Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
23-07-2024 19:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe
-
Size
80KB
-
MD5
79ae3ab5af4932f89f2616f547e0e391
-
SHA1
31972f535e2a0bf5f9f5f7387434c72db2d7d12e
-
SHA256
266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771
-
SHA512
3d8e5c38c69eaf986ca3adae1ff0ff49cddc17ce35957184e00492014258dab2e4ff17ade8a89c5c08317b58e9c1ad1b3f7f824ec34bd7cad227fab2f223bd77
-
SSDEEP
1536:Pt+z7GgiIHz7Dp4/d1IpLLpXwLefNGT+BfHGI5BtwmjtgQFeJuqnhCN:10GAz7F4I9L9weqefHGIrpZpFeJLCN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Folaiqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opemca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgjccb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flinkojm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hienlpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lddgmbpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phganm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcepgmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikfabm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojnblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkgnfhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Danecp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkidohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gigaka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hffcmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnadagbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjolnaq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djklmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpiljh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ophjiaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omqmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikejgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boflmdkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljaoeini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2940 Jblpek32.exe 4284 Jeklag32.exe 2492 Jmbdbd32.exe 3332 Jpppnp32.exe 4116 Kfjhkjle.exe 2016 Kiidgeki.exe 1996 Klgqcqkl.exe 4276 Kdnidn32.exe 1768 Kbaipkbi.exe 1876 Kikame32.exe 1468 Klimip32.exe 2592 Kdqejn32.exe 4500 Kfoafi32.exe 4380 Kimnbd32.exe 1588 Klljnp32.exe 1952 Kbfbkj32.exe 232 Kmkfhc32.exe 1616 Kpjcdn32.exe 368 Kbhoqj32.exe 4372 Kefkme32.exe 3916 Klqcioba.exe 2324 Kdgljmcd.exe 3272 Liddbc32.exe 5036 Lmppcbjd.exe 528 Ldjhpl32.exe 4356 Lekehdgp.exe 1160 Lmbmibhb.exe 4332 Ldleel32.exe 4368 Liimncmf.exe 2116 Llgjjnlj.exe 4220 Ldoaklml.exe 1512 Lgmngglp.exe 3832 Likjcbkc.exe 1340 Lljfpnjg.exe 2508 Ldanqkki.exe 4760 Lbdolh32.exe 5056 Lingibiq.exe 2256 Lmiciaaj.exe 3992 Lphoelqn.exe 1604 Mbfkbhpa.exe 2900 Medgncoe.exe 3156 Mipcob32.exe 5108 Mlopkm32.exe 1528 Mdehlk32.exe 4992 Mgddhf32.exe 3608 Megdccmb.exe 2124 Mmnldp32.exe 4304 Mlampmdo.exe 3012 Mdhdajea.exe 3504 Mckemg32.exe 3244 Meiaib32.exe 3612 Mmpijp32.exe 676 Mcmabg32.exe 1972 Mgimcebb.exe 2836 Migjoaaf.exe 2584 Mmbfpp32.exe 848 Mpablkhc.exe 1000 Mcpnhfhf.exe 1092 Menjdbgj.exe 4268 Mnebeogl.exe 2664 Npcoakfp.exe 4024 Ncbknfed.exe 1772 Nepgjaeg.exe 2204 Nljofl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oalfdbfa.dll Gochjpho.exe File opened for modification C:\Windows\SysWOW64\Pomgjn32.exe Ploknb32.exe File opened for modification C:\Windows\SysWOW64\Ghkeio32.exe Gaamlecg.exe File opened for modification C:\Windows\SysWOW64\Pcepkfld.exe Pkogiikb.exe File created C:\Windows\SysWOW64\Kahdohfm.dll Dogogcpo.exe File created C:\Windows\SysWOW64\Ihnkel32.exe Hpfcdojl.exe File opened for modification C:\Windows\SysWOW64\Inainbcn.exe Ikcmbfcj.exe File opened for modification C:\Windows\SysWOW64\Alelqb32.exe Process not Found File created C:\Windows\SysWOW64\Hhjhdagb.dll Process not Found File created C:\Windows\SysWOW64\Pplobcpp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qmdblp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kelalp32.exe Kfjapcii.exe File created C:\Windows\SysWOW64\Jldajape.dll Jgcamf32.exe File opened for modification C:\Windows\SysWOW64\Polppg32.exe Pkadoiip.exe File created C:\Windows\SysWOW64\Fcniglmb.exe Elgaeolp.exe File created C:\Windows\SysWOW64\Ddipic32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fkjmlaac.exe Process not Found File created C:\Windows\SysWOW64\Ihbponja.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mhbmphjm.exe Mojhgbdl.exe File opened for modification C:\Windows\SysWOW64\Jjopcb32.exe Jgadgf32.exe File opened for modification C:\Windows\SysWOW64\Nbgcih32.exe Nkqkhk32.exe File created C:\Windows\SysWOW64\Mablfnne.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ppikbm32.exe Process not Found File created C:\Windows\SysWOW64\Iiofld32.dll Empoiimf.exe File opened for modification C:\Windows\SysWOW64\Gmeakf32.exe Ggkiol32.exe File created C:\Windows\SysWOW64\Kbjodaqj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dkcndeen.exe Process not Found File created C:\Windows\SysWOW64\Oebneoob.dll Fojedapj.exe File opened for modification C:\Windows\SysWOW64\Oklkdi32.exe Ohnohn32.exe File opened for modification C:\Windows\SysWOW64\Oloahhki.exe Oeehkn32.exe File created C:\Windows\SysWOW64\Ogcggo32.dll Mpghkf32.exe File created C:\Windows\SysWOW64\Dipidh32.dll Ghipne32.exe File created C:\Windows\SysWOW64\Clkbmh32.dll Nliaao32.exe File created C:\Windows\SysWOW64\Joicekop.dll Lcnmin32.exe File created C:\Windows\SysWOW64\Abdkep32.dll Process not Found File created C:\Windows\SysWOW64\Mlkpophj.dll Process not Found File created C:\Windows\SysWOW64\Dgjoif32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bpcgpihi.exe Process not Found File created C:\Windows\SysWOW64\Halpnqlq.dll Pdfjifjo.exe File created C:\Windows\SysWOW64\Gengje32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qadoba32.exe Qcaofebg.exe File opened for modification C:\Windows\SysWOW64\Ohjlgefb.exe Oekpkigo.exe File created C:\Windows\SysWOW64\Phdnngdn.exe Process not Found File created C:\Windows\SysWOW64\Bhgbbckh.dll Process not Found File created C:\Windows\SysWOW64\Dahceqce.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mjidgkog.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nqfbpb32.exe Process not Found File created C:\Windows\SysWOW64\Mkddhfnh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nepgjaeg.exe Ncbknfed.exe File opened for modification C:\Windows\SysWOW64\Fnobem32.exe Folaiqng.exe File created C:\Windows\SysWOW64\Nqomdf32.dll Mbhamajc.exe File created C:\Windows\SysWOW64\Oodneg32.dll Ggkiol32.exe File created C:\Windows\SysWOW64\Jeeobqbq.dll Process not Found File opened for modification C:\Windows\SysWOW64\Npiiffqe.exe Process not Found File created C:\Windows\SysWOW64\Ihkjno32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ihbponja.exe Process not Found File created C:\Windows\SysWOW64\Gnbinq32.dll Kbhoqj32.exe File opened for modification C:\Windows\SysWOW64\Gaopfe32.exe Gigheh32.exe File opened for modification C:\Windows\SysWOW64\Ecefqnel.exe Elnoopdj.exe File created C:\Windows\SysWOW64\Njpdnedf.exe Nhahaiec.exe File opened for modification C:\Windows\SysWOW64\Eklajcmc.exe Process not Found File created C:\Windows\SysWOW64\Feibedlp.dll Ambgef32.exe File opened for modification C:\Windows\SysWOW64\Fffhifdk.exe Fplpll32.exe File created C:\Windows\SysWOW64\Dkceokii.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 15372 15956 Process not Found 1807 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbmphjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmklglpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnmgnoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgapeea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpkphjeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbdhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emphocjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmnoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenlqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmajipb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calhnpgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehnem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbkgfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidjbmcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhkgoiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblgpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbiip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indfca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ienekbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckppl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odalmibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ambgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnbqnjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqmjog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodjhkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlopkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afnnnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnhahj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhabbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idajkk32.dll" Hgiepjga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gohaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqnnno32.dll" Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodoah32.dll" Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miongake.dll" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdikecn.dll" Ohjlgefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhmla32.dll" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjefc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnobcjlg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nebdoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlndj32.dll" Fehfljca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjgbadl.dll" Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfohjf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnocia32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kppici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgbbek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pedlgbkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdbdah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiaci32.dll" Aodfajaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjbkgfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqadgkdb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogcggo32.dll" Mpghkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bojlop32.dll" Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pomgjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonlon32.dll" Nacmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll" Ajhddjfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdgljmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqhgk32.dll" Gigheh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcobaedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnhidk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll" Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnmghonf.dll" Eangpgcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepkipc.dll" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcjnoece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqppkd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1096 wrote to memory of 2940 1096 266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe 83 PID 1096 wrote to memory of 2940 1096 266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe 83 PID 1096 wrote to memory of 2940 1096 266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe 83 PID 2940 wrote to memory of 4284 2940 Jblpek32.exe 84 PID 2940 wrote to memory of 4284 2940 Jblpek32.exe 84 PID 2940 wrote to memory of 4284 2940 Jblpek32.exe 84 PID 4284 wrote to memory of 2492 4284 Jeklag32.exe 85 PID 4284 wrote to memory of 2492 4284 Jeklag32.exe 85 PID 4284 wrote to memory of 2492 4284 Jeklag32.exe 85 PID 2492 wrote to memory of 3332 2492 Jmbdbd32.exe 86 PID 2492 wrote to memory of 3332 2492 Jmbdbd32.exe 86 PID 2492 wrote to memory of 3332 2492 Jmbdbd32.exe 86 PID 3332 wrote to memory of 4116 3332 Jpppnp32.exe 87 PID 3332 wrote to memory of 4116 3332 Jpppnp32.exe 87 PID 3332 wrote to memory of 4116 3332 Jpppnp32.exe 87 PID 4116 wrote to memory of 2016 4116 Kfjhkjle.exe 88 PID 4116 wrote to memory of 2016 4116 Kfjhkjle.exe 88 PID 4116 wrote to memory of 2016 4116 Kfjhkjle.exe 88 PID 2016 wrote to memory of 1996 2016 Kiidgeki.exe 89 PID 2016 wrote to memory of 1996 2016 Kiidgeki.exe 89 PID 2016 wrote to memory of 1996 2016 Kiidgeki.exe 89 PID 1996 wrote to memory of 4276 1996 Klgqcqkl.exe 90 PID 1996 wrote to memory of 4276 1996 Klgqcqkl.exe 90 PID 1996 wrote to memory of 4276 1996 Klgqcqkl.exe 90 PID 4276 wrote to memory of 1768 4276 Kdnidn32.exe 92 PID 4276 wrote to memory of 1768 4276 Kdnidn32.exe 92 PID 4276 wrote to memory of 1768 4276 Kdnidn32.exe 92 PID 1768 wrote to memory of 1876 1768 Kbaipkbi.exe 93 PID 1768 wrote to memory of 1876 1768 Kbaipkbi.exe 93 PID 1768 wrote to memory of 1876 1768 Kbaipkbi.exe 93 PID 1876 wrote to memory of 1468 1876 Kikame32.exe 94 PID 1876 wrote to memory of 1468 1876 Kikame32.exe 94 PID 1876 wrote to memory of 1468 1876 Kikame32.exe 94 PID 1468 wrote to memory of 2592 1468 Klimip32.exe 95 PID 1468 wrote to memory of 2592 1468 Klimip32.exe 95 PID 1468 wrote to memory of 2592 1468 Klimip32.exe 95 PID 2592 wrote to memory of 4500 2592 Kdqejn32.exe 96 PID 2592 wrote to memory of 4500 2592 Kdqejn32.exe 96 PID 2592 wrote to memory of 4500 2592 Kdqejn32.exe 96 PID 4500 wrote to memory of 4380 4500 Kfoafi32.exe 97 PID 4500 wrote to memory of 4380 4500 Kfoafi32.exe 97 PID 4500 wrote to memory of 4380 4500 Kfoafi32.exe 97 PID 4380 wrote to memory of 1588 4380 Kimnbd32.exe 98 PID 4380 wrote to memory of 1588 4380 Kimnbd32.exe 98 PID 4380 wrote to memory of 1588 4380 Kimnbd32.exe 98 PID 1588 wrote to memory of 1952 1588 Klljnp32.exe 99 PID 1588 wrote to memory of 1952 1588 Klljnp32.exe 99 PID 1588 wrote to memory of 1952 1588 Klljnp32.exe 99 PID 1952 wrote to memory of 232 1952 Kbfbkj32.exe 100 PID 1952 wrote to memory of 232 1952 Kbfbkj32.exe 100 PID 1952 wrote to memory of 232 1952 Kbfbkj32.exe 100 PID 232 wrote to memory of 1616 232 Kmkfhc32.exe 102 PID 232 wrote to memory of 1616 232 Kmkfhc32.exe 102 PID 232 wrote to memory of 1616 232 Kmkfhc32.exe 102 PID 1616 wrote to memory of 368 1616 Kpjcdn32.exe 103 PID 1616 wrote to memory of 368 1616 Kpjcdn32.exe 103 PID 1616 wrote to memory of 368 1616 Kpjcdn32.exe 103 PID 368 wrote to memory of 4372 368 Kbhoqj32.exe 104 PID 368 wrote to memory of 4372 368 Kbhoqj32.exe 104 PID 368 wrote to memory of 4372 368 Kbhoqj32.exe 104 PID 4372 wrote to memory of 3916 4372 Kefkme32.exe 105 PID 4372 wrote to memory of 3916 4372 Kefkme32.exe 105 PID 4372 wrote to memory of 3916 4372 Kefkme32.exe 105 PID 3916 wrote to memory of 2324 3916 Klqcioba.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe"C:\Users\Admin\AppData\Local\Temp\266feb3bdf94c14a5862f4ba4e6eff9d938a51230369f80e97bd53574b29e771.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe24⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe25⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe26⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Lmbmibhb.exeC:\Windows\system32\Lmbmibhb.exe28⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Ldleel32.exeC:\Windows\system32\Ldleel32.exe29⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe30⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe31⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe32⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe33⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe34⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe35⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Ldanqkki.exeC:\Windows\system32\Ldanqkki.exe36⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe37⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe38⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe39⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe40⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe41⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe42⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe43⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe45⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe46⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe47⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe48⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe49⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe50⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe51⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe53⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe54⤵PID:3148
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe55⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe56⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Migjoaaf.exeC:\Windows\system32\Migjoaaf.exe57⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe58⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe59⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe60⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe61⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe62⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe63⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4024 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe65⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe66⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe67⤵PID:1496
-
C:\Windows\SysWOW64\Ncdgcf32.exeC:\Windows\system32\Ncdgcf32.exe68⤵PID:944
-
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe69⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe70⤵PID:2244
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe71⤵PID:2304
-
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe72⤵PID:4976
-
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe73⤵PID:3904
-
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe74⤵PID:4432
-
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe75⤵PID:1216
-
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe76⤵PID:880
-
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe77⤵PID:5112
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe78⤵PID:748
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe79⤵PID:2028
-
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe80⤵PID:4940
-
C:\Windows\SysWOW64\Oponmilc.exeC:\Windows\system32\Oponmilc.exe81⤵PID:4832
-
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe82⤵PID:4536
-
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3108 -
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe84⤵PID:1436
-
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe85⤵PID:3884
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5144 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe87⤵PID:5220
-
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe88⤵PID:5280
-
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe89⤵PID:5324
-
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe90⤵PID:5364
-
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe91⤵PID:5404
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe92⤵PID:5452
-
C:\Windows\SysWOW64\Onjegled.exeC:\Windows\system32\Onjegled.exe93⤵PID:5488
-
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe94⤵PID:5532
-
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe95⤵PID:5572
-
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe96⤵PID:5620
-
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe97⤵PID:5664
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe98⤵PID:5708
-
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe99⤵PID:5752
-
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe100⤵PID:5792
-
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe101⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe102⤵PID:5876
-
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe103⤵PID:5920
-
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe104⤵PID:5964
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe105⤵PID:6012
-
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe106⤵
- System Location Discovery: System Language Discovery
PID:6052 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe107⤵PID:6096
-
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe108⤵PID:6132
-
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe109⤵PID:5184
-
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe110⤵PID:5264
-
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe111⤵PID:5348
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe112⤵PID:5412
-
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe113⤵PID:5476
-
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe114⤵PID:5568
-
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe115⤵PID:5612
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe116⤵PID:5696
-
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe117⤵PID:5736
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe118⤵PID:5816
-
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe119⤵PID:5900
-
C:\Windows\SysWOW64\Pcbmka32.exeC:\Windows\system32\Pcbmka32.exe120⤵PID:5948
-
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe121⤵PID:6040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-