Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14/09/2024, 21:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8a22e0de4501240c6de1e2783bdf33d0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
8a22e0de4501240c6de1e2783bdf33d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8a22e0de4501240c6de1e2783bdf33d0N.exe
-
Size
363KB
-
MD5
8a22e0de4501240c6de1e2783bdf33d0
-
SHA1
724ee9cdb76728d2ea69cc504d398e660f81da41
-
SHA256
7ed03f8215630080995223ada46ca2a3611265e1178f6bd8fe4f5f140304fee6
-
SHA512
4b33593eebc2bf5108a3a56df2051180b6ad8ca6bd83383a6982fb28be15a99186ebcbde3a43c100a4ee67cc181520aaea8bd4df547d305c4bbaf6f4cd116dac
-
SSDEEP
6144:uGoAF2/vvPQUEHvmqjkym/89b7yS49pkuk4Nx73U2S4D23DgDJsAE1m7uLcp37pd:iAFM4UEHv0f9S49yuFL73tS4D2FR1maK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opclldhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdohp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljilqnlm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqndhcdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdcfidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogcihaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aobilkcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijadbdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efepbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehlkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldamm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbdjeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dngjff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiildjag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdafnpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjoiil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gddinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peieba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjfnedho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlbcnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lldopb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemefcap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfbaonae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Madjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohnebd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnhnaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncjginjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfiddm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klkcdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhijijbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgfkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digehphc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngmpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njpdnedf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefabkej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpojead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hncmmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amcehdod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pleaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efkphnbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiaglp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqhcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omgmeigd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fknbil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikcmbfcj.exe -
Executes dropped EXE 64 IoCs
pid Process 1152 Fojedapj.exe 940 Fahaplon.exe 2740 Fkqeib32.exe 1968 Fefjfked.exe 3236 Fonnop32.exe 2764 Fdkggg32.exe 1324 Fkeodaai.exe 4380 Gaogak32.exe 1884 Gglpibgm.exe 4592 Gochjpho.exe 232 Gnfhfl32.exe 4436 Ggnlobej.exe 4204 Gnhdkl32.exe 5004 Ghniielm.exe 1444 Gkleeplq.exe 3376 Gddinf32.exe 3188 Gojnko32.exe 4068 Gfdfgiid.exe 5064 Gkaopp32.exe 3520 Hffcmh32.exe 4156 Hghoeqmp.exe 2724 Hnagak32.exe 3616 Hhgloc32.exe 448 Hkehkocf.exe 4988 Hbpphi32.exe 4064 Hnfamjqg.exe 3216 Hdpiid32.exe 408 Hgoeep32.exe 3148 Hninbj32.exe 3604 Hdbfodfa.exe 3428 Inkjhi32.exe 3712 Igcoqocb.exe 2480 Inmgmijo.exe 2680 Ifdonfka.exe 3168 Iickkbje.exe 3232 Ikaggmii.exe 5076 Iomcgl32.exe 2928 Ibkpcg32.exe 3452 Iiehpahb.exe 4992 Ikcdlmgf.exe 3828 Ioopml32.exe 3264 Ibnligoc.exe 4016 Ieliebnf.exe 4280 Ikfabm32.exe 3744 Indmnh32.exe 1044 Ifleoe32.exe 4768 Iijaka32.exe 996 Jkhngl32.exe 3268 Jfnbdecg.exe 1728 Jilnqqbj.exe 4900 Joffnk32.exe 3132 Jfpojead.exe 1280 Jiokfpph.exe 724 Jkmgblok.exe 2896 Jfbkpd32.exe 1292 Jiaglp32.exe 2380 Jgdhgmep.exe 1572 Jnnpdg32.exe 1056 Jbileede.exe 3968 Jehhaaci.exe 4820 Jgfdmlcm.exe 2100 Jnpmjf32.exe 4288 Jfgdkd32.exe 5048 Jieagojp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mbighjdd.exe Mlpokp32.exe File created C:\Windows\SysWOW64\Odjjif32.dll Bhpfqcln.exe File opened for modification C:\Windows\SysWOW64\Goglcahb.exe Glipgf32.exe File created C:\Windows\SysWOW64\Effkpc32.dll Cbpajgmf.exe File created C:\Windows\SysWOW64\Dkhnjk32.exe Ddnfmqng.exe File created C:\Windows\SysWOW64\Lhdbgapf.dll Pnfiplog.exe File opened for modification C:\Windows\SysWOW64\Mehjol32.exe Moobbb32.exe File opened for modification C:\Windows\SysWOW64\Hglaej32.exe Hpbiip32.exe File created C:\Windows\SysWOW64\Kbglnn32.dll Inainbcn.exe File created C:\Windows\SysWOW64\Jfkohq32.dll Icnklbmj.exe File opened for modification C:\Windows\SysWOW64\Podmkm32.exe Pleaoa32.exe File created C:\Windows\SysWOW64\Hjpcoo32.dll Hkeaqi32.exe File created C:\Windows\SysWOW64\Ljclki32.exe Lgepom32.exe File opened for modification C:\Windows\SysWOW64\Bcelmhen.exe Bqfoamfj.exe File created C:\Windows\SysWOW64\Mgehfkop.exe Megljppl.exe File created C:\Windows\SysWOW64\Gncchb32.exe Gmafajfi.exe File opened for modification C:\Windows\SysWOW64\Eciplm32.exe Emphocjj.exe File opened for modification C:\Windows\SysWOW64\Cdpjlb32.exe Cnfaohbj.exe File created C:\Windows\SysWOW64\Aqmiic32.dll Iepaaico.exe File opened for modification C:\Windows\SysWOW64\Dannij32.exe Diffglam.exe File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Bogkmgba.exe File created C:\Windows\SysWOW64\Nihipdhl.exe Nbnpcj32.exe File created C:\Windows\SysWOW64\Hildmn32.exe Hgmgqc32.exe File created C:\Windows\SysWOW64\Cfogeb32.exe Cglgjeci.exe File created C:\Windows\SysWOW64\Efdjgo32.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Hpbiip32.exe Hncmmd32.exe File created C:\Windows\SysWOW64\Kbpkkn32.exe Kkfcndce.exe File created C:\Windows\SysWOW64\Ilnpcnol.dll Knfeeimj.exe File created C:\Windows\SysWOW64\Ddbogpnj.dll Jiaglp32.exe File created C:\Windows\SysWOW64\Bjfjgifo.dll Lnpofnhk.exe File created C:\Windows\SysWOW64\Gkbofaoj.dll Eiaoid32.exe File created C:\Windows\SysWOW64\Kqfngd32.exe Knhakh32.exe File created C:\Windows\SysWOW64\Lbinam32.exe Lkofdbkj.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pldcjeia.exe File opened for modification C:\Windows\SysWOW64\Cnfaohbj.exe Cocacl32.exe File created C:\Windows\SysWOW64\Okddnh32.dll Qaqegecm.exe File created C:\Windows\SysWOW64\Fmbgla32.dll Amjbbfgo.exe File created C:\Windows\SysWOW64\Inmgmijo.exe Igcoqocb.exe File created C:\Windows\SysWOW64\Hnfjbdmk.exe Hjjnae32.exe File opened for modification C:\Windows\SysWOW64\Nihipdhl.exe Nbnpcj32.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Gehbjm32.exe File opened for modification C:\Windows\SysWOW64\Afjeceml.exe Ackigjmh.exe File created C:\Windows\SysWOW64\Ncchae32.exe Nnfpinmi.exe File created C:\Windows\SysWOW64\Oklmii32.dll Klkcdj32.exe File created C:\Windows\SysWOW64\Lhijijbg.exe Lfhnaa32.exe File created C:\Windows\SysWOW64\Ncdpoaed.dll Oboijgbl.exe File opened for modification C:\Windows\SysWOW64\Klahfp32.exe Kjblje32.exe File created C:\Windows\SysWOW64\Gbfldf32.exe Gphphj32.exe File created C:\Windows\SysWOW64\Mobnnd32.dll Lnjnqh32.exe File opened for modification C:\Windows\SysWOW64\Kgnbdh32.exe Kofkbk32.exe File created C:\Windows\SysWOW64\Aflaie32.exe Agiamhdo.exe File created C:\Windows\SysWOW64\Epokedmj.exe Empoiimf.exe File created C:\Windows\SysWOW64\Ecjddk32.dll Filiii32.exe File created C:\Windows\SysWOW64\Neccpd32.exe Nbefdijg.exe File created C:\Windows\SysWOW64\Kimghn32.exe Kbbokdlk.exe File created C:\Windows\SysWOW64\Aolblopj.exe Alnfpcag.exe File opened for modification C:\Windows\SysWOW64\Oebflhaf.exe Ocdjpmac.exe File created C:\Windows\SysWOW64\Digehphc.exe Dbnmke32.exe File created C:\Windows\SysWOW64\Hefnkkkj.exe Hbhboolf.exe File opened for modification C:\Windows\SysWOW64\Jpcapp32.exe Jlgepanl.exe File created C:\Windows\SysWOW64\Hiebgmkm.dll Qfmmplad.exe File opened for modification C:\Windows\SysWOW64\Adhdjpjf.exe Aokkahlo.exe File created C:\Windows\SysWOW64\Ehhpla32.exe Epagkd32.exe File created C:\Windows\SysWOW64\Ffobhg32.exe Fdqfll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7048 6252 Process not Found 1138 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iickkbje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbiejoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfhfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emnbdioi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjlic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjbmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkqjmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmklglpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnqfcbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kegpifod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfnoqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgmeigd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfqgab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afinioip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioopml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlpfgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcmpodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnbog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpojead.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daediilg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahchda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emphocjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakbehfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngomin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjdqmng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekpkigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qachgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlpqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffobhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjajeqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikndgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflohaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjoja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjomap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmoen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmpcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackbmcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfagf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkipkani.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhngl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlmbfqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhnpc32.dll" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epjajeqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plpqil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdpiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgbiiion.dll" Dclkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinbbnpa.dll" Iqbbpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofmdio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfjjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logooemi.dll" Kdinljnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Innfnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okogahgo.dll" Acgolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnbklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekhop32.dll" Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Podmkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmklglpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nafjjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memicmfo.dll" Bfjnjcni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll" Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijqqd32.dll" Hoobdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcehifmk.dll" Jbiejoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonege32.dll" Ngomin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lknojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnifpf32.dll" Mgphpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fonnop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdaociml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbdjeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgkiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimapcmi.dll" Pibdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjjnae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nboahd32.dll" Lfjjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lihfcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effkpc32.dll" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjgpfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpofmcef.dll" Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekodjiol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djcoai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimkic32.dll" Nfjola32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbnepe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qqffjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eipinkib.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3560 wrote to memory of 1152 3560 8a22e0de4501240c6de1e2783bdf33d0N.exe 83 PID 3560 wrote to memory of 1152 3560 8a22e0de4501240c6de1e2783bdf33d0N.exe 83 PID 3560 wrote to memory of 1152 3560 8a22e0de4501240c6de1e2783bdf33d0N.exe 83 PID 1152 wrote to memory of 940 1152 Fojedapj.exe 84 PID 1152 wrote to memory of 940 1152 Fojedapj.exe 84 PID 1152 wrote to memory of 940 1152 Fojedapj.exe 84 PID 940 wrote to memory of 2740 940 Fahaplon.exe 85 PID 940 wrote to memory of 2740 940 Fahaplon.exe 85 PID 940 wrote to memory of 2740 940 Fahaplon.exe 85 PID 2740 wrote to memory of 1968 2740 Fkqeib32.exe 86 PID 2740 wrote to memory of 1968 2740 Fkqeib32.exe 86 PID 2740 wrote to memory of 1968 2740 Fkqeib32.exe 86 PID 1968 wrote to memory of 3236 1968 Fefjfked.exe 88 PID 1968 wrote to memory of 3236 1968 Fefjfked.exe 88 PID 1968 wrote to memory of 3236 1968 Fefjfked.exe 88 PID 3236 wrote to memory of 2764 3236 Fonnop32.exe 89 PID 3236 wrote to memory of 2764 3236 Fonnop32.exe 89 PID 3236 wrote to memory of 2764 3236 Fonnop32.exe 89 PID 2764 wrote to memory of 1324 2764 Fdkggg32.exe 91 PID 2764 wrote to memory of 1324 2764 Fdkggg32.exe 91 PID 2764 wrote to memory of 1324 2764 Fdkggg32.exe 91 PID 1324 wrote to memory of 4380 1324 Fkeodaai.exe 92 PID 1324 wrote to memory of 4380 1324 Fkeodaai.exe 92 PID 1324 wrote to memory of 4380 1324 Fkeodaai.exe 92 PID 4380 wrote to memory of 1884 4380 Gaogak32.exe 94 PID 4380 wrote to memory of 1884 4380 Gaogak32.exe 94 PID 4380 wrote to memory of 1884 4380 Gaogak32.exe 94 PID 1884 wrote to memory of 4592 1884 Gglpibgm.exe 95 PID 1884 wrote to memory of 4592 1884 Gglpibgm.exe 95 PID 1884 wrote to memory of 4592 1884 Gglpibgm.exe 95 PID 4592 wrote to memory of 232 4592 Gochjpho.exe 96 PID 4592 wrote to memory of 232 4592 Gochjpho.exe 96 PID 4592 wrote to memory of 232 4592 Gochjpho.exe 96 PID 232 wrote to memory of 4436 232 Gnfhfl32.exe 97 PID 232 wrote to memory of 4436 232 Gnfhfl32.exe 97 PID 232 wrote to memory of 4436 232 Gnfhfl32.exe 97 PID 4436 wrote to memory of 4204 4436 Ggnlobej.exe 98 PID 4436 wrote to memory of 4204 4436 Ggnlobej.exe 98 PID 4436 wrote to memory of 4204 4436 Ggnlobej.exe 98 PID 4204 wrote to memory of 5004 4204 Gnhdkl32.exe 99 PID 4204 wrote to memory of 5004 4204 Gnhdkl32.exe 99 PID 4204 wrote to memory of 5004 4204 Gnhdkl32.exe 99 PID 5004 wrote to memory of 1444 5004 Ghniielm.exe 100 PID 5004 wrote to memory of 1444 5004 Ghniielm.exe 100 PID 5004 wrote to memory of 1444 5004 Ghniielm.exe 100 PID 1444 wrote to memory of 3376 1444 Gkleeplq.exe 101 PID 1444 wrote to memory of 3376 1444 Gkleeplq.exe 101 PID 1444 wrote to memory of 3376 1444 Gkleeplq.exe 101 PID 3376 wrote to memory of 3188 3376 Gddinf32.exe 102 PID 3376 wrote to memory of 3188 3376 Gddinf32.exe 102 PID 3376 wrote to memory of 3188 3376 Gddinf32.exe 102 PID 3188 wrote to memory of 4068 3188 Gojnko32.exe 103 PID 3188 wrote to memory of 4068 3188 Gojnko32.exe 103 PID 3188 wrote to memory of 4068 3188 Gojnko32.exe 103 PID 4068 wrote to memory of 5064 4068 Gfdfgiid.exe 104 PID 4068 wrote to memory of 5064 4068 Gfdfgiid.exe 104 PID 4068 wrote to memory of 5064 4068 Gfdfgiid.exe 104 PID 5064 wrote to memory of 3520 5064 Gkaopp32.exe 105 PID 5064 wrote to memory of 3520 5064 Gkaopp32.exe 105 PID 5064 wrote to memory of 3520 5064 Gkaopp32.exe 105 PID 3520 wrote to memory of 4156 3520 Hffcmh32.exe 106 PID 3520 wrote to memory of 4156 3520 Hffcmh32.exe 106 PID 3520 wrote to memory of 4156 3520 Hffcmh32.exe 106 PID 4156 wrote to memory of 2724 4156 Hghoeqmp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a22e0de4501240c6de1e2783bdf33d0N.exe"C:\Users\Admin\AppData\Local\Temp\8a22e0de4501240c6de1e2783bdf33d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe23⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe24⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe25⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe26⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe27⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3216 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe29⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe30⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe31⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe32⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3712 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe34⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe35⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3168 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe37⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe38⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe39⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe40⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe41⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3828 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe43⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe44⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe45⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe46⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe47⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe48⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:996 -
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe50⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe51⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe52⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3132 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe54⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe55⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe56⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe58⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe59⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe60⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe61⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe62⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe63⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe64⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe65⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe66⤵PID:1376
-
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe67⤵PID:4632
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe68⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe69⤵PID:1008
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe70⤵PID:4336
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe71⤵PID:1048
-
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe72⤵PID:3952
-
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe73⤵PID:2244
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe74⤵PID:316
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe75⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe76⤵PID:3808
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4136 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe78⤵PID:3036
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe80⤵PID:3768
-
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe81⤵PID:4968
-
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe82⤵PID:3248
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe83⤵PID:3824
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe84⤵PID:3872
-
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe85⤵
- Modifies registry class
PID:744 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe86⤵PID:4360
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe87⤵PID:4480
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe88⤵
- Drops file in System32 directory
PID:4680 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe90⤵PID:4084
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe91⤵
- Modifies registry class
PID:4980 -
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe92⤵
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe93⤵PID:2600
-
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe94⤵PID:1900
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe95⤵PID:3200
-
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe96⤵PID:944
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe97⤵PID:1296
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe98⤵PID:4140
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe99⤵PID:2128
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe100⤵PID:4244
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe101⤵PID:5148
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe102⤵PID:5192
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe103⤵
- Drops file in System32 directory
PID:5236 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe104⤵PID:5280
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe106⤵PID:5384
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe107⤵PID:5424
-
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe108⤵PID:5500
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe109⤵PID:5556
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe110⤵PID:5612
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe111⤵PID:5656
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe112⤵PID:5704
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe113⤵
- System Location Discovery: System Language Discovery
PID:5748 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe114⤵PID:5816
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe115⤵PID:5892
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5948 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe117⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe118⤵PID:6040
-
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe119⤵PID:6080
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe120⤵PID:6140
-
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe121⤵PID:5188
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-