Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2024, 19:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe
-
Size
64KB
-
MD5
6d0f2e73664d5d390ca2f47e1baf8e28
-
SHA1
e3d4f2155ab281b0b342bab3ef2390677dc41075
-
SHA256
3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf
-
SHA512
82d9cfaa55adc2364a9fa19752cd538f6c831a1fd6ef478c2784f11be9feeb8a6ad394545c55472de3b06e417f7ff07633e3a14df11f4bf69b5f004ff9267505
-
SSDEEP
1536:wgSAcFbt0yHmH5Fn3kn9F62zJA2/jU46UXruCHcpzt/Idn:e7btHHmH5FnU9l7jUFpFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncbha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqofdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odifjipd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihcln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagngjmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahgnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgehobe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abemep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keekjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodqlq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffjnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ancjef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjeibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhhenhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpknplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjlgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhnkppbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikejbjip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjbjjdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pokanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdllffpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimlgnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmiljn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmbgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eacaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmnpfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfgloiqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljjpnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofheeoq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eekjep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmebpbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmpddfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkinmlnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Janpnfee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlicflic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jikjmbmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmghdpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpmfpid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgncff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdokmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkpijfgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioppho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdjpcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkehdnee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcljk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppdbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgkjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cinpdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmkkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pokanf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhffijdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chddpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiqomj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mikepg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfefdpfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eebgqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmbmdeoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moeoje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agaoca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkgen32.exe -
Executes dropped EXE 64 IoCs
pid Process 1720 Infhebbh.exe 1756 Iholohii.exe 3424 Inidkb32.exe 2800 Icfmci32.exe 3672 Inkaqb32.exe 1364 Ieeimlep.exe 4760 Iloajfml.exe 2904 Jaljbmkd.exe 1072 Jlanpfkj.exe 3900 Jnpjlajn.exe 2888 Jejbhk32.exe 1180 Jjgkab32.exe 4600 Jaqcnl32.exe 1584 Jhkljfok.exe 2156 Jjihfbno.exe 3224 Jbppgona.exe 2804 Jacpcl32.exe 4768 Jddiegbm.exe 1744 Koimbpbc.exe 3996 Kbeibo32.exe 2316 Khabke32.exe 2936 Koljgppp.exe 4840 Klpjad32.exe 5000 Kalcik32.exe 4920 Kdkoef32.exe 2064 Kkegbpca.exe 228 Kblpcndd.exe 1300 Kaaldjil.exe 4872 Lkiamp32.exe 3528 Llimgb32.exe 3660 Lojfin32.exe 1172 Lkqgno32.exe 4180 Lajokiaa.exe 3964 Lkcccn32.exe 416 Moalil32.exe 4988 Maoifh32.exe 1168 Mociol32.exe 3472 Mlgjhp32.exe 224 Mkjjdmaj.exe 2384 Madbagif.exe 3544 Mklfjm32.exe 2228 Mafofggd.exe 3264 Medglemj.exe 5008 Nheqnpjk.exe 1864 Nhgmcp32.exe 4672 Nhjjip32.exe 688 Nbbnbemf.exe 2700 Nbdkhe32.exe 1768 Okmpqjad.exe 1220 Ofbdncaj.exe 1088 Ollljmhg.exe 1964 Okolfj32.exe 1828 Ofdqcc32.exe 452 Ohcmpn32.exe 4612 Okailj32.exe 4256 Obkahddl.exe 1288 Odjmdocp.exe 2728 Oheienli.exe 5020 Omaeem32.exe 4376 Oooaah32.exe 5100 Ocknbglo.exe 2340 Ofijnbkb.exe 3864 Odljjo32.exe 4604 Omcbkl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Obmbfpea.dll Ioafchai.exe File opened for modification C:\Windows\SysWOW64\Iqpclh32.exe Inagpm32.exe File opened for modification C:\Windows\SysWOW64\Lechkaga.exe Ljncnhhk.exe File created C:\Windows\SysWOW64\Qpioeell.dll Qkakhakq.exe File created C:\Windows\SysWOW64\Aojmda32.dll Eebgqe32.exe File created C:\Windows\SysWOW64\Lmhhbnla.dll Beobcdoi.exe File created C:\Windows\SysWOW64\Kjnihnmd.exe Kbgafqla.exe File opened for modification C:\Windows\SysWOW64\Lkqgno32.exe Lojfin32.exe File opened for modification C:\Windows\SysWOW64\Ddekmo32.exe Dlncla32.exe File opened for modification C:\Windows\SysWOW64\Dcmedk32.exe Dmplkd32.exe File created C:\Windows\SysWOW64\Ljcihc32.dll Gjhonp32.exe File created C:\Windows\SysWOW64\Jmdjha32.exe Jfjakgpa.exe File created C:\Windows\SysWOW64\Ghcbohpp.exe Ggafgo32.exe File opened for modification C:\Windows\SysWOW64\Qpmmfbfl.exe Qnopjfgi.exe File opened for modification C:\Windows\SysWOW64\Kokbpe32.exe Kkofofbb.exe File opened for modification C:\Windows\SysWOW64\Dmplkd32.exe Deidjf32.exe File created C:\Windows\SysWOW64\Fnammclg.dll Ijhhenhf.exe File created C:\Windows\SysWOW64\Eehidffj.dll Chddpn32.exe File created C:\Windows\SysWOW64\Fmdbil32.dll Mihikgod.exe File opened for modification C:\Windows\SysWOW64\Cibkohef.exe Cbhbbn32.exe File opened for modification C:\Windows\SysWOW64\Anfmeldl.exe Akhaipei.exe File created C:\Windows\SysWOW64\Giplpe32.dll Fikihlmj.exe File opened for modification C:\Windows\SysWOW64\Kgngqico.exe Kpgoolbl.exe File created C:\Windows\SysWOW64\Edmleg32.dll Ppdjpcng.exe File opened for modification C:\Windows\SysWOW64\Koimbpbc.exe Jddiegbm.exe File created C:\Windows\SysWOW64\Nheqnpjk.exe Medglemj.exe File created C:\Windows\SysWOW64\Ogpfko32.exe Opfnne32.exe File opened for modification C:\Windows\SysWOW64\Gjdknjep.exe Geipnl32.exe File created C:\Windows\SysWOW64\Bhgjcmfi.exe Bbmbgb32.exe File opened for modification C:\Windows\SysWOW64\Ikejbjip.exe Iameid32.exe File created C:\Windows\SysWOW64\Nbdkhe32.exe Nbbnbemf.exe File opened for modification C:\Windows\SysWOW64\Okolfj32.exe Ollljmhg.exe File created C:\Windows\SysWOW64\Okkjkh32.dll Fcpkph32.exe File created C:\Windows\SysWOW64\Jjdiadlg.dll Lfmghdpl.exe File created C:\Windows\SysWOW64\Olanmmjm.dll Mhjpceko.exe File opened for modification C:\Windows\SysWOW64\Iofpnhmc.exe Ijigfaol.exe File created C:\Windows\SysWOW64\Agobna32.exe Afnefieo.exe File opened for modification C:\Windows\SysWOW64\Qhddgofo.exe Qpmmfbfl.exe File created C:\Windows\SysWOW64\Jojgkahb.dll Glkkop32.exe File created C:\Windows\SysWOW64\Nqbpidem.dll Dedkogqm.exe File created C:\Windows\SysWOW64\Fncbha32.exe Fjgfgbek.exe File created C:\Windows\SysWOW64\Okcncdkp.dll Onhhmpoo.exe File opened for modification C:\Windows\SysWOW64\Onhhmpoo.exe Nkjlqd32.exe File opened for modification C:\Windows\SysWOW64\Ohbfeh32.exe Onmahojj.exe File opened for modification C:\Windows\SysWOW64\Jcihjl32.exe Jicdlc32.exe File created C:\Windows\SysWOW64\Faamghko.exe Fhiinbdo.exe File created C:\Windows\SysWOW64\Kdogqi32.dll Aidomjaf.exe File opened for modification C:\Windows\SysWOW64\Emioab32.exe Eebgqe32.exe File created C:\Windows\SysWOW64\Iglhob32.exe Iqbpahpc.exe File created C:\Windows\SysWOW64\Cleqfb32.exe Cekhihig.exe File opened for modification C:\Windows\SysWOW64\Iqfcbahb.exe Ignnjk32.exe File opened for modification C:\Windows\SysWOW64\Odhppclh.exe Onngci32.exe File created C:\Windows\SysWOW64\Phkaqqoi.exe Ppdjpcng.exe File created C:\Windows\SysWOW64\Ejnbdp32.exe Eimelg32.exe File created C:\Windows\SysWOW64\Jcokoo32.dll Okolfj32.exe File opened for modification C:\Windows\SysWOW64\Kfdklllb.exe Khakqo32.exe File created C:\Windows\SysWOW64\Nojgmmgl.dll Oahgnh32.exe File opened for modification C:\Windows\SysWOW64\Mdkabmjf.exe Lmqiec32.exe File opened for modification C:\Windows\SysWOW64\Ehifak32.exe Eekjep32.exe File created C:\Windows\SysWOW64\Mmdcde32.dll Elaobdmm.exe File created C:\Windows\SysWOW64\Abejiq32.dll Kbbhka32.exe File opened for modification C:\Windows\SysWOW64\Iglhob32.exe Iqbpahpc.exe File created C:\Windows\SysWOW64\Nhafcd32.exe Nagngjmj.exe File created C:\Windows\SysWOW64\Mejfbf32.dll Nonbqd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4504 1336 WerFault.exe 831 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgjko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iofpnhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgnka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqdfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhppik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkpijfgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdbmoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfeoijbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akenij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmbqdfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimach32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmamba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcdaehf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlnlak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkabmjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiqkmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Googaaej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdjpcng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkiapn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmiljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdklebje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhiinbdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflidl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icefib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfniikha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giddddad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfddl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimhmkgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beaohcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mociol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lechkaga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moiheebb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kifjip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miklkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnamofdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifnkeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbpahpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhefhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nieoal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiaepfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqpclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoioabf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oojalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjafoapj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhgjcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nleaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcncodki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehifak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljmmcbdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhddgofo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckafkfkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmonbbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjeibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaljbmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoijonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldckan32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnknim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaoemei.dll" Liifnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phpklp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feofmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Janpnfee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhmcck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moglpedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjggede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kppbejka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhjpceko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjqgfmbl.dll" Nkpbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonnnh32.dll" Hcofbifb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhkljfok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmifkgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfniikha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjebiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohmmncd.dll" Npnqcpmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fikihlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eacaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoadhp32.dll" Flmonbbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eegqldqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfqehop.dll" Japmcfcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbqonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imobclfe.dll" Kjnihnmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioppho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mphamg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkehdnee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhgmcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pokanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgoiid32.dll" Homcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll" Mkjjdmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgkbak32.dll" Becknc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbmfghh.dll" Minipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okleqm32.dll" Eelpqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hikkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hedhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfolf32.dll" Lbcabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpllbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljkghi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggdbmoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phiekaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maoifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecanojgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndpaojf.dll" Cblebgfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpelqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opfnne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaejhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gogjflhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpkkgbmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cblebgfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihjafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaihonhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphmafm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihhkm32.dll" Nehjmnei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clffalkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfabok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll" Ohcmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll" Cibkohef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgoigcip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiaggc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Capkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pocdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igadaq32.dll" Agaoca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldbbjof.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3232 wrote to memory of 1720 3232 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 89 PID 3232 wrote to memory of 1720 3232 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 89 PID 3232 wrote to memory of 1720 3232 3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe 89 PID 1720 wrote to memory of 1756 1720 Infhebbh.exe 90 PID 1720 wrote to memory of 1756 1720 Infhebbh.exe 90 PID 1720 wrote to memory of 1756 1720 Infhebbh.exe 90 PID 1756 wrote to memory of 3424 1756 Iholohii.exe 91 PID 1756 wrote to memory of 3424 1756 Iholohii.exe 91 PID 1756 wrote to memory of 3424 1756 Iholohii.exe 91 PID 3424 wrote to memory of 2800 3424 Inidkb32.exe 92 PID 3424 wrote to memory of 2800 3424 Inidkb32.exe 92 PID 3424 wrote to memory of 2800 3424 Inidkb32.exe 92 PID 2800 wrote to memory of 3672 2800 Icfmci32.exe 93 PID 2800 wrote to memory of 3672 2800 Icfmci32.exe 93 PID 2800 wrote to memory of 3672 2800 Icfmci32.exe 93 PID 3672 wrote to memory of 1364 3672 Inkaqb32.exe 94 PID 3672 wrote to memory of 1364 3672 Inkaqb32.exe 94 PID 3672 wrote to memory of 1364 3672 Inkaqb32.exe 94 PID 1364 wrote to memory of 4760 1364 Ieeimlep.exe 95 PID 1364 wrote to memory of 4760 1364 Ieeimlep.exe 95 PID 1364 wrote to memory of 4760 1364 Ieeimlep.exe 95 PID 4760 wrote to memory of 2904 4760 Iloajfml.exe 96 PID 4760 wrote to memory of 2904 4760 Iloajfml.exe 96 PID 4760 wrote to memory of 2904 4760 Iloajfml.exe 96 PID 2904 wrote to memory of 1072 2904 Jaljbmkd.exe 97 PID 2904 wrote to memory of 1072 2904 Jaljbmkd.exe 97 PID 2904 wrote to memory of 1072 2904 Jaljbmkd.exe 97 PID 1072 wrote to memory of 3900 1072 Jlanpfkj.exe 98 PID 1072 wrote to memory of 3900 1072 Jlanpfkj.exe 98 PID 1072 wrote to memory of 3900 1072 Jlanpfkj.exe 98 PID 3900 wrote to memory of 2888 3900 Jnpjlajn.exe 99 PID 3900 wrote to memory of 2888 3900 Jnpjlajn.exe 99 PID 3900 wrote to memory of 2888 3900 Jnpjlajn.exe 99 PID 2888 wrote to memory of 1180 2888 Jejbhk32.exe 100 PID 2888 wrote to memory of 1180 2888 Jejbhk32.exe 100 PID 2888 wrote to memory of 1180 2888 Jejbhk32.exe 100 PID 1180 wrote to memory of 4600 1180 Jjgkab32.exe 101 PID 1180 wrote to memory of 4600 1180 Jjgkab32.exe 101 PID 1180 wrote to memory of 4600 1180 Jjgkab32.exe 101 PID 4600 wrote to memory of 1584 4600 Jaqcnl32.exe 102 PID 4600 wrote to memory of 1584 4600 Jaqcnl32.exe 102 PID 4600 wrote to memory of 1584 4600 Jaqcnl32.exe 102 PID 1584 wrote to memory of 2156 1584 Jhkljfok.exe 103 PID 1584 wrote to memory of 2156 1584 Jhkljfok.exe 103 PID 1584 wrote to memory of 2156 1584 Jhkljfok.exe 103 PID 2156 wrote to memory of 3224 2156 Jjihfbno.exe 104 PID 2156 wrote to memory of 3224 2156 Jjihfbno.exe 104 PID 2156 wrote to memory of 3224 2156 Jjihfbno.exe 104 PID 3224 wrote to memory of 2804 3224 Jbppgona.exe 105 PID 3224 wrote to memory of 2804 3224 Jbppgona.exe 105 PID 3224 wrote to memory of 2804 3224 Jbppgona.exe 105 PID 2804 wrote to memory of 4768 2804 Jacpcl32.exe 106 PID 2804 wrote to memory of 4768 2804 Jacpcl32.exe 106 PID 2804 wrote to memory of 4768 2804 Jacpcl32.exe 106 PID 4768 wrote to memory of 1744 4768 Jddiegbm.exe 107 PID 4768 wrote to memory of 1744 4768 Jddiegbm.exe 107 PID 4768 wrote to memory of 1744 4768 Jddiegbm.exe 107 PID 1744 wrote to memory of 3996 1744 Koimbpbc.exe 108 PID 1744 wrote to memory of 3996 1744 Koimbpbc.exe 108 PID 1744 wrote to memory of 3996 1744 Koimbpbc.exe 108 PID 3996 wrote to memory of 2316 3996 Kbeibo32.exe 109 PID 3996 wrote to memory of 2316 3996 Kbeibo32.exe 109 PID 3996 wrote to memory of 2316 3996 Kbeibo32.exe 109 PID 2316 wrote to memory of 2936 2316 Khabke32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe"C:\Users\Admin\AppData\Local\Temp\3dc09ca4633a193b2cf059506e106bdbeadc6620c386867b3df916d5cbd8ebbf.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Iholohii.exeC:\Windows\system32\Iholohii.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Inidkb32.exeC:\Windows\system32\Inidkb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Icfmci32.exeC:\Windows\system32\Icfmci32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Iloajfml.exeC:\Windows\system32\Iloajfml.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Jaljbmkd.exeC:\Windows\system32\Jaljbmkd.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Jnpjlajn.exeC:\Windows\system32\Jnpjlajn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Jjgkab32.exeC:\Windows\system32\Jjgkab32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Jaqcnl32.exeC:\Windows\system32\Jaqcnl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Jhkljfok.exeC:\Windows\system32\Jhkljfok.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Jbppgona.exeC:\Windows\system32\Jbppgona.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Jacpcl32.exeC:\Windows\system32\Jacpcl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Jddiegbm.exeC:\Windows\system32\Jddiegbm.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Kbeibo32.exeC:\Windows\system32\Kbeibo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe23⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe24⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe25⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe26⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Kkegbpca.exeC:\Windows\system32\Kkegbpca.exe27⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Kblpcndd.exeC:\Windows\system32\Kblpcndd.exe28⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe29⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe30⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe31⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Lojfin32.exeC:\Windows\system32\Lojfin32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Lkqgno32.exeC:\Windows\system32\Lkqgno32.exe33⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe34⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Lkcccn32.exeC:\Windows\system32\Lkcccn32.exe35⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Moalil32.exeC:\Windows\system32\Moalil32.exe36⤵
- Executes dropped EXE
PID:416 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4988 -
C:\Windows\SysWOW64\Mociol32.exeC:\Windows\system32\Mociol32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe39⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Mkjjdmaj.exeC:\Windows\system32\Mkjjdmaj.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:224 -
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe41⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe42⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe43⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Medglemj.exeC:\Windows\system32\Medglemj.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe45⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Nhgmcp32.exeC:\Windows\system32\Nhgmcp32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Nhjjip32.exeC:\Windows\system32\Nhjjip32.exe47⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe49⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Okmpqjad.exeC:\Windows\system32\Okmpqjad.exe50⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ofbdncaj.exeC:\Windows\system32\Ofbdncaj.exe51⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Ollljmhg.exeC:\Windows\system32\Ollljmhg.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe54⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Okailj32.exeC:\Windows\system32\Okailj32.exe56⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe57⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe58⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe59⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe60⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Oooaah32.exeC:\Windows\system32\Oooaah32.exe61⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Ocknbglo.exeC:\Windows\system32\Ocknbglo.exe62⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe63⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe64⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe65⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe66⤵PID:3300
-
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe67⤵PID:4680
-
C:\Windows\SysWOW64\Pbbgicnd.exeC:\Windows\system32\Pbbgicnd.exe68⤵PID:4848
-
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe69⤵PID:4316
-
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe70⤵PID:4864
-
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe71⤵PID:636
-
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4480 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe73⤵PID:1932
-
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe74⤵PID:5160
-
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe75⤵PID:5204
-
C:\Windows\SysWOW64\Qkdohg32.exeC:\Windows\system32\Qkdohg32.exe76⤵PID:5248
-
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe77⤵PID:5292
-
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe78⤵
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe79⤵PID:5380
-
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe80⤵PID:5424
-
C:\Windows\SysWOW64\Abcppq32.exeC:\Windows\system32\Abcppq32.exe81⤵PID:5468
-
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe82⤵
- System Location Discovery: System Language Discovery
PID:5512 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe83⤵PID:5556
-
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5600 -
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe85⤵PID:5644
-
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe86⤵PID:5688
-
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe87⤵PID:5732
-
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe88⤵PID:5776
-
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe89⤵PID:5820
-
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe90⤵
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe91⤵PID:5908
-
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe92⤵PID:5952
-
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe93⤵PID:5996
-
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe94⤵PID:6040
-
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe95⤵PID:6084
-
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe96⤵PID:6128
-
C:\Windows\SysWOW64\Bpbpecen.exeC:\Windows\system32\Bpbpecen.exe97⤵PID:5176
-
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe98⤵PID:5240
-
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe99⤵PID:5304
-
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe100⤵PID:5376
-
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe101⤵PID:5456
-
C:\Windows\SysWOW64\Bimach32.exeC:\Windows\system32\Bimach32.exe102⤵
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe103⤵PID:5584
-
C:\Windows\SysWOW64\Bipnihgi.exeC:\Windows\system32\Bipnihgi.exe104⤵PID:5656
-
C:\Windows\SysWOW64\Blnjecfl.exeC:\Windows\system32\Blnjecfl.exe105⤵PID:5724
-
C:\Windows\SysWOW64\Cbhbbn32.exeC:\Windows\system32\Cbhbbn32.exe106⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Cibkohef.exeC:\Windows\system32\Cibkohef.exe107⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Cplckbmc.exeC:\Windows\system32\Cplckbmc.exe108⤵PID:5936
-
C:\Windows\SysWOW64\Cffkhl32.exeC:\Windows\system32\Cffkhl32.exe109⤵PID:6004
-
C:\Windows\SysWOW64\Cmpcdfll.exeC:\Windows\system32\Cmpcdfll.exe110⤵PID:6076
-
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe111⤵PID:5132
-
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe112⤵
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe113⤵PID:5324
-
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe114⤵PID:5436
-
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe115⤵PID:5568
-
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe116⤵PID:5672
-
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe117⤵PID:5768
-
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe118⤵PID:5924
-
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe119⤵PID:6056
-
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe120⤵PID:5200
-
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe121⤵PID:5372
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-