Analysis

max time kernel: 117s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-08-2024 18:26

Static task: static1

Behavioral task: behavioral1
Sample: 58645874f16f6ec9643802b2de2046d0N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 58645874f16f6ec9643802b2de2046d0N.exe
Resource: win10v2004-20240802-en

General

Target: 58645874f16f6ec9643802b2de2046d0N.exe
Size: 96KB
MD5: 58645874f16f6ec9643802b2de2046d0
SHA1: 8df09ae8d28be05ee5b1b9cc2542806b89fa3eeb
SHA256: 391a3cbf570af55ad5cde5f39a44ed01a30b1e60a6981f967280be97afb42866
SHA512: 76146fdcbbd85730d3ddd3ffe4f9cf5186a47670fab42346295fe8d58f8948f59ef489eb4e9cc68722c965b063135a6080cc2642bb6fe32890fb78f10962e61b
SSDEEP: 1536:Ym7vk367U/L98NzvDHYMPghy0BBIzJzyu03houx0keDuduV9jojTIvjrH:lkK7U/L98BvDHYMe/IZyP3hosdBd69j1
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 11904, pid_target: 11828, Process: Process not Found, procid_target: 1242
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4232 wrote to memory of 1448 4232 58645874f16f6ec9643802b2de2046d0N.exe 93
PID 4232 wrote to memory of 1448 4232 58645874f16f6ec9643802b2de2046d0N.exe 93
PID 4232 wrote to memory of 1448 4232 58645874f16f6ec9643802b2de2046d0N.exe 93
PID 1448 wrote to memory of 1436 1448 Kfhkak32.exe 94
PID 1448 wrote to memory of 1436 1448 Kfhkak32.exe 94
PID 1448 wrote to memory of 1436 1448 Kfhkak32.exe 94
PID 1436 wrote to memory of 4440 1436 Klddjb32.exe 95
PID 1436 wrote to memory of 4440 1436 Klddjb32.exe 95
PID 1436 wrote to memory of 4440 1436 Klddjb32.exe 95
PID 4440 wrote to memory of 4400 4440 Kfjhgk32.exe 96
PID 4440 wrote to memory of 4400 4440 Kfjhgk32.exe 96
PID 4440 wrote to memory of 4400 4440 Kfjhgk32.exe 96
PID 4400 wrote to memory of 3024 4400 Kmdqde32.exe 97
PID 4400 wrote to memory of 3024 4400 Kmdqde32.exe 97
PID 4400 wrote to memory of 3024 4400 Kmdqde32.exe 97
PID 3024 wrote to memory of 1652 3024 Lbqill32.exe 98
PID 3024 wrote to memory of 1652 3024 Lbqill32.exe 98
PID 3024 wrote to memory of 1652 3024 Lbqill32.exe 98
PID 1652 wrote to memory of 4604 1652 Lmfmid32.exe 99
PID 1652 wrote to memory of 4604 1652 Lmfmid32.exe 99
PID 1652 wrote to memory of 4604 1652 Lmfmid32.exe 99
PID 4604 wrote to memory of 1644 4604 Lpeifp32.exe 100
PID 4604 wrote to memory of 1644 4604 Lpeifp32.exe 100
PID 4604 wrote to memory of 1644 4604 Lpeifp32.exe 100
PID 1644 wrote to memory of 4968 1644 Leabng32.exe 101
PID 1644 wrote to memory of 4968 1644 Leabng32.exe 101
PID 1644 wrote to memory of 4968 1644 Leabng32.exe 101
PID 4968 wrote to memory of 2620 4968 Lmijod32.exe 102
PID 4968 wrote to memory of 2620 4968 Lmijod32.exe 102
PID 4968 wrote to memory of 2620 4968 Lmijod32.exe 102
PID 2620 wrote to memory of 3948 2620 Lfanhj32.exe 103
PID 2620 wrote to memory of 3948 2620 Lfanhj32.exe 103
PID 2620 wrote to memory of 3948 2620 Lfanhj32.exe 103
PID 3948 wrote to memory of 3716 3948 Ledocfnp.exe 105
PID 3948 wrote to memory of 3716 3948 Ledocfnp.exe 105
PID 3948 wrote to memory of 3716 3948 Ledocfnp.exe 105
PID 3716 wrote to memory of 1504 3716 Ldeoan32.exe 106
PID 3716 wrote to memory of 1504 3716 Ldeoan32.exe 106
PID 3716 wrote to memory of 1504 3716 Ldeoan32.exe 106
PID 1504 wrote to memory of 1920 1504 Libgje32.exe 107
PID 1504 wrote to memory of 1920 1504 Libgje32.exe 107
PID 1504 wrote to memory of 1920 1504 Libgje32.exe 107
PID 1920 wrote to memory of 4628 1920 Lbjlbj32.exe 109
PID 1920 wrote to memory of 4628 1920 Lbjlbj32.exe 109
PID 1920 wrote to memory of 4628 1920 Lbjlbj32.exe 109
PID 4628 wrote to memory of 1944 4628 Lmpppc32.exe 110
PID 4628 wrote to memory of 1944 4628 Lmpppc32.exe 110
PID 4628 wrote to memory of 1944 4628 Lmpppc32.exe 110
PID 1944 wrote to memory of 3780 1944 Mclhhj32.exe 111
PID 1944 wrote to memory of 3780 1944 Mclhhj32.exe 111
PID 1944 wrote to memory of 3780 1944 Mclhhj32.exe 111
PID 3780 wrote to memory of 2804 3780 Mifqedpq.exe 112
PID 3780 wrote to memory of 2804 3780 Mifqedpq.exe 112
PID 3780 wrote to memory of 2804 3780 Mifqedpq.exe 112
PID 2804 wrote to memory of 2340 2804 Mlemapod.exe 113
PID 2804 wrote to memory of 2340 2804 Mlemapod.exe 113
PID 2804 wrote to memory of 2340 2804 Mlemapod.exe 113
PID 2340 wrote to memory of 2464 2340 Mgjanh32.exe 115
PID 2340 wrote to memory of 2464 2340 Mgjanh32.exe 115
PID 2340 wrote to memory of 2464 2340 Mgjanh32.exe 115
PID 2464 wrote to memory of 592 2464 Mpcegnek.exe 116
PID 2464 wrote to memory of 592 2464 Mpcegnek.exe 116
PID 2464 wrote to memory of 592 2464 Mpcegnek.exe 116
PID 592 wrote to memory of 4868 592 Mepnoecb.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\58645874f16f6ec9643802b2de2046d0N.exe  "C:\Users\Admin\AppData\Local\Temp\58645874f16f6ec9643802b2de2046d0N.exe"  1⤵
- Suspicious use of WriteProcessMemory
PID:4232
-
C:\Windows\SysWOW64\Kfhkak32.exe  C:\Windows\system32\Kfhkak32.exe  2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448
-
C:\Windows\SysWOW64\Klddjb32.exe  C:\Windows\system32\Klddjb32.exe  3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436
-
C:\Windows\SysWOW64\Kfjhgk32.exe  C:\Windows\system32\Kfjhgk32.exe  4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440
-
C:\Windows\SysWOW64\Kmdqde32.exe  C:\Windows\system32\Kmdqde32.exe  5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400
-
C:\Windows\SysWOW64\Lbqill32.exe  C:\Windows\system32\Lbqill32.exe  6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3024
-
C:\Windows\SysWOW64\Lmfmid32.exe  C:\Windows\system32\Lmfmid32.exe  7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652
-
C:\Windows\SysWOW64\Lpeifp32.exe  C:\Windows\system32\Lpeifp32.exe  8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604
-
C:\Windows\SysWOW64\Leabng32.exe  C:\Windows\system32\Leabng32.exe  9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644
-
C:\Windows\SysWOW64\Lmijod32.exe  C:\Windows\system32\Lmijod32.exe  10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968
-
C:\Windows\SysWOW64\Lfanhj32.exe  C:\Windows\system32\Lfanhj32.exe  11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620
-
C:\Windows\SysWOW64\Ledocfnp.exe  C:\Windows\system32\Ledocfnp.exe  12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948
-
C:\Windows\SysWOW64\Ldeoan32.exe  C:\Windows\system32\Ldeoan32.exe  13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716
-
C:\Windows\SysWOW64\Libgje32.exe  C:\Windows\system32\Libgje32.exe  14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504
-
C:\Windows\SysWOW64\Lbjlbj32.exe  C:\Windows\system32\Lbjlbj32.exe  15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920
-
C:\Windows\SysWOW64\Lmpppc32.exe  C:\Windows\system32\Lmpppc32.exe  16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628
-
C:\Windows\SysWOW64\Mclhhj32.exe  C:\Windows\system32\Mclhhj32.exe  17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944
-
C:\Windows\SysWOW64\Mifqedpq.exe  C:\Windows\system32\Mifqedpq.exe  18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780
-
C:\Windows\SysWOW64\Mlemapod.exe  C:\Windows\system32\Mlemapod.exe  19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
-
C:\Windows\SysWOW64\Mgjanh32.exe  C:\Windows\system32\Mgjanh32.exe  20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340
-
C:\Windows\SysWOW64\Mpcegnek.exe  C:\Windows\system32\Mpcegnek.exe  21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464
-
C:\Windows\SysWOW64\Mepnoecb.exe  C:\Windows\system32\Mepnoecb.exe  22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592
-
C:\Windows\SysWOW64\Mpebmnch.exe  C:\Windows\system32\Mpebmnch.exe  23⤵
- Executes dropped EXE
PID:4868
-
C:\Windows\SysWOW64\Mgokihke.exe  C:\Windows\system32\Mgokihke.exe  24⤵
- Executes dropped EXE
PID:2984
-
C:\Windows\SysWOW64\Mmicfb32.exe  C:\Windows\system32\Mmicfb32.exe  25⤵
- Executes dropped EXE
PID:4840
-
C:\Windows\SysWOW64\Mcfkni32.exe  C:\Windows\system32\Mcfkni32.exe  26⤵
- Executes dropped EXE
PID:4580
-
C:\Windows\SysWOW64\Nnkpla32.exe  C:\Windows\system32\Nnkpla32.exe  27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3316
-
C:\Windows\SysWOW64\Npjlhm32.exe  C:\Windows\system32\Npjlhm32.exe  28⤵
- Executes dropped EXE
PID:3688
-
C:\Windows\SysWOW64\Nchhdh32.exe  C:\Windows\system32\Nchhdh32.exe  29⤵
- Executes dropped EXE
PID:2312
-
C:\Windows\SysWOW64\Nlqlmn32.exe  C:\Windows\system32\Nlqlmn32.exe  30⤵
- Executes dropped EXE
PID:5036
-
C:\Windows\SysWOW64\Neiaeckg.exe  C:\Windows\system32\Neiaeckg.exe  31⤵
- Executes dropped EXE
PID:4824
-
C:\Windows\SysWOW64\Npoeclkn.exe  C:\Windows\system32\Npoeclkn.exe  32⤵
- Executes dropped EXE
PID:2696
-
C:\Windows\SysWOW64\Nghmpf32.exe  C:\Windows\system32\Nghmpf32.exe  33⤵
- Executes dropped EXE
PID:1824
-
C:\Windows\SysWOW64\Nnbelq32.exe  C:\Windows\system32\Nnbelq32.exe  34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4924
-
C:\Windows\SysWOW64\Ndlnikad.exe  C:\Windows\system32\Ndlnikad.exe  35⤵
- Executes dropped EXE
PID:4624
-
C:\Windows\SysWOW64\Ncondg32.exe  C:\Windows\system32\Ncondg32.exe  36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1424
-
C:\Windows\SysWOW64\Njifaapk.exe  C:\Windows\system32\Njifaapk.exe  37⤵
- Executes dropped EXE
PID:2836
-
C:\Windows\SysWOW64\Nlgbmmoo.exe  C:\Windows\system32\Nlgbmmoo.exe  38⤵
- Executes dropped EXE
- Modifies registry class
PID:2060
-
C:\Windows\SysWOW64\Ngmgkfoe.exe  C:\Windows\system32\Ngmgkfoe.exe  39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:672
-
C:\Windows\SysWOW64\Ongogpfb.exe  C:\Windows\system32\Ongogpfb.exe  40⤵
- Executes dropped EXE
PID:4100
-
C:\Windows\SysWOW64\Ocdgpgdi.exe  C:\Windows\system32\Ocdgpgdi.exe  41⤵
- Executes dropped EXE
PID:216
-
C:\Windows\SysWOW64\Ofbdlbcm.exe  C:\Windows\system32\Ofbdlbcm.exe  42⤵
- Executes dropped EXE
PID:2304
-
C:\Windows\SysWOW64\Onilmpdo.exe  C:\Windows\system32\Onilmpdo.exe  43⤵
- Executes dropped EXE
PID:1280
-
C:\Windows\SysWOW64\Odcdij32.exe  C:\Windows\system32\Odcdij32.exe  44⤵
- Executes dropped EXE
PID:3308
-
C:\Windows\SysWOW64\Ofdqabaj.exe  C:\Windows\system32\Ofdqabaj.exe  45⤵
- Executes dropped EXE
PID:452
-
C:\Windows\SysWOW64\Oloinlig.exe  C:\Windows\system32\Oloinlig.exe  46⤵
- Executes dropped EXE
PID:4496
-
C:\Windows\SysWOW64\Ogdmkdhm.exe  C:\Windows\system32\Ogdmkdhm.exe  47⤵
- Executes dropped EXE
PID:2580
-
C:\Windows\SysWOW64\Onneho32.exe  C:\Windows\system32\Onneho32.exe  48⤵
- Executes dropped EXE
PID:952
-
C:\Windows\SysWOW64\Odhmdigf.exe  C:\Windows\system32\Odhmdigf.exe  49⤵
- Executes dropped EXE
PID:2284
-
C:\Windows\SysWOW64\Ofijla32.exe  C:\Windows\system32\Ofijla32.exe  50⤵
- Executes dropped EXE
PID:4356
-
C:\Windows\SysWOW64\Onqbno32.exe  C:\Windows\system32\Onqbno32.exe  51⤵
- Executes dropped EXE
PID:1776
-
C:\Windows\SysWOW64\Ocmjfelo.exe  C:\Windows\system32\Ocmjfelo.exe  52⤵
- Executes dropped EXE
PID:4584
-
C:\Windows\SysWOW64\Pflfbqkb.exe  C:\Windows\system32\Pflfbqkb.exe  53⤵
- Executes dropped EXE
PID:3484
-
C:\Windows\SysWOW64\Pqakojkh.exe  C:\Windows\system32\Pqakojkh.exe  54⤵
- Executes dropped EXE
PID:4068
-
C:\Windows\SysWOW64\Pfncgqip.exe  C:\Windows\system32\Pfncgqip.exe  55⤵
- Executes dropped EXE
PID:4144
-
C:\Windows\SysWOW64\Pqcgeiie.exe  C:\Windows\system32\Pqcgeiie.exe  56⤵
- Executes dropped EXE
PID:3864
-
C:\Windows\SysWOW64\Pfppmp32.exe  C:\Windows\system32\Pfppmp32.exe  57⤵
- Executes dropped EXE
PID:4876
-
C:\Windows\SysWOW64\Pjllnopf.exe  C:\Windows\system32\Pjllnopf.exe  58⤵
- Executes dropped EXE
PID:3008
-
C:\Windows\SysWOW64\Pqfdji32.exe  C:\Windows\system32\Pqfdji32.exe  59⤵
- Executes dropped EXE
PID:1036
-
C:\Windows\SysWOW64\Pjnicomc.exe  C:\Windows\system32\Pjnicomc.exe  60⤵
- Executes dropped EXE
PID:2024
-
C:\Windows\SysWOW64\Pmmeojmg.exe  C:\Windows\system32\Pmmeojmg.exe  61⤵
- Executes dropped EXE
PID:1444
-
C:\Windows\SysWOW64\Pcgmld32.exe  C:\Windows\system32\Pcgmld32.exe  62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472
-
C:\Windows\SysWOW64\Pjqein32.exe  C:\Windows\system32\Pjqein32.exe  63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3612
-
C:\Windows\SysWOW64\Pmoaei32.exe  C:\Windows\system32\Pmoaei32.exe  64⤵
- Executes dropped EXE
PID:1440
-
C:\Windows\SysWOW64\Qgdfbb32.exe  C:\Windows\system32\Qgdfbb32.exe  65⤵
- Executes dropped EXE
PID:1136
-
C:\Windows\SysWOW64\Qnonolag.exe  C:\Windows\system32\Qnonolag.exe  66⤵
PID:5144
-
C:\Windows\SysWOW64\Qdhfkf32.exe  C:\Windows\system32\Qdhfkf32.exe  67⤵
PID:5184
-
C:\Windows\SysWOW64\Qggbhbhh.exe  C:\Windows\system32\Qggbhbhh.exe  68⤵
PID:5228
-
C:\Windows\SysWOW64\Qjeodmgk.exe  C:\Windows\system32\Qjeodmgk.exe  69⤵
PID:5268
-
C:\Windows\SysWOW64\Qqogqg32.exe  C:\Windows\system32\Qqogqg32.exe  70⤵
PID:5308
-
C:\Windows\SysWOW64\Ajhlimei.exe  C:\Windows\system32\Ajhlimei.exe  71⤵
PID:5348
-
C:\Windows\SysWOW64\Aqadfg32.exe  C:\Windows\system32\Aqadfg32.exe  72⤵
PID:5388
-
C:\Windows\SysWOW64\Agllcadb.exe  C:\Windows\system32\Agllcadb.exe  73⤵
PID:5428
-
C:\Windows\SysWOW64\Anedpklo.exe  C:\Windows\system32\Anedpklo.exe  74⤵
PID:5468
-
C:\Windows\SysWOW64\Aqdqlgkc.exe  C:\Windows\system32\Aqdqlgkc.exe  75⤵
PID:5508
-
C:\Windows\SysWOW64\Acbmhbjf.exe  C:\Windows\system32\Acbmhbjf.exe  76⤵
PID:5548
-
C:\Windows\SysWOW64\Afqidnij.exe  C:\Windows\system32\Afqidnij.exe  77⤵
- Drops file in System32 directory
PID:5592
-
C:\Windows\SysWOW64\Amkaqh32.exe  C:\Windows\system32\Amkaqh32.exe  78⤵
PID:5640
-
C:\Windows\SysWOW64\Afcfimgg.exe  C:\Windows\system32\Afcfimgg.exe  79⤵
PID:5684
-
C:\Windows\SysWOW64\Ajoajl32.exe  C:\Windows\system32\Ajoajl32.exe  80⤵
PID:5724
-
C:\Windows\SysWOW64\Aedfgeof.exe  C:\Windows\system32\Aedfgeof.exe  81⤵
PID:5764
-
C:\Windows\SysWOW64\Agbbcpnj.exe  C:\Windows\system32\Agbbcpnj.exe  82⤵
PID:5816
-
C:\Windows\SysWOW64\Anmjpj32.exe  C:\Windows\system32\Anmjpj32.exe  83⤵
PID:5864
-
C:\Windows\SysWOW64\Bgeoiplh.exe  C:\Windows\system32\Bgeoiplh.exe  84⤵
PID:5908
-
C:\Windows\SysWOW64\Bmagag32.exe  C:\Windows\system32\Bmagag32.exe  85⤵
PID:5952
-
C:\Windows\SysWOW64\Bflhplom.exe  C:\Windows\system32\Bflhplom.exe  86⤵
- Drops file in System32 directory
PID:5996
-
C:\Windows\SysWOW64\Bmfqlf32.exe  C:\Windows\system32\Bmfqlf32.exe  87⤵
PID:6044
-
C:\Windows\SysWOW64\Bccfop32.exe  C:\Windows\system32\Bccfop32.exe  88⤵
PID:6088
-
C:\Windows\SysWOW64\Bagfhd32.exe  C:\Windows\system32\Bagfhd32.exe  89⤵
PID:6136
-
C:\Windows\SysWOW64\Cnkfahig.exe  C:\Windows\system32\Cnkfahig.exe  90⤵
- System Location Discovery: System Language Discovery
PID:5192
-
C:\Windows\SysWOW64\Chckjn32.exe  C:\Windows\system32\Chckjn32.exe  91⤵
PID:5260
-
C:\Windows\SysWOW64\Cmpcbe32.exe  C:\Windows\system32\Cmpcbe32.exe  92⤵
- Drops file in System32 directory
PID:5356
-
C:\Windows\SysWOW64\Ceglcb32.exe  C:\Windows\system32\Ceglcb32.exe  93⤵
- System Location Discovery: System Language Discovery
PID:5476
-
C:\Windows\SysWOW64\Chehpnne.exe  C:\Windows\system32\Chehpnne.exe  94⤵
PID:5524
-
C:\Windows\SysWOW64\Cjddlimi.exe  C:\Windows\system32\Cjddlimi.exe  95⤵
PID:5636
-
C:\Windows\SysWOW64\Canlic32.exe  C:\Windows\system32\Canlic32.exe  96⤵
PID:5712
-
C:\Windows\SysWOW64\Cdlheo32.exe  C:\Windows\system32\Cdlheo32.exe  97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808
-
C:\Windows\SysWOW64\Cjfqaikf.exe  C:\Windows\system32\Cjfqaikf.exe  98⤵
PID:5876
-
C:\Windows\SysWOW64\Cfmafjqj.exe  C:\Windows\system32\Cfmafjqj.exe  99⤵
PID:5944
-
C:\Windows\SysWOW64\Ddabpnod.exe  C:\Windows\system32\Ddabpnod.exe  100⤵
PID:6016
-
C:\Windows\SysWOW64\Daebibnm.exe  C:\Windows\system32\Daebibnm.exe  101⤵
PID:6084
-
C:\Windows\SysWOW64\Djmgbhen.exe  C:\Windows\system32\Djmgbhen.exe  102⤵
- System Location Discovery: System Language Discovery
PID:6132
-
C:\Windows\SysWOW64\Ddekkm32.exe  C:\Windows\system32\Ddekkm32.exe  103⤵
- Modifies registry class
PID:5216
-
C:\Windows\SysWOW64\Dhagllch.exe  C:\Windows\system32\Dhagllch.exe  104⤵
PID:5304
-
C:\Windows\SysWOW64\Domlnfib.exe  C:\Windows\system32\Domlnfib.exe  105⤵
- Drops file in System32 directory
PID:5516
-
C:\Windows\SysWOW64\Dopicego.exe  C:\Windows\system32\Dopicego.exe  106⤵
PID:5628
-
C:\Windows\SysWOW64\Eejapp32.exe  C:\Windows\system32\Eejapp32.exe  107⤵
PID:5812
-
C:\Windows\SysWOW64\Emefdblg.exe  C:\Windows\system32\Emefdblg.exe  108⤵
PID:5900
-
C:\Windows\SysWOW64\Ehjjbkkm.exe  C:\Windows\system32\Ehjjbkkm.exe  109⤵
PID:5988
-
C:\Windows\SysWOW64\Eodboe32.exe  C:\Windows\system32\Eodboe32.exe  110⤵
- Modifies registry class
PID:6076
-
C:\Windows\SysWOW64\Emgbjajd.exe  C:\Windows\system32\Emgbjajd.exe  111⤵
PID:5168
-
C:\Windows\SysWOW64\Ehmggjij.exe  C:\Windows\system32\Ehmggjij.exe  112⤵
PID:5452
-
C:\Windows\SysWOW64\Egbdhgnb.exe  C:\Windows\system32\Egbdhgnb.exe  113⤵
- Modifies registry class
PID:5608
-
C:\Windows\SysWOW64\Ekpmoe32.exe  C:\Windows\system32\Ekpmoe32.exe  114⤵
PID:5856
-
C:\Windows\SysWOW64\Fdhagk32.exe  C:\Windows\system32\Fdhagk32.exe  115⤵
PID:4256
-
C:\Windows\SysWOW64\Fkbidebf.exe  C:\Windows\system32\Fkbidebf.exe  116⤵
PID:5172
-
C:\Windows\SysWOW64\Foneec32.exe  C:\Windows\system32\Foneec32.exe  117⤵
PID:5484
-
C:\Windows\SysWOW64\Fncbfppg.exe  C:\Windows\system32\Fncbfppg.exe  118⤵
- Modifies registry class
PID:5836
-
C:\Windows\SysWOW64\Fobopcgj.exe  C:\Windows\system32\Fobopcgj.exe  119⤵
PID:6024
-
C:\Windows\SysWOW64\Felgmm32.exe  C:\Windows\system32\Felgmm32.exe  120⤵
- Modifies registry class
PID:5408
-
C:\Windows\SysWOW64\Fhkcih32.exe  C:\Windows\system32\Fhkcih32.exe  121⤵
PID:6004
-
C:\Windows\SysWOW64\Fnhlao32.exe  C:\Windows\system32\Fnhlao32.exe  122⤵
PID:5624