnem32.exe 1120 Edknqiho.exe 4912 Ekefmc32.exe 4904 Emcbio32.exe 4668 Eejjjl32.exe 3012 Edmjfifl.exe 3312 Eglgbdep.exe 4988 Emeoooml.exe 3540 Edpgli32.exe 4724 Egnchd32.exe 3628 Eoekia32.exe 1336 Eachem32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kdmqmc32.exe Knchpiom.exe File opened for modification C:\Windows\SysWOW64\Bcoenmao.exe Belebq32.exe File opened for modification C:\Windows\SysWOW64\Lhfmdj32.exe Lehaho32.exe File created C:\Windows\SysWOW64\Nohehq32.exe Nlihle32.exe File opened for modification C:\Windows\SysWOW64\Aggegh32.exe Aqmlknnd.exe File created C:\Windows\SysWOW64\Injcmc32.exe Iklgah32.exe File created C:\Windows\SysWOW64\Ffclcgfn.exe Fdepgkgj.exe File created C:\Windows\SysWOW64\Pbmmao32.dll Gbfldf32.exe File created C:\Windows\SysWOW64\Cdbfab32.exe Cbdjeg32.exe File created C:\Windows\SysWOW64\Kodnmkap.exe Process not Found File created C:\Windows\SysWOW64\Moipoh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oplfkeob.exe Process not Found File created C:\Windows\SysWOW64\Dedaad32.dll Ojnblg32.exe File opened for modification C:\Windows\SysWOW64\Pgdokkfg.exe Pomgjn32.exe File created C:\Windows\SysWOW64\Gigheh32.exe Ggilil32.exe File opened for modification C:\Windows\SysWOW64\Dblgpl32.exe Dcigeooj.exe File created C:\Windows\SysWOW64\Dimenegi.exe Dfoiaj32.exe File opened for modification C:\Windows\SysWOW64\Dimenegi.exe Dfoiaj32.exe File opened for modification C:\Windows\SysWOW64\Fmfnpa32.exe Fjhacf32.exe File opened for modification C:\Windows\SysWOW64\Adhdjpjf.exe Process not Found File created C:\Windows\SysWOW64\Ginlmijp.dll Lbchba32.exe File opened for modification C:\Windows\SysWOW64\Nhpiafnm.exe Ngomin32.exe File created C:\Windows\SysWOW64\Ccchof32.exe Cadlbk32.exe File created C:\Windows\SysWOW64\Cgdojhec.dll Ipflihfq.exe File created C:\Windows\SysWOW64\Jddnfd32.exe Jlmfeg32.exe File created C:\Windows\SysWOW64\Fngbbg32.dll Ljilqnlm.exe File opened for modification C:\Windows\SysWOW64\Dhclmp32.exe Dnmhpg32.exe File created C:\Windows\SysWOW64\Nbgqin32.dll Process not Found File created C:\Windows\SysWOW64\Chagok32.exe Ceckcp32.exe File created C:\Windows\SysWOW64\Keakgpko.exe Kfnkkb32.exe File created C:\Windows\SysWOW64\Gdilpd32.dll Ogklelna.exe File created C:\Windows\SysWOW64\Ockbnedp.dll Papfgbmg.exe File opened for modification C:\Windows\SysWOW64\Iphioh32.exe Ikkpgafg.exe File opened for modification C:\Windows\SysWOW64\Phigif32.exe Pejkmk32.exe File created C:\Windows\SysWOW64\Hemdlj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mlpeff32.exe Mhdjehhj.exe File created C:\Windows\SysWOW64\Fpimlfke.exe Process not Found File created C:\Windows\SysWOW64\Pgnnnnod.dll Jqdoem32.exe File created C:\Windows\SysWOW64\Meebmkdh.dll Lgcjdd32.exe File opened for modification C:\Windows\SysWOW64\Ojajin32.exe Process not Found File created C:\Windows\SysWOW64\Gdcliikj.exe Gmiclo32.exe File opened for modification C:\Windows\SysWOW64\Kmkbfeab.exe Kjmfjj32.exe File created C:\Windows\SysWOW64\Pgdokkfg.exe Pomgjn32.exe File created C:\Windows\SysWOW64\Jibmgi32.exe Jjamia32.exe File created C:\Windows\SysWOW64\Mlbkap32.exe Mhfppabl.exe File opened for modification C:\Windows\SysWOW64\Jinboekc.exe Process not Found File created C:\Windows\SysWOW64\Bkncfepb.dll Process not Found File created C:\Windows\SysWOW64\Cpkhqmjb.dll Process not Found File created C:\Windows\SysWOW64\Dpckjfgg.exe Dmdonkgc.exe File created C:\Windows\SysWOW64\Oehlkc32.exe Oampjeml.exe File created C:\Windows\SysWOW64\Hgghjjid.exe Hajpbckl.exe File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe Jjamia32.exe File opened for modification C:\Windows\SysWOW64\Hbhijepa.exe Hpjmnjqn.exe File opened for modification C:\Windows\SysWOW64\Bciehh32.exe Bmomlnjk.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Process not Found File created C:\Windows\SysWOW64\Ofhknodl.exe Process not Found File created C:\Windows\SysWOW64\Jjdcihik.dll Knbiofhg.exe File opened for modification C:\Windows\SysWOW64\Qgnbaj32.exe Pofjpl32.exe File created C:\Windows\SysWOW64\Bmomlnjk.exe Bidqko32.exe File created C:\Windows\SysWOW64\Ocmcjb32.dll Ffaong32.exe File opened for modification C:\Windows\SysWOW64\Chglab32.exe Cfipef32.exe File created C:\Windows\SysWOW64\Difebl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cmgjgcgo.exe Cfmajipb.exe File created C:\Windows\SysWOW64\Igpdfb32.exe Idahjg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8348 8236 Process not Found 1392 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojnko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdonkgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddhpjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phigif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohgdhfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmeke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhkjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkgnfhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfehed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmjaphek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndljll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjneln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipflihfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jglklggl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmihij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhocqigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioambknl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbchba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mefmimif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpeohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdmffnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khpgckkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahhio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbfdfkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcoqocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbkgfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacjadad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffobhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghipne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eachem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcamf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkdgchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijjbofj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffmo32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcfgpga.dll" Knkekn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkllnbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poodpmca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjelhg32.dll" Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpmfmao.dll" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimapcmi.dll" Pibdmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkeodaai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqokaeco.dll" Mhbmphjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nelfeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knippe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lppbkgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccchof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjlic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmmkl32.dll" Mpieqeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmlgah32.dll" Neppokal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miaajlho.dll" Bmomlnjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iklgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plkpcfal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngomin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngaionfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idbodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedobm32.dll" Bmofagfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knlleepl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblhpckf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khmnbgbp.dll" Eejjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acddcaom.dll" Lghcocol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhbfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoaad32.dll" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kohmng32.dll" Oohnonij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdmein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnfcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oblmdhdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjpckf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jglklggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfpjcbmh.dll" Loglacfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjpqjh32.dll" Bheffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhbagkn.dll" Nhlpfgbb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4716 wrote to memory of 3380 4716 bb38abd6997f811dedbe4292ff9f56e0N.exe 83 PID 4716 wrote to memory of 3380 4716 bb38abd6997f811dedbe4292ff9f56e0N.exe 83 PID 4716 wrote to memory of 3380 4716 bb38abd6997f811dedbe4292ff9f56e0N.exe 83 PID 3380 wrote to memory of 724 3380 Bfhhoi32.exe 84 PID 3380 wrote to memory of 724 3380 Bfhhoi32.exe 84 PID 3380 wrote to memory of 724 3380 Bfhhoi32.exe 84 PID 724 wrote to memory of 2580 724 Bnpppgdj.exe 85 PID 724 wrote to memory of 2580 724 Bnpppgdj.exe 85 PID 724 wrote to memory of 2580 724 Bnpppgdj.exe 85 PID 2580 wrote to memory of 1360 2580 Bmbplc32.exe 86 PID 2580 wrote to memory of 1360 2580 Bmbplc32.exe 86 PID 2580 wrote to memory of 1360 2580 Bmbplc32.exe 86 PID 1360 wrote to memory of 3360 1360 Beihma32.exe 87 PID 1360 wrote to memory of 3360 1360 Beihma32.exe 87 PID 1360 wrote to memory of 3360 1360 Beihma32.exe 87 PID 3360 wrote to memory of 2052 3360 Bfkedibe.exe 88 PID 3360 wrote to memory of 2052 3360 Bfkedibe.exe 88 PID 3360 wrote to memory of 2052 3360 Bfkedibe.exe 88 PID 2052 wrote to memory of 4520 2052 Bnbmefbg.exe 89 PID 2052 wrote to memory of 4520 2052 Bnbmefbg.exe 89 PID 2052 wrote to memory of 4520 2052 Bnbmefbg.exe 89 PID 4520 wrote to memory of 3284 4520 Belebq32.exe 90 PID 4520 wrote to memory of 3284 4520 Belebq32.exe 90 PID 4520 wrote to memory of 3284 4520 Belebq32.exe 90 PID 3284 wrote to memory of 848 3284 Bcoenmao.exe 91 PID 3284 wrote to memory of 848 3284 Bcoenmao.exe 91 PID 3284 wrote to memory of 848 3284 Bcoenmao.exe 91 PID 848 wrote to memory of 3020 848 Cfmajipb.exe 92 PID 848 wrote to memory of 3020 848 Cfmajipb.exe 92 PID 848 wrote to memory of 3020 848 Cfmajipb.exe 92 PID 3020 wrote to memory of 4180 3020 Cmgjgcgo.exe 93 PID 3020 wrote to memory of 4180 3020 Cmgjgcgo.exe 93 PID 3020 wrote to memory of 4180 3020 Cmgjgcgo.exe 93 PID 4180 wrote to memory of 4920 4180 Cenahpha.exe 95 PID 4180 wrote to memory of 4920 4180 Cenahpha.exe 95 PID 4180 wrote to memory of 4920 4180 Cenahpha.exe 95 PID 4920 wrote to memory of 4524 4920 Cfpnph32.exe 96 PID 4920 wrote to memory of 4524 4920 Cfpnph32.exe 96 PID 4920 wrote to memory of 4524 4920 Cfpnph32.exe 96 PID 4524 wrote to memory of 2408 4524 Cnffqf32.exe 98 PID 4524 wrote to memory of 2408 4524 Cnffqf32.exe 98 PID 4524 wrote to memory of 2408 4524 Cnffqf32.exe 98 PID 2408 wrote to memory of 1884 2408 Cdcoim32.exe 99 PID 2408 wrote to memory of 1884 2408 Cdcoim32.exe 99 PID 2408 wrote to memory of 1884 2408 Cdcoim32.exe 99 PID 1884 wrote to memory of 1736 1884 Cfbkeh32.exe 100 PID 1884 wrote to memory of 1736 1884 Cfbkeh32.exe 100 PID 1884 wrote to memory of 1736 1884 Cfbkeh32.exe 100 PID 1736 wrote to memory of 1512 1736 Cnicfe32.exe 102 PID 1736 wrote to memory of 1512 1736 Cnicfe32.exe 102 PID 1736 wrote to memory of 1512 1736 Cnicfe32.exe 102 PID 1512 wrote to memory of 4408 1512 Ceckcp32.exe 103 PID 1512 wrote to memory of 4408 1512 Ceckcp32.exe 103 PID 1512 wrote to memory of 4408 1512 Ceckcp32.exe 103 PID 4408 wrote to memory of 4580 4408 Chagok32.exe 104 PID 4408 wrote to memory of 4580 4408 Chagok32.exe 104 PID 4408 wrote to memory of 4580 4408 Chagok32.exe 104 PID 4580 wrote to memory of 4492 4580 Cjpckf32.exe 105 PID 4580 wrote to memory of 4492 4580 Cjpckf32.exe 105 PID 4580 wrote to memory of 4492 4580 Cjpckf32.exe 105 PID 4492 wrote to memory of 3900 4492 Cajlhqjp.exe 106 PID 4492 wrote to memory of 3900 4492 Cajlhqjp.exe 106 PID 4492 wrote to memory of 3900 4492 Cajlhqjp.exe 106 PID 3900 wrote to memory of 3816 3900 Cdhhdlid.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb38abd6997f811dedbe4292ff9f56e0N.exe"C:\Users\Admin\AppData\Local\Temp\bb38abd6997f811dedbe4292ff9f56e0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe23⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe24⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe25⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe26⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3272 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe28⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe30⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe31⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe32⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe33⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe34⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe35⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe36⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe37⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe39⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe43⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe44⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe46⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe47⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe48⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe49⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe50⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe51⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe52⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe53⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe54⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe55⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe56⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe57⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4668 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe59⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe60⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe61⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe62⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe63⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe64⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe66⤵PID:400
-
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe67⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe68⤵PID:3128
-
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe69⤵PID:4756
-
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe70⤵PID:2136
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe71⤵PID:3660
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe72⤵PID:4768
-
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe73⤵PID:3032
-
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1432 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe75⤵PID:1344
-
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe76⤵PID:2256
-
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe77⤵PID:1460
-
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe78⤵PID:1944
-
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe79⤵PID:2884
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe80⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe81⤵PID:3624
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe83⤵PID:1228
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe84⤵PID:3316
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe85⤵PID:5004
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe86⤵PID:3984
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe87⤵PID:4592
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe88⤵PID:1688
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe89⤵PID:2536
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe90⤵PID:2644
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe91⤵
- System Location Discovery: System Language Discovery
PID:4092 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe92⤵PID:4024
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe93⤵PID:3784
-
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe94⤵PID:336
-
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe95⤵PID:3824
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe96⤵PID:3548
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe97⤵PID:3240
-
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe98⤵PID:2968
-
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe99⤵PID:1276
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe100⤵PID:2864
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe101⤵PID:1832
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe102⤵PID:5080
-
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe103⤵PID:1452
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe104⤵PID:5128
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe105⤵
- System Location Discovery: System Language Discovery
PID:5172 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe106⤵PID:5216
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe107⤵PID:5264
-
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe108⤵PID:5308
-
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe109⤵PID:5352
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe110⤵PID:5396
-
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe111⤵PID:5440
-
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe114⤵PID:5572
-
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe115⤵PID:5616
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe116⤵
- System Location Discovery: System Language Discovery
PID:5660 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe117⤵PID:5704
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe118⤵PID:5748
-
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe119⤵
- System Location Discovery: System Language Discovery
PID:5792 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe120⤵PID:5832
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe121⤵PID:5876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-