Analysis
-
max time kernel
91s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/10/2024, 02:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51N.exe
-
Size
395KB
-
MD5
6e65cc7a813973e0d5d18137ac969fe0
-
SHA1
2759a569c9c0bba08454a6b6ad7f1782098d6eb0
-
SHA256
efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51
-
SHA512
0f6d3a1532166dcab51314b026daa6e80ab05885564d397bbca8bce45bedaa4c45fdd08f455d78eb443267dfa02dfb6223553f1d834708395256fadefb0fc5e0
-
SSDEEP
6144:yuSQs4y70u4HXs4yr0u490u4Ds4yvW8lM:M4O0dHc4i0d90dA4X
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlilh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnqpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogjdmbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnblnlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidinqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lndham32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doojec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganldgib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmimfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modgdicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooibkpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpjaeoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fligqhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljqhkckn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmjjoig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcihgaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkofdbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maeachag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnhajba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haoimcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbflg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkimho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbeejp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncnob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmladbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpoalo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdnjple.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqojclne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpolgoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkadoiip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqdcnl32.exe -
Executes dropped EXE 64 IoCs
pid Process 1484 Fggocmhf.exe 2416 Fdkpma32.exe 1332 Gigheh32.exe 1544 Ggkiol32.exe 1624 Gaamlecg.exe 4712 Ggnedlao.exe 3368 Gacjadad.exe 4900 Gklnjj32.exe 5112 Gnjjfegi.exe 1984 Ghpocngo.exe 2096 Gnlgleef.exe 4024 Hjchaf32.exe 3860 Hajpbckl.exe 3284 Hjedffig.exe 3912 Haoimcgg.exe 1584 Hkgnfhnh.exe 1504 Hdpbon32.exe 3168 Igedlh32.exe 3240 Idieem32.exe 2912 Ijfnmc32.exe 4940 Igjngh32.exe 2440 Ijhjcchb.exe 4776 Jkhgmf32.exe 4004 Jdpkflfe.exe 1312 Jkjcbe32.exe 3216 Jhndljll.exe 3040 Jjopcb32.exe 4908 Jhpqaiji.exe 2980 Jbiejoaj.exe 4512 Jkaicd32.exe 2408 Kdinljnk.exe 3124 Kbmoen32.exe 3592 Kgjgne32.exe 4280 Kkfcndce.exe 1564 Kenggi32.exe 2780 Kgmcce32.exe 4260 Kbbhqn32.exe 2148 Kilpmh32.exe 1740 Kbddfmgl.exe 2188 Kgamnded.exe 4460 Knkekn32.exe 3948 Lbgalmej.exe 4376 Lkofdbkj.exe 1944 Lnnbqnjn.exe 2444 Legjmh32.exe 3984 Ljdceo32.exe 4876 Lbkkgl32.exe 3944 Lieccf32.exe 2360 Lbngllob.exe 4916 Lihpif32.exe 2692 Lndham32.exe 3436 Lacdmh32.exe 1168 Ljkifn32.exe 3204 Maeachag.exe 4596 Mlkepaam.exe 1456 Mniallpq.exe 936 Mahnhhod.exe 4340 Mjpbam32.exe 2372 Mbgjbkfg.exe 2140 Meefofek.exe 2776 Mbighjdd.exe 1820 Micoed32.exe 1924 Mnphmkji.exe 3720 Mifljdjo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iliinc32.exe Iikmbh32.exe File created C:\Windows\SysWOW64\Jmbpjm32.dll Process not Found File created C:\Windows\SysWOW64\Fdmfqg32.dll Nkqkhk32.exe File created C:\Windows\SysWOW64\Pjbcplpe.exe Phcgcqab.exe File created C:\Windows\SysWOW64\Faagecfk.dll Process not Found File created C:\Windows\SysWOW64\Dcdepb32.dll Fdkpma32.exe File created C:\Windows\SysWOW64\Eleepoob.exe Embddb32.exe File opened for modification C:\Windows\SysWOW64\Kdkdgchl.exe Kmdlffhj.exe File opened for modification C:\Windows\SysWOW64\Pcjiff32.exe Phedhmhi.exe File created C:\Windows\SysWOW64\Hlegnjbm.exe Hkdjfb32.exe File created C:\Windows\SysWOW64\Pjmmpa32.dll Halhfe32.exe File created C:\Windows\SysWOW64\Gdgiklme.dll Hdjbiheb.exe File created C:\Windows\SysWOW64\Ondhkbee.dll Eoepebho.exe File opened for modification C:\Windows\SysWOW64\Ieeimlep.exe Process not Found File created C:\Windows\SysWOW64\Ohfaap32.dll Oidhlb32.exe File opened for modification C:\Windows\SysWOW64\Kpqggh32.exe Kekbjo32.exe File created C:\Windows\SysWOW64\Cildom32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cjliajmo.exe Cbeapmll.exe File opened for modification C:\Windows\SysWOW64\Dimenegi.exe Djjebh32.exe File opened for modification C:\Windows\SysWOW64\Hckeoeno.exe Hlambk32.exe File created C:\Windows\SysWOW64\Lncmdghm.dll Process not Found File created C:\Windows\SysWOW64\Lpghll32.dll Oakbehfe.exe File created C:\Windows\SysWOW64\Dfmioc32.dll Epndknin.exe File created C:\Windows\SysWOW64\Chgnfq32.dll Lebijnak.exe File created C:\Windows\SysWOW64\Fklcgk32.exe Process not Found File created C:\Windows\SysWOW64\Dhblne32.dll Blhpqhlh.exe File created C:\Windows\SysWOW64\Knknhqjn.dll Dfoiaj32.exe File created C:\Windows\SysWOW64\Miepkipc.dll Ijqmhnko.exe File opened for modification C:\Windows\SysWOW64\Doagjc32.exe Dkekjdck.exe File opened for modification C:\Windows\SysWOW64\Kpanan32.exe Kjgeedch.exe File opened for modification C:\Windows\SysWOW64\Jgpmmp32.exe Jdaaaeqg.exe File created C:\Windows\SysWOW64\Olicnfco.exe Oeokal32.exe File created C:\Windows\SysWOW64\Ibingd32.dll Fbelcblk.exe File created C:\Windows\SysWOW64\Ifenan32.dll Jnlkedai.exe File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe Ahbjoe32.exe File created C:\Windows\SysWOW64\Cdlqqcnl.exe Cnahdi32.exe File created C:\Windows\SysWOW64\Oaabap32.dll Iohejo32.exe File opened for modification C:\Windows\SysWOW64\Nadleilm.exe Nnfpinmi.exe File opened for modification C:\Windows\SysWOW64\Egegjn32.exe Process not Found File created C:\Windows\SysWOW64\Jbnnbmfj.dll Oaompd32.exe File created C:\Windows\SysWOW64\Hoclopne.exe Hlepcdoa.exe File opened for modification C:\Windows\SysWOW64\Qjiipk32.exe Qhjmdp32.exe File created C:\Windows\SysWOW64\Lckboblp.exe Lhenai32.exe File created C:\Windows\SysWOW64\Lhlgjo32.dll Process not Found File created C:\Windows\SysWOW64\Jdiphhpk.dll Process not Found File created C:\Windows\SysWOW64\Pqfkck32.dll Fggocmhf.exe File created C:\Windows\SysWOW64\Nbenoa32.dll Chlflabp.exe File created C:\Windows\SysWOW64\Gpbpbecj.exe Gmdcfidg.exe File created C:\Windows\SysWOW64\Nmfcok32.exe Nflkbanj.exe File opened for modification C:\Windows\SysWOW64\Gbabigfj.exe Gdobnj32.exe File created C:\Windows\SysWOW64\Fkhpfbce.exe Fijdjfdb.exe File created C:\Windows\SysWOW64\Pjoppf32.exe Pbhgoh32.exe File created C:\Windows\SysWOW64\Hebcao32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mbighjdd.exe Meefofek.exe File opened for modification C:\Windows\SysWOW64\Nihipdhl.exe Mldhfpib.exe File created C:\Windows\SysWOW64\Kqqpck32.dll Fnnjmbpm.exe File created C:\Windows\SysWOW64\Mcifkf32.exe Mqkiok32.exe File created C:\Windows\SysWOW64\Pnifekmd.exe Pfandnla.exe File opened for modification C:\Windows\SysWOW64\Hgapmj32.exe Process not Found File created C:\Windows\SysWOW64\Jjihfbno.exe Process not Found File created C:\Windows\SysWOW64\Icfmci32.exe Process not Found File created C:\Windows\SysWOW64\Nbqmiinl.exe Nlfelogp.exe File created C:\Windows\SysWOW64\Qhkjegqi.dll Pkadoiip.exe File created C:\Windows\SysWOW64\Lggejg32.exe Lopmii32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8812 7204 Process not Found 1299 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mglfplgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koonge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihipdhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkbmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jemfhacc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnedlao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgjopal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblmgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egened32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcjqgnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolhkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amkhmoap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkmfolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiioonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkgcobj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdnjple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebaplnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahbbkaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdjeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjkaabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojkeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loacdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejalcgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkibgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcdeeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfngdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggahedjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqmpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkfkmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laiipofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niojoeel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olicnfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomoenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqppci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bochcckb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eleepoob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pajeam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pognhd32.dll" Maeachag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll" Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfhhpnk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijhjcchb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llmhaold.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqaiecjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkngke32.dll" Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeocna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdlmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmbjcljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnjdpaki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmpdfhi.dll" Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejfeng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibafp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjcgfjdk.dll" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobkhf32.dll" Alpbecod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebnfbcbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngjbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohffe32.dll" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbegn32.dll" Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpqkcpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olfghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lebijnak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehbnigjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpphjbnh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knknhqjn.dll" Dfoiaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcphdpff.dll" Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll" Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll" Nqaiecjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apjdikqd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll" Nceefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphnnafb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgpcliao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dagdgfkf.dll" Iojkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hemmac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidinqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celipg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdgglfl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3012 wrote to memory of 1484 3012 efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51N.exe 86 PID 3012 wrote to memory of 1484 3012 efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51N.exe 86 PID 3012 wrote to memory of 1484 3012 efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51N.exe 86 PID 1484 wrote to memory of 2416 1484 Fggocmhf.exe 87 PID 1484 wrote to memory of 2416 1484 Fggocmhf.exe 87 PID 1484 wrote to memory of 2416 1484 Fggocmhf.exe 87 PID 2416 wrote to memory of 1332 2416 Fdkpma32.exe 88 PID 2416 wrote to memory of 1332 2416 Fdkpma32.exe 88 PID 2416 wrote to memory of 1332 2416 Fdkpma32.exe 88 PID 1332 wrote to memory of 1544 1332 Gigheh32.exe 89 PID 1332 wrote to memory of 1544 1332 Gigheh32.exe 89 PID 1332 wrote to memory of 1544 1332 Gigheh32.exe 89 PID 1544 wrote to memory of 1624 1544 Ggkiol32.exe 90 PID 1544 wrote to memory of 1624 1544 Ggkiol32.exe 90 PID 1544 wrote to memory of 1624 1544 Ggkiol32.exe 90 PID 1624 wrote to memory of 4712 1624 Gaamlecg.exe 91 PID 1624 wrote to memory of 4712 1624 Gaamlecg.exe 91 PID 1624 wrote to memory of 4712 1624 Gaamlecg.exe 91 PID 4712 wrote to memory of 3368 4712 Ggnedlao.exe 92 PID 4712 wrote to memory of 3368 4712 Ggnedlao.exe 92 PID 4712 wrote to memory of 3368 4712 Ggnedlao.exe 92 PID 3368 wrote to memory of 4900 3368 Gacjadad.exe 93 PID 3368 wrote to memory of 4900 3368 Gacjadad.exe 93 PID 3368 wrote to memory of 4900 3368 Gacjadad.exe 93 PID 4900 wrote to memory of 5112 4900 Gklnjj32.exe 94 PID 4900 wrote to memory of 5112 4900 Gklnjj32.exe 94 PID 4900 wrote to memory of 5112 4900 Gklnjj32.exe 94 PID 5112 wrote to memory of 1984 5112 Gnjjfegi.exe 95 PID 5112 wrote to memory of 1984 5112 Gnjjfegi.exe 95 PID 5112 wrote to memory of 1984 5112 Gnjjfegi.exe 95 PID 1984 wrote to memory of 2096 1984 Ghpocngo.exe 96 PID 1984 wrote to memory of 2096 1984 Ghpocngo.exe 96 PID 1984 wrote to memory of 2096 1984 Ghpocngo.exe 96 PID 2096 wrote to memory of 4024 2096 Gnlgleef.exe 97 PID 2096 wrote to memory of 4024 2096 Gnlgleef.exe 97 PID 2096 wrote to memory of 4024 2096 Gnlgleef.exe 97 PID 4024 wrote to memory of 3860 4024 Hjchaf32.exe 98 PID 4024 wrote to memory of 3860 4024 Hjchaf32.exe 98 PID 4024 wrote to memory of 3860 4024 Hjchaf32.exe 98 PID 3860 wrote to memory of 3284 3860 Hajpbckl.exe 99 PID 3860 wrote to memory of 3284 3860 Hajpbckl.exe 99 PID 3860 wrote to memory of 3284 3860 Hajpbckl.exe 99 PID 3284 wrote to memory of 3912 3284 Hjedffig.exe 100 PID 3284 wrote to memory of 3912 3284 Hjedffig.exe 100 PID 3284 wrote to memory of 3912 3284 Hjedffig.exe 100 PID 3912 wrote to memory of 1584 3912 Haoimcgg.exe 101 PID 3912 wrote to memory of 1584 3912 Haoimcgg.exe 101 PID 3912 wrote to memory of 1584 3912 Haoimcgg.exe 101 PID 1584 wrote to memory of 1504 1584 Hkgnfhnh.exe 102 PID 1584 wrote to memory of 1504 1584 Hkgnfhnh.exe 102 PID 1584 wrote to memory of 1504 1584 Hkgnfhnh.exe 102 PID 1504 wrote to memory of 3168 1504 Hdpbon32.exe 103 PID 1504 wrote to memory of 3168 1504 Hdpbon32.exe 103 PID 1504 wrote to memory of 3168 1504 Hdpbon32.exe 103 PID 3168 wrote to memory of 3240 3168 Igedlh32.exe 104 PID 3168 wrote to memory of 3240 3168 Igedlh32.exe 104 PID 3168 wrote to memory of 3240 3168 Igedlh32.exe 104 PID 3240 wrote to memory of 2912 3240 Idieem32.exe 105 PID 3240 wrote to memory of 2912 3240 Idieem32.exe 105 PID 3240 wrote to memory of 2912 3240 Idieem32.exe 105 PID 2912 wrote to memory of 4940 2912 Ijfnmc32.exe 106 PID 2912 wrote to memory of 4940 2912 Ijfnmc32.exe 106 PID 2912 wrote to memory of 4940 2912 Ijfnmc32.exe 106 PID 4940 wrote to memory of 2440 4940 Igjngh32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51N.exe"C:\Users\Admin\AppData\Local\Temp\efd9f9c89e4f4aea33c3aa65fdd591f59656cbd4f52529f3345e6076cf3a3d51N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe24⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe25⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe26⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe27⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe28⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe29⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe30⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe31⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe32⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe33⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe34⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe35⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe36⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe37⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe38⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe40⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe41⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe42⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe43⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe45⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe47⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe48⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe49⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe50⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe51⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe53⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe54⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3204 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe56⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe57⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe58⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe59⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe60⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe62⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe63⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe64⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe65⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe66⤵
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe67⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe68⤵
- Drops file in System32 directory
PID:3288 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe69⤵PID:3896
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe70⤵PID:2744
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe71⤵PID:880
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe72⤵PID:4760
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe73⤵PID:1464
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe74⤵PID:224
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe75⤵PID:3508
-
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe76⤵
- Drops file in System32 directory
PID:3684 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe77⤵PID:4228
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe78⤵PID:2180
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe79⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe80⤵PID:3676
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe81⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe82⤵PID:1532
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe83⤵PID:4724
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe84⤵PID:3672
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe85⤵PID:2312
-
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe86⤵PID:2964
-
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe87⤵PID:1180
-
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe88⤵PID:2580
-
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe89⤵PID:4792
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3700 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe91⤵PID:4852
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe92⤵
- Drops file in System32 directory
PID:3904 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe93⤵PID:1628
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe94⤵PID:1424
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe95⤵PID:4344
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe96⤵PID:408
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe97⤵PID:1540
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe98⤵PID:1912
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe99⤵PID:1096
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe100⤵PID:2368
-
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe101⤵PID:1988
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe102⤵PID:780
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe103⤵PID:2052
-
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe104⤵PID:1932
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe105⤵PID:3668
-
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe106⤵PID:5044
-
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe107⤵PID:2168
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe108⤵PID:4812
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe109⤵PID:5168
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe110⤵PID:5208
-
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe111⤵PID:5264
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe112⤵PID:5304
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe113⤵PID:5340
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe114⤵PID:5388
-
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe115⤵PID:5432
-
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe117⤵PID:5520
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe118⤵PID:5564
-
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe119⤵PID:5608
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe120⤵PID:5652
-
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe121⤵PID:5700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-