Analysis
-
max time kernel
93s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14/09/2024, 17:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
54f7a8a53d225ccb62ab8c4beefa0950N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
54f7a8a53d225ccb62ab8c4beefa0950N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
54f7a8a53d225ccb62ab8c4beefa0950N.exe
-
Size
259KB
-
MD5
54f7a8a53d225ccb62ab8c4beefa0950
-
SHA1
23428d24f1a9db009871dd1c4e030262c4e63352
-
SHA256
1b7d3aba06242657d9d2ea323f51f3add0de3558af5c2e17fdc5a2a2d1b39fd0
-
SHA512
609c37ef34a41148a4853377211bde279c1cc4e404ad3137e42213e6c3a70f74a196dcef6ad3093dce7ec911f3199d28389b686834256e6d3ab1812f12be793a
-
SSDEEP
3072:BE6daG6SCJ9IDlRxyhTbhgu+tAcrzkAqSxYIhOmTsF93UYfwC6GIoutz5yLp:BuSCsDshsrYIcm4FmowdHoSa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblpgjha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjohde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpoalo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngkqbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglpibgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poaqemao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknicb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqhcpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfheof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefjii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmdonkgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfaigm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmjcieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibmgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klqcioba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncianepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpfqcln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaopfjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpcapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfqgab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijogmdqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhlgfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpcoefj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckeoeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhidk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnncgmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facqkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjnoece.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdina32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbfff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljgbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbaojpgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihphkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2620 Hmhhehlb.exe 1048 Ifefimom.exe 4140 Imoneg32.exe 2520 Iejcji32.exe 4100 Imakkfdg.exe 2044 Ickchq32.exe 1876 Ibnccmbo.exe 3096 Icnpmp32.exe 628 Ibqpimpl.exe 452 Ilidbbgl.exe 1464 Jimekgff.exe 2952 Jlkagbej.exe 1056 Jbeidl32.exe 3896 Jlnnmb32.exe 976 Jfcbjk32.exe 5012 Jlpkba32.exe 5028 Jbjcolha.exe 3532 Jidklf32.exe 2316 Jlbgha32.exe 916 Jpppnp32.exe 2336 Kemhff32.exe 4400 Kpbmco32.exe 3048 Kfmepi32.exe 3120 Kepelfam.exe 2972 Kbceejpf.exe 2580 Kimnbd32.exe 552 Kpgfooop.exe 1556 Kedoge32.exe 544 Kmkfhc32.exe 2680 Kfckahdj.exe 696 Klqcioba.exe 3264 Kdgljmcd.exe 1724 Lmppcbjd.exe 3032 Ldjhpl32.exe 1240 Lekehdgp.exe 5052 Llemdo32.exe 4232 Lboeaifi.exe 2360 Lenamdem.exe 1756 Lmdina32.exe 1112 Ldoaklml.exe 4956 Lepncd32.exe 1620 Likjcbkc.exe 4468 Ldanqkki.exe 4736 Lmiciaaj.exe 4156 Lphoelqn.exe 424 Mbfkbhpa.exe 1420 Mipcob32.exe 2376 Mpjlklok.exe 1504 Mchhggno.exe 2576 Mibpda32.exe 4292 Mplhql32.exe 2500 Mckemg32.exe 1400 Miemjaci.exe 224 Mmpijp32.exe 3664 Mpoefk32.exe 4340 Mgimcebb.exe 920 Migjoaaf.exe 1768 Mlefklpj.exe 2892 Mcpnhfhf.exe 4592 Miifeq32.exe 1012 Npcoakfp.exe 1840 Nngokoej.exe 4200 Npfkgjdn.exe 1340 Nebdoa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Chglab32.exe Camddhoi.exe File opened for modification C:\Windows\SysWOW64\Onkidm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Paeelgnj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mqjbddpl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ihnkel32.exe Hpfcdojl.exe File opened for modification C:\Windows\SysWOW64\Gbeejp32.exe Gpgind32.exe File created C:\Windows\SysWOW64\Lcgpni32.exe Lqhdbm32.exe File created C:\Windows\SysWOW64\Odocigqg.exe Opdghh32.exe File created C:\Windows\SysWOW64\Bbiado32.exe Bokehc32.exe File opened for modification C:\Windows\SysWOW64\Chiigadc.exe Cbpajgmf.exe File created C:\Windows\SysWOW64\Paeelgnj.exe Process not Found File created C:\Windows\SysWOW64\Jidinqpb.exe Process not Found File created C:\Windows\SysWOW64\Njljch32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hdlpneli.exe Hfipbh32.exe File opened for modification C:\Windows\SysWOW64\Djcoai32.exe Dblgpl32.exe File created C:\Windows\SysWOW64\Ggpenegb.dll Process not Found File created C:\Windows\SysWOW64\Kideagnd.dll Hkbmqb32.exe File created C:\Windows\SysWOW64\Kdmqmc32.exe Kmfhkf32.exe File created C:\Windows\SysWOW64\Jepjhg32.exe Jpcapp32.exe File created C:\Windows\SysWOW64\Aldclhie.dll Process not Found File created C:\Windows\SysWOW64\Ajckij32.exe Acjclpcf.exe File opened for modification C:\Windows\SysWOW64\Leoghn32.exe Lbqklb32.exe File created C:\Windows\SysWOW64\Pdnjmc32.dll Lddgmbpb.exe File opened for modification C:\Windows\SysWOW64\Fiaael32.exe Fbgihaji.exe File created C:\Windows\SysWOW64\Blnlefae.dll Coiaiakf.exe File created C:\Windows\SysWOW64\Kpmmljnd.dll Process not Found File created C:\Windows\SysWOW64\Efoope32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ibnccmbo.exe Ickchq32.exe File created C:\Windows\SysWOW64\Ipncng32.dll Klkcdj32.exe File opened for modification C:\Windows\SysWOW64\Mfjcnold.exe Mockmala.exe File created C:\Windows\SysWOW64\Bnnkgo32.dll Kpoalo32.exe File created C:\Windows\SysWOW64\Pnpkdp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Foapaa32.exe Process not Found File created C:\Windows\SysWOW64\Ppadalgj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bheffh32.exe Bcinna32.exe File opened for modification C:\Windows\SysWOW64\Hmdlmg32.exe Hemdlj32.exe File opened for modification C:\Windows\SysWOW64\Oqmhqapg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ncianepl.exe Nloiakho.exe File opened for modification C:\Windows\SysWOW64\Hdkidohn.exe Hammhcij.exe File created C:\Windows\SysWOW64\Mahnhhod.exe Mlkepaam.exe File created C:\Windows\SysWOW64\Fjohde32.exe Ffclcgfn.exe File opened for modification C:\Windows\SysWOW64\Lnohlgep.exe Lkalplel.exe File created C:\Windows\SysWOW64\Ipaooi32.dll Process not Found File created C:\Windows\SysWOW64\Fpbdco32.dll Process not Found File created C:\Windows\SysWOW64\Mhjhmhhd.exe Process not Found File created C:\Windows\SysWOW64\Ipoheakj.exe Impliekg.exe File created C:\Windows\SysWOW64\Jfpqiega.dll Process not Found File created C:\Windows\SysWOW64\Jimekgff.exe Ilidbbgl.exe File created C:\Windows\SysWOW64\Elcenjob.dll Phjenbhp.exe File opened for modification C:\Windows\SysWOW64\Onnmdcjm.exe Ojbacd32.exe File opened for modification C:\Windows\SysWOW64\Kckqbj32.exe Koodbl32.exe File created C:\Windows\SysWOW64\Cknmplfo.dll Process not Found File created C:\Windows\SysWOW64\Ojjolnaq.exe Ogkcpbam.exe File created C:\Windows\SysWOW64\Dcjnoece.exe Dmpfbk32.exe File opened for modification C:\Windows\SysWOW64\Bopocbcq.exe Bheffh32.exe File created C:\Windows\SysWOW64\Acpklg32.dll Ckilmcgb.exe File created C:\Windows\SysWOW64\Loeolc32.exe Llgcph32.exe File created C:\Windows\SysWOW64\Eblpgjha.exe Epndknin.exe File created C:\Windows\SysWOW64\Ajgqdaoi.dll Process not Found File created C:\Windows\SysWOW64\Fbdehlip.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jhijqj32.exe Ibobdqid.exe File created C:\Windows\SysWOW64\Bicdfa32.dll Ljbfpo32.exe File created C:\Windows\SysWOW64\Ajjjof32.dll Okgaijaj.exe File opened for modification C:\Windows\SysWOW64\Hibafp32.exe Hdehni32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12652 13316 Process not Found 1508 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmnoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejjjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcobaedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mepfiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfnofpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iohejo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mipcob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcbodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknkpjfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbokdlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkagbej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppbkgcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccqkigkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoelkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgioqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjcmebie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhkikq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkogiikb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glldgljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmoohbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejeiocj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogifjcdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfdcjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqklon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcapp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnoklk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbobf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceddf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hglaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihphkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbaojpgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdcld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll" Mnmmboed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dipidh32.dll" Gdncmghi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koijai32.dll" Hkehkocf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmhkg32.dll" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbfpack.dll" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbcohkd.dll" Emphocjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjmgfgdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mngegmbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcncmnn.dll" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igegpo32.dll" Aoofle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckilmcgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alpbecod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkaobnio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odkjng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmniml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjqcaao.dll" Elnoopdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbbhnma.dll" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcjeh32.dll" Ebgpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klfjijgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efhcbodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befhip32.dll" Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illddp32.dll" Lkchelci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmbekjjm.dll" Gnhdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibkpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niipjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mibijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaplji32.dll" Mhfppabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amlkko32.dll" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgabcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmkqpkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnboabc.dll" Fknbil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmlneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcfhh32.dll" Giinpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Likjcbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbdho32.dll" Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknpmdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpimfpo.dll" Ghpendjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjlnnemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nngokoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnmnfkia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blknem32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcldc32.dll" Fphnlcdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhogopn.dll" Bhnikc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmdom32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 656 wrote to memory of 2620 656 54f7a8a53d225ccb62ab8c4beefa0950N.exe 83 PID 656 wrote to memory of 2620 656 54f7a8a53d225ccb62ab8c4beefa0950N.exe 83 PID 656 wrote to memory of 2620 656 54f7a8a53d225ccb62ab8c4beefa0950N.exe 83 PID 2620 wrote to memory of 1048 2620 Hmhhehlb.exe 84 PID 2620 wrote to memory of 1048 2620 Hmhhehlb.exe 84 PID 2620 wrote to memory of 1048 2620 Hmhhehlb.exe 84 PID 1048 wrote to memory of 4140 1048 Ifefimom.exe 85 PID 1048 wrote to memory of 4140 1048 Ifefimom.exe 85 PID 1048 wrote to memory of 4140 1048 Ifefimom.exe 85 PID 4140 wrote to memory of 2520 4140 Imoneg32.exe 86 PID 4140 wrote to memory of 2520 4140 Imoneg32.exe 86 PID 4140 wrote to memory of 2520 4140 Imoneg32.exe 86 PID 2520 wrote to memory of 4100 2520 Iejcji32.exe 87 PID 2520 wrote to memory of 4100 2520 Iejcji32.exe 87 PID 2520 wrote to memory of 4100 2520 Iejcji32.exe 87 PID 4100 wrote to memory of 2044 4100 Imakkfdg.exe 88 PID 4100 wrote to memory of 2044 4100 Imakkfdg.exe 88 PID 4100 wrote to memory of 2044 4100 Imakkfdg.exe 88 PID 2044 wrote to memory of 1876 2044 Ickchq32.exe 89 PID 2044 wrote to memory of 1876 2044 Ickchq32.exe 89 PID 2044 wrote to memory of 1876 2044 Ickchq32.exe 89 PID 1876 wrote to memory of 3096 1876 Ibnccmbo.exe 92 PID 1876 wrote to memory of 3096 1876 Ibnccmbo.exe 92 PID 1876 wrote to memory of 3096 1876 Ibnccmbo.exe 92 PID 3096 wrote to memory of 628 3096 Icnpmp32.exe 93 PID 3096 wrote to memory of 628 3096 Icnpmp32.exe 93 PID 3096 wrote to memory of 628 3096 Icnpmp32.exe 93 PID 628 wrote to memory of 452 628 Ibqpimpl.exe 94 PID 628 wrote to memory of 452 628 Ibqpimpl.exe 94 PID 628 wrote to memory of 452 628 Ibqpimpl.exe 94 PID 452 wrote to memory of 1464 452 Ilidbbgl.exe 95 PID 452 wrote to memory of 1464 452 Ilidbbgl.exe 95 PID 452 wrote to memory of 1464 452 Ilidbbgl.exe 95 PID 1464 wrote to memory of 2952 1464 Jimekgff.exe 97 PID 1464 wrote to memory of 2952 1464 Jimekgff.exe 97 PID 1464 wrote to memory of 2952 1464 Jimekgff.exe 97 PID 2952 wrote to memory of 1056 2952 Jlkagbej.exe 98 PID 2952 wrote to memory of 1056 2952 Jlkagbej.exe 98 PID 2952 wrote to memory of 1056 2952 Jlkagbej.exe 98 PID 1056 wrote to memory of 3896 1056 Jbeidl32.exe 99 PID 1056 wrote to memory of 3896 1056 Jbeidl32.exe 99 PID 1056 wrote to memory of 3896 1056 Jbeidl32.exe 99 PID 3896 wrote to memory of 976 3896 Jlnnmb32.exe 100 PID 3896 wrote to memory of 976 3896 Jlnnmb32.exe 100 PID 3896 wrote to memory of 976 3896 Jlnnmb32.exe 100 PID 976 wrote to memory of 5012 976 Jfcbjk32.exe 101 PID 976 wrote to memory of 5012 976 Jfcbjk32.exe 101 PID 976 wrote to memory of 5012 976 Jfcbjk32.exe 101 PID 5012 wrote to memory of 5028 5012 Jlpkba32.exe 102 PID 5012 wrote to memory of 5028 5012 Jlpkba32.exe 102 PID 5012 wrote to memory of 5028 5012 Jlpkba32.exe 102 PID 5028 wrote to memory of 3532 5028 Jbjcolha.exe 103 PID 5028 wrote to memory of 3532 5028 Jbjcolha.exe 103 PID 5028 wrote to memory of 3532 5028 Jbjcolha.exe 103 PID 3532 wrote to memory of 2316 3532 Jidklf32.exe 104 PID 3532 wrote to memory of 2316 3532 Jidklf32.exe 104 PID 3532 wrote to memory of 2316 3532 Jidklf32.exe 104 PID 2316 wrote to memory of 916 2316 Jlbgha32.exe 105 PID 2316 wrote to memory of 916 2316 Jlbgha32.exe 105 PID 2316 wrote to memory of 916 2316 Jlbgha32.exe 105 PID 916 wrote to memory of 2336 916 Jpppnp32.exe 106 PID 916 wrote to memory of 2336 916 Jpppnp32.exe 106 PID 916 wrote to memory of 2336 916 Jpppnp32.exe 106 PID 2336 wrote to memory of 4400 2336 Kemhff32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\54f7a8a53d225ccb62ab8c4beefa0950N.exe"C:\Users\Admin\AppData\Local\Temp\54f7a8a53d225ccb62ab8c4beefa0950N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Icnpmp32.exeC:\Windows\system32\Icnpmp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Jlbgha32.exeC:\Windows\system32\Jlbgha32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe23⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe24⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Kepelfam.exeC:\Windows\system32\Kepelfam.exe25⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe26⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe27⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe28⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe29⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe30⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe31⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe33⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe34⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe35⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe36⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe37⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe38⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe39⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe41⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe42⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe44⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe45⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe46⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe47⤵
- Executes dropped EXE
PID:424 -
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe49⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe50⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe51⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe52⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe53⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe54⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:224 -
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe56⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe57⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe58⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe59⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe60⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe61⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe62⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe64⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe65⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4336 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe67⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4028 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe69⤵PID:2836
-
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe70⤵
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe71⤵PID:212
-
C:\Windows\SysWOW64\Nggjdc32.exeC:\Windows\system32\Nggjdc32.exe72⤵PID:620
-
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe73⤵PID:2484
-
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe75⤵
- System Location Discovery: System Language Discovery
PID:4252 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe76⤵PID:2832
-
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe77⤵PID:1584
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe78⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe79⤵PID:1944
-
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe80⤵
- Drops file in System32 directory
PID:5164 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5200 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe82⤵PID:5252
-
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe83⤵PID:5296
-
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe84⤵PID:5352
-
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe85⤵PID:5396
-
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe86⤵PID:5440
-
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe87⤵PID:5484
-
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe88⤵PID:5528
-
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe89⤵PID:5572
-
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe90⤵PID:5616
-
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe91⤵PID:5660
-
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe92⤵
- System Location Discovery: System Language Discovery
PID:5704 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe93⤵PID:5752
-
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe94⤵PID:5796
-
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe95⤵
- System Location Discovery: System Language Discovery
PID:5840 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe96⤵PID:5880
-
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5920 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe98⤵PID:5968
-
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe99⤵PID:6008
-
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe100⤵PID:6048
-
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe101⤵PID:6092
-
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe102⤵PID:6136
-
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5156 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe104⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe105⤵PID:5272
-
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe106⤵PID:5392
-
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe107⤵PID:5456
-
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe108⤵PID:5520
-
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe109⤵PID:5560
-
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe110⤵PID:5656
-
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe111⤵PID:5744
-
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe112⤵PID:5812
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe113⤵PID:5864
-
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe114⤵PID:5952
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe115⤵PID:6044
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe116⤵
- System Location Discovery: System Language Discovery
PID:6108 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe117⤵PID:5160
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe118⤵PID:5180
-
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe119⤵PID:5364
-
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe120⤵PID:5472
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe121⤵PID:5600
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-