Analysis
-
max time kernel
106s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-08-2024 19:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c7d09bc9bd4f56705b12fb65cc5b5780N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c7d09bc9bd4f56705b12fb65cc5b5780N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c7d09bc9bd4f56705b12fb65cc5b5780N.exe
-
Size
384KB
-
MD5
c7d09bc9bd4f56705b12fb65cc5b5780
-
SHA1
bf5f48184fa587bad77bbf99c5087776e9ad5b05
-
SHA256
3cf7bf3a4b6fb7afa5576d6175b3a9c3c2570bf3b9d5ac558cbe35839b0d131c
-
SHA512
21b4051353dec85121a7c6a20fbd6492e664935cf4078e4a7ce6b865427d772deffe40cd584a1c13880fd769a895347ebfcf45d93a71c1e861df634bf43d05b0
-
SSDEEP
6144:s2dT08uBqcF+RdB5jw5pui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwY9:s+T08uBbF+FJUpV6yYPI3cpV6yYPZ0Pz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efkphnbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" c7d09bc9bd4f56705b12fb65cc5b5780N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcnmin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gacjadad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbnepe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edmjfifl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcigeooj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjmkoeqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlflabp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djmibn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbmfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oloahhki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gahjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgopidgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objpoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpqkad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffobhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjeanmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmpiiai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqcjepfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cimmggfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbicpfdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofgpikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfgogh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcbnnpka.exe -
Executes dropped EXE 64 IoCs
pid Process 4048 Ajanck32.exe 540 Ageolo32.exe 4076 Ambgef32.exe 2412 Aclpap32.exe 1960 Anadoi32.exe 3936 Acnlgp32.exe 920 Amgapeea.exe 2132 Afoeiklb.exe 1656 Aminee32.exe 708 Agoabn32.exe 3476 Bnhjohkb.exe 404 Bcebhoii.exe 4192 Bmngqdpj.exe 664 Bffkij32.exe 1288 Bmpcfdmg.exe 3768 Bcjlcn32.exe 4328 Bjddphlq.exe 1192 Bclhhnca.exe 4840 Bnbmefbg.exe 1376 Chjaol32.exe 4836 Cndikf32.exe 4296 Cenahpha.exe 2676 Cdabcm32.exe 4064 Cfpnph32.exe 4616 Cfbkeh32.exe 4612 Ceckcp32.exe 3528 Cjpckf32.exe 3188 Ceehho32.exe 5012 Cjbpaf32.exe 4848 Cegdnopg.exe 2232 Dfiafg32.exe 4884 Danecp32.exe 3976 Dhhnpjmh.exe 4200 Dobfld32.exe 936 Dmefhako.exe 2852 Daqbip32.exe 1532 Dhkjej32.exe 4832 Dkifae32.exe 3520 Daconoae.exe 2372 Ddakjkqi.exe 396 Dfpgffpm.exe 4876 Dogogcpo.exe 3840 Daekdooc.exe 2060 Dddhpjof.exe 4816 Dknpmdfc.exe 1440 Doilmc32.exe 1400 Edfdej32.exe 640 Eolhbc32.exe 2648 Eajeon32.exe 224 Ehdmlhcj.exe 3224 Ekbihd32.exe 4636 Eonehbjg.exe 4788 Edknqiho.exe 2192 Ekefmc32.exe 3548 Emcbio32.exe 2212 Edmjfifl.exe 3912 Ekgbccni.exe 1384 Eaakpm32.exe 3220 Edpgli32.exe 1996 Egnchd32.exe 2900 Eoekia32.exe 4980 Eachem32.exe 1648 Fhmpagkp.exe 2208 Fgppmd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ennqfenp.exe Ekodjiol.exe File created C:\Windows\SysWOW64\Jeipof32.dll Aglnbhal.exe File opened for modification C:\Windows\SysWOW64\Fagjfflb.exe Fmlneg32.exe File created C:\Windows\SysWOW64\Hglppijc.dll Iakiia32.exe File created C:\Windows\SysWOW64\Qhmqdemc.exe Qeodhjmo.exe File created C:\Windows\SysWOW64\Kqmkae32.exe Knooej32.exe File created C:\Windows\SysWOW64\Geqnma32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eonehbjg.exe Ekbihd32.exe File created C:\Windows\SysWOW64\Qhonib32.exe Qfpbmfdf.exe File opened for modification C:\Windows\SysWOW64\Ffobhg32.exe Fpejlmcf.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Hibafp32.exe Hgdejd32.exe File opened for modification C:\Windows\SysWOW64\Mebcop32.exe Mnhkbfme.exe File created C:\Windows\SysWOW64\Fbjena32.exe Fpkibf32.exe File created C:\Windows\SysWOW64\Iciaqc32.exe Ipjedh32.exe File opened for modification C:\Windows\SysWOW64\Palklf32.exe Process not Found File created C:\Windows\SysWOW64\Bahdob32.exe Process not Found File created C:\Windows\SysWOW64\Fnebjidl.dll Process not Found File created C:\Windows\SysWOW64\Eiojlkkj.dll Ambgef32.exe File opened for modification C:\Windows\SysWOW64\Gacjadad.exe Gkiaej32.exe File opened for modification C:\Windows\SysWOW64\Idghpmnp.exe Iahlcaol.exe File created C:\Windows\SysWOW64\Fneggdhg.exe Flfkkhid.exe File created C:\Windows\SysWOW64\Pmhbqbae.exe Process not Found File created C:\Windows\SysWOW64\Pfepdg32.exe Process not Found File created C:\Windows\SysWOW64\Dcdepb32.dll Ggilil32.exe File opened for modification C:\Windows\SysWOW64\Knbbep32.exe Kiejmi32.exe File created C:\Windows\SysWOW64\Ebnfbcbc.exe Eppjfgcp.exe File created C:\Windows\SysWOW64\Ohcpka32.dll Addaif32.exe File created C:\Windows\SysWOW64\Iaejbl32.dll Kniieo32.exe File opened for modification C:\Windows\SysWOW64\Akamff32.exe Ahcajk32.exe File created C:\Windows\SysWOW64\Gologg32.dll Jjgchm32.exe File created C:\Windows\SysWOW64\Noeocqni.dll Mefmimif.exe File created C:\Windows\SysWOW64\Liabph32.dll Lgbloglj.exe File created C:\Windows\SysWOW64\Nciopppp.exe Process not Found File created C:\Windows\SysWOW64\Ihpcinld.exe Process not Found File created C:\Windows\SysWOW64\Ejgcaq32.dll Agbkmijg.exe File opened for modification C:\Windows\SysWOW64\Lijlof32.exe Leopnglc.exe File opened for modification C:\Windows\SysWOW64\Hloqml32.exe Gipdap32.exe File created C:\Windows\SysWOW64\Ocaegbjb.dll Ikcmbfcj.exe File created C:\Windows\SysWOW64\Olgncmim.exe Oemefcap.exe File created C:\Windows\SysWOW64\Hodlgn32.dll Process not Found File created C:\Windows\SysWOW64\Dhkjej32.exe Daqbip32.exe File created C:\Windows\SysWOW64\Kpoqijhk.dll Ekgbccni.exe File created C:\Windows\SysWOW64\Pedbahod.exe Ookjdn32.exe File created C:\Windows\SysWOW64\Flqdlnde.exe Fibhpbea.exe File created C:\Windows\SysWOW64\Aphnnafb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pafkgphl.exe Process not Found File created C:\Windows\SysWOW64\Gigheh32.exe Ggilil32.exe File opened for modification C:\Windows\SysWOW64\Meefofek.exe Mnlnbl32.exe File created C:\Windows\SysWOW64\Olaqbelh.dll Cimmggfl.exe File created C:\Windows\SysWOW64\Oidhlb32.exe Objpoh32.exe File opened for modification C:\Windows\SysWOW64\Nndjndbh.exe Ngjbaj32.exe File created C:\Windows\SysWOW64\Cfbcke32.exe Cnkkjh32.exe File created C:\Windows\SysWOW64\Fpgpgfmh.exe Flkdfh32.exe File opened for modification C:\Windows\SysWOW64\Jhifomdj.exe Process not Found File created C:\Windows\SysWOW64\Bdmmeo32.exe Process not Found File created C:\Windows\SysWOW64\Hclkag32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Omdieb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jgakbm32.exe Jiokfpph.exe File created C:\Windows\SysWOW64\Lmmolepp.exe Lnjnqh32.exe File created C:\Windows\SysWOW64\Cnkkjh32.exe Ckmonl32.exe File created C:\Windows\SysWOW64\Jnifpf32.dll Mgphpe32.exe File created C:\Windows\SysWOW64\Dmbbhkjf.exe Dcjnoece.exe File created C:\Windows\SysWOW64\Cbbnpg32.exe Cleegp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11876 10440 Process not Found 1441 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdabcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnagak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaqhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ennqfenp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiffqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaakpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okchnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlambk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifkpknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffobhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceehho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eachem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgakbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbjnbqhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjahe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fielph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqqdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmolepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbceggm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibhpbea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c7d09bc9bd4f56705b12fb65cc5b5780N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenahpha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceckcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ienekbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nomncpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnodaecc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leadnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niooqcad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgicgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbaonae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkdfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aompak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdhon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igfclkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnfihkqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnlhc32.dll" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhajknb.dll" Amodep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glipgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfpgffpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hofmfmhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfgogh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhohnk32.dll" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fhmpagkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mekgdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmoohe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Joiccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfgbl32.dll" Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiogmig.dll" Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfomc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmdhm32.dll" Lbjelc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajcdnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiikeffm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklenm32.dll" Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qqhcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljkifn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchign32.dll" Lqpamb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Daconoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igjeanmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cimcan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoimppcd.dll" Pfgogh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbndfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffclcgfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgbjbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmfplibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gglpibgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jodjhkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaqhj32.dll" Leadnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eolhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cabomkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iddljmpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdkggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpeei32.dll" Dkdliame.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikdcj32.dll" Mmpdhboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgppmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkfgena.dll" Khmknk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mminhceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmpdhboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeapfm32.dll" Afjeceml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmomlnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdkep32.dll" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgagmm32.dll" Qhakoa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1292 wrote to memory of 4048 1292 c7d09bc9bd4f56705b12fb65cc5b5780N.exe 84 PID 1292 wrote to memory of 4048 1292 c7d09bc9bd4f56705b12fb65cc5b5780N.exe 84 PID 1292 wrote to memory of 4048 1292 c7d09bc9bd4f56705b12fb65cc5b5780N.exe 84 PID 4048 wrote to memory of 540 4048 Ajanck32.exe 85 PID 4048 wrote to memory of 540 4048 Ajanck32.exe 85 PID 4048 wrote to memory of 540 4048 Ajanck32.exe 85 PID 540 wrote to memory of 4076 540 Ageolo32.exe 86 PID 540 wrote to memory of 4076 540 Ageolo32.exe 86 PID 540 wrote to memory of 4076 540 Ageolo32.exe 86 PID 4076 wrote to memory of 2412 4076 Ambgef32.exe 87 PID 4076 wrote to memory of 2412 4076 Ambgef32.exe 87 PID 4076 wrote to memory of 2412 4076 Ambgef32.exe 87 PID 2412 wrote to memory of 1960 2412 Aclpap32.exe 88 PID 2412 wrote to memory of 1960 2412 Aclpap32.exe 88 PID 2412 wrote to memory of 1960 2412 Aclpap32.exe 88 PID 1960 wrote to memory of 3936 1960 Anadoi32.exe 89 PID 1960 wrote to memory of 3936 1960 Anadoi32.exe 89 PID 1960 wrote to memory of 3936 1960 Anadoi32.exe 89 PID 3936 wrote to memory of 920 3936 Acnlgp32.exe 90 PID 3936 wrote to memory of 920 3936 Acnlgp32.exe 90 PID 3936 wrote to memory of 920 3936 Acnlgp32.exe 90 PID 920 wrote to memory of 2132 920 Amgapeea.exe 92 PID 920 wrote to memory of 2132 920 Amgapeea.exe 92 PID 920 wrote to memory of 2132 920 Amgapeea.exe 92 PID 2132 wrote to memory of 1656 2132 Afoeiklb.exe 93 PID 2132 wrote to memory of 1656 2132 Afoeiklb.exe 93 PID 2132 wrote to memory of 1656 2132 Afoeiklb.exe 93 PID 1656 wrote to memory of 708 1656 Aminee32.exe 94 PID 1656 wrote to memory of 708 1656 Aminee32.exe 94 PID 1656 wrote to memory of 708 1656 Aminee32.exe 94 PID 708 wrote to memory of 3476 708 Agoabn32.exe 95 PID 708 wrote to memory of 3476 708 Agoabn32.exe 95 PID 708 wrote to memory of 3476 708 Agoabn32.exe 95 PID 3476 wrote to memory of 404 3476 Bnhjohkb.exe 96 PID 3476 wrote to memory of 404 3476 Bnhjohkb.exe 96 PID 3476 wrote to memory of 404 3476 Bnhjohkb.exe 96 PID 404 wrote to memory of 4192 404 Bcebhoii.exe 98 PID 404 wrote to memory of 4192 404 Bcebhoii.exe 98 PID 404 wrote to memory of 4192 404 Bcebhoii.exe 98 PID 4192 wrote to memory of 664 4192 Bmngqdpj.exe 99 PID 4192 wrote to memory of 664 4192 Bmngqdpj.exe 99 PID 4192 wrote to memory of 664 4192 Bmngqdpj.exe 99 PID 664 wrote to memory of 1288 664 Bffkij32.exe 100 PID 664 wrote to memory of 1288 664 Bffkij32.exe 100 PID 664 wrote to memory of 1288 664 Bffkij32.exe 100 PID 1288 wrote to memory of 3768 1288 Bmpcfdmg.exe 101 PID 1288 wrote to memory of 3768 1288 Bmpcfdmg.exe 101 PID 1288 wrote to memory of 3768 1288 Bmpcfdmg.exe 101 PID 3768 wrote to memory of 4328 3768 Bcjlcn32.exe 102 PID 3768 wrote to memory of 4328 3768 Bcjlcn32.exe 102 PID 3768 wrote to memory of 4328 3768 Bcjlcn32.exe 102 PID 4328 wrote to memory of 1192 4328 Bjddphlq.exe 103 PID 4328 wrote to memory of 1192 4328 Bjddphlq.exe 103 PID 4328 wrote to memory of 1192 4328 Bjddphlq.exe 103 PID 1192 wrote to memory of 4840 1192 Bclhhnca.exe 104 PID 1192 wrote to memory of 4840 1192 Bclhhnca.exe 104 PID 1192 wrote to memory of 4840 1192 Bclhhnca.exe 104 PID 4840 wrote to memory of 1376 4840 Bnbmefbg.exe 106 PID 4840 wrote to memory of 1376 4840 Bnbmefbg.exe 106 PID 4840 wrote to memory of 1376 4840 Bnbmefbg.exe 106 PID 1376 wrote to memory of 4836 1376 Chjaol32.exe 107 PID 1376 wrote to memory of 4836 1376 Chjaol32.exe 107 PID 1376 wrote to memory of 4836 1376 Chjaol32.exe 107 PID 4836 wrote to memory of 4296 4836 Cndikf32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7d09bc9bd4f56705b12fb65cc5b5780N.exe"C:\Users\Admin\AppData\Local\Temp\c7d09bc9bd4f56705b12fb65cc5b5780N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe25⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe26⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe28⤵PID:2120
-
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe29⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3188 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe31⤵
- Executes dropped EXE
PID:5012 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe32⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe33⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe34⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe35⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4200 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe37⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe39⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe40⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe42⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe44⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe45⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe46⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe47⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe48⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe49⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe51⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe52⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe54⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe55⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe56⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe57⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3912 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1384 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe61⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe62⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe63⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe67⤵PID:2376
-
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe68⤵PID:2848
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe69⤵PID:1824
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe70⤵PID:3048
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe71⤵PID:1504
-
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe72⤵PID:4864
-
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe73⤵PID:3540
-
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe74⤵PID:5064
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe75⤵PID:2608
-
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe76⤵PID:4992
-
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe77⤵PID:3524
-
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe78⤵PID:4624
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe79⤵PID:3348
-
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe80⤵PID:1800
-
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe81⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe82⤵PID:2052
-
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe83⤵PID:5144
-
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe84⤵PID:5188
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe85⤵PID:5232
-
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe86⤵
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe87⤵PID:5328
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe88⤵PID:5412
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe89⤵PID:5476
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe90⤵PID:5532
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe91⤵PID:5576
-
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe92⤵PID:5632
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe93⤵PID:5708
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe94⤵PID:5784
-
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe95⤵PID:5828
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe96⤵PID:5880
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe97⤵PID:5932
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe98⤵PID:5980
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe99⤵PID:6040
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe100⤵PID:6084
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe102⤵PID:5172
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe103⤵PID:5240
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe104⤵PID:5316
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe105⤵PID:5420
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe106⤵PID:5496
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe107⤵PID:5572
-
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe108⤵
- System Location Discovery: System Language Discovery
PID:5672 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe109⤵PID:5792
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe110⤵PID:4560
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe111⤵PID:5920
-
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe112⤵PID:5996
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe113⤵PID:6076
-
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe114⤵PID:6140
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe115⤵PID:5220
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe116⤵PID:5348
-
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe117⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe118⤵PID:5492
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe119⤵PID:5584
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5776 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe121⤵PID:5868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-