Analysis
-
max time kernel
94s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 10:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe
-
Size
95KB
-
MD5
ae11599bd1dae309fab60cd2b7161f30
-
SHA1
cc245cd3efa3ea324155359e3e77c283ab5a853a
-
SHA256
c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2
-
SHA512
879ae165dd6ee0a00ef1c0d99cb80451ae99bb1db4d44260b14ad5c998d4dcf519f206696536e8a413f7c99791bbd62ec5546167a715e9dc1d2f1e745631d6ef
-
SSDEEP
1536:Xntv+iQFstP7r1K1ssgmgYCOuWnR7Q88aAVmqLoE5O62u0oOWq51to2hw3OM6bO/:tKkMvQOz8JVmoODuti3e2hyDrLXfzoeV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalipoiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egohdegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqjbddpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfgklkoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahofoogd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpaqmgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibegfglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjjlkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innfnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjmfjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phbhcmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akdilipp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgelgi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obcceg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfigpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iolhkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefgbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepjhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikejgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbdjeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihgfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpeahb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklhcfle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niooqcad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaobnio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhkdmlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcdala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaoaic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pehngkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iondqhpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbihjifh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmikeaap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelolmnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhhdnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipeeobbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akffafgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djqblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmggfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njljch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkblhfo.exe -
Executes dropped EXE 64 IoCs
pid Process 4712 Ijfnmc32.exe 3220 Iqpfjnba.exe 2328 Ihgnkkbd.exe 2632 Ikejgf32.exe 3772 Indfca32.exe 2548 Jdnoplhh.exe 5080 Jglklggl.exe 1864 Jjjghcfp.exe 5008 Jbaojpgb.exe 2324 Jdpkflfe.exe 4620 Jkjcbe32.exe 548 Jnhpoamf.exe 4176 Jqglkmlj.exe 2280 Jgadgf32.exe 3436 Jjopcb32.exe 4632 Jbfheo32.exe 5084 Jhpqaiji.exe 2448 Jkomneim.exe 2432 Jbiejoaj.exe 4920 Jibmgi32.exe 5000 Jjdjoane.exe 432 Jbkbpoog.exe 1448 Kdinljnk.exe 1844 Kghjhemo.exe 3368 Kkcfid32.exe 3940 Kjffdalb.exe 1180 Kbmoen32.exe 4924 Kgjgne32.exe 4536 Kkfcndce.exe 4244 Kjhcjq32.exe 5004 Kqbkfkal.exe 4272 Kgmcce32.exe 2296 Kjkpoq32.exe 3560 Kbbhqn32.exe 2268 Keqdmihc.exe 1104 Kilpmh32.exe 4728 Kgopidgf.exe 3672 Kniieo32.exe 4324 Kbddfmgl.exe 4080 Kecabifp.exe 2836 Kgamnded.exe 5112 Kkmioc32.exe 3836 Knkekn32.exe 4744 Lbgalmej.exe 3652 Liqihglg.exe 3632 Lkofdbkj.exe 4724 Ljbfpo32.exe 1316 Lbinam32.exe 620 Legjmh32.exe 3032 Ljdceo32.exe 368 Lbkkgl32.exe 1608 Lejgch32.exe 2276 Lghcocol.exe 2952 Ljgpkonp.exe 2032 Laqhhi32.exe 384 Lihpif32.exe 2908 Ljilqnlm.exe 1856 Lndham32.exe 2692 Lacdmh32.exe 3908 Lijlof32.exe 2740 Llhikacp.exe 1404 Mbbagk32.exe 1028 Meamcg32.exe 2676 Mhoipb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jofill32.dll Glcaambb.exe File created C:\Windows\SysWOW64\Hmokmkpo.dll Kjhloj32.exe File created C:\Windows\SysWOW64\Ondljl32.exe Ojhpimhp.exe File created C:\Windows\SysWOW64\Jnijfj32.dll Eomffaag.exe File opened for modification C:\Windows\SysWOW64\Fgmdec32.exe Fijdjfdb.exe File opened for modification C:\Windows\SysWOW64\Jkjcbe32.exe Jdpkflfe.exe File created C:\Windows\SysWOW64\Jbqaei32.dll Dlghoa32.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe Mjodla32.exe File created C:\Windows\SysWOW64\Lmnbjama.dll Palklf32.exe File created C:\Windows\SysWOW64\Iaejqcdo.dll Joqafgni.exe File created C:\Windows\SysWOW64\Pkffgpdd.dll Khbiello.exe File opened for modification C:\Windows\SysWOW64\Oldjcg32.exe Ohhnbhok.exe File opened for modification C:\Windows\SysWOW64\Qoelkp32.exe Qlgpod32.exe File created C:\Windows\SysWOW64\Ojdgnn32.exe Ofhknodl.exe File created C:\Windows\SysWOW64\Cnffoibg.dll Ondljl32.exe File created C:\Windows\SysWOW64\Bpdnjple.exe Bmeandma.exe File created C:\Windows\SysWOW64\Cepjip32.dll Dgeenfog.exe File created C:\Windows\SysWOW64\Dmdhcddh.exe Dihlbf32.exe File created C:\Windows\SysWOW64\Illfdc32.exe Iinjhh32.exe File created C:\Windows\SysWOW64\Lfcpgb32.dll Jiglnf32.exe File created C:\Windows\SysWOW64\Jpcapp32.exe Jmeede32.exe File created C:\Windows\SysWOW64\Npepkf32.exe Nmfcok32.exe File created C:\Windows\SysWOW64\Nfcconde.dll Kmfhkf32.exe File opened for modification C:\Windows\SysWOW64\Aeaanjkl.exe Aafemk32.exe File opened for modification C:\Windows\SysWOW64\Akffafgg.exe Ajdjin32.exe File created C:\Windows\SysWOW64\Dcgbdc32.dll Gpecbk32.exe File opened for modification C:\Windows\SysWOW64\Hdmoohbo.exe Hlegnjbm.exe File created C:\Windows\SysWOW64\Mcqjon32.exe Lqbncb32.exe File created C:\Windows\SysWOW64\Gdencf32.dll Napjdpcn.exe File opened for modification C:\Windows\SysWOW64\Qemhbj32.exe Pocpfphe.exe File created C:\Windows\SysWOW64\Kgopidgf.exe Kilpmh32.exe File created C:\Windows\SysWOW64\Obonfmck.dll Kkmioc32.exe File opened for modification C:\Windows\SysWOW64\Ibcjqgnm.exe Iogopi32.exe File created C:\Windows\SysWOW64\Lplfcf32.exe Legben32.exe File created C:\Windows\SysWOW64\Nnndji32.dll Oiccje32.exe File opened for modification C:\Windows\SysWOW64\Akkffkhk.exe Ahmjjoig.exe File opened for modification C:\Windows\SysWOW64\Akdilipp.exe Ahfmpnql.exe File opened for modification C:\Windows\SysWOW64\Pmblagmf.exe Pjdpelnc.exe File created C:\Windows\SysWOW64\Adfgdpmi.exe Aagkhd32.exe File created C:\Windows\SysWOW64\Dahceqce.dll Ganldgib.exe File opened for modification C:\Windows\SysWOW64\Jaajhb32.exe Jocnlg32.exe File created C:\Windows\SysWOW64\Hnnpaa32.dll Pllgnl32.exe File created C:\Windows\SysWOW64\Hlepcdoa.exe Hifcgion.exe File created C:\Windows\SysWOW64\Fdflahpe.dll Bcfahbpo.exe File opened for modification C:\Windows\SysWOW64\Djcoai32.exe Dblgpl32.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dooaoj32.exe File created C:\Windows\SysWOW64\Iipfmggc.exe Igajal32.exe File created C:\Windows\SysWOW64\Lljklo32.exe Kjlopc32.exe File created C:\Windows\SysWOW64\Bljlpjaf.dll Bgpcliao.exe File opened for modification C:\Windows\SysWOW64\Keqdmihc.exe Kbbhqn32.exe File created C:\Windows\SysWOW64\Ljdceo32.exe Legjmh32.exe File created C:\Windows\SysWOW64\Ipamlopb.dll Lpjjmg32.exe File created C:\Windows\SysWOW64\Eomffaag.exe Egened32.exe File created C:\Windows\SysWOW64\Hnbeeiji.exe Hhimhobl.exe File created C:\Windows\SysWOW64\Fligqhga.exe Fijkdmhn.exe File created C:\Windows\SysWOW64\Lfbped32.exe Lcdciiec.exe File opened for modification C:\Windows\SysWOW64\Pmlfqh32.exe Pjmjdm32.exe File created C:\Windows\SysWOW64\Hejqldci.exe Hbldphde.exe File created C:\Windows\SysWOW64\Mkhapk32.exe Mcqjon32.exe File opened for modification C:\Windows\SysWOW64\Ebdcld32.exe Eofgpikj.exe File opened for modification C:\Windows\SysWOW64\Eppjfgcp.exe Emanjldl.exe File created C:\Windows\SysWOW64\Mfhbga32.exe Mcifkf32.exe File opened for modification C:\Windows\SysWOW64\Mcdeeq32.exe Mpeiie32.exe File created C:\Windows\SysWOW64\Qdbpmock.dll Cfqmpl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 344 3088 Process not Found 1142 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjiao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflide32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqihglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miaboe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfandnla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poajkgnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fniihmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakikoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibqnkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiikpnmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmfdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkqjmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieagmcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljobpiql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkgbcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcoccc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieojgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domdjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnaaib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgkjlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjffdalb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhdbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfheo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqdmihc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djqblj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiqfima.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjghcfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcifkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaldccip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepebho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jebfng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbqaei32.dll" Dlghoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfhbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Legben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbdiknlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnffda32.dll" Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpbjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoejj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdmbe32.dll" Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcmfjll.dll" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll" Njmqnobn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfoann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbiockdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmaamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajdjin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmigoagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdlqqcnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aagkhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Cogddd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enhpao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll" Ncmhko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njljch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfedh32.dll" Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnobcjlg.dll" Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll" Ibcaknbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll" Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmokmkpo.dll" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" Mjkblhfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdlkdhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jifecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klcekpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll" Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mljmhflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mgbefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofhknodl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpdennml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hloqml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeofeib.dll" Oalipoiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohmhmh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 4712 2360 c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe 84 PID 2360 wrote to memory of 4712 2360 c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe 84 PID 2360 wrote to memory of 4712 2360 c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe 84 PID 4712 wrote to memory of 3220 4712 Ijfnmc32.exe 85 PID 4712 wrote to memory of 3220 4712 Ijfnmc32.exe 85 PID 4712 wrote to memory of 3220 4712 Ijfnmc32.exe 85 PID 3220 wrote to memory of 2328 3220 Iqpfjnba.exe 86 PID 3220 wrote to memory of 2328 3220 Iqpfjnba.exe 86 PID 3220 wrote to memory of 2328 3220 Iqpfjnba.exe 86 PID 2328 wrote to memory of 2632 2328 Ihgnkkbd.exe 87 PID 2328 wrote to memory of 2632 2328 Ihgnkkbd.exe 87 PID 2328 wrote to memory of 2632 2328 Ihgnkkbd.exe 87 PID 2632 wrote to memory of 3772 2632 Ikejgf32.exe 89 PID 2632 wrote to memory of 3772 2632 Ikejgf32.exe 89 PID 2632 wrote to memory of 3772 2632 Ikejgf32.exe 89 PID 3772 wrote to memory of 2548 3772 Indfca32.exe 90 PID 3772 wrote to memory of 2548 3772 Indfca32.exe 90 PID 3772 wrote to memory of 2548 3772 Indfca32.exe 90 PID 2548 wrote to memory of 5080 2548 Jdnoplhh.exe 91 PID 2548 wrote to memory of 5080 2548 Jdnoplhh.exe 91 PID 2548 wrote to memory of 5080 2548 Jdnoplhh.exe 91 PID 5080 wrote to memory of 1864 5080 Jglklggl.exe 92 PID 5080 wrote to memory of 1864 5080 Jglklggl.exe 92 PID 5080 wrote to memory of 1864 5080 Jglklggl.exe 92 PID 1864 wrote to memory of 5008 1864 Jjjghcfp.exe 93 PID 1864 wrote to memory of 5008 1864 Jjjghcfp.exe 93 PID 1864 wrote to memory of 5008 1864 Jjjghcfp.exe 93 PID 5008 wrote to memory of 2324 5008 Jbaojpgb.exe 94 PID 5008 wrote to memory of 2324 5008 Jbaojpgb.exe 94 PID 5008 wrote to memory of 2324 5008 Jbaojpgb.exe 94 PID 2324 wrote to memory of 4620 2324 Jdpkflfe.exe 95 PID 2324 wrote to memory of 4620 2324 Jdpkflfe.exe 95 PID 2324 wrote to memory of 4620 2324 Jdpkflfe.exe 95 PID 4620 wrote to memory of 548 4620 Jkjcbe32.exe 96 PID 4620 wrote to memory of 548 4620 Jkjcbe32.exe 96 PID 4620 wrote to memory of 548 4620 Jkjcbe32.exe 96 PID 548 wrote to memory of 4176 548 Jnhpoamf.exe 98 PID 548 wrote to memory of 4176 548 Jnhpoamf.exe 98 PID 548 wrote to memory of 4176 548 Jnhpoamf.exe 98 PID 4176 wrote to memory of 2280 4176 Jqglkmlj.exe 99 PID 4176 wrote to memory of 2280 4176 Jqglkmlj.exe 99 PID 4176 wrote to memory of 2280 4176 Jqglkmlj.exe 99 PID 2280 wrote to memory of 3436 2280 Jgadgf32.exe 100 PID 2280 wrote to memory of 3436 2280 Jgadgf32.exe 100 PID 2280 wrote to memory of 3436 2280 Jgadgf32.exe 100 PID 3436 wrote to memory of 4632 3436 Jjopcb32.exe 101 PID 3436 wrote to memory of 4632 3436 Jjopcb32.exe 101 PID 3436 wrote to memory of 4632 3436 Jjopcb32.exe 101 PID 4632 wrote to memory of 5084 4632 Jbfheo32.exe 102 PID 4632 wrote to memory of 5084 4632 Jbfheo32.exe 102 PID 4632 wrote to memory of 5084 4632 Jbfheo32.exe 102 PID 5084 wrote to memory of 2448 5084 Jhpqaiji.exe 103 PID 5084 wrote to memory of 2448 5084 Jhpqaiji.exe 103 PID 5084 wrote to memory of 2448 5084 Jhpqaiji.exe 103 PID 2448 wrote to memory of 2432 2448 Jkomneim.exe 104 PID 2448 wrote to memory of 2432 2448 Jkomneim.exe 104 PID 2448 wrote to memory of 2432 2448 Jkomneim.exe 104 PID 2432 wrote to memory of 4920 2432 Jbiejoaj.exe 105 PID 2432 wrote to memory of 4920 2432 Jbiejoaj.exe 105 PID 2432 wrote to memory of 4920 2432 Jbiejoaj.exe 105 PID 4920 wrote to memory of 5000 4920 Jibmgi32.exe 106 PID 4920 wrote to memory of 5000 4920 Jibmgi32.exe 106 PID 4920 wrote to memory of 5000 4920 Jibmgi32.exe 106 PID 5000 wrote to memory of 432 5000 Jjdjoane.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe"C:\Users\Admin\AppData\Local\Temp\c4308aeaf08852e4878d7453661642715faa5ded6bc3a9e260a759ffec379fa2N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe23⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe24⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe25⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe26⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3940 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe28⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe29⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe30⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe31⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe32⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe33⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe34⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3560 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe38⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe39⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe40⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe41⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe42⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe44⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe45⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3652 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe47⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe48⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe49⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:620 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe51⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe52⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe53⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe54⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe55⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe56⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe57⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe58⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe59⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe60⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe61⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe62⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe63⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe64⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe65⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe66⤵PID:5036
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe67⤵PID:3608
-
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe68⤵PID:4988
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe69⤵PID:2852
-
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe70⤵PID:1876
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4400 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4644 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe73⤵PID:1752
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe74⤵PID:2528
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe75⤵PID:3192
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe76⤵PID:1504
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe77⤵PID:3596
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe78⤵PID:4380
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe79⤵PID:728
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe80⤵
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe81⤵PID:2760
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe82⤵PID:4612
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe83⤵PID:2400
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe85⤵PID:1888
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe86⤵PID:2376
-
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe87⤵PID:4420
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe88⤵PID:3648
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe89⤵PID:344
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe90⤵PID:2028
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe91⤵PID:2332
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe92⤵PID:4236
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe93⤵PID:2716
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe94⤵PID:3020
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe95⤵PID:3904
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe96⤵PID:1060
-
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe97⤵PID:3332
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe98⤵PID:376
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe99⤵PID:2696
-
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe100⤵PID:4208
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe101⤵PID:464
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe103⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe104⤵PID:2380
-
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4720 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe106⤵PID:3924
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe107⤵PID:716
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe108⤵PID:4296
-
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe109⤵PID:4220
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe110⤵
- System Location Discovery: System Language Discovery
PID:5136 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe111⤵PID:5180
-
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe112⤵PID:5224
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe113⤵PID:5268
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe114⤵PID:5312
-
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe115⤵PID:5356
-
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe116⤵PID:5400
-
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe117⤵PID:5444
-
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe118⤵PID:5488
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe119⤵PID:5532
-
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe120⤵PID:5576
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe121⤵PID:5620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-