Analysis
-
max time kernel
109s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01/09/2024, 03:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d135273ce4f2db77959d1358b8d2c200N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d135273ce4f2db77959d1358b8d2c200N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d135273ce4f2db77959d1358b8d2c200N.exe
-
Size
71KB
-
MD5
d135273ce4f2db77959d1358b8d2c200
-
SHA1
ac2d87c08f7652a4b112ddcbf3a14f22236176c5
-
SHA256
ea3972c51dc72a8033772a7cf3edf6863a642ade6e9c8d15194b58c4ea43a5f3
-
SHA512
d3536d5e2b304bdbae2e9385baa4d19b204ba9901a2a2e60bfb355198bb53dd59de3f87a76f16934e5b0fe1c3af048b67b522fbbc445fe664b822e36684e79a9
-
SSDEEP
1536:6fb867meOk1AizFkv3bCS2vOT+a7r2L67RZObZUS:686jOk1As04jn6ClUS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jilfifme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndgfpbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jepjhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnahdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfefkkqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgcfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jngbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlcjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efccmidp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naecop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdcbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahilmoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckboblp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monjjgkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edionhpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiloco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poajkgnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadiiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiahnnph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmdgikhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbccge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmfeidbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhlhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qachgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbenoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfjola32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdmbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbibfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pamiaboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eclmamod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cihclh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkofa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfppabl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfmmplad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejqldci.exe -
Executes dropped EXE 64 IoCs
pid Process 672 Laqhhi32.exe 2240 Lgkpdcmi.exe 3352 Lndham32.exe 2400 Leopnglc.exe 2132 Lhmmjbkf.exe 312 Mngegmbc.exe 1680 Meamcg32.exe 4572 Mhoipb32.exe 744 Mniallpq.exe 4780 Mecjif32.exe 2560 Mhafeb32.exe 4984 Mnlnbl32.exe 4484 Meefofek.exe 4160 Mlpokp32.exe 5068 Mnnkgl32.exe 4312 Mehcdfch.exe 4784 Mhfppabl.exe 3312 Mnphmkji.exe 3396 Maodigil.exe 1692 Mhilfa32.exe 3012 Nobdbkhf.exe 4952 Nbnpcj32.exe 1428 Nihipdhl.exe 756 Nlfelogp.exe 1880 Nacmdf32.exe 3592 Nklbmllg.exe 4500 Nafjjf32.exe 2612 Nhpbfpka.exe 4800 Nojjcj32.exe 3380 Neccpd32.exe 1756 Nhbolp32.exe 4804 Nbgcih32.exe 3800 Nefped32.exe 4136 Nhdlao32.exe 3564 Okchnk32.exe 2620 Objpoh32.exe 1200 Oidhlb32.exe 4664 Ohghgodi.exe 4624 Ooqqdi32.exe 2196 Oblmdhdo.exe 1424 Oifeab32.exe 1804 Oldamm32.exe 1316 Oocmii32.exe 3164 Oaajed32.exe 2324 Oihagaji.exe 4928 Okjnnj32.exe 1168 Obafpg32.exe 3868 Oeoblb32.exe 4892 Olijhmgj.exe 1216 Oklkdi32.exe 4452 Oafcqcea.exe 1604 Oimkbaed.exe 3652 Pllgnl32.exe 4520 Pojcjh32.exe 1704 Pahpfc32.exe 4060 Pedlgbkh.exe 4436 Plndcl32.exe 1976 Polppg32.exe 4640 Pchlpfjb.exe 1372 Pefhlaie.exe 972 Plpqil32.exe 2840 Pamiaboj.exe 2428 Pidabppl.exe 5020 Plbmokop.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ofimgb32.dll Plbmokop.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Mkmkkjko.exe File opened for modification C:\Windows\SysWOW64\Eofgpikj.exe Emhkdmlg.exe File created C:\Windows\SysWOW64\Ncbafoge.exe Njjmni32.exe File created C:\Windows\SysWOW64\Hfaajnfb.exe Gbeejp32.exe File created C:\Windows\SysWOW64\Opngmi32.dll Cihclh32.exe File created C:\Windows\SysWOW64\Lhlgfb32.dll Hdokdg32.exe File created C:\Windows\SysWOW64\Jqknkedi.exe Jjafok32.exe File opened for modification C:\Windows\SysWOW64\Bheplb32.exe Bffcpg32.exe File created C:\Windows\SysWOW64\Akcaoeoo.dll Ebgpad32.exe File created C:\Windows\SysWOW64\Ncchae32.exe Npgmpf32.exe File created C:\Windows\SysWOW64\Cmakeiil.dll Nhpbfpka.exe File opened for modification C:\Windows\SysWOW64\Ahqddk32.exe Qebhhp32.exe File created C:\Windows\SysWOW64\Occgpjdk.dll Hcpojd32.exe File opened for modification C:\Windows\SysWOW64\Jcdjbk32.exe Johnamkm.exe File created C:\Windows\SysWOW64\Eeccjdie.dll Kofkbk32.exe File opened for modification C:\Windows\SysWOW64\Djcoai32.exe Dblgpl32.exe File opened for modification C:\Windows\SysWOW64\Mccfdmmo.exe Madjhb32.exe File created C:\Windows\SysWOW64\Hlmkgk32.dll Aahbbkaq.exe File opened for modification C:\Windows\SysWOW64\Oaifpi32.exe Omnjojpo.exe File opened for modification C:\Windows\SysWOW64\Meamcg32.exe Mngegmbc.exe File created C:\Windows\SysWOW64\Dpnkdq32.exe Diccgfpd.exe File created C:\Windows\SysWOW64\Ipoopgnf.exe Ilccoh32.exe File created C:\Windows\SysWOW64\Didmdo32.dll Ilnbicff.exe File created C:\Windows\SysWOW64\Geqnma32.dll Aknbkjfh.exe File opened for modification C:\Windows\SysWOW64\Oafcqcea.exe Oklkdi32.exe File opened for modification C:\Windows\SysWOW64\Pemomqcn.exe Pcobaedj.exe File created C:\Windows\SysWOW64\Gofdmmgd.dll Bnmoijje.exe File created C:\Windows\SysWOW64\Hoaojp32.exe Hpnoncim.exe File opened for modification C:\Windows\SysWOW64\Dglkoeio.exe Dndgfpbo.exe File opened for modification C:\Windows\SysWOW64\Neccpd32.exe Nojjcj32.exe File created C:\Windows\SysWOW64\Hkfglb32.exe Hcpojd32.exe File created C:\Windows\SysWOW64\Jkakadbk.dll Ccgjopal.exe File created C:\Windows\SysWOW64\Ngckdnpn.dll Gkaclqkk.exe File opened for modification C:\Windows\SysWOW64\Hefnkkkj.exe Hfcnpn32.exe File opened for modification C:\Windows\SysWOW64\Panhbfep.exe Phfcipoo.exe File opened for modification C:\Windows\SysWOW64\Obnehj32.exe Oophlo32.exe File created C:\Windows\SysWOW64\Nkddkljd.dll Mhfppabl.exe File created C:\Windows\SysWOW64\Nhbolp32.exe Neccpd32.exe File created C:\Windows\SysWOW64\Cbphdn32.exe Ccmgiaig.exe File created C:\Windows\SysWOW64\Lpamfo32.dll Adndoe32.exe File created C:\Windows\SysWOW64\Dmennnni.exe Ddnfmqng.exe File opened for modification C:\Windows\SysWOW64\Hejqldci.exe Hlblcn32.exe File created C:\Windows\SysWOW64\Jjdejk32.dll Hginecde.exe File opened for modification C:\Windows\SysWOW64\Jjlmclqa.exe Jcbdgb32.exe File created C:\Windows\SysWOW64\Dnbjkgmg.dll Jepjhg32.exe File created C:\Windows\SysWOW64\Gejain32.dll Oplfkeob.exe File opened for modification C:\Windows\SysWOW64\Ofhknodl.exe Opnbae32.exe File created C:\Windows\SysWOW64\Dafppp32.exe Chnlgjlb.exe File created C:\Windows\SysWOW64\Ccmgiaig.exe Ckfphc32.exe File created C:\Windows\SysWOW64\Knalji32.exe Kkconn32.exe File created C:\Windows\SysWOW64\Lenicahg.exe Lqbncb32.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe Mnjqmpgg.exe File created C:\Windows\SysWOW64\Npiiffqe.exe Nmkmjjaa.exe File created C:\Windows\SysWOW64\Diccgfpd.exe Dfefkkqp.exe File created C:\Windows\SysWOW64\Gbdoof32.exe Gpecbk32.exe File opened for modification C:\Windows\SysWOW64\Lklbdm32.exe Kdbjhbbd.exe File created C:\Windows\SysWOW64\Dkceokii.exe Dmadco32.exe File created C:\Windows\SysWOW64\Bpcaaeme.dll Qdaniq32.exe File opened for modification C:\Windows\SysWOW64\Ijcjmmil.exe Ikpjbq32.exe File created C:\Windows\SysWOW64\Qcjdoc32.dll Kdbjhbbd.exe File opened for modification C:\Windows\SysWOW64\Dfglfdkb.exe Dbkqfe32.exe File created C:\Windows\SysWOW64\Eojiqb32.exe Ehpadhll.exe File created C:\Windows\SysWOW64\Aiffheej.dll Bojomm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4632 2312 WerFault.exe 1010 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekgfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmbjgpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgeenfog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokbgpeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meefofek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcfahbpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkffkhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcobaedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halhfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbean32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoadlfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbphg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkknogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiildio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndgfpbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnphmkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjdmbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimkbaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knalji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbbqpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiigadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joahqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgflcifg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcjmmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknqoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaagkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gldglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpclce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblgpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaajed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epikpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhgkgijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfheof32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjbcakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnipbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahici32.dll" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfmcmai.dll" Cbfgkffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilfennic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Higjaoci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjafgpmo.dll" Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obqhpfck.dll" Mfhbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oophlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjlcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jenmcggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfeeabda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npepkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojajin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfojdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhbolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlkdj32.dll" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll" Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmalne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbcke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kadpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mehcdfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahqddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnhenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkakfla.dll" Lgpoihnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll" Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalipoiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhfppabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooqqdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmalne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkafocc.dll" Ilmmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" Ckmonl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnbicff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmofagfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmodnoo.dll" Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoepebho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbeejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfgllk32.dll" Ifmqfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekeodnf.dll" Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmeddp32.dll" Bnfihkqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npkjmfie.dll" Pcobaedj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1116 wrote to memory of 672 1116 d135273ce4f2db77959d1358b8d2c200N.exe 84 PID 1116 wrote to memory of 672 1116 d135273ce4f2db77959d1358b8d2c200N.exe 84 PID 1116 wrote to memory of 672 1116 d135273ce4f2db77959d1358b8d2c200N.exe 84 PID 672 wrote to memory of 2240 672 Laqhhi32.exe 85 PID 672 wrote to memory of 2240 672 Laqhhi32.exe 85 PID 672 wrote to memory of 2240 672 Laqhhi32.exe 85 PID 2240 wrote to memory of 3352 2240 Lgkpdcmi.exe 86 PID 2240 wrote to memory of 3352 2240 Lgkpdcmi.exe 86 PID 2240 wrote to memory of 3352 2240 Lgkpdcmi.exe 86 PID 3352 wrote to memory of 2400 3352 Lndham32.exe 87 PID 3352 wrote to memory of 2400 3352 Lndham32.exe 87 PID 3352 wrote to memory of 2400 3352 Lndham32.exe 87 PID 2400 wrote to memory of 2132 2400 Leopnglc.exe 88 PID 2400 wrote to memory of 2132 2400 Leopnglc.exe 88 PID 2400 wrote to memory of 2132 2400 Leopnglc.exe 88 PID 2132 wrote to memory of 312 2132 Lhmmjbkf.exe 89 PID 2132 wrote to memory of 312 2132 Lhmmjbkf.exe 89 PID 2132 wrote to memory of 312 2132 Lhmmjbkf.exe 89 PID 312 wrote to memory of 1680 312 Mngegmbc.exe 90 PID 312 wrote to memory of 1680 312 Mngegmbc.exe 90 PID 312 wrote to memory of 1680 312 Mngegmbc.exe 90 PID 1680 wrote to memory of 4572 1680 Meamcg32.exe 91 PID 1680 wrote to memory of 4572 1680 Meamcg32.exe 91 PID 1680 wrote to memory of 4572 1680 Meamcg32.exe 91 PID 4572 wrote to memory of 744 4572 Mhoipb32.exe 92 PID 4572 wrote to memory of 744 4572 Mhoipb32.exe 92 PID 4572 wrote to memory of 744 4572 Mhoipb32.exe 92 PID 744 wrote to memory of 4780 744 Mniallpq.exe 93 PID 744 wrote to memory of 4780 744 Mniallpq.exe 93 PID 744 wrote to memory of 4780 744 Mniallpq.exe 93 PID 4780 wrote to memory of 2560 4780 Mecjif32.exe 94 PID 4780 wrote to memory of 2560 4780 Mecjif32.exe 94 PID 4780 wrote to memory of 2560 4780 Mecjif32.exe 94 PID 2560 wrote to memory of 4984 2560 Mhafeb32.exe 95 PID 2560 wrote to memory of 4984 2560 Mhafeb32.exe 95 PID 2560 wrote to memory of 4984 2560 Mhafeb32.exe 95 PID 4984 wrote to memory of 4484 4984 Mnlnbl32.exe 96 PID 4984 wrote to memory of 4484 4984 Mnlnbl32.exe 96 PID 4984 wrote to memory of 4484 4984 Mnlnbl32.exe 96 PID 4484 wrote to memory of 4160 4484 Meefofek.exe 97 PID 4484 wrote to memory of 4160 4484 Meefofek.exe 97 PID 4484 wrote to memory of 4160 4484 Meefofek.exe 97 PID 4160 wrote to memory of 5068 4160 Mlpokp32.exe 98 PID 4160 wrote to memory of 5068 4160 Mlpokp32.exe 98 PID 4160 wrote to memory of 5068 4160 Mlpokp32.exe 98 PID 5068 wrote to memory of 4312 5068 Mnnkgl32.exe 99 PID 5068 wrote to memory of 4312 5068 Mnnkgl32.exe 99 PID 5068 wrote to memory of 4312 5068 Mnnkgl32.exe 99 PID 4312 wrote to memory of 4784 4312 Mehcdfch.exe 100 PID 4312 wrote to memory of 4784 4312 Mehcdfch.exe 100 PID 4312 wrote to memory of 4784 4312 Mehcdfch.exe 100 PID 4784 wrote to memory of 3312 4784 Mhfppabl.exe 101 PID 4784 wrote to memory of 3312 4784 Mhfppabl.exe 101 PID 4784 wrote to memory of 3312 4784 Mhfppabl.exe 101 PID 3312 wrote to memory of 3396 3312 Mnphmkji.exe 102 PID 3312 wrote to memory of 3396 3312 Mnphmkji.exe 102 PID 3312 wrote to memory of 3396 3312 Mnphmkji.exe 102 PID 3396 wrote to memory of 1692 3396 Maodigil.exe 104 PID 3396 wrote to memory of 1692 3396 Maodigil.exe 104 PID 3396 wrote to memory of 1692 3396 Maodigil.exe 104 PID 1692 wrote to memory of 3012 1692 Mhilfa32.exe 105 PID 1692 wrote to memory of 3012 1692 Mhilfa32.exe 105 PID 1692 wrote to memory of 3012 1692 Mhilfa32.exe 105 PID 3012 wrote to memory of 4952 3012 Nobdbkhf.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\d135273ce4f2db77959d1358b8d2c200N.exe"C:\Users\Admin\AppData\Local\Temp\d135273ce4f2db77959d1358b8d2c200N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe23⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe24⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe25⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe26⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe27⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe28⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4800 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3380 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4804 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe34⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe35⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe36⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe37⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe38⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe39⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4624 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe41⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe42⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe43⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3164 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe48⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe49⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe50⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe52⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe54⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe55⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe56⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe57⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe58⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe59⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe60⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe61⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe62⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe64⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4920 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe67⤵PID:2536
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe68⤵PID:3548
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe70⤵PID:2404
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe71⤵PID:3692
-
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe72⤵PID:5056
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe73⤵PID:5008
-
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe74⤵PID:3344
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe75⤵PID:3348
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe76⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe77⤵
- Modifies registry class
PID:3628 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe78⤵PID:3288
-
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe79⤵PID:2236
-
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe80⤵PID:2688
-
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe81⤵PID:4440
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe82⤵PID:3412
-
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe83⤵PID:1656
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe84⤵PID:5052
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe85⤵PID:4864
-
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe86⤵PID:2284
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4124 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe88⤵PID:1856
-
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe89⤵PID:1884
-
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe90⤵PID:2156
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe91⤵PID:3296
-
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe92⤵PID:5144
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe93⤵PID:5208
-
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe94⤵PID:5268
-
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe95⤵PID:5316
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe96⤵PID:5360
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe97⤵PID:5432
-
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe98⤵
- System Location Discovery: System Language Discovery
PID:5512 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe99⤵PID:5556
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe100⤵PID:5612
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe101⤵
- Modifies registry class
PID:5656 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe102⤵PID:5700
-
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe103⤵PID:5744
-
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe104⤵PID:5784
-
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe105⤵PID:5832
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe107⤵PID:5928
-
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe108⤵PID:5972
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6024 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe110⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe111⤵
- Drops file in System32 directory
PID:6112 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe112⤵PID:5140
-
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe113⤵PID:5264
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe114⤵PID:5324
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe115⤵PID:5416
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe116⤵PID:5528
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe117⤵PID:5592
-
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe118⤵PID:5672
-
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe119⤵PID:5740
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe120⤵PID:5816
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe121⤵PID:5896
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-