Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2024 16:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017aeN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017aeN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017aeN.exe
-
Size
78KB
-
MD5
8000d2ab04d449b218c722f482b57e50
-
SHA1
a565b4a9195dcea40aada7cd4b6a2bfca2f47b20
-
SHA256
5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017ae
-
SHA512
c55a12a7480578f1f0b66994caef3b2a2da51c90f3edc1031c20e851e3de5aef9e171b259606141308678bc3a95e65803c7c2839e3661473b1505f351659412a
-
SSDEEP
1536:OCP1OpgvzW7HhVZlmbXNjwK9HUSqU7iVDN+zL20gJi1ie:bUSvEHh9mJjlGSqU7iVDgzL20WKt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeadd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffjcopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pleaoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbmcbime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inpccihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgadgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjcfabm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efkphnbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moaogand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhjkabi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoogfnnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phjenbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibnligoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknbil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbenmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadlbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmcfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maeachag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joiccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opogbbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqbbpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peieba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiaqcnpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edhjqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coknoaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfealaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfjcnold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plhnda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mefmimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2204 Fggfnc32.exe 624 Fkcboack.exe 4772 Fnaokmco.exe 384 Famjkl32.exe 2840 Fehfljca.exe 4516 Fhgbhfbe.exe 1036 Fgjccb32.exe 1236 Foqkdp32.exe 1696 Fnckpmql.exe 3068 Gekcaj32.exe 4524 Ghipne32.exe 2108 Gkglja32.exe 4032 Gnfhfl32.exe 3872 Gaadfkgc.exe 4964 Gdppbfff.exe 396 Ggnlobej.exe 2476 Goedpofl.exe 4060 Gadqlkep.exe 4556 Gdbmhf32.exe 1284 Ggqida32.exe 1380 Gafmaj32.exe 4936 Gfbibikg.exe 436 Ghpendjj.exe 1672 Gkobjpin.exe 3432 Gnmnfkia.exe 3420 Gfdfgiid.exe 1396 Ghbbcd32.exe 1960 Goljqnpd.exe 3172 Hakgmjoh.exe 3912 Hdicienl.exe 3936 Hghoeqmp.exe 3580 Hoogfnnb.exe 2940 Hbmcbime.exe 1772 Hfipbh32.exe 1688 Hhgloc32.exe 3400 Hgjljpkm.exe 224 Hkehkocf.exe 2972 Hnddgjbj.exe 2372 Hfklhhcl.exe 4428 Hhihdcbp.exe 940 Hglipp32.exe 696 Hocqam32.exe 2456 Hbbmmi32.exe 4488 Hhlejcpm.exe 512 Hkjafn32.exe 4968 Hninbj32.exe 4948 Hfpecg32.exe 1848 Hhnbpb32.exe 1548 Hgabkoee.exe 924 Hkmnln32.exe 1572 Inmgmijo.exe 4584 Ibicnh32.exe 4776 Idgojc32.exe 1580 Igfkfo32.exe 4812 Iomcgl32.exe 2280 Inpccihl.exe 4748 Ifgldfio.exe 4512 Idjlpc32.exe 4956 Ikcdlmgf.exe 2220 Ikcdlmgf.exe 1720 Ioopml32.exe 4156 Ibnligoc.exe 1744 Ifihif32.exe 2328 Ieliebnf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jgakbm32.exe Jecofa32.exe File created C:\Windows\SysWOW64\Bjfjka32.exe Bfjnjcni.exe File opened for modification C:\Windows\SysWOW64\Dfoiaj32.exe Dbcmakpl.exe File opened for modification C:\Windows\SysWOW64\Eppqqn32.exe Process not Found File created C:\Windows\SysWOW64\Hicpgc32.exe Process not Found File created C:\Windows\SysWOW64\Gfbibikg.exe Gafmaj32.exe File created C:\Windows\SysWOW64\Kkbdni32.dll Pcmlfl32.exe File created C:\Windows\SysWOW64\Eagaoh32.exe Emlenj32.exe File created C:\Windows\SysWOW64\Ophpeg32.dll Kjffdalb.exe File created C:\Windows\SysWOW64\Nmdgikhi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Akdilipp.exe Process not Found File created C:\Windows\SysWOW64\Eoonaj32.dll Ikfabm32.exe File created C:\Windows\SysWOW64\Lnaoodjg.dll Cpleig32.exe File created C:\Windows\SysWOW64\Kpbodmjl.dll Alnmjjdb.exe File created C:\Windows\SysWOW64\Bmjkic32.exe Process not Found File created C:\Windows\SysWOW64\Plgdqf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Efhcbodf.exe Ehfcfb32.exe File created C:\Windows\SysWOW64\Chembclp.dll Ffpicn32.exe File created C:\Windows\SysWOW64\Kolkod32.dll Process not Found File created C:\Windows\SysWOW64\Dpcpem32.dll Process not Found File created C:\Windows\SysWOW64\Gbdqegoi.dll Process not Found File created C:\Windows\SysWOW64\Cdjnam32.dll Afjeceml.exe File created C:\Windows\SysWOW64\Kednfemc.dll Fdamgb32.exe File created C:\Windows\SysWOW64\Cqnnno32.dll Kkfcndce.exe File created C:\Windows\SysWOW64\Qkjgegae.exe Qlggjk32.exe File created C:\Windows\SysWOW64\Lhnblp32.dll Process not Found File created C:\Windows\SysWOW64\Gbabigfj.exe Process not Found File created C:\Windows\SysWOW64\Gbfldf32.exe Process not Found File created C:\Windows\SysWOW64\Jdljmf32.dll Jeqbpb32.exe File opened for modification C:\Windows\SysWOW64\Aimkjp32.exe Ajjjocap.exe File opened for modification C:\Windows\SysWOW64\Gaopfe32.exe Gmcdffmq.exe File opened for modification C:\Windows\SysWOW64\Gljgbllj.exe Process not Found File created C:\Windows\SysWOW64\Fhgbhfbe.exe Fehfljca.exe File created C:\Windows\SysWOW64\Bilqdmae.dll Cibmlmeb.exe File created C:\Windows\SysWOW64\Ajggomog.exe Afkknogn.exe File created C:\Windows\SysWOW64\Odoogi32.exe Process not Found File created C:\Windows\SysWOW64\Dafppp32.exe Process not Found File created C:\Windows\SysWOW64\Mhppji32.exe Mimpolee.exe File created C:\Windows\SysWOW64\Ackigjmh.exe Aopmfk32.exe File created C:\Windows\SysWOW64\Gdbnag32.dll Emlenj32.exe File created C:\Windows\SysWOW64\Hkhiofap.dll Jklphekp.exe File opened for modification C:\Windows\SysWOW64\Lakfeodm.exe Process not Found File created C:\Windows\SysWOW64\Oipgkfab.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pnkibcle.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ohjlgefb.exe Oekpkigo.exe File opened for modification C:\Windows\SysWOW64\Ohlimd32.exe Oiihahme.exe File opened for modification C:\Windows\SysWOW64\Agdhbi32.exe Acilajpk.exe File created C:\Windows\SysWOW64\Dfokdq32.dll Hpmpnp32.exe File opened for modification C:\Windows\SysWOW64\Lmbhgd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mqkiok32.exe Process not Found File created C:\Windows\SysWOW64\Egcaod32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ejflhm32.exe Efkphnbd.exe File opened for modification C:\Windows\SysWOW64\Alcfei32.exe Ahgjejhd.exe File opened for modification C:\Windows\SysWOW64\Ohhnbhok.exe Process not Found File created C:\Windows\SysWOW64\Ogigdpmb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nmdgikhi.exe Process not Found File created C:\Windows\SysWOW64\Ghaeocdd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mpghkf32.exe Mhppji32.exe File opened for modification C:\Windows\SysWOW64\Lihpif32.exe Lelchgne.exe File created C:\Windows\SysWOW64\Jheldb32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bahkih32.exe Process not Found File created C:\Windows\SysWOW64\Nceefd32.exe Process not Found File created C:\Windows\SysWOW64\Mlcdqdie.dll Process not Found File created C:\Windows\SysWOW64\Fkdjqkoj.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 12828 12676 Process not Found 1960 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jejefqaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjgoaoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hammhcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agiamhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbdjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plagcbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akoqpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafonaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohghgodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgpogili.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkepaam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmglcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbadcpbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjahe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opemca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oboijgbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djklmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaindh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajndioga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppopjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pocfpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqffjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhhhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhjckcgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqmidndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kilpmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqbff32.dll" Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdplc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Likcilhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiejmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjlic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oimkbaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjjnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgejpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpcam32.dll" Bblnindg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclnnc32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeaodnk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimpolee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghakj32.dll" Pfillg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmklglpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqbgfn32.dll" Lidmhmnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnedlao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkkceedp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipcemb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iijaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kppici32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egacbb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglpdp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaplg32.dll" Pflibgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqcjepfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iamfph32.dll" Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiakk32.dll" Diffglam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambahc32.dll" Ckilmcgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqmlknnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fagjfflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkabjbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbbhnma.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4924 wrote to memory of 2204 4924 5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017aeN.exe 82 PID 4924 wrote to memory of 2204 4924 5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017aeN.exe 82 PID 4924 wrote to memory of 2204 4924 5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017aeN.exe 82 PID 2204 wrote to memory of 624 2204 Fggfnc32.exe 83 PID 2204 wrote to memory of 624 2204 Fggfnc32.exe 83 PID 2204 wrote to memory of 624 2204 Fggfnc32.exe 83 PID 624 wrote to memory of 4772 624 Fkcboack.exe 84 PID 624 wrote to memory of 4772 624 Fkcboack.exe 84 PID 624 wrote to memory of 4772 624 Fkcboack.exe 84 PID 4772 wrote to memory of 384 4772 Fnaokmco.exe 85 PID 4772 wrote to memory of 384 4772 Fnaokmco.exe 85 PID 4772 wrote to memory of 384 4772 Fnaokmco.exe 85 PID 384 wrote to memory of 2840 384 Famjkl32.exe 86 PID 384 wrote to memory of 2840 384 Famjkl32.exe 86 PID 384 wrote to memory of 2840 384 Famjkl32.exe 86 PID 2840 wrote to memory of 4516 2840 Fehfljca.exe 87 PID 2840 wrote to memory of 4516 2840 Fehfljca.exe 87 PID 2840 wrote to memory of 4516 2840 Fehfljca.exe 87 PID 4516 wrote to memory of 1036 4516 Fhgbhfbe.exe 88 PID 4516 wrote to memory of 1036 4516 Fhgbhfbe.exe 88 PID 4516 wrote to memory of 1036 4516 Fhgbhfbe.exe 88 PID 1036 wrote to memory of 1236 1036 Fgjccb32.exe 89 PID 1036 wrote to memory of 1236 1036 Fgjccb32.exe 89 PID 1036 wrote to memory of 1236 1036 Fgjccb32.exe 89 PID 1236 wrote to memory of 1696 1236 Foqkdp32.exe 90 PID 1236 wrote to memory of 1696 1236 Foqkdp32.exe 90 PID 1236 wrote to memory of 1696 1236 Foqkdp32.exe 90 PID 1696 wrote to memory of 3068 1696 Fnckpmql.exe 91 PID 1696 wrote to memory of 3068 1696 Fnckpmql.exe 91 PID 1696 wrote to memory of 3068 1696 Fnckpmql.exe 91 PID 3068 wrote to memory of 4524 3068 Gekcaj32.exe 92 PID 3068 wrote to memory of 4524 3068 Gekcaj32.exe 92 PID 3068 wrote to memory of 4524 3068 Gekcaj32.exe 92 PID 4524 wrote to memory of 2108 4524 Ghipne32.exe 93 PID 4524 wrote to memory of 2108 4524 Ghipne32.exe 93 PID 4524 wrote to memory of 2108 4524 Ghipne32.exe 93 PID 2108 wrote to memory of 4032 2108 Gkglja32.exe 94 PID 2108 wrote to memory of 4032 2108 Gkglja32.exe 94 PID 2108 wrote to memory of 4032 2108 Gkglja32.exe 94 PID 4032 wrote to memory of 3872 4032 Gnfhfl32.exe 95 PID 4032 wrote to memory of 3872 4032 Gnfhfl32.exe 95 PID 4032 wrote to memory of 3872 4032 Gnfhfl32.exe 95 PID 3872 wrote to memory of 4964 3872 Gaadfkgc.exe 96 PID 3872 wrote to memory of 4964 3872 Gaadfkgc.exe 96 PID 3872 wrote to memory of 4964 3872 Gaadfkgc.exe 96 PID 4964 wrote to memory of 396 4964 Gdppbfff.exe 97 PID 4964 wrote to memory of 396 4964 Gdppbfff.exe 97 PID 4964 wrote to memory of 396 4964 Gdppbfff.exe 97 PID 396 wrote to memory of 2476 396 Ggnlobej.exe 98 PID 396 wrote to memory of 2476 396 Ggnlobej.exe 98 PID 396 wrote to memory of 2476 396 Ggnlobej.exe 98 PID 2476 wrote to memory of 4060 2476 Goedpofl.exe 99 PID 2476 wrote to memory of 4060 2476 Goedpofl.exe 99 PID 2476 wrote to memory of 4060 2476 Goedpofl.exe 99 PID 4060 wrote to memory of 4556 4060 Gadqlkep.exe 100 PID 4060 wrote to memory of 4556 4060 Gadqlkep.exe 100 PID 4060 wrote to memory of 4556 4060 Gadqlkep.exe 100 PID 4556 wrote to memory of 1284 4556 Gdbmhf32.exe 101 PID 4556 wrote to memory of 1284 4556 Gdbmhf32.exe 101 PID 4556 wrote to memory of 1284 4556 Gdbmhf32.exe 101 PID 1284 wrote to memory of 1380 1284 Ggqida32.exe 102 PID 1284 wrote to memory of 1380 1284 Ggqida32.exe 102 PID 1284 wrote to memory of 1380 1284 Ggqida32.exe 102 PID 1380 wrote to memory of 4936 1380 Gafmaj32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017aeN.exe"C:\Users\Admin\AppData\Local\Temp\5766efb253dc718b9efa2384f82404ab6dbdcea748f6b3782fd8ae96af2017aeN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe23⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe24⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe25⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe26⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe27⤵
- Executes dropped EXE
PID:3420 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe28⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe29⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe30⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe31⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe32⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe35⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe36⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe37⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe38⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe39⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe40⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe41⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe42⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe43⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe44⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe45⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe46⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe47⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe48⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe49⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe50⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe51⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe52⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe53⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe54⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe55⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe56⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe58⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe59⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe60⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe61⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe62⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe64⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe65⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe66⤵PID:3952
-
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe67⤵
- Drops file in System32 directory
PID:3280 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe68⤵PID:1088
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe69⤵PID:3836
-
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe70⤵PID:4736
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe71⤵
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe72⤵PID:4716
-
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe73⤵PID:4548
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe74⤵PID:5024
-
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe75⤵PID:1364
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe76⤵
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe77⤵PID:4724
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe78⤵PID:532
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe79⤵PID:5092
-
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe80⤵PID:3368
-
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe81⤵PID:4248
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe82⤵
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe83⤵PID:4704
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe85⤵PID:4280
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe86⤵PID:4840
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe87⤵PID:1096
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe88⤵PID:828
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe89⤵PID:4996
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe90⤵PID:4708
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe91⤵PID:4680
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe92⤵PID:4848
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe93⤵PID:728
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe94⤵
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe95⤵PID:5052
-
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe96⤵PID:1376
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe97⤵
- Modifies registry class
PID:3856 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe98⤵PID:1836
-
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe99⤵PID:2140
-
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe100⤵PID:2828
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe101⤵PID:3064
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe102⤵PID:4380
-
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe103⤵PID:220
-
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe104⤵PID:4768
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe105⤵PID:3268
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe106⤵PID:1560
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe107⤵PID:4088
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe108⤵PID:1084
-
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe109⤵PID:4872
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe110⤵PID:4264
-
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe111⤵PID:4072
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe112⤵PID:3220
-
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe113⤵PID:620
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe114⤵PID:432
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe115⤵PID:4412
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe116⤵PID:972
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe117⤵PID:3932
-
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe118⤵PID:3852
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe119⤵PID:4148
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe120⤵PID:3184
-
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe121⤵PID:4304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-