Analysis
-
max time kernel
93s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 17:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4469a0dc59bc2be64cbe43ad0e4e0bf0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4469a0dc59bc2be64cbe43ad0e4e0bf0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4469a0dc59bc2be64cbe43ad0e4e0bf0N.exe
-
Size
77KB
-
MD5
4469a0dc59bc2be64cbe43ad0e4e0bf0
-
SHA1
cd63776c9fec17e8f5b82dee2a826bbb757f16c2
-
SHA256
c2e90d3ae3bd98392b2360f2109c707ff1bee29d9d52af0841ff7909818163d5
-
SHA512
45592d47cb8f6044fef970e6fd0cac658e4e0e1655effaa966f17004731c6f3f78cbf90c78da851054a1cb34a6eff745557f963a065eb637c4cd5c6b34e91fef
-
SSDEEP
1536:Cfwxv4GCDqkvPXY/mtP780TtLsHH+wcE2Lt6wfi+TjRC/D:Nv4GAqhLkLsSdIwf1TjYD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdfdmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpodlbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmiciaaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehaho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobilkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haafcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edfdej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhlhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jecofa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmijq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaehljpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnfgop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkofdbkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkobmnka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebmekoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkaopp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdicienl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidqko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfningai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppbkgcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgflqkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afghneoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffkij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhnpjmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mibijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfpecg32.exe -
Executes dropped EXE 64 IoCs
pid Process 4852 Hfnphn32.exe 2680 Hkkhqd32.exe 1064 Ikpaldog.exe 4008 Ibjjhn32.exe 2052 Iicbehnq.exe 3836 Ipnjab32.exe 3032 Ifgbnlmj.exe 2364 Iifokh32.exe 548 Ickchq32.exe 2832 Iemppiab.exe 1784 Ilghlc32.exe 2948 Ibqpimpl.exe 4432 Iikhfg32.exe 4512 Ilidbbgl.exe 2648 Ibcmom32.exe 392 Jeaikh32.exe 4088 Jmhale32.exe 3256 Jcbihpel.exe 4736 Jfaedkdp.exe 2732 Jioaqfcc.exe 4200 Jpijnqkp.exe 4860 Jfcbjk32.exe 1920 Jmmjgejj.exe 4656 Jplfcpin.exe 624 Jbjcolha.exe 2448 Jehokgge.exe 4492 Jlbgha32.exe 2748 Jcioiood.exe 4296 Jfhlejnh.exe 2500 Jifhaenk.exe 2216 Jmbdbd32.exe 4340 Kboljk32.exe 1364 Kfjhkjle.exe 3572 Kbaipkbi.exe 3156 Kikame32.exe 5016 Klimip32.exe 4732 Kdqejn32.exe 208 Kebbafoj.exe 2360 Kmijbcpl.exe 1396 Klljnp32.exe 4448 Kbfbkj32.exe 2332 Kedoge32.exe 1224 Kipkhdeq.exe 4680 Klngdpdd.exe 4144 Kfckahdj.exe 4356 Kibgmdcn.exe 3208 Klqcioba.exe 4584 Kdgljmcd.exe 1392 Lbjlfi32.exe 3512 Leihbeib.exe 3476 Lmppcbjd.exe 4288 Llcpoo32.exe 844 Lbmhlihl.exe 4996 Lekehdgp.exe 2520 Lmbmibhb.exe 3948 Ldleel32.exe 876 Lboeaifi.exe 3092 Lfkaag32.exe 4576 Lmdina32.exe 1616 Lpcfkm32.exe 4428 Lbabgh32.exe 1012 Lepncd32.exe 2528 Lmgfda32.exe 4400 Ldanqkki.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Indfca32.exe Ikejgf32.exe File created C:\Windows\SysWOW64\Ikfghc32.dll Dcigeooj.exe File created C:\Windows\SysWOW64\Glengm32.exe Gigaka32.exe File opened for modification C:\Windows\SysWOW64\Jbccge32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njfkmphe.exe Process not Found File created C:\Windows\SysWOW64\Mfpell32.exe Process not Found File created C:\Windows\SysWOW64\Ckijjqka.dll Mgagbf32.exe File opened for modification C:\Windows\SysWOW64\Gkiaej32.exe Ghkeio32.exe File created C:\Windows\SysWOW64\Meiioonj.exe Mjdebfnd.exe File opened for modification C:\Windows\SysWOW64\Lcimdh32.exe Process not Found File created C:\Windows\SysWOW64\Ddligq32.exe Process not Found File created C:\Windows\SysWOW64\Didmdo32.dll Process not Found File created C:\Windows\SysWOW64\Lbkkgl32.exe Ljdceo32.exe File opened for modification C:\Windows\SysWOW64\Qebhhp32.exe Qcclld32.exe File opened for modification C:\Windows\SysWOW64\Ilccoh32.exe Ikbfgppo.exe File opened for modification C:\Windows\SysWOW64\Ponfka32.exe Plpjoe32.exe File created C:\Windows\SysWOW64\Gnblnlhl.exe Process not Found File created C:\Windows\SysWOW64\Jcioiood.exe Jlbgha32.exe File opened for modification C:\Windows\SysWOW64\Lpcfkm32.exe Lmdina32.exe File opened for modification C:\Windows\SysWOW64\Cjgpfk32.exe Cbphdn32.exe File opened for modification C:\Windows\SysWOW64\Fofilp32.exe Process not Found File created C:\Windows\SysWOW64\Pefhlaie.exe Pakllc32.exe File opened for modification C:\Windows\SysWOW64\Fmfgek32.exe Process not Found File created C:\Windows\SysWOW64\Mjodla32.exe Process not Found File created C:\Windows\SysWOW64\Hbldphde.exe Process not Found File created C:\Windows\SysWOW64\Clkgcdmh.dll Ghniielm.exe File created C:\Windows\SysWOW64\Illfdc32.exe Process not Found File created C:\Windows\SysWOW64\Accimdgp.dll Process not Found File created C:\Windows\SysWOW64\Lcccepbd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bmpcfdmg.exe Bffkij32.exe File created C:\Windows\SysWOW64\Ipligd32.dll Hdbfodfa.exe File opened for modification C:\Windows\SysWOW64\Kiggbhda.exe Kqpoakco.exe File created C:\Windows\SysWOW64\Fkaokcqj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Apaadpng.exe Process not Found File created C:\Windows\SysWOW64\Fallih32.dll Process not Found File created C:\Windows\SysWOW64\Heffebak.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kkfcndce.exe Kiggbhda.exe File created C:\Windows\SysWOW64\Mkellk32.dll Aleckinj.exe File created C:\Windows\SysWOW64\Fdglmkeg.exe Flqdlnde.exe File opened for modification C:\Windows\SysWOW64\Bkjiao32.exe Bhkmec32.exe File created C:\Windows\SysWOW64\Nlplhfon.dll Klimip32.exe File created C:\Windows\SysWOW64\Bgeaifia.exe Bpnihiio.exe File opened for modification C:\Windows\SysWOW64\Oodcdb32.exe Olfghg32.exe File created C:\Windows\SysWOW64\Hkdoio32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lijlof32.exe Lacdmh32.exe File opened for modification C:\Windows\SysWOW64\Fbhpch32.exe Flngfn32.exe File created C:\Windows\SysWOW64\Ilmjim32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lckiihok.exe Process not Found File created C:\Windows\SysWOW64\Abcgjd32.dll Maeachag.exe File created C:\Windows\SysWOW64\Cjelhg32.dll Gbdoof32.exe File opened for modification C:\Windows\SysWOW64\Bkaobnio.exe Bhbcfbjk.exe File opened for modification C:\Windows\SysWOW64\Nfaemp32.exe Process not Found File created C:\Windows\SysWOW64\Ageolo32.exe Adgbpc32.exe File created C:\Windows\SysWOW64\Ffpmlcim.dll Cdfkolkf.exe File created C:\Windows\SysWOW64\Fpebke32.dll Jicdap32.exe File created C:\Windows\SysWOW64\Ngdfdmdi.exe Nchjdo32.exe File created C:\Windows\SysWOW64\Fipkjb32.exe Fbfcmhpg.exe File created C:\Windows\SysWOW64\Ojemig32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Process not Found File created C:\Windows\SysWOW64\Doojec32.exe Process not Found File created C:\Windows\SysWOW64\Odlkfe32.dll Process not Found File created C:\Windows\SysWOW64\Gahamgib.dll Process not Found File created C:\Windows\SysWOW64\Jfpqiega.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ofnckp32.exe Ocpgod32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14552 14804 Process not Found 1656 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phganm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glengm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffdpghg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkjhoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceddf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgpfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhimica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bljlfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbimf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiaglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejalcgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfipef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjljpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccqkigkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlkge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffhifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhnpjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggahedjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edemkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haafcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flngfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjnkcekm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pggbkagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjicdmmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djelgied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkaag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdqejn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfipbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcinna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klqcioba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhpgofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mibpda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcijeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojoign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffkij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdicienl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageolo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" Bgehcmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmgfljg.dll" Lekmnajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibjjhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdeookg.dll" Mehcdfch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojnblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooejohhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgdqf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkgeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qipkmbib.dll" Ihgnkkbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgaokl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlplhfon.dll" Klimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnffqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgbl32.dll" Ngdfdmdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdmqmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmgjgcgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnblp32.dll" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idfaefkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglobbdg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlampmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jodjhkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kinmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilmjcon.dll" Ljfhqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcpfdbd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepfnpi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll" Kdqejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" Pmoahijl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hglppijc.dll" Inomhbeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occgpjdk.dll" Hcpojd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" Pflplnlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pedbahod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjaopom.dll" Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Pldcjeia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omjpeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldcjeia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmmbbejp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4944 wrote to memory of 4852 4944 4469a0dc59bc2be64cbe43ad0e4e0bf0N.exe 83 PID 4944 wrote to memory of 4852 4944 4469a0dc59bc2be64cbe43ad0e4e0bf0N.exe 83 PID 4944 wrote to memory of 4852 4944 4469a0dc59bc2be64cbe43ad0e4e0bf0N.exe 83 PID 4852 wrote to memory of 2680 4852 Hfnphn32.exe 84 PID 4852 wrote to memory of 2680 4852 Hfnphn32.exe 84 PID 4852 wrote to memory of 2680 4852 Hfnphn32.exe 84 PID 2680 wrote to memory of 1064 2680 Hkkhqd32.exe 85 PID 2680 wrote to memory of 1064 2680 Hkkhqd32.exe 85 PID 2680 wrote to memory of 1064 2680 Hkkhqd32.exe 85 PID 1064 wrote to memory of 4008 1064 Ikpaldog.exe 86 PID 1064 wrote to memory of 4008 1064 Ikpaldog.exe 86 PID 1064 wrote to memory of 4008 1064 Ikpaldog.exe 86 PID 4008 wrote to memory of 2052 4008 Ibjjhn32.exe 87 PID 4008 wrote to memory of 2052 4008 Ibjjhn32.exe 87 PID 4008 wrote to memory of 2052 4008 Ibjjhn32.exe 87 PID 2052 wrote to memory of 3836 2052 Iicbehnq.exe 88 PID 2052 wrote to memory of 3836 2052 Iicbehnq.exe 88 PID 2052 wrote to memory of 3836 2052 Iicbehnq.exe 88 PID 3836 wrote to memory of 3032 3836 Ipnjab32.exe 90 PID 3836 wrote to memory of 3032 3836 Ipnjab32.exe 90 PID 3836 wrote to memory of 3032 3836 Ipnjab32.exe 90 PID 3032 wrote to memory of 2364 3032 Ifgbnlmj.exe 91 PID 3032 wrote to memory of 2364 3032 Ifgbnlmj.exe 91 PID 3032 wrote to memory of 2364 3032 Ifgbnlmj.exe 91 PID 2364 wrote to memory of 548 2364 Iifokh32.exe 93 PID 2364 wrote to memory of 548 2364 Iifokh32.exe 93 PID 2364 wrote to memory of 548 2364 Iifokh32.exe 93 PID 548 wrote to memory of 2832 548 Ickchq32.exe 94 PID 548 wrote to memory of 2832 548 Ickchq32.exe 94 PID 548 wrote to memory of 2832 548 Ickchq32.exe 94 PID 2832 wrote to memory of 1784 2832 Iemppiab.exe 96 PID 2832 wrote to memory of 1784 2832 Iemppiab.exe 96 PID 2832 wrote to memory of 1784 2832 Iemppiab.exe 96 PID 1784 wrote to memory of 2948 1784 Ilghlc32.exe 97 PID 1784 wrote to memory of 2948 1784 Ilghlc32.exe 97 PID 1784 wrote to memory of 2948 1784 Ilghlc32.exe 97 PID 2948 wrote to memory of 4432 2948 Ibqpimpl.exe 98 PID 2948 wrote to memory of 4432 2948 Ibqpimpl.exe 98 PID 2948 wrote to memory of 4432 2948 Ibqpimpl.exe 98 PID 4432 wrote to memory of 4512 4432 Iikhfg32.exe 99 PID 4432 wrote to memory of 4512 4432 Iikhfg32.exe 99 PID 4432 wrote to memory of 4512 4432 Iikhfg32.exe 99 PID 4512 wrote to memory of 2648 4512 Ilidbbgl.exe 100 PID 4512 wrote to memory of 2648 4512 Ilidbbgl.exe 100 PID 4512 wrote to memory of 2648 4512 Ilidbbgl.exe 100 PID 2648 wrote to memory of 392 2648 Ibcmom32.exe 101 PID 2648 wrote to memory of 392 2648 Ibcmom32.exe 101 PID 2648 wrote to memory of 392 2648 Ibcmom32.exe 101 PID 392 wrote to memory of 4088 392 Jeaikh32.exe 102 PID 392 wrote to memory of 4088 392 Jeaikh32.exe 102 PID 392 wrote to memory of 4088 392 Jeaikh32.exe 102 PID 4088 wrote to memory of 3256 4088 Jmhale32.exe 103 PID 4088 wrote to memory of 3256 4088 Jmhale32.exe 103 PID 4088 wrote to memory of 3256 4088 Jmhale32.exe 103 PID 3256 wrote to memory of 4736 3256 Jcbihpel.exe 104 PID 3256 wrote to memory of 4736 3256 Jcbihpel.exe 104 PID 3256 wrote to memory of 4736 3256 Jcbihpel.exe 104 PID 4736 wrote to memory of 2732 4736 Jfaedkdp.exe 105 PID 4736 wrote to memory of 2732 4736 Jfaedkdp.exe 105 PID 4736 wrote to memory of 2732 4736 Jfaedkdp.exe 105 PID 2732 wrote to memory of 4200 2732 Jioaqfcc.exe 106 PID 2732 wrote to memory of 4200 2732 Jioaqfcc.exe 106 PID 2732 wrote to memory of 4200 2732 Jioaqfcc.exe 106 PID 4200 wrote to memory of 4860 4200 Jpijnqkp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\4469a0dc59bc2be64cbe43ad0e4e0bf0N.exe"C:\Users\Admin\AppData\Local\Temp\4469a0dc59bc2be64cbe43ad0e4e0bf0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe23⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe24⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe25⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe26⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe27⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Jcioiood.exeC:\Windows\system32\Jcioiood.exe29⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe30⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe31⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe32⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe33⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe34⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe35⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe36⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5016 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4732 -
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe39⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe40⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe41⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe42⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe43⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe44⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe45⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe46⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe47⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3208 -
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe49⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe50⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Leihbeib.exeC:\Windows\system32\Leihbeib.exe51⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe52⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe53⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe54⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe56⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe57⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe58⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3092 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe61⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Lbabgh32.exeC:\Windows\system32\Lbabgh32.exe62⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe63⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe64⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe65⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe66⤵PID:2960
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe68⤵PID:2924
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe69⤵
- Drops file in System32 directory
PID:3408 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe70⤵PID:764
-
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe71⤵PID:2012
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe72⤵PID:2952
-
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe73⤵PID:1444
-
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe75⤵
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe76⤵PID:3268
-
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe77⤵PID:4548
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe78⤵PID:2956
-
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe79⤵PID:4500
-
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe80⤵PID:3460
-
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe81⤵PID:4976
-
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe82⤵PID:5024
-
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe83⤵PID:2540
-
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe84⤵PID:1636
-
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe85⤵PID:4700
-
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe86⤵PID:5128
-
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe87⤵PID:5172
-
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe88⤵PID:5216
-
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe89⤵PID:5260
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe90⤵PID:5304
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe91⤵PID:5348
-
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe92⤵PID:5392
-
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe93⤵PID:5436
-
C:\Windows\SysWOW64\Ndfqbhia.exeC:\Windows\system32\Ndfqbhia.exe94⤵PID:5480
-
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe95⤵PID:5524
-
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe96⤵PID:5568
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe97⤵PID:5612
-
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe98⤵PID:5656
-
C:\Windows\SysWOW64\Oponmilc.exeC:\Windows\system32\Oponmilc.exe99⤵PID:5700
-
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe100⤵PID:5744
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe101⤵PID:5788
-
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe102⤵
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe103⤵PID:5876
-
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe104⤵PID:5920
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe105⤵PID:5964
-
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe106⤵PID:6008
-
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe107⤵PID:6068
-
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe108⤵
- System Location Discovery: System Language Discovery
PID:6120 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe109⤵PID:5180
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe110⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe111⤵
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe112⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe113⤵PID:5556
-
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe114⤵PID:5664
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe115⤵PID:5728
-
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe116⤵
- Modifies registry class
PID:5800 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe117⤵PID:5856
-
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5960 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe119⤵PID:5992
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe120⤵PID:5124
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe121⤵PID:5292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-